A is incorrect: A threat modeling report identifies potential security threats, attack surfaces, and vulnerabilities in a system's architecture and design. While useful for understanding risks facing AI systems, it focuses on analyzing adversary capabilities and attack vectors rather than providing a structured inventory of AI components and their provenance for supply chain visibility.
B is correct: An AI Bill of Materials (AIBOM) extends the traditional software bill of materials concept to provide transparency into how AI models are built, trained, and deployed. It documents AI-specific components including ML frameworks, pre-trained model origins, training datasets, fine-tuning parameters, and data provenance information. This enables organizations to track all dependencies, assess supply chain risks, and maintain an accurate record of the AI system's complete component lineage. Reference: https://owasp.org/www-project-aibom/
C is incorrect: A model card provides documentation about a single AI model's intended use, performance metrics, evaluation results, and known limitations. While model cards are valuable for transparency about individual model behavior and fairness considerations, they do not provide a comprehensive inventory of all components, third-party dependencies, and datasets used across the organization's AI supply chain.
D is incorrect: A data classification policy defines how an organization categorizes and handles data based on sensitivity levels such as public, internal, confidential, and restricted. While important for data governance and protection, it does not provide a structured component inventory documenting AI-specific artifacts, their origins, or supply chain relationships.