Your next AI audit shouldn't start with archaeology.
Every model gets an AI Bill of Materials — datasets, pipeline steps, hashes, and provenance in CycloneDX 1.7, scored against G7/CISA/NTIA guidance and mapped to EU AI Act Annex IV. And unlike documentation systems that rely on someone recording metadata, the AI-BOM is generated from runtime observation of what actually ran.
Documentation that can be verified — not just claimed.
When an organization marks a DAG public, its AI-BOM is public too — anyone with the link can inspect the components, the completeness score, and the raw CycloneDX JSON. Every component carries a content hash, so the record can be checked.
Open a real audit page — components, score, and downloadable BOM for an actual training run.
Open a live AI-BOM →the gate is the DAG owner's plan, not the viewer — public means public
Facts that follow the data.
Lineage is captured automatically. But some facts only a human knows — a license, a jurisdiction, that a dataset contains PII. Declare them once, at the source, and they propagate down the lineage to every derived artifact. Sanitization steps declare a barrier — and the barrier itself is a recorded, auditable fact.
roar tag why walks any inherited fact back to the human act that declared it.
Nothing is ever silently deleted — overrides are recorded on top, append-only.
Three steps. No new pipeline.
Register.
roar register under your organization scope. The lineage —
jobs, artifacts, hashes, environment — is already captured.
Audit.
GLaaS assembles the BOM from the graph it already has and scores it against a published checklist.
Download.
Machine-readable JSON your compliance team, customer, or auditor can verify — every component carries a content hash.
EU AI Act Annex IV, answered field by field.
Providers of high-risk AI systems must maintain Annex IV technical documentation. Every row below is backed by evidence captured at runtime during development — not reconstructed for the audit:
| Annex IV §2 requires | Where it lives in the AI-BOM |
|---|---|
| Training datasets used | components[*] with BLAKE3 content hashes |
| Data origin and traceability | dependencies, formulation[*].tasks[*].inputs |
| Training pipeline / development process | formulation[*].workflows[*].tasks |
| Tooling used | metadata.tools.components (roar + GLaaS) |
| Component version identity | components[*].version (artifact hash) |
| Supplier / manufacturer | metadata.supplier, metadata.manufacturer |
| Lifecycle changes | successive registered sessions form a versioned audit trail |
The AI Act mandates the information, not a format. CycloneDX 1.7 is the machine-readable format referenced by both the G7 SBOM-for-AI Minimum Elements and CISA's 2025 SBOM Minimum Elements.
What's automatic, and what's yours.
Generated for free — from lineage
Pipeline formulation, dependency graph, content hashes, versions, git context, tooling, timestamps. If roar observed the run, these fields fill themselves.
Authored by you — via labels
Licenses, component descriptions, documentation links — fields no
observer can know. Attach them as labels (license.id,
description, documentation.url) and the
score climbs.
Your next audit is a lookup.
The AI-BOM is the first deliverable of a broader capability: evidence generated automatically from runtime-observed lineage. If your runs are registered, the documentation already exists — it's just waiting to be generated.
AI-BOM export is included in paid plans · see pricing