AI 扩展计划 / Playbooks

AI Supply Chain / AI BOM / Provenance Playbook

版本：v1.0

795 行AI_SUPPLY_CHAIN_AI_BOM_PROVENANCE_PLAYBOOK.md

AI Supply Chain, AI BOM and Provenance Architecture Playbook

版本：v1.0 日期：2026-06-30 适用对象：AI PM、AI BA、Enterprise Architect、Solution Architect、Model Risk、Security、Vendor Risk、Data Governance、Procurement、Legal、Compliance、Internal Audit、金融零售业务负责人

定位：把 AI supply chain、AI Bill of Materials、component provenance、vulnerability/change response、license/data rights、concentration risk 和 exit readiness 统一成一套金融零售可执行架构手册。

核心结论：AI BOM 不是普通 SBOM 的改名版，也不是供应商清单。它是 AI workflow 的 component-level traceability layer，覆盖模型、供应商、数据集、RAG 语料、prompt、工具、MCP servers/connectors、eval datasets、人审供应商、telemetry stores、开源包、许可证、版本、签名、provenance、变更响应和退出路径。

重要说明：本文是学习、架构和作品集材料，不构成法律、监管、审计、采购或正式模型风险管理意见。真实项目必须由 business owner、model risk、security、privacy、legal、compliance、procurement、data governance、architecture 和 internal audit 共同确认。

1. Executive Framing

金融零售机构正在把 GenAI、RAG、Agent、MCP connector、AI workflow SaaS、评估工具和人工标注服务接入客户与运营流程。

AI supply chain 的真实边界比传统软件复杂:

模型可能来自多个 provider，并通过 gateway 动态路由。
RAG 语料来自内部政策、客户记录、供应商文档、网页和第三方数据。
Prompt pack 和 tool schema 能改变系统行为，却常常没有正式版本治理。
MCP server 和 connector 把 Agent 能力扩展到 CRM、工单、支付、邮件和数据仓库。
Eval dataset 和 human review rubric 会决定系统能否上线。
Telemetry store 和 trace schema 决定审计和事故复盘是否可行。
开源模型、package、embedding model、reranker、tokenizer 和 license 会引入权利与漏洞风险。

核心问题:

Can we identify every component that can influence AI behavior, data exposure, evidence, cost, resilience or legal rights,
and can we trace that component to outputs, customers, workflows, owners, approvals and response actions?

AI BOM 提供四种能力:

Capability	Meaning	Executive value
Component visibility	看到模型、数据、prompt、tool、eval、人审和 telemetry 依赖	不再把 AI 系统当黑盒
Provenance evidence	证明组件来源、版本、签名、批准和使用记录	支持模型风险、审计和监管问询
Response speed	出现漏洞、投毒、许可证、模型更新或供应商变更时快速定位影响	降低事故范围和停机时间
Exit readiness	知道哪些组件可替换、可导出、可重建、可降级	降低集中度和锁定风险

AI BOM 不是:

Misunderstanding	Correction
Only SBOM for Python packages	It includes software plus model, data, prompt, tool, eval and human-operational components.
Same as vendor inventory	Vendor inventory tracks suppliers; AI BOM tracks components and runtime use.
Same as model inventory	Model inventory tracks models; AI BOM tracks the full workflow component graph.
One-time spreadsheet	It must connect to release, runtime trace, eval, incident and exit workflows.

SR 26-2 is a current model-risk anchor, but AI BOM must be broader than formal model inventory. Model inventory tells the institution what models it owns or uses; AI BOM tells the institution what exact component chain produced a behavior and what must be changed, tested, paused or exited when any component becomes risky.

2. Source Anchors

Anchor	Official link	Playbook usage
CISA SBOM official page	https://www.cisa.gov/sbom	Establishes SBOM as a component transparency and vulnerability-response discipline.
NIST SSDF SP 800-218	https://csrc.nist.gov/pubs/sp/800/218/final	Provides secure development practices: prepare, protect, produce, respond; extended here to AI component build and release.
OWASP Top 10 for LLM Applications	https://genai.owasp.org/llm-top-10/	Supplies LLM application risks, including supply chain, prompt injection, sensitive disclosure, data/model poisoning, excessive agency and unbounded consumption.
NIST AI RMF	https://www.nist.gov/itl/ai-risk-management-framework	Organizes AI risk through Govern, Map, Measure and Manage; used for AI BOM governance operating model.
Federal Reserve SR 26-2	https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm	Current model-risk anchor; used to position AI BOM as broader system-component evidence around formal model inventory.

Anchor interpretation:

Source	Strong use	Weak use
CISA SBOM	Use component transparency, supplier, version, dependency and response logic.	Claim SBOM alone covers AI systems.
NIST SSDF	Build secure release and response practices for AI artifacts.	Treat prompt, corpus and eval changes as outside lifecycle.
OWASP LLM Top 10	Add AI-native supply-chain attack surfaces.	Only test direct jailbreak examples.
NIST AI RMF	Tie BOM to governance, mapping, measurement and management.	Treat BOM as purely technical inventory.
SR 26-2	Link to model risk governance and inventory.	Collapse every AI component into a single model record.

3. AI Supply Chain Scope

AI supply chain includes every external or internal component that can influence model behavior, retrieved context, prompt construction, tool/action execution, output safety, customer data exposure, audit replay, evaluation, incident response, operating cost, concentration or exit.

Class	Examples	Why it matters
Model	hosted LLM, open-source model, reranker, embedding model, classifier	Direct behavior, cost, safety, model risk and provider dependency
Provider	model API, RAG SaaS, eval SaaS, cloud GPU, annotation vendor	Contract, subprocessor, support access, concentration
Dataset	training data, tuning data, third-party data, synthetic data	Rights, bias, privacy, provenance, deletion
RAG corpus	policy docs, procedures, product terms, call scripts, knowledge base	Grounding, permissions, source freshness
Prompt	system prompt, developer prompt, policy prompt, tool prompt	Instruction hierarchy, compliance language, behavior drift
Tool/API	customer summary, refund dry-run, case update, email send, fraud check	Agency, least privilege, approval and audit
MCP server/connector	CRM MCP, document search MCP, ticketing connector, payment connector	Tool discovery, manifest poisoning, token scope
Eval dataset	golden set, red-team set, regression set, fairness set	Release gate, safety evidence, model risk
Human review	QA vendor, labeling team, compliance reviewer, calibration panel	Operational quality, bias, confidentiality
Telemetry	trace store, SIEM, model observability, cost dashboard	Audit, monitoring, incident scoping
Open-source package	packages, container images, tokenizers, parsers, vector DB clients	Vulnerability, license, build integrity
License/rights	model license, data terms, generated-output rights, attribution	Legal use, commercial restriction, exit

Relationship to existing inventories:

Inventory	Scope	AI BOM relationship
Model inventory	Formal models, validation, tier, owner, monitoring	AI BOM references model inventory IDs and adds non-model components
Vendor inventory	Supplier entities, contracts, risk ratings, subprocessors	AI BOM maps components to vendors and subprocessors
Data catalog	Datasets, owners, classification, lineage	AI BOM references data assets used by AI workflows
Package SBOM	Software packages and dependencies	AI BOM includes SBOM artifacts as one component class
Prompt/eval registry	Templates, test sets, run records	AI BOM records prompt and eval versions in release manifests

4. AI BOM Schema

Every component record should answer: what is it, where did it come from, who owns it, which version is approved, what rights apply, which workflows use it, how it is verified, and how it exits.

Field	Example
`component_id`	`rag-corpus-card-fee-policy-2026q2`
`component_class`	`rag_corpus`
`component_name`	`Credit Card Fee Policy Corpus`
`version`	`2026q2-v17`
`supplier_type`	`internal_policy_ops`
`supplier_name`	`Card Servicing Policy Operations`
`owner`	`Head of Card Servicing Knowledge`
`business_capability`	`Customer servicing and dispute explanation`
`approved_use`	`Ground employee Copilot answers for card fee and dispute policy`
`prohibited_use`	`Autonomous fee waiver decision or direct customer legal disclosure`
`risk_tier`	`High`
`data_classification`	`Confidential internal policy; no customer PII`
`license_or_rights`	`Internal policy use only; not redistributable outside institution`
`source_uri`	`policy-repo://card/fees/2026Q2`
`checksum`	`sha256:4d8c91f0a72b6c20`
`signature_status`	`signed_by_policy_ops_release_key`
`approval_record`	`AI-CHANGE-2026-0619-044`
`deployment_state`	`production`
`replacement_option`	`rebuild from policy source registry into alternate vector index`
`last_reviewed_at`	`2026-06-30`

Runtime usage record:

Field	Example
`usage_event_id`	`aiuse-20260630-0001842`
`trace_id`	`trace-card-complaint-88172`
`workflow_id`	`card-dispute-copilot`
`release_id`	`release-2026.06.30`
`component_id`	`prompt-card-dispute-sop`
`component_version`	`v9`
`used_at`	`2026-06-30T15:21:44Z`
`use_context`	`prompt_assembly`
`actor`	`service-principal-ai-gateway`
`customer_case_reference`	`case-hash:8120b9`
`retention_class`	`high_risk_customer_service_trace`

Production release manifest should be signed:

{
  "ai_bom_manifest_id": "aibom-card-dispute-copilot-2026.06.30",
  "workflow_id": "card-dispute-copilot",
  "risk_tier": "high",
  "release_id": "release-2026.06.30",
  "approved_by": ["card-servicing-owner", "model-risk-reviewer", "security-architect"],
  "components": [
    {"id": "model-route-primary", "class": "model_route", "version": "2026-06"},
    {"id": "prompt-card-dispute-sop", "class": "prompt_pack", "version": "v9"},
    {"id": "rag-corpus-card-fee-policy-2026q2", "class": "rag_corpus", "version": "2026q2-v17"},
    {"id": "tool-transaction-summary", "class": "tool_api", "version": "v4"},
    {"id": "mcp-crm-case-reader", "class": "mcp_server", "version": "v3.2.1"},
    {"id": "eval-card-dispute-golden", "class": "eval_dataset", "version": "2026q2-v3"},
    {"id": "trace-schema-ai-high-risk", "class": "telemetry_schema", "version": "v6"}
  ],
  "release_gate": {"eval_result": "passed", "critical_failures": 0, "license_exceptions": 0}
}

Required relationships:

Relationship	Meaning
`depends_on`	Component cannot operate without another component
`derived_from`	Component was created from another source or artifact
`provided_by`	Component is supplied or operated by a vendor or internal group
`used_by`	Component is used by a workflow, model, prompt, eval or output
`tested_by`	Component is covered by a specific eval dataset or test
`controlled_by`	Component is governed by a control, policy or contract term
`replaces`	Component supersedes another version
`exit_to`	Component has a replacement or degradation path

5. Component-Level Design Notes

Component	Metadata that matters most	Response question
Model	provider, deployment, version policy, data-use terms, model risk link, fallback route	Which outputs used this model version and can we pin or roll back?
Dataset	source, rights, sensitivity, provenance, approved use, deletion impact	Is this data allowed for eval, RAG, fine-tuning or vendor processing?
RAG corpus	source snapshot, chunk rule, embedding model, ACL, effective date, rebuild SLA	Which answers cited stale, unauthorized or withdrawn documents?
Prompt	owner, template version, policy linkage, signature, eval coverage	Did this prompt version change customer-facing behavior or tool access?
Tool/API	tool risk tier, permission, schema, approver, kill switch, idempotency	Can the model propose it and which system authorizes execution?
MCP server	manifest, methods, transport, token scope, sandbox, signature	Is the server allowlisted, scoped and safe from manifest/tool-output injection?
Eval set	source, synthetic/production flag, rubric, sensitivity, release gate	Does the release gate cover the component and risk being changed?
Human review	vendor, reviewer training, rubric, QA sampling, confidentiality	Did reviewer staffing or rubric drift change quality evidence?
Telemetry	trace schema, store, retention, masking, export, access	Can we replay the component chain for one high-risk output?
Package	package, version, license, maintainer, checksum, vulnerability state	Is the dependency exploitable or legally restricted?

Design principle:

If changing a component can change an answer, permission, evidence record, customer impact, cost, legal right or exit path, it belongs in the AI BOM.

6. Provenance Graph

AI BOM gives the node list; provenance graph gives the edges and events. Without a provenance graph, the organization knows components exist but cannot prove how they produced a specific output.

PROV-style mapping:

PROV concept	AI BOM example
Entity	model component, prompt pack, source document, chunk, eval item, output, trace
Activity	ingest, chunk, embed, sign, approve, retrieve, prompt assemble, invoke, review, retire
Agent	product owner, data owner, model provider, service principal, reviewer, vendor

Graph example:

flowchart LR
  A[Policy Source v12] --> B[Chunking Activity v5]
  B --> C[RAG Corpus 2026Q2-v17]
  C --> D[Retrieval Run trace-88172]
  E[Prompt Pack v9] --> F[Prompt Assembly]
  D --> F
  G[Transaction Summary Tool v4] --> F
  F --> H[Model Invocation enterprise-chat-2026-06]
  H --> I[Employee Copilot Draft]
  I --> J[Human Review QA Rubric v3]
  J --> K[Customer Response Logged]
  L[AI BOM Registry] -. component ids .-> C
  L -. component ids .-> E
  L -. component ids .-> G
  L -. component ids .-> H

Minimum provenance events:

Event	Required fields
`component_registered`	ID, class, version, owner, supplier, source, risk tier
`component_verified`	checksum, signature, license scan, rights review, security scan
`component_approved`	approver, approved use, prohibited use, evidence, expiration
`component_deployed`	environment, workflow, release, change ticket, effective time
`component_used`	trace ID, workflow, component version, use context, actor
`component_evaluated`	eval dataset, result, threshold, reviewer, release gate
`component_flagged`	issue type, severity, detection source, response owner
`component_retired`	replacement, migration evidence, deletion/export evidence

Impact queries:

SELECT output_id, workflow_id, customer_case_hash, trace_id, generated_at
FROM ai_component_usage
WHERE component_id = 'rag-corpus-card-fee-policy-2026q2'
  AND component_version = '2026q2-v17'
  AND generated_at BETWEEN '2026-06-01' AND '2026-06-30';

SELECT DISTINCT workflow_id, business_owner, risk_tier, fallback_mode
FROM ai_bom_dependency_graph
WHERE dependency_component_id = 'mcp-crm-case-reader'
  AND dependency_version = 'v3.2.1';

7. Change And Vulnerability Response

AI BOM response covers CVEs and AI-native component failures.

Event type	Example
Software vulnerability	Vector DB client package has critical CVE
Model change	Provider announces material model update
Prompt issue	Prompt pack omits required complaint escalation language
Corpus issue	Stale fee policy remains retrievable
Dataset issue	Eval dataset contains unmasked customer field
Tool issue	MCP connector exposes broader method than approved
License issue	Open-source model license disallows commercial financial use
Human vendor issue	Review vendor changes offshore subprocessor
Telemetry issue	Trace store logs full account numbers
Concentration issue	Same model provider supports five critical workflows

Response workflow:

Detect issue
  -> classify component and severity
  -> query impact graph
  -> identify owners and affected workflows
  -> choose containment: disable, rollback, pin, purge, reroute, human review
  -> run targeted regression and safety eval
  -> decide release, rollback or residual risk acceptance
  -> update AI BOM status and evidence binder

Severity matrix:

Severity	Criteria	Required action
Critical	Data leakage, unauthorized financial action, prohibited model/data use, active exploit, regulatory response likely	Immediate containment, executive notification, incident record, regression before restore
High	High-risk workflow impact, unsafe customer-facing output, serious license breach, material model drift	Owner task within 1 business day, impact query, release gate or rollback
Medium	Internal workflow degradation, non-critical component outdated, incomplete evidence	Fix in planned change window, monitor KRI
Low	Documentation mismatch or non-material metadata issue	Correct registry and evidence record

Containment patterns:

Component	Containment
Model	Pin prior version, route to fallback, disable high-risk workflow, force human review
RAG corpus	Mark source inactive, purge chunks, rebuild index, block citations
Prompt	Roll back prompt pack, disable tool access path, run regression
Tool/API	Disable method, revoke token, switch to read-only, require dual approval
MCP server	Remove from allowlist, rotate scoped token, sandbox, review manifest
Eval dataset	Quarantine dataset, remove sensitive cases, rerun benchmark
Human vendor	Pause queue, switch reviewer group, re-review sample, confirm confidentiality
Telemetry	Mask field, restrict access, rotate keys, preserve incident evidence
Open-source package	Patch, replace, rebuild image, verify signature

Response evidence:

Evidence	Purpose
Issue record	Detection source, component, severity, owner and timeline
Impact query result	Affected workflows, outputs, customers or releases
Containment action	Disable, rollback, route change, purge or review
Regression report	Issue no longer reproduces or residual risk is understood
Approval record	Business, risk and technical decision
AI BOM update	Component status, replacement and lessons learned

8. License And Data Rights

Rights failures can block deployment, exit, audit or commercial use.

Examples:

Open-source model license restricts commercial or financial-service use.
Dataset terms allow evaluation but not fine-tuning.
Vendor API terms allow prompt retention for abuse monitoring but not training.
Generated output terms require attribution or restrict redistribution.
Policy documents can be used internally but not shared with third-party annotation vendors.

Rights fields:

Field	Example
`rights_owner`	`Card Servicing Legal`
`permitted_use`	`internal employee Copilot grounding and QA evaluation`
`prohibited_use`	`fine-tuning, external redistribution, public benchmark publication`
`attribution_required`	`no external attribution; internal source ID required`
`training_allowed`	`false`
`eval_allowed`	`true with masked customer data`
`redistribution_allowed`	`false`
`expiry_or_review_date`	`2026-12-31`
`evidence_uri`	`contract://AI-DPA-2026-044/section-data-use`

Review questions:

Component	Rights question
Model	Does the license allow the intended commercial financial use and output handling?
Dataset	Does consent, contract or policy allow AI eval, RAG, training or vendor processing?
RAG corpus	Can source documents be embedded, chunked, sent to model provider or reviewed by vendor?
Eval set	Can production-derived examples be retained and shown to external validators?
Human review	Can reviewers see the data, where are they located, and what confidentiality terms apply?
Telemetry	Can logs be exported to SIEM, vendor support or audit workspace?

9. Vendor, Subprocessor, Concentration And Exit

Component-to-vendor view:

Component	Vendor / internal owner	Data exposed	Region	Subprocessor	Contract control
Primary model route	Approved LLM Provider	Masked prompt and output	US approved region	Cloud infrastructure provider	No training, retention limit, change notice
Eval SaaS	EvalOps Vendor	Synthetic and masked eval cases	US	Annotation analytics provider	Confidentiality, deletion, export
Human QA review	Review Vendor A	Masked customer service transcripts	US operations only	Workforce platform	Location control, access log
CRM MCP server	Internal platform	Customer case metadata	Bank environment	None for runtime	Signed manifest, scoped token
Trace vault	Bank observability platform	Encrypted payload and manifest	Bank environment	Cloud KMS	Retention, audit access

Concentration KRIs:

Dimension	Example KRI
Model provider	Percent of high-risk AI workflows using same model provider
Cloud region	Percent of customer-facing AI calls in one region
RAG platform	Number of critical workflows on one vector/RAG SaaS
Eval vendor	Number of release gates dependent on one external evaluator
Human vendor	Percent of high-risk human review queue handled by one vendor
MCP connector	Number of workflows relying on one connector for case data
Telemetry store	Percent of audit replay dependent on one observability platform

Exit mapping:

Component	Exit question	Example answer
Model route	Can we reroute without rewriting applications?	Yes, via model gateway with provider-normalized schema
RAG corpus	Can we rebuild index outside vendor?	Yes, source registry plus chunk rule and embedding job are institution-owned
Prompt pack	Can prompts be exported and tested elsewhere?	Yes, prompt registry stores signed Markdown and JSON manifests
MCP connector	Can we disable or replace it without breaking all workflows?	Yes, tool gateway has per-workflow kill switch and alternate REST adapter
Eval set	Can we run release gate without vendor UI?	Yes, eval cases and expected behaviors are exported as JSONL
Telemetry	Can audit replay survive vendor termination?	Yes, evidence vault stores normalized trace records

10. Dashboards And KRIs

Executive dashboard:

KRI	Target posture
High-risk workflows with complete AI BOM	100 percent before production
High-risk traces with component usage events	100 percent
Components without owner	0 in production
Components without rights review	0 in high-risk workflows
Unsigned prompt/tool/corpus manifests	0 in production
Critical components without exit path	0 for customer-facing workflows
Model/provider concentration over threshold	Reviewed monthly with risk decision
Component vulnerabilities past SLA	0 Critical; High tracked with owner

Operational dashboard:

Metric	Why it matters
Component change frequency by workflow	Detect unstable supply chain
Failed release gates by component class	Identify weak prompt, corpus, tool or eval areas
Runtime use of deprecated components	Detect stale deployments
Tool/MCP manifest drift	Detect connector changes outside approval
RAG source freshness	Prevent stale policy responses
License review aging	Prevent silent rights risk
Eval coverage by OWASP LLM risk	Prevent blind spots
Evidence trace completeness	Preserve audit replay

Board / audit view:

Question	Evidence
Which AI workflows are high-risk and customer-facing?	AI workflow inventory and risk tier map
Which providers and components are concentrated?	Component-to-provider concentration heatmap
Can we respond to a component issue quickly?	Last impact-query and containment exercise
Are model risk and AI BOM connected?	Model inventory records linked to AI BOM manifests
Are exits tested?	Annual exit rehearsal for critical components

11. RACI

Activity	Business	AI PM	BA	Architect	Security	Model Risk	Data Gov	Legal / Privacy	Procurement	Vendor Owner	Audit
Define workflow scope	A	R	R	C	C	C	C	C	I	I	I
Identify AI BOM components	C	R	R	A	C	C	C	C	C	C	I
Classify risk tier	A	R	C	C	C	R	C	C	I	I	C
Review data rights	C	C	C	I	C	C	R	A	C	C	I
Review security and signatures	I	C	I	R	A	C	I	I	I	C	I
Approve model risk linkage	C	C	I	C	I	A	C	C	I	I	C
Manage vendor/subprocessor mapping	I	C	I	C	C	C	C	C	A	R	I
Approve production manifest	A	R	C	R	R	R	C	C	I	C	I
Monitor KRIs	A	R	C	R	R	R	C	C	C	R	C
Execute vulnerability response	A	R	C	R	A	R	C	C	C	R	I

RACI key: R = responsible, A = accountable, C = consulted, I = informed.

12. Financial Retail Examples

12.1 Customer Service RAG

Use case: employee assistant drafts answers for credit card fees, disputes and refunds.

AI BOM focus:

Model route, prompt pack, card policy corpus, transaction summary tool, CRM MCP server.
Eval set for stale policy, complaint escalation, vulnerable customer language and fee-waiver edge cases.
Trace store with prompt, model, corpus, tool and human review versions.

Failure scenario:

A retired annual-fee policy remains in the RAG index.
Impact graph identifies 184 outputs and 17 customer complaints.
Containment purges policy chunks, rebuilds index, requires human review for fee responses, and reruns regression set.

12.2 Credit Underwriting Copilot

Use case: analyst Copilot summarizes income, debt, documents and policy exceptions.

AI BOM focus:

Document OCR package, income classification model, policy RAG corpus, prompt pack, exception scoring tool.
Strict rights on borrower documents and production-derived eval cases.
Model risk linkage because outputs may influence credit decision support.

Failure scenario:

OCR package update changes extraction of paystub year-to-date income.
AI BOM query identifies underwriting workflows using the package version.
Containment pins prior package, samples affected summaries, and adds regression cases.

12.3 AML Case Copilot

Use case: investigator assistant summarizes alerts, customer profile, transaction patterns and narrative draft.

AI BOM focus:

High sensitivity data sources, typology corpus, narrative prompt, graph query tool, red-team eval.
Telemetry evidence for audit and suspicious activity review.
Vendor access must be tightly restricted because AML typologies and case data are sensitive.

Failure scenario:

MCP graph connector exposes a broader query scope than approved.
Tool gateway disables connector for AML workflows, rotates token, reviews trace usage and reruns excessive-agency tests.

12.4 Marketing Content Generator

Use case: marketing team drafts campaign copy with product constraints and brand tone.

AI BOM focus:

Brand prompt pack, product disclosure corpus, approved claims dataset, image/font/license assets.
Lower customer data exposure but higher output rights and disclosure accuracy risk.

Failure scenario:

Open-source image generation dependency changes license.
Rights review flags commercial use restriction, production release is blocked, and approved asset library replaces the component.

13. Templates With Concrete Examples

13.1 AI BOM Component Record

component_id: rag-corpus-card-fee-policy-2026q2
component_class: rag_corpus
component_name: Credit Card Fee Policy Corpus
version: 2026q2-v17
workflow_ids:
  - card-dispute-copilot
  - branch-card-servicing-assistant
owner: Head of Card Servicing Knowledge
supplier_type: internal
supplier_name: Card Policy Operations
risk_tier: high
approved_use: Ground employee Copilot answers about fees, disputes and provisional credits.
prohibited_use: Autonomous customer fee-waiver decisions and external redistribution.
data_classification: confidential_internal_policy
license_or_rights: internal_use_only
source_uri: policy-repo://card/fees/2026Q2
checksum: sha256:4d8c91f0a72b6c20
signature_status: signed_by_policy_ops_release_key
approval_record: AI-CHANGE-2026-0619-044
deployment_state: production
replacement_option: Rebuild corpus from approved policy source registry into alternate vector index.
exit_readiness: tested_2026_06_20
last_reviewed_at: 2026-06-30

13.2 Component Intake Checklist

Question	Example answer
What business workflow uses this component?	`card-dispute-copilot` uses it for employee answer drafting.
Can it affect customer-facing output?	Yes, it grounds policy and disclosure language.
Does it process customer data?	No direct PII; runtime prompt may combine its chunks with masked customer summary.
Who owns it?	Card Servicing Knowledge Owner.
What version evidence exists?	Signed corpus snapshot with checksum and source document list.
What rights apply?	Internal policy, not redistributable to external reviewers.
What eval covers it?	Card dispute golden set and stale-policy regression set.
What is the exit path?	Rebuild index from policy source registry and reroute retrieval through alternate vector DB.

13.3 Vulnerability Response Record

Field	Example
Issue ID	`AIBOM-INC-2026-0712-003`
Detection source	`RAG source freshness monitor`
Component	`rag-corpus-card-fee-policy-2026q2 / 2026q2-v17`
Issue	Retired fee waiver paragraph remained in retrieval index.
Severity	High
Impact query	184 outputs, 17 complaints, 2 fee-waiver escalation cases.
Containment	Marked source inactive, purged chunks, rebuilt index, forced human review on fee responses.
Regression	Stale-policy test pack passed on rebuilt index.
Business decision	Notify servicing managers; no customer notification after case review found no financial harm.
Evidence	Impact query export, purge certificate, eval report, decision memo.

13.4 License Review Record

Field	Example
Component	`open-source-reranker-package / v2.4.0`
License	`Apache-2.0`
Intended use	Internal RAG ranking for employee Copilot
Distribution	No external distribution; deployed as internal service
Training use	Not applicable; package does not receive training data
Attribution	License notice retained in internal third-party notice file
Risk decision	Approved for internal deployment
Reviewer	Legal Technology Counsel
Review date	2026-06-18

13.5 Evidence Query

SELECT
  t.trace_id,
  t.workflow_id,
  t.generated_at,
  u.component_id,
  u.component_version,
  c.component_class,
  c.owner,
  c.risk_tier,
  c.license_or_rights,
  c.deployment_state
FROM ai_trace t
JOIN ai_component_usage u ON t.trace_id = u.trace_id
JOIN ai_bom_component c
  ON u.component_id = c.component_id
 AND u.component_version = c.version
WHERE t.trace_id = 'trace-card-complaint-88172'
ORDER BY c.component_class, c.component_id;

13.6 ADR Example

# ADR: AI BOM Registry For High-Risk GenAI Workflows

Decision date: 2026-06-30
Status: Accepted
Context: Card servicing, AML and credit Copilots depend on model, RAG, prompt, tool, MCP, eval and telemetry components. Existing model inventory and vendor inventory do not provide component-level runtime traceability.
Decision: Build an AI BOM registry connected to prompt registry, model gateway, RAG source registry, tool gateway, eval store and trace vault. Require signed release manifests for high-risk workflows.
Consequences: Release gates become stricter, but incident response can scope affected outputs and exit planning becomes evidence-based.

14. Operating Model

Lifecycle:

Plan component
  -> intake and classify
  -> verify source, license, signature and rights
  -> approve for use
  -> include in release manifest
  -> capture runtime usage
  -> monitor KRIs
  -> respond to change/vulnerability
  -> retire, replace or export

Governance forums:

Forum	Decisions
AI Architecture Review	Component scope, integration, trace, gateway, exit and platform standards
Model Risk Review	Model linkage, validation, eval, monitoring and residual risk
Data Rights Review	License, consent, purpose, retention and deletion constraints
Security Review	Signatures, package vulnerabilities, MCP sandbox, tool permissions
Vendor Review	Provider/subprocessor, contract, SLA, support access, exit
Release Gate	Manifest completeness, eval result, vulnerabilities, rights and approvals
Quarterly Portfolio Review	Concentration, KRI trend, exit rehearsal and policy updates

Evidence binder:

Folder	Contents
`01-scope`	Workflow scope, approved use, prohibited use, risk tier
`02-aibom`	Component records, release manifest, dependency graph
`03-rights`	License reviews, data-use decisions, vendor terms
`04-security`	Signatures, scans, MCP reviews, tool permissions
`05-eval`	Eval datasets, rubrics, results, reviewer calibration
`06-runtime`	Trace completeness report, component usage samples
`07-response`	Vulnerability records, impact queries, containment evidence
`08-exit`	Export tests, fallback route, index rebuild, deletion certificates

15. 30-Day Lab

Goal: Build an AI BOM and provenance response pack for one financial retail AI workflow.

Day	Task	Output
1	Select workflow, business owner, customer impact and risk tier.	Workflow scope one-pager
2	Draw AI workflow from user input to model, RAG, tools, output and trace.	Data and component flow
3	Link formal model inventory records to the workflow.	Model linkage table
4	Identify non-model components: prompts, corpora, tools, MCP, eval, telemetry.	Draft AI BOM
5	Identify providers, subprocessors and human review vendors.	Component-to-vendor map
6	Classify data exposure by component.	Data exposure matrix
7	Record license and data-rights restrictions.	Rights review table
8	Define component IDs and version naming convention.	Naming standard
9	Create model and model-route records.	Model component records
10	Create RAG corpus and source-registry records.	RAG component records
11	Create prompt pack and policy pack records.	Prompt component records
12	Create tool API and MCP server records.	Tool and MCP records
13	Create eval dataset and rubric records.	Eval component records
14	Create telemetry and evidence-store records.	Telemetry component records
15	Build release manifest with signatures and approvals.	Signed manifest draft
16	Design provenance events and trace fields.	Provenance event schema
17	Write three impact queries for model, corpus and MCP issue.	Impact query pack
18	Define vulnerability severity matrix and SLA.	Response policy
19	Simulate stale RAG corpus issue.	Incident response record
20	Simulate MCP connector over-permission issue.	Tool containment record
21	Simulate license restriction issue.	Rights response record
22	Define dashboards and KRIs.	Dashboard spec
23	Map RACI across business, PM, BA, architect and risk.	RACI table
24	Create exit plan for one critical component.	Component exit runbook
25	Run mini exit rehearsal for RAG index rebuild or model reroute.	Exit evidence
26	Connect AI BOM to model inventory and vendor inventory.	Cross-inventory mapping
27	Build portfolio evidence binder.	Evidence pack
28	Write 30-second and 2-minute interview answer.	Interview script
29	Review against CISA, NIST SSDF, OWASP, NIST AI RMF and SR 26-2 anchors.	Source alignment memo
30	Present final architecture narrative.	10-minute portfolio walkthrough

16. Interview Answers

16.1 30-Second Version

AI BOM is the component-level traceability layer for GenAI systems. I would not stop at SBOM or model inventory. For a financial AI workflow, I would track models, providers, datasets, RAG corpora, prompt packs, tools, MCP servers, eval datasets, human review vendors, telemetry stores, open-source packages, licenses, versions, signatures and runtime usage. The goal is to answer: which exact components produced this output, what rights and risks attach to them, and how fast can we contain or replace them if something changes.

16.2 2-Minute Version

In financial retail, AI supply chain is broader than software supply chain. A customer service Copilot might depend on a hosted model, an internal policy corpus, an embedding model, prompt templates, transaction summary tools, an MCP CRM connector, eval datasets, human QA reviewers and a trace store. Any one of those can change behavior, expose data, break audit replay or create vendor lock-in.

I would build AI BOM as a registry plus provenance event log plus impact graph. The registry stores each component's owner, supplier, version, rights, approved use, risk tier, signature and exit option. The provenance event log records registration, verification, approval, deployment, runtime use, evaluation, vulnerability and retirement. The impact graph lets us answer response questions such as which outputs used a stale corpus, which workflows rely on one MCP server, or which eval sets contain production-derived data.

I would connect this to NIST AI RMF for governance, NIST SSDF for secure build and response discipline, OWASP LLM Top 10 for AI-native supply-chain risks, CISA SBOM for component transparency, and SR 26-2 for the model-risk anchor. The nuance is that SR 26-2 model inventory remains important, but AI BOM must include non-model components that materially affect outcomes.

16.3 Q: How is this different from vendor risk management?

Vendor risk management evaluates supplier lifecycle, contracts, financial condition, controls, subprocessors, SLA and exit. AI BOM operates one level deeper: it identifies component versions and runtime usage. A single vendor may supply many components, and a single workflow may depend on many vendors. AI BOM lets us scope exactly which component caused risk and which workflows, traces and outputs are affected.

16.4 Q: What components belong in an AI BOM?

Everything that can influence behavior, data exposure, evidence, rights, cost or exit belongs in scope: foundation model, embedding model, reranker, datasets, RAG corpus, prompt pack, policy pack, tool schema, MCP server, connector, eval dataset, human review vendor, telemetry schema, trace store, open-source packages, licenses and provider contracts.

16.5 Q: How would you respond to a poisoned RAG corpus?

First, flag the corpus component and query the impact graph to find affected workflows, outputs and cases. Second, contain by marking the source inactive, purging chunks, rebuilding the index, and forcing human review for affected answer categories. Third, run regression tests focused on the poisoned content and related policy scenarios. Fourth, update the AI BOM status, preserve evidence, notify owners and decide whether customer remediation or regulatory escalation is needed.

16.6 Q: Why are eval datasets part of supply chain?

Eval datasets determine what the system is allowed to ship. If an eval set is stale, biased, leaked, production-derived without rights, or missing adversarial cases, the release gate becomes false confidence. Eval sets need owners, versions, provenance, sensitivity classification, rights, retention, reviewer calibration and coverage mapping.

16.7 Q: How do MCP servers change AI supply-chain risk?

MCP servers expose tools and context to agents. Their manifests, descriptions, tokens and tool results can influence model behavior. A malicious or over-permissioned MCP server can cause data exfiltration, unauthorized tool calls or cross-agent propagation. AI BOM should track MCP server version, allowed methods, token scope, sandbox, signature, owner, runtime usage and kill switch.

16.8 Q: What would you show an executive?

I would show a simple heatmap: high-risk AI workflows, critical components, provider concentration, unsigned or unreviewed components, vulnerabilities past SLA, traces with complete component evidence, and exit readiness. The executive message is that the institution can identify dependencies, prove what produced customer-impacting outputs, respond quickly to component issues, and avoid uncontrolled lock-in.

17. Minimum Practice Checklist

Area	Done standard
Scope	Workflow, owner, risk tier, approved and prohibited use are documented.
Component coverage	Model, data, RAG, prompt, tool, MCP, eval, human, telemetry and package components are assessed.
Metadata	Owner, supplier, version, rights, risk tier, signature, approval and exit fields are complete.
Provenance	Component lifecycle and runtime usage events are captured.
Release	Production manifests are signed and release-gated.
Response	Impact queries and containment actions are tested.
Rights	License and data-use restrictions are recorded.
Vendor	Component-to-vendor and subprocessor mapping is current.
KRI	Dashboards show completeness, vulnerabilities, concentration and exit readiness.
MRM	Formal model inventory is linked to AI BOM manifests.