What is this Artificial Intelligence Bill of Materials (AIBOM) by CERT-In? Not a Regulation Certainly.
From Abhivardhan, our President
So, to save everyone's time on the "Artificial Intelligence Bill of Materials (AIBOM)" by CERT-In, Ministry of Electronics and Information Technology, before any random law firm associate says that a "new AI regulation" has come, let's understand what an AIBOM is from a cybersecurity PoV.
A Bill of Materials is all about the raw materials, components, parts, and assemblies needed to manufacture a product. It essentially acts as a "recipe" for creating a product.
In the case of AI, the Computer Emergency Response Team hasn't suggested something "huge". All they have stated in the case of AI are pretty basic things.
What most people missed is the definition of "Intended Usage", which is "The specific use cases or scenarios for which the AI model is designed and intended to be used".
This definition of intended usage first of all vindicates the definition of intended purpose I had proposed in India's first AI bill, aiact.in (proof: https://arc.net/l/quote/ikbcydvw).
And honestly, this is a pretty basic definition.
Now, where I agree with Ratnesh Pareek is that maybe CERT-In should have explored the kinds of vulnerabilities, if the Response Center proposes that Vulnerability Exploitability eXchanges for AI (VEX for AI) should be implemented. Dr Chiranjiv Roy, PhD MBA, can explore this better than me, since he is a cybersecurity expert.
This also means that VEX for AI is NOT A MEANS of regulation. Why?
1️⃣ VEX operates as a communication protocol rather than a regulatory framework.
2️⃣ VEX documents are supplier-driven and supplier-authored, not government-mandated.
3️⃣ The VEX model defines technical specifications for data formats (like SPDX or CycloneDX) and minimum required elements. It's essentially a standardized way to say "here's what we know about this vulnerability in our product" rather than "here's what you must do about it."
4️⃣ Organizations can choose whether to implement VEX, how frequently to update it, and what level of detail to provide. There are no penalties for non-compliance and no enforcement mechanisms.
5️⃣ The primary goal is to help organizations prioritize remediation efforts and reduce false positives in vulnerability management.
This is about making security operations more efficient, not about regulatory compliance.
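To make points 3️⃣ and 5️⃣ concrete, here is an added illustration (not from CERT-In's document or any real product) of how a VEX section embedded in a CycloneDX-style AIBOM lets a consumer suppress findings the supplier has already analysed, while carrying the "intended usage" of the model as a component property. The component names, versions and vulnerability IDs are constructed placeholders; the `analysis.state` values are the ones CycloneDX defines.

```python
import json
# Constructed example (not CERT-In's or any real product's data): a minimal
# CycloneDX-style AIBOM with one ML model, one library, an "intended usage"
# property and embedded VEX statements. All IDs and names are placeholders.
AIBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "machine-learning-model", "bom-ref": "model-1", "name": "example-classifier",
   "version": "2.1.0",
   "properties": [{"name": "intended_usage", "value": "classifying internal archive documents"}]},
  {"type": "library", "bom-ref": "lib-1", "name": "example-tokenizer", "version": "0.9.3"}],
 "vulnerabilities": [
  {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "lib-1"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "EXAMPLE-VULN-0002", "affects": [{"ref": "model-1"}], "analysis": {"state": "exploitable"}},
  {"id": "EXAMPLE-VULN-0003", "affects": [{"ref": "model-1"}], "analysis": {"state": "in_triage"}}]}"""
# Constructed scanner output for the same components; 0004 has no VEX statement yet.
SCANNER_FINDINGS = [{"id": "EXAMPLE-VULN-0001", "ref": "lib-1"},
                    {"id": "EXAMPLE-VULN-0002", "ref": "model-1"},
                    {"id": "EXAMPLE-VULN-0003", "ref": "model-1"},
                    {"id": "EXAMPLE-VULN-0004", "ref": "model-1"}]
# CycloneDX analysis states under which the supplier asserts no action is needed.
NO_ACTION_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}

def intended_usage(aibom_json, ref):
    """Return the component's declared intended usage, or None if it is absent."""
    for comp in json.loads(aibom_json).get("components", []):
        if comp.get("bom-ref") == ref:
            props = {p["name"]: p["value"] for p in comp.get("properties", [])}
            return props.get("intended_usage")
    return None

def vex_states(aibom):
    """Map (vulnerability id, component ref) -> VEX state declared by the supplier."""
    return {(v["id"], a["ref"]): v.get("analysis", {}).get("state")
            for v in aibom.get("vulnerabilities", []) for a in v.get("affects", [])}

def triage(aibom_json, findings):
    """Sort scanner findings into suppressed / open / no_statement using the VEX data."""
    states = vex_states(json.loads(aibom_json))
    result = {"suppressed": [], "open": [], "no_statement": []}
    for f in findings:
        state = states.get((f["id"], f["ref"]))
        bucket = ("no_statement" if state is None  # no supplier claim: stays in the queue
                  else "suppressed" if state in NO_ACTION_STATES  # auditable supplier claim
                  else "open")  # exploitable or still in triage
        result[bucket].append(f["id"])
    return result
```

Note that a suppressed finding is only as trustworthy as the supplier's statement, which is exactly why VEX is a communication format rather than a compliance mechanism: the consumer keeps the statement as evidence and decides whether to accept it.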
You're welcome. Now your time as an AI innovator won't be wasted by garbage takes.
But yes, AIBOM-related vulnerabilities might have an existential risk connect as well.
Have a nice day.