From c676586aadb43e3d0df04a3e93731fe5112ef217 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 30 Apr 2026 09:56:05 -0500 Subject: [PATCH 001/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md diff --git a/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md b/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md new file mode 100644 index 00000000..a1ca7841 --- /dev/null +++ b/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md @@ -0,0 +1,20 @@ +# Appendix A: ML-BOM mappings to the European Union's Artificial Intelligence Act (EU AI Act) + +This appendix provides a mapping between the EU AI Act's prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. + +### Summary of the EU AI Act + +The AI Act requires model providers to report extensive information on the models they produce to be used for risk assessment and compliance purposes. This act, effectively endorses moving away from the current non-normative publication of model cards and research papers (or similar or documentation) towards normative and standardized methods such as AI/ML Bills-of-Materials (AI BOMs). + +In order to fulfill requirements of the act, providers must create and maintain up-to-date technical documentation, which includes providing a detailed description of the model’s capabilities, limitations, and intended use. + +Some of these model documentation requirements include: + +- General description, architecture, number of parameters and capabilities. +- Training data provenance, methodologies and scope. +- Evaluation results and performance benchmarks. +- Known limitations and intended use cases. +- Disclosing energy consumption and other environmental impacts. + +### EU AI Act mappings + From 21bee3c21c296d92cf4350da917e459cd23861a4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 08:29:48 -0500 Subject: [PATCH 002/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md | 102 +++++++++++++++++- ...on => 0x92_Appendix-C_Complete_Example.md} | 13 ++- 2 files changed, 112 insertions(+), 3 deletions(-) rename ML-BOM/en/{1.7_schema_example_v1.json => 0x92_Appendix-C_Complete_Example.md} (98%) diff --git a/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md b/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md index a1ca7841..3dbd27b0 100644 --- a/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md +++ b/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md @@ -1,10 +1,10 @@ # Appendix A: ML-BOM mappings to the European Union's Artificial Intelligence Act (EU AI Act) -This appendix provides a mapping between the EU AI Act's prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. +This appendix provides a mapping between the [EU AI Act's](https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng#anx_XI) prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. ### Summary of the EU AI Act -The AI Act requires model providers to report extensive information on the models they produce to be used for risk assessment and compliance purposes. This act, effectively endorses moving away from the current non-normative publication of model cards and research papers (or similar or documentation) towards normative and standardized methods such as AI/ML Bills-of-Materials (AI BOMs). +The AI Act requires model providers to report extensive information on the models they produce to be used for risk assessment and compliance purposes. This act, effectively endorses moving away from the current non-normative publication of model cards and research papers (or similar or documentation) towards normative and standardized methods such as AI/ML Bills-of-Materials (AI/ML-BOMs). Specifically, AIBOMs are recognized as a key method for creating the technical documentation required by the EU AI Act (Article 11 and Annex IV). In order to fulfill requirements of the act, providers must create and maintain up-to-date technical documentation, which includes providing a detailed description of the model’s capabilities, limitations, and intended use. @@ -18,3 +18,101 @@ Some of these model documentation requirements include: ### EU AI Act mappings +This section provides mappings of the EU AI Act's requirements to sections of this guide that show how CycloneDX can accommodate these requirements. + +#### EU AI Act: ANNEX XI + +This section contains mappings for the EU AI Act, ANNEX XI. + + +Technical documentation referred to in Article 53(1), point (a) — technical documentation for providers of general-purpose AI models + +Section 1 + +Information to be provided by all providers of general-purpose AI models + +The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: + +1. + + +A general description of the general-purpose AI model including: + +(a) + + +the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; + +(b) + + +the acceptable use policies applicable; + +(c) + + +the date of release and methods of distribution; + +(d) + + +the architecture and number of parameters; + +(e) + + +the modality (e.g. text, image) and format of inputs and outputs; + +(f) + + +the licence. + +2. + + +A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: + +(a) + + +the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; + +(b) + + +the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; + +(c) + + +information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; + +(d) + + +the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; + +(e) + + +known or estimated energy consumption of the model. + +With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. + +Section 2 + +Additional information to be provided by providers of general-purpose AI models with systemic risk + + +1. + A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. + + +2. + Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. + + +3. + Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. + diff --git a/ML-BOM/en/1.7_schema_example_v1.json b/ML-BOM/en/0x92_Appendix-C_Complete_Example.md similarity index 98% rename from ML-BOM/en/1.7_schema_example_v1.json rename to ML-BOM/en/0x92_Appendix-C_Complete_Example.md index 8cc0ac65..022a8ca7 100644 --- a/ML-BOM/en/1.7_schema_example_v1.json +++ b/ML-BOM/en/0x92_Appendix-C_Complete_Example.md @@ -1,3 +1,13 @@ +# Appendix C: References + +This appendix includes a complete AI/ML BOM example that combines most of the isolated examples for the Qwen model shown throughout this guide. + +#### Example: Qwen-7B AI/ML BOM + + +> **Note**: For brevity, the `formulation` entry for the model's training only describes the top-level `workflow` topology (i.e., the run-time "stack"), but none of the `tasks` or `steps` that could be detailed. + +```json { "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", @@ -436,4 +446,5 @@ ] } ] -} \ No newline at end of file +} +``` \ No newline at end of file From 29ef3da287e356f4a30a5f92b3635fdc1356e02a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 08:43:07 -0500 Subject: [PATCH 003/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x91-Appendix-B_References.md | 2 +- ...md => 0x92-Appendix-EU-AI-Act-mappings.md} | 40 +++++++++++++++++-- ...md => 0x93_Appendix-C_Complete_Example.md} | 0 3 files changed, 37 insertions(+), 5 deletions(-) rename ML-BOM/en/{0x80-Appendix-eu-ai-act-mappings.md => 0x92-Appendix-EU-AI-Act-mappings.md} (50%) rename ML-BOM/en/{0x92_Appendix-C_Complete_Example.md => 0x93_Appendix-C_Complete_Example.md} (100%) diff --git a/ML-BOM/en/0x91-Appendix-B_References.md b/ML-BOM/en/0x91-Appendix-B_References.md index 9046f164..6f12f94b 100644 --- a/ML-BOM/en/0x91-Appendix-B_References.md +++ b/ML-BOM/en/0x91-Appendix-B_References.md @@ -27,7 +27,7 @@ This appendix includes references to resources, standards, technologies, and mod * [ECMA-428 Common Lifecycle Enumeration (CLE) specification](https://ecma-international.org/publications-and-standards/standards/ecma-428/) - The CLE provides a standardized format for communicating software component lifecycle events in a machine-readable format. * [European Union's Cyber Resilience Act (EU CRA)](https://www.european-cyber-resilience-act.com/) * [Cyber Resilience Act (CRA)](https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Articles.html) - "The Final Text" -* [EU’s AI Act](https://artificialintelligenceact.eu/) ([text](https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng)) - The European Union's comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy. +* [EU’s AI Act](https://artificialintelligenceact.eu/) ([text](https://artificialintelligenceact.eu/ai-act-explorer/)) - The European Union's comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy. * [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) * [Annex XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/annex/11/) * [Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models) diff --git a/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md similarity index 50% rename from ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md rename to ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 3dbd27b0..11a40870 100644 --- a/ML-BOM/en/0x80-Appendix-eu-ai-act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -1,6 +1,6 @@ # Appendix A: ML-BOM mappings to the European Union's Artificial Intelligence Act (EU AI Act) -This appendix provides a mapping between the [EU AI Act's](https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng#anx_XI) prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. +This appendix provides a mapping between the [EU AI Act's]() prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. ### Summary of the EU AI Act @@ -20,12 +20,44 @@ Some of these model documentation requirements include: This section provides mappings of the EU AI Act's requirements to sections of this guide that show how CycloneDX can accommodate these requirements. -#### EU AI Act: ANNEX XI +#### Article 53: Obligations for Providers of General-Purpose AI Models -This section contains mappings for the EU AI Act, ANNEX XI. +This section contains mappings for [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) which is part of [Chapter V: General-Purpose AI Models](https://artificialintelligenceact.eu/chapter/5/). +##### Mappings + +1. Providers of general-purpose AI models shall: + +(a) draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities; + +(b) draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: + +(i) enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and + +(ii) contain, at a minimum, the elements set out in Annex XII; + +(c) put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; + +(d) draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. + +2. The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. + +3. Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. + +4. Providers of general-purpose AI models may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. + +5. For the purpose of facilitating compliance with Annex XI, in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with Article 97 to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. + +6. The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. + +7. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. + +--- + +#### ANNEX XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models + +This section contains mappings for [ANNEX XI: Technical Documentation Referred to in Article 53](https://artificialintelligenceact.eu/annex/11/). -Technical documentation referred to in Article 53(1), point (a) — technical documentation for providers of general-purpose AI models Section 1 diff --git a/ML-BOM/en/0x92_Appendix-C_Complete_Example.md b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md similarity index 100% rename from ML-BOM/en/0x92_Appendix-C_Complete_Example.md rename to ML-BOM/en/0x93_Appendix-C_Complete_Example.md From 11e8c8b003883959a9194d65aaab43085575018c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 08:46:13 -0500 Subject: [PATCH 004/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x91-Appendix-B_References.md | 2 +- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x91-Appendix-B_References.md b/ML-BOM/en/0x91-Appendix-B_References.md index 6f12f94b..87c986c8 100644 --- a/ML-BOM/en/0x91-Appendix-B_References.md +++ b/ML-BOM/en/0x91-Appendix-B_References.md @@ -27,7 +27,7 @@ This appendix includes references to resources, standards, technologies, and mod * [ECMA-428 Common Lifecycle Enumeration (CLE) specification](https://ecma-international.org/publications-and-standards/standards/ecma-428/) - The CLE provides a standardized format for communicating software component lifecycle events in a machine-readable format. * [European Union's Cyber Resilience Act (EU CRA)](https://www.european-cyber-resilience-act.com/) * [Cyber Resilience Act (CRA)](https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Articles.html) - "The Final Text" -* [EU’s AI Act](https://artificialintelligenceact.eu/) ([text](https://artificialintelligenceact.eu/ai-act-explorer/)) - The European Union's comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy. +* [EU AI Act](https://artificialintelligenceact.eu/) ([index](https://artificialintelligenceact.eu/ai-act-explorer/)) - The European Union's comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy. * [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) * [Annex XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/annex/11/) * [Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 11a40870..2b7529cb 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -1,6 +1,6 @@ # Appendix A: ML-BOM mappings to the European Union's Artificial Intelligence Act (EU AI Act) -This appendix provides a mapping between the [EU AI Act's]() prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. +This appendix provides a mapping between the [EU’s AI Act](https://artificialintelligenceact.eu/) prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. ### Summary of the EU AI Act From 383ef2b1098ad9c13e1b3a7d95740598221f5858 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 10:37:58 -0500 Subject: [PATCH 005/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 149 ++++-------------- 1 file changed, 35 insertions(+), 114 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 2b7529cb..6838f453 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -26,31 +26,21 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen ##### Mappings -1. Providers of general-purpose AI models shall: - -(a) draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities; - -(b) draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: - -(i) enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and - -(ii) contain, at a minimum, the elements set out in Annex XII; - -(c) put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; - -(d) draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. - -2. The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. - -3. Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. - -4. Providers of general-purpose AI models may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. - -5. For the purpose of facilitating compliance with Annex XI, in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with Article 97 to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. - -6. The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. - -7. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. +| Section | Text | Guide references | +| --- | --- | --- | +| 1. | Providers of general-purpose AI models shall: | N/A | +| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | +| 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | | +| 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | | +| 1.(b).(ii) |contain, at a minimum, the elements set out in Annex XII; | | +| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | +| 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. +| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | | +| 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | +| 5. | For the purpose of facilitating compliance with Annex XI, in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with Article 97 to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | +| 6. | The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. | | +| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. | | --- @@ -59,92 +49,23 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen This section contains mappings for [ANNEX XI: Technical Documentation Referred to in Article 53](https://artificialintelligenceact.eu/annex/11/). -Section 1 - -Information to be provided by all providers of general-purpose AI models - -The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: - -1. - - -A general description of the general-purpose AI model including: - -(a) - - -the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; - -(b) - - -the acceptable use policies applicable; - -(c) - - -the date of release and methods of distribution; - -(d) - - -the architecture and number of parameters; - -(e) - - -the modality (e.g. text, image) and format of inputs and outputs; - -(f) - - -the licence. - -2. - - -A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: - -(a) - - -the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; - -(b) - - -the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; - -(c) - - -information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; - -(d) - - -the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; - -(e) - - -known or estimated energy consumption of the model. - -With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. - -Section 2 - -Additional information to be provided by providers of general-purpose AI models with systemic risk - - -1. - A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. - - -2. - Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. - - -3. - Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. - +| Section | Text | Guide references | +| --- | --- | --- | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | +| 1.1 | A general description of the general-purpose AI model including: | N/A | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | | +| 1.1.(b) |the acceptable use policies applicable; | | +| 1.1.(c) |the date of release and methods of distribution; | | +| 1.1.(d) |the architecture and number of parameters; | | +| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | +| 1.1.(f) | the licence. | | +| 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | | +| 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | From cabe164f3cc34d8da61cf98b6f45c909a907df4d Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 10:43:38 -0500 Subject: [PATCH 006/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6838f453..cd29b87c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -29,18 +29,18 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | Section | Text | Guide references | | --- | --- | --- | | 1. | Providers of general-purpose AI models shall: | N/A | -| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | +| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | | 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | | | 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | | -| 1.(b).(ii) |contain, at a minimum, the elements set out in Annex XII; | | +| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | | | 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | -| 5. | For the purpose of facilitating compliance with Annex XI, in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with Article 97 to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | -| 6. | The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. | | -| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | +| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | +| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | +| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | --- @@ -51,7 +51,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Text | Guide references | | --- | --- | --- | -| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | | 1.1 | A general description of the general-purpose AI model including: | N/A | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | | | 1.1.(b) |the acceptable use policies applicable; | | From 220bba7527057ed3ea019ae1a1b0a12c94fefc15 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 11:49:21 -0500 Subject: [PATCH 007/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index cd29b87c..5081033c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -35,7 +35,7 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | | | 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. -| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | | +| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | | | 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | | 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | @@ -53,7 +53,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | | 1.1 | A general description of the general-purpose AI model including: | N/A | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)| | 1.1.(b) |the acceptable use policies applicable; | | | 1.1.(c) |the date of release and methods of distribution; | | | 1.1.(d) |the architecture and number of parameters; | | From 0c782f2c8e1ba2af3f2ac3b0c0e0e32aeb812693 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 12:39:52 -0500 Subject: [PATCH 008/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 5081033c..acbf40c0 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -52,8 +52,8 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Text | Guide references | | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | -| 1.1 | A general description of the general-purpose AI model including: | N/A | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)| +| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) metadata:component:
- type: "machine-learning-model"
- name:
- version
- description
- supplier
- manufacturer
- publisher | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | | 1.1.(b) |the acceptable use policies applicable; | | | 1.1.(c) |the date of release and methods of distribution; | | | 1.1.(d) |the architecture and number of parameters; | | From 20db29929a595a4559ddeb5c8930f2d97139b1b1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 13:35:38 -0500 Subject: [PATCH 009/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index acbf40c0..8ffc0c5b 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -1,6 +1,6 @@ # Appendix A: ML-BOM mappings to the European Union's Artificial Intelligence Act (EU AI Act) -This appendix provides a mapping between the [EU’s AI Act](https://artificialintelligenceact.eu/) prose requirements and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. +This appendix provides a mapping between the [EU’s AI Act](https://artificialintelligenceact.eu/) prose requirements, as well as the more prescriptive [Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models), and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. ### Summary of the EU AI Act @@ -16,9 +16,13 @@ Some of these model documentation requirements include: - Known limitations and intended use cases. - Disclosing energy consumption and other environmental impacts. -### EU AI Act mappings +### Summary of the Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models -This section provides mappings of the EU AI Act's requirements to sections of this guide that show how CycloneDX can accommodate these requirements. +On July 24, 2025, the European Commission released the mandatory Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI (GPAI) models, a key compliance step under [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the EU AI Act.This template serves as a mandatory minimum baseline for all GPAI providers, including those using open-source licenses, to publicly disclose information about their training data. + +### EU AI Act & Explanatory template mappings + +This section provides mappings of the EU AI Act's written and templated requirements to sections of this guide that show how CycloneDX can accommodate these requirements. #### Article 53: Obligations for Providers of General-Purpose AI Models @@ -69,3 +73,15 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | + +#### Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models mappings + +The Explanatory Notice and Template seeks to address +relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: + +*Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office.* + +As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of the AI Act: + +*In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model.* + From bc26403b4572439e28861229358157ebb9010595 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 14:51:44 -0500 Subject: [PATCH 010/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8ffc0c5b..e62b8fbd 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -26,6 +26,7 @@ This section provides mappings of the EU AI Act's written and templated requirem #### Article 53: Obligations for Providers of General-Purpose AI Models + This section contains mappings for [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) which is part of [Chapter V: General-Purpose AI Models](https://artificialintelligenceact.eu/chapter/5/). ##### Mappings @@ -74,7 +75,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | -#### Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models mappings +#### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 The Explanatory Notice and Template seeks to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: @@ -85,3 +86,40 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t *In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model.* +##### Mappings + +| Section | Text | Commentary | Guide references | +| --- | --- | --- | --- | +| 1. | General information | | | +| 1.1 | Provider identification | | | +| 1.1.(i) | Provider name and contact details | | | +| 1.1.(ii) | Authorised representative name and contact details | | | +| 1.2 | Model identification | | | +| 1.2.(i) | Versioned model name(s) | | | +| 1.2.(ii) | Model dependencies | | | +| 1.2.(iii) | Date of placement of the model on the Union market: | | | +| 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | | | +| 1.3.(ii) | Training data size | | | +| 1.3.(ii) | Types of content | | | +| 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | +| 2.1 | Publicly available datasets | | | +| 2.2 | Private non-publicly available datasets obtained from third parties | | | +| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | +| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | +| 2.2.2 | Private datasets obtained from other third parties | | | +| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | +| 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | +| 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | +| 2.2.2.(iv) | Additional comments *(Providers may also disclose other relevant information on a voluntary basis, e.g. the period of data collection, size of the datasets and further details.)* | | | +| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if If crawlers were used for data collection. | | +| 2.3.(i) | specify crawler name(s)/identifier(s) | | | +| 2.3.(ii) | Purposes of the crawler(s) | | | +| 2.3.(iii) | General description of crawler behaviour | | | +| 2.3.(iv) | Period of data collection | | | +| 2.3.(v) | Comprehensive description of the type of content and online sources crawled | | | +| 2.3.(vi) | Type of modality covered | | | +| 2.3.(vii) | Summary of the most relevant domain names crawled | | | +| 2.3.(viii) | Additional comments *(Providers may also disclose other relevant information on a voluntary basis, for instance more domain names than those required in the list above and/or URLs and the sources of individual works.)* | | | + + From 717ec1fb3624f68f7c908b6839b3c3f895c1edd8 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 15:23:22 -0500 Subject: [PATCH 011/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e62b8fbd..02e11257 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -111,8 +111,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | -| 2.2.2.(iv) | Additional comments *(Providers may also disclose other relevant information on a voluntary basis, e.g. the period of data collection, size of the datasets and further details.)* | | | -| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if If crawlers were used for data collection. | | +| 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | +| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | | 2.3.(i) | specify crawler name(s)/identifier(s) | | | | 2.3.(ii) | Purposes of the crawler(s) | | | | 2.3.(iii) | General description of crawler behaviour | | | @@ -120,6 +120,20 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 2.3.(v) | Comprehensive description of the type of content and online sources crawled | | | | 2.3.(vi) | Type of modality covered | | | | 2.3.(vii) | Summary of the most relevant domain names crawled | | | -| 2.3.(viii) | Additional comments *(Providers may also disclose other relevant information on a voluntary basis, for instance more domain names than those required in the list above and/or URLs and the sources of individual works.)* | | | - - +| 2.3.(viii) | Additional comments *(optional)* | *e.g., domain names, URLs and the sources of individual works* | | +| 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | | | +| 2.4.(i) | provide a general description of the +provider’s services or products that were used to +collect the user data | | | +| 2.4.(ii) | Additional comments *(optional)* | | | +| 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | | | +| 2.5.(i) | modality of the synthetic data | | | | +| 2.5.(ii) | specify the general-purpose AI model(s) used to generate the synthetic data if available on the market | | | | +| 2.5.(iii) | Information about other AI models, including provider’s own AI model(s) not available on the market, used to generate synthetic data to train the model | | | | +| 2.5.(iv) | Additional comments *(optional)* | | | +| 2.6 | Other sources of data | The following subsections only apply if other information sources were used. | | | +| 2.6.(i) | provide a narrative description of these data sources and the data | | | +| 2.5.(ii) | Additional comments *(optional)* | | | +| 3 | Data processing aspects The following subsections only apply if synthetic information sources were used. | N/A | | +| 3.1 | Respect of reservation of rights from text and data mining exception or limitation | *(measures implemented by the provider to identify and comply with the reservation of rights from the text and data mining (TDM) exception or limitation expressed pursuant to Article 4(3))* | | +| 3.1.(i) | Additional comments *(optional)* | | | From ccd2bd6b36a918ea39010893bdc5051843bbbfb6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 1 May 2026 15:26:02 -0500 Subject: [PATCH 012/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 02e11257..229b01dd 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -137,3 +137,5 @@ collect the user data | | | | 3 | Data processing aspects The following subsections only apply if synthetic information sources were used. | N/A | | | 3.1 | Respect of reservation of rights from text and data mining exception or limitation | *(measures implemented by the provider to identify and comply with the reservation of rights from the text and data mining (TDM) exception or limitation expressed pursuant to Article 4(3))* | | | 3.1.(i) | Additional comments *(optional)* | | | +| 3.2 | Removal of illegal content | *measures taken to avoid or remove illegal content under Union law from the training data (such as blacklists, keywords, and model-based classifiers), without requiring disclosure of specific details about the provider’s internal business practices or trade secrets* | | +| 3.3 | Other information *(optional)* | *Other relevant information about data processing* | | From 2fb58a712c03803e5ad616e522082af116ac5365 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 08:37:29 -0500 Subject: [PATCH 013/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 229b01dd..676854b4 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -57,10 +57,10 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Text | Guide references | | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | -| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) metadata:component:
- type: "machine-learning-model"
- name:
- version
- description
- supplier
- manufacturer
- publisher | +| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component):
- type: "machine-learning-model"
- name:
- version
- description
- supplier
- manufacturer
- publisher | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | | 1.1.(b) |the acceptable use policies applicable; | | -| 1.1.(c) |the date of release and methods of distribution; | | +| 1.1.(c) |the date of release and methods of distribution; | [metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | 1.1.(f) | the licence. | | From abad2233a875b1ec017795d1dfc38896daef9997 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 09:00:31 -0500 Subject: [PATCH 014/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- .../0x20-Design-Model-Component-Metadata.md | 49 ++++++++++++++++--- ML-BOM/en/0x93_Appendix-C_Complete_Example.md | 14 ++++++ 2 files changed, 57 insertions(+), 6 deletions(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index f0889d68..74e4a4ca 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -171,15 +171,33 @@ Organizations that produce BOMs for hardware or software components they produce The following example shows how a registered name for a fictional company, ACME, which registered the namespace `acme`, could provide a property to identify one of its internal ML models. ```json -"component": { - "properties": [ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + // ... + "metadata": + { + "component": { - "name": "acme:research:model:llm:id", - "value": "MODEL-ID-12345-INTERNAL" + "type": "machine-learning-model", + "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9", + // ... + "releaseNotes": [ + { + "type": "major", + "title": "Qwen 7B initial release", + "timestamp": "2023-08-03T15:30:00Z", + "notes": { + { + "locale": "en-US", + "text": "United States (US), English release date." + } + // ... + } + } + ] }, // ... - ], - // ... + } } ``` @@ -224,11 +242,30 @@ Each can be specifically identified in a CycloneDX component using a Package URL } ``` +##### Providing model release notes + +It is important to disclose information regarding a model's release. This is accomplished by utilizing the CycloneDX component's `releaseNotes` object and its fields. + +###### Example: releaseNotes + +```json +"component": +{ + "type": "machine-learning-model", + "purl": "pkg:github/onnx/models@4c46cd00fbdb7cd30b6c1c17ab54f2e1f4f7b177#validated/vision/object_detection_segmentation/tiny-yolov2/model", + "bom-ref": "pkg:github/onnx/models@244fd47#tiny-yolov2/model" + // ... +} +``` + ###### Field discussion * **type** - the type has the value `machine-learning-model` since the single file contains all the information (e.g., default configuration parameters, references to architectures and tokenizers, prompt template, etc.) needed to run the model in GGUF inference frameworks. + + + #### Describing a model repository as a CycloneDX assembly CycloneDX allows for declarations of software compositions (e.g., hardware products, software applications, packages, libraries, archives, etc.). diff --git a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md index 022a8ca7..34e609e8 100644 --- a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md +++ b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md @@ -31,6 +31,20 @@ This appendix includes a complete AI/ML BOM example that combines most of the is "name": "Qwen/Qwen-7B", "version": "ef3c5c9c57b252f3149c1408daf4d649ec8b6c85", "description": "Qwen-7B is a Transformer-based large language model, which is pretrained on a large volume of data, including web texts, books, codes, etc.", + "releaseNotes": [ + { + "type": "major", + "title": "Qwen 7B initial release", + "timestamp": "2023-08-03T15:30:00Z", + "notes": { + { + "locale": "en-US", + "text": "United States (US), English release date." + } + // ... + } + } + ], "externalReferences": [ { "type": "vcs", From 412ce55cd07bea7a1649062a1acdc94ff216759d Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 09:07:44 -0500 Subject: [PATCH 015/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x20-Design-Model-Component-Metadata.md | 1 + ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index 74e4a4ca..304b9dab 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -17,6 +17,7 @@ For convenience, here are links to the specific sections for each of those infor * [Describing models as components](#describing-models-as-components) * [Model repositories as components](#model-repositories-as-components) * [Model identifiers](#model-identifiers) + * [Providing model release notes](#providing-model-release-notes) * [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) * [Declaring a model's pedigree](#declaring-a-models-pedigree) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 676854b4..b06fa7e0 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -60,7 +60,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component):
- type: "machine-learning-model"
- name:
- version
- description
- supplier
- manufacturer
- publisher | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | | 1.1.(b) |the acceptable use policies applicable; | | -| 1.1.(c) |the date of release and methods of distribution; | [metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | +| 1.1.(c) |the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes)
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | 1.1.(f) | the licence. | | From 8d44bdd3a603070571aa095812cdf5843c51f25b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 09:35:07 -0500 Subject: [PATCH 016/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- .../0x20-Design-Model-Component-Metadata.md | 61 ++++++++++--------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index 304b9dab..714bf384 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -167,38 +167,20 @@ If the model being described by an ML-BOM is instead hosted in a GitHub reposito Organizations that produce BOMs for hardware or software components they produce may have multiple domain-specific identifiers for the same component. In these cases, it is best practice to register (reserve) an official namespace for these domains with the [CycloneDX Property Taxonomy](), which is the authoritative source of official namespaces used in CycloneDX `properties`. -###### Example: +###### Example: domain-specific identifiers The following example shows how a registered name for a fictional company, ACME, which registered the namespace `acme`, could provide a property to identify one of its internal ML models. ```json -{ - "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", - // ... - "metadata": - { - "component": +"component": { + "properties": [ { - "type": "machine-learning-model", - "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9", - // ... - "releaseNotes": [ - { - "type": "major", - "title": "Qwen 7B initial release", - "timestamp": "2023-08-03T15:30:00Z", - "notes": { - { - "locale": "en-US", - "text": "United States (US), English release date." - } - // ... - } - } - ] + "name": "acme:research:model:llm:id", + "value": "MODEL-ID-12345-INTERNAL" }, // ... - } + ], + // ... } ``` @@ -250,12 +232,33 @@ It is important to disclose information regarding a model's release. This is ac ###### Example: releaseNotes ```json -"component": { - "type": "machine-learning-model", - "purl": "pkg:github/onnx/models@4c46cd00fbdb7cd30b6c1c17ab54f2e1f4f7b177#validated/vision/object_detection_segmentation/tiny-yolov2/model", - "bom-ref": "pkg:github/onnx/models@244fd47#tiny-yolov2/model" + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", // ... + "metadata": + { + "component": + { + "type": "machine-learning-model", + "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9", + // ... + "releaseNotes": [ + { + "type": "major", + "title": "Qwen 7B initial release", + "timestamp": "2023-08-03T15:30:00Z", + "notes": { + { + "locale": "en-US", + "text": "United States (US), English release date." + } + // ... + } + } + ] + }, + // ... + } } ``` From cec62f16190f6a1686c9365817b72200958d9df3 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 13:21:32 -0500 Subject: [PATCH 017/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- .../0x20-Design-Model-Component-Metadata.md | 6 +- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 70 +++++++++---------- 2 files changed, 36 insertions(+), 40 deletions(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index 714bf384..6cb8ec40 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -229,7 +229,7 @@ Each can be specifically identified in a CycloneDX component using a Package URL It is important to disclose information regarding a model's release. This is accomplished by utilizing the CycloneDX component's `releaseNotes` object and its fields. -###### Example: releaseNotes +###### Example: release notes ```json { @@ -266,10 +266,6 @@ It is important to disclose information regarding a model's release. This is ac * **type** - the type has the value `machine-learning-model` since the single file contains all the information (e.g., default configuration parameters, references to architectures and tokenizers, prompt template, etc.) needed to run the model in GGUF inference frameworks. - - - - #### Describing a model repository as a CycloneDX assembly CycloneDX allows for declarations of software compositions (e.g., hardware products, software applications, packages, libraries, archives, etc.). diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index b06fa7e0..8cb0a560 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -31,21 +31,21 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen ##### Mappings -| Section | Text | Guide references | -| --- | --- | --- | -| 1. | Providers of general-purpose AI models shall: | N/A | -| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | -| 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | | -| 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | | -| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | | -| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | -| 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. -| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | -| 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | -| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | -| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | -| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | +| Section | Text | Guide references | Relevant Schema | +| --- | --- | --- | --- | +| 1. | Providers of general-purpose AI models shall: | N/A | N/A | +| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | | +| 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | | | +| 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | | | +| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | | | +| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | | +| 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | | +| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | N/A | +| 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | N/A | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | | +| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | | +| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | | +| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | | --- @@ -54,26 +54,26 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen This section contains mappings for [ANNEX XI: Technical Documentation Referred to in Article 53](https://artificialintelligenceact.eu/annex/11/). -| Section | Text | Guide references | -| --- | --- | --- | -| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | -| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component):
- type: "machine-learning-model"
- name:
- version
- description
- supplier
- manufacturer
- publisher | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | -| 1.1.(b) |the acceptable use policies applicable; | | -| 1.1.(c) |the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes)
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and number of parameters; | | -| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | -| 1.1.(f) | the licence. | | -| 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | -| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | -| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | | -| 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | -| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | +| Section | Text | Guide references | Relevant Schema | +| --- | --- | --- | --- | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | | +| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name:
- version
- description
- supplier
- manufacturer
- publisher | | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
-[component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(b) | the acceptable use policies applicable; | | | +| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) |
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | +| 1.1.(d) |the architecture and number of parameters; | | | +| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | +| 1.1.(f) | the licence. | | | +| 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | | | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | | +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | | | +| 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From dd06c3d52ba064149701876ade81efe011188c98 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 14:28:39 -0500 Subject: [PATCH 018/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8cb0a560..fa7159ec 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -56,12 +56,12 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Text | Guide references | Relevant Schema | | --- | --- | --- | --- | -| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | | -| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name:
- version
- description
- supplier
- manufacturer
- publisher | | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | +| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
-[component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | | | +| 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) |
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and number of parameters; | | | +| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | From 6fd33b8bf6bf98ee7c8c19472339ca56849ff3a9 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:06:08 -0500 Subject: [PATCH 019/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index fa7159ec..adaa08b3 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -58,9 +58,9 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
-[component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| -| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) |
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
*Supports multiple releases notes for the associated model/version.* | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| +| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component: -
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | From b773005690f22ba32ff31191bab1560d1536e8e2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:13:01 -0500 Subject: [PATCH 020/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index adaa08b3..4f83c7c8 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -61,7 +61,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component: -
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| | +| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| - [metadata.component.modelCard.modelParameters.architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- - [metadata.component.modelCard.modelParameters.modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | From 0ea94b286d816009e6ac607d18ec148019d42bbc Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:14:56 -0500 Subject: [PATCH 021/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 4f83c7c8..af220e3e 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -61,7 +61,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component: -
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| - [metadata.component.modelCard.modelParameters.architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- - [metadata.component.modelCard.modelParameters.modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | From 86a82fadb502d1db2655554d9ee7ddce29bfb372 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:16:13 -0500 Subject: [PATCH 022/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index af220e3e..15f08189 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -60,7 +60,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| -| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component: -
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | +| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | From fb2b6e7946a0dc566cdaa0c56c1ee3059052a014 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:20:08 -0500 Subject: [PATCH 023/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 15f08189..6ef7406d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -58,10 +58,10 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | - [component.modelCard.considerations.users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [component.modelCard.considerations.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
[Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and n<- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | | 1.1.(f) | the licence. | | | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | From 2148494b5066b571ddcc9e48021b8177a3b0805b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 15:50:37 -0500 Subject: [PATCH 024/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6ef7406d..e8efe25f 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -31,21 +31,21 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen ##### Mappings -| Section | Text | Guide references | Relevant Schema | -| --- | --- | --- | --- | -| 1. | Providers of general-purpose AI models shall: | N/A | N/A | -| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | | | -| 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | | | -| 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | | | -| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | | | -| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; | | | +| Section | Text | Guide references | +| --- | --- | --- | +| 1. | Providers of general-purpose AI models shall: | N/A | +| 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | See [Annex XI: mappings](#annex-xi-mappings) | +| 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | This effectively describes the AI/ML BOM document in its entirety. | +| 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | [Model design considerations](0x24-Design-Model-Card-Considerations.md#model-design-considerations) | +| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | See [Annex XI: mappings](#annex-xi-mappings) | +| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
- See: Oxford: Journal of Intellectual Property Law & Practice["The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)

CycloneDX enables various methods of conveying non-normative and legal information; primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` and fields. | | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | | -| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | N/A | -| 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | N/A | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | | -| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | | -| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | | -| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | | +| 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | +| 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | +| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | +| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | +| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | --- @@ -53,8 +53,9 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen This section contains mappings for [ANNEX XI: Technical Documentation Referred to in Article 53](https://artificialintelligenceact.eu/annex/11/). +# Annex XI mappings -| Section | Text | Guide references | Relevant Schema | +| Section | Text | Guide references | Relevant schema | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | From aa4d0c907404b55f1d40ceeeb1d86e671f6e9982 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 4 May 2026 16:17:53 -0500 Subject: [PATCH 025/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e8efe25f..f8f1f3aa 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -59,7 +59,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
[Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [.userCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
[Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | From 4588f4451405891e5ea60b6475740439c43a95dd Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 5 May 2026 08:35:08 -0500 Subject: [PATCH 026/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f8f1f3aa..e00f4832 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -39,7 +39,7 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | [Model design considerations](0x24-Design-Model-Card-Considerations.md#model-design-considerations) | | 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | See [Annex XI: mappings](#annex-xi-mappings) | | 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
- See: Oxford: Journal of Intellectual Property Law & Practice["The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)

CycloneDX enables various methods of conveying non-normative and legal information; primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` and fields. | -| 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | | +| 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | The CycloneDX model card's parameter object allows for a description of the model's Training [Approach](0x22-Design-Model-Card-Parameters.md#approach).

**Note**: CycloneDX, as a Bills-of-Materials standard, accounts for each dataset as its own, fully described, component. See [Declaring Datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets). | | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | | 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | From eeb72446d8c26f25e97023abe379cb264b0b6245 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 5 May 2026 15:49:18 -0500 Subject: [PATCH 027/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e00f4832..f00d0a36 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -37,12 +37,12 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | See [Annex XI: mappings](#annex-xi-mappings) | | 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | This effectively describes the AI/ML BOM document in its entirety. | | 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | [Model design considerations](0x24-Design-Model-Card-Considerations.md#model-design-considerations) | -| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | See [Annex XI: mappings](#annex-xi-mappings) | -| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
- See: Oxford: Journal of Intellectual Property Law & Practice["The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)

CycloneDX enables various methods of conveying non-normative and legal information; primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` and fields. | +| 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | Annex XII: "Technical Documentation for Providers of General-Purpose AI Models to Downstream Providers that Integrate the Model into Their AI System"
**Note**: CycloneDX can fully describe an AI/ML model that is part of, or used by, an application or service via contextual or referential inclusion as components in a Software Bill-of-Materials (SBOM) or Software-as-a-Service Bill-of-Materials (SaaSBOM). | +| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
- See: Oxford: Journal of Intellectual Property Law & Practice["The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)

CycloneDX enables various methods of conveying non-normative and legal information. Primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` fields. | | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | The CycloneDX model card's parameter object allows for a description of the model's Training [Approach](0x22-Design-Model-Card-Parameters.md#approach).

**Note**: CycloneDX, as a Bills-of-Materials standard, accounts for each dataset as its own, fully described, component. See [Declaring Datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets). | | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](artificialintelligenceact.eu/article/56) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | | 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | | 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | | 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | From 7934271eab5ed0f89aae3de49da9570038f157a9 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 5 May 2026 16:11:00 -0500 Subject: [PATCH 028/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f00d0a36..cc34ce00 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -42,7 +42,7 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | The CycloneDX model card's parameter object allows for a description of the model's Training [Approach](0x22-Design-Model-Card-Parameters.md#approach).

**Note**: CycloneDX, as a Bills-of-Materials standard, accounts for each dataset as its own, fully described, component. See [Declaring Datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets). | | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | In short, article 56 references further creation of new "Codes of Practice" that provide:
• a means to ensure that the information, referred to in Article 53, is kept up to date.
• an adequate level of detail for the summary about the content used for training;
• identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;
• measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks.

As these codes are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX. | | 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | | 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | | 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | From 012e37f8937c75e9a1ab10137c472d24f040edbf Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 5 May 2026 16:58:19 -0500 Subject: [PATCH 029/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index cc34ce00..1e95d378 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -42,8 +42,8 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | The CycloneDX model card's parameter object allows for a description of the model's Training [Approach](0x22-Design-Model-Card-Parameters.md#approach).

**Note**: CycloneDX, as a Bills-of-Materials standard, accounts for each dataset as its own, fully described, component. See [Declaring Datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets). | | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | In short, article 56 references further creation of new "Codes of Practice" that provide:
• a means to ensure that the information, referred to in Article 53, is kept up to date.
• an adequate level of detail for the summary about the content used for training;
• identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;
• measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks.

As these codes are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX. | -| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | In short, Article 56 references further creation of new "Codes of Practice" that provide:
• a means to ensure that the information, referred to in Article 53, is kept up to date.
• an adequate level of detail for the summary about the content used for training;
• identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;
• measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks.

As these codes are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX. | +| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | In short, Article 97 provides for *"The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.* which would *"enter into force upon only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification*.

As any additional "delegated acts" are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX.| | 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | | 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | From a6a0c7c49f04da2d3226a014938a206a2d5b8a37 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 5 May 2026 17:10:09 -0500 Subject: [PATCH 030/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 1e95d378..6af95114 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -31,21 +31,21 @@ This section contains mappings for [Article 53: Obligations for Providers of Gen ##### Mappings -| Section | Text | Guide references | +| Section | Text | Guide references & commentary | | --- | --- | --- | | 1. | Providers of general-purpose AI models shall: | N/A | | 1.(a) | draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in [Annex XI](https://artificialintelligenceact.eu/annex/11/) for the purpose of providing it, upon request, to the AI Office and the national competent authorities; | See [Annex XI: mappings](#annex-xi-mappings) | | 1.(b) | draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: | This effectively describes the AI/ML BOM document in its entirety. | | 1.(b).(i) | enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and | [Model design considerations](0x24-Design-Model-Card-Considerations.md#model-design-considerations) | | 1.(b).(ii) |contain, at a minimum, the elements set out in [Annex XII](https://artificialintelligenceact.eu/annex/12/); | Annex XII: "Technical Documentation for Providers of General-Purpose AI Models to Downstream Providers that Integrate the Model into Their AI System"
**Note**: CycloneDX can fully describe an AI/ML model that is part of, or used by, an application or service via contextual or referential inclusion as components in a Software Bill-of-Materials (SBOM) or Software-as-a-Service Bill-of-Materials (SaaSBOM). | -| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
- See: Oxford: Journal of Intellectual Property Law & Practice["The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)

CycloneDX enables various methods of conveying non-normative and legal information. Primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` fields. | +| 1.(c) | put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of [Directive (EU) 2019/790](https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng); | **Intention**: *Article 4 in Directive 2019/790 (CDSMD), the European Union legislator intended to both encourage innovation and to provide more legal certainty for text and data mining (TDM) activities.*
• See commentary: [Oxford: Journal of Intellectual Property Law & Practice - "The text and data mining opt-out in Article 4(3) CDSMD: Adequate veto right for rightholders or a suffocating blanket for European artificial intelligence innovations?"](https://academic.oup.com/jiplp/article/19/5/453/7614898)
CycloneDX enables various methods of conveying non-normative and legal information. Primarily, this is accomplished via `externalReferences`, component `properties`, as well as through explicit `licenses` objects and `copyright` fields. | | 1.(d) | draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. | The CycloneDX model card's parameter object allows for a description of the model's Training [Approach](0x22-Design-Model-Card-Parameters.md#approach).

**Note**: CycloneDX, as a Bills-of-Materials standard, accounts for each dataset as its own, fully described, component. See [Declaring Datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets). | | 2. | The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. | N/A | | 3. | Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. | N/A | -| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | In short, Article 56 references further creation of new "Codes of Practice" that provide:
• a means to ensure that the information, referred to in Article 53, is kept up to date.
• an adequate level of detail for the summary about the content used for training;
• identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;
• measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks.

As these codes are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX. | -| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | In short, Article 97 provides for *"The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.* which would *"enter into force upon only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification*.

As any additional "delegated acts" are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX.| -| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | | -| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | | +| 4. | Providers of general-purpose AI models may rely on codes of practice within the meaning of [Article 56](https://artificialintelligenceact.eu/article/56/) to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. | In short, Article 56 references further creation of new "Codes of Practice" that provide:
• a means to ensure that the information, referred to in Article 53, is kept up to date.
• an adequate level of detail for the summary about the content used for training;
• identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;
• measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks.
As these codes are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX. | +| 5. | For the purpose of facilitating compliance with [Annex XI](https://artificialintelligenceact.eu/annex/11/), in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/) to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. | In short, Article 97 provides for *"The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.* which would *"enter into force upon only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification*.
As any additional "delegated acts" are developed, future revisions of this guide will provide updates to facilitate compliance using CycloneDX.| +| 6. | The Commission is empowered to adopt delegated acts in accordance with [Article 97](https://artificialintelligenceact.eu/article/97/)(2) to amend [Annexes XI](https://artificialintelligenceact.eu/annex/11) and [XII](https://artificialintelligenceact.eu/annex/12) in light of evolving technological developments. | *See commentary provided to paragraph 5.* | +| 7. | Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in [Article 78](https://artificialintelligenceact.eu/article/78/). | In short, Article 78 provides assurances to providers that their *"the intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code"* will remain confidential and protected by law when handled by regulators and officials.
The CycloneDX Bills-of-Materials (BOMs) format can be used to convey any information a provider chooses to encode subject to their legal discretion. | --- From 5f17f17d7269e6ea4b8ef47448554e985558c622 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 09:43:41 -0500 Subject: [PATCH 031/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ...x40-Design-Additional-Model-Information.md | 39 +++++++++++++++++++ ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/ML-BOM/en/0x40-Design-Additional-Model-Information.md b/ML-BOM/en/0x40-Design-Additional-Model-Information.md index 3a1e0a70..bc5d3823 100644 --- a/ML-BOM/en/0x40-Design-Additional-Model-Information.md +++ b/ML-BOM/en/0x40-Design-Additional-Model-Information.md @@ -7,6 +7,7 @@ Currently, the v1.7 CycloneDX specification may not have specific objects or fie For convenience, here are links to the specific sections for some of these acknowledged informational areas: * [Using CycloneDX AI/ML properties](#using-cyclonedx-aiml-properties) + * [Declaring a model's modalities](#declaring-a-models-modalities) * [Annotating a model's supported languages](#annotating-a-models-supported-languages) * [Providing free-form tags for search](#providing-free-form-tags-for-search) * [Tokenizers and prompt templates](#tokenizers-and-prompt-templates) @@ -20,6 +21,44 @@ For convenience, here are links to the specific sections for some of these ackno This section includes discussion and examples of supported AI/ML-related metadata properties that can be used to classify models in their model card information. This method utilizes reserved [AI/ML property names](https://github.com/CycloneDX/cyclonedx-property-taxonomy/cdx/ai-ml.md) registered under the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). +## Declaring a model's modalities + +Models are trained to support processing and analysis of one or more types types of input data for specific tasks or data modalities. + +* **Property name**: The CycloneDX reserved property taxonomy name to use to annotate a model with its supported modalities is: `cdx:ai-ml:model:modality` + +* **Property value**: The values for this property includes: + + * `text` - Natural Language Processing (NLP) and specializations such as Natural Language Understanding (NLU) for tasks like translation, summarization, conversation, classification and sentiment analysis. + * `code` - Specialized text-based modality used for software engineering and logic. + * `instruct` - Specialized text-based fine-tuned for understanding and executing natural language directives (i.e., instruction following). + * `image` (vision) - Computer vision for object detection, generation, and classification as well as document processing. + * `video` - Video processing tasks to extract structured information, including object detection, action recognition, scene detection, and temporal understanding. + * `audio` - Audio processing tasks such as Automatic Speech Recognition (ASR), Speech-to-Text, music generation, and sound pattern recognition. + * `sensor` (telemetry) - Processes data from specialized sensors or hardware, such as LiDAR for autonomous vehicles or IoT sensor feeds. + * `biometric` - Specialized sensor-based modality used for analyzing biological traits for tasks such as facial recognition, fingerprint scanning, or voice authentication. + * `genomic` (telemetry) - Processes high-dimensional data used in drug discovery and medical research. + * `_undefined:` - `` placeholder, used to provide an arbitrary model modality name. + +###### Example: Tagging a model with its modalities + +```json +"component": +{ + "type": "machine-learning-model", + "bom-ref": "pkg:huggingface/FakeAI/CoderModel", + // ..., + "properties": [ + { + "name": "cdx:ai-ml:model:modality:code", + }, + { + "name": "cdx:ai-ml:model:modality:instruct", + } + ] +} +``` + ## Annotating a model's supported languages Models can be trained in one or more languages (i.e., multilingual models). diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6af95114..b8612f33 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -63,7 +63,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | | | +| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | | | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | | From da957e7b3100a6d1e1c901c71a1191f26e3fa5bf Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 10:03:58 -0500 Subject: [PATCH 032/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x20-Design-Model-Component-Metadata.md | 13 ++++++++++++- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index 6cb8ec40..61e2868b 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -59,8 +59,18 @@ The CycloneDX JSON pseudocode below shows how an ML model would be declared as t "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9", "purl": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9c57b252f3149c1408daf4d649ec8b6c85", "version": "ef3c5c9c57b252f3149c1408daf4d649ec8b6c85", + "licenses": [ + { + "license": { + "name": "Tongyi Qianwen LICENSE AGREEMENT", + "text": { + "content": "By clicking to agree or by using or distributing any portion or element of the Tongyi Qianwen Materials, ..." + } + } + } + ] // ... - } + }, // ... } // ... @@ -70,6 +80,7 @@ The CycloneDX JSON pseudocode below shows how an ML model would be declared as t ###### Field discussion * **bom-ref** - Please note the `bom-ref` value includes the first seven characters of the larger hash value from the `purl` component identifier which is sufficient for local identification within the BOM itself. +* **license** - The `licenses` object shown in the example is a "custom" license which, in this case, we chose to provide the unencoded license text. It is preferable, when possible to use an SPDX license identifier and supply it in the `id` field of the `license` (e.g., `"license": { "id": "Apache-2.0" }` ). #### Model repositories as components diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index b8612f33..a5244172 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -64,7 +64,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | | | +| 1.1.(f) | the licence. | [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | | | From 2119954c53133008f0c1edb34080450d3298681b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 10:05:01 -0500 Subject: [PATCH 033/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x93_Appendix-C_Complete_Example.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md index 34e609e8..ff48f430 100644 --- a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md +++ b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md @@ -31,6 +31,16 @@ This appendix includes a complete AI/ML BOM example that combines most of the is "name": "Qwen/Qwen-7B", "version": "ef3c5c9c57b252f3149c1408daf4d649ec8b6c85", "description": "Qwen-7B is a Transformer-based large language model, which is pretrained on a large volume of data, including web texts, books, codes, etc.", + "licenses": [ + { + "license": { + "name": "Tongyi Qianwen LICENSE AGREEMENT", + "text": { + "content": "By clicking to agree or by using or distributing any portion or element of the Tongyi Qianwen Materials, ..." + } + } + } + ] "releaseNotes": [ { "type": "major", From 45595816bd03693ab6e8ab0cd79c081f87d7ed48 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 10:05:11 -0500 Subject: [PATCH 034/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x93_Appendix-C_Complete_Example.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md index ff48f430..a0b32f22 100644 --- a/ML-BOM/en/0x93_Appendix-C_Complete_Example.md +++ b/ML-BOM/en/0x93_Appendix-C_Complete_Example.md @@ -40,7 +40,7 @@ This appendix includes a complete AI/ML BOM example that combines most of the is } } } - ] + ], "releaseNotes": [ { "type": "major", From 2f4ed6f530e61b9fac8421f63ab0dae0185801d6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 10:32:49 -0500 Subject: [PATCH 035/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a5244172..6fc23e41 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -65,9 +65,9 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | -| 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | | -| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | | | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | | | +| 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | | | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | | | From 48365c30311720be16793c471a19a3066e9a4132 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 12:21:58 -0500 Subject: [PATCH 036/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6fc23e41..0a17ad34 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -123,9 +123,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 2.3.(vii) | Summary of the most relevant domain names crawled | | | | 2.3.(viii) | Additional comments *(optional)* | *e.g., domain names, URLs and the sources of individual works* | | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | | | -| 2.4.(i) | provide a general description of the -provider’s services or products that were used to -collect the user data | | | +| 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | | | | 2.4.(ii) | Additional comments *(optional)* | | | | 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | | | | 2.5.(i) | modality of the synthetic data | | | | From cd4aae67caeceb89dd82c8274e0e014b9ec4a152 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 12:31:19 -0500 Subject: [PATCH 037/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 0a17ad34..5f5b040b 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -70,7 +70,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | | -| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | | | +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | From 29445644ee3e91c1be885457cff62b1f452481ac Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 14:14:24 -0500 Subject: [PATCH 038/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 5f5b040b..8ba63b29 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -72,7 +72,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | | | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | -| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | | | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metaadata.component.modelCard.quantitativeAanlaysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [worfklows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | From a772157969f181d15e9d8e61e8b6e9c4bc6f10f6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 12 May 2026 14:33:40 -0500 Subject: [PATCH 039/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8ba63b29..07f0fdca 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -68,12 +68,12 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | | | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | | | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | -| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metaadata.component.modelCard.quantitativeAanlaysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [worfklows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | | | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments)
- TODO | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments)
- TODO | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 094deeb68690a4cd5cd5758df5dff6b7ffb5b01e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 08:01:07 -0500 Subject: [PATCH 040/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 07f0fdca..8ef8f022 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -68,8 +68,8 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
[Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Training workflows, tasks, steps and resources:
[Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | From 088d372eee4b69ed260d8b3ba3aa1adf066c2e89 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 15:07:25 -0500 Subject: [PATCH 041/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8ef8f022..c1ac2428 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -64,7 +64,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | CycloneDX provides a robust means of how to describe a license associated with a component:
[Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | @@ -73,7 +73,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments)
- TODO | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments)
- TODO | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 15b54b07f3bab5fd7b07b8f7f89837c1ccdcce28 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 15:08:30 -0500 Subject: [PATCH 042/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index c1ac2428..0007006a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -56,7 +56,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings | Section | Text | Guide references | Relevant schema | -| --- | --- | --- | --- | +| --- | --- | --------------- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
[Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | From 1aab308a33d6f30f7db61778cc0d9c2b3b6d6d6a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 15:41:36 -0500 Subject: [PATCH 043/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ...x40-Design-Additional-Model-Information.md | 27 +++++++++++++++++-- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 16 +++++------ 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/ML-BOM/en/0x40-Design-Additional-Model-Information.md b/ML-BOM/en/0x40-Design-Additional-Model-Information.md index bc5d3823..a8b18aed 100644 --- a/ML-BOM/en/0x40-Design-Additional-Model-Information.md +++ b/ML-BOM/en/0x40-Design-Additional-Model-Information.md @@ -9,6 +9,7 @@ For convenience, here are links to the specific sections for some of these ackno * [Using CycloneDX AI/ML properties](#using-cyclonedx-aiml-properties) * [Declaring a model's modalities](#declaring-a-models-modalities) * [Annotating a model's supported languages](#annotating-a-models-supported-languages) + * [Providing a model's usage policy](#providing-a-models-usage-policy) * [Providing free-form tags for search](#providing-free-form-tags-for-search) * [Tokenizers and prompt templates](#tokenizers-and-prompt-templates) * [Including manufacturing information for the ML model](#including-manufacturing-information-for-the-ml-model) @@ -50,10 +51,10 @@ Models are trained to support processing and analysis of one or more types types // ..., "properties": [ { - "name": "cdx:ai-ml:model:modality:code", + "name": "cdx:ai-ml:model:modality:code" }, { - "name": "cdx:ai-ml:model:modality:instruct", + "name": "cdx:ai-ml:model:modality:instruct" } ] } @@ -120,6 +121,28 @@ This section describes how to "tag" model components with non-standard keywords * **properties** - The tag values shown above might be used to search for models in a catalog that are compatible with the `pytorch` framework and (the Hugging Face) `transformers` library. The `text-to-speech` and `speech-to-speech` tags could identify the model with those input/output capabilities. +## Providing a model's usage policy + +Model usage policies can be provided using `externalReferences` associated with the model's component definition. + +###### Example: Providing a link to a model's usage policy + +```json +"component": { + "type": "machine-learning-model", + "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9", + // ..., + "externalReferences": [ + { + "url": "https://qwen.ai/usagepolicy", + "type": "documentation", + "comment": "Usage policy" + } + ], + // ... +} +``` + ## Tokenizers and prompt templates Tokenizers provide the preprocessing (encoding) and postprocessing (decoding) functions to convert input and output information to tokens that the associated ML model was trained on and used for inference. diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 0007006a..62b3611f 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,16 +55,16 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Text | Guide references | Relevant schema | -| --- | --- | --------------- | --- | -| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53)(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | -| 1.1 | A general description of the general-purpose AI model including: | [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
[Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | Reference Qwen usage policy page:
- https://qwen.ai/usagepolicy | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)| -| 1.1.(c) | the date of release and methods of distribution; | [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release information can be provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | +| Section | Section text | Guide references | Relevant schema (v1.7)| +| --- | --- | --- | --- | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | +| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
bull; [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(b) | the acceptable use policies applicable; | • Use policies:
[Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy) | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to usage policies can be provided. | +| 1.1.(c) | the date of release and methods of distribution; | Release information:
[Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | CycloneDX provides a robust means of how to describe a license associated with a component:
[Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
[Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | From 42569aad724a5e400fc7d12a97a8ac11a587b679 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 16:05:33 -0500 Subject: [PATCH 044/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 62b3611f..6eccd527 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -59,17 +59,17 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | The model's model card object includes many considerations including intended use cases and users:
bull; [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases)
- Use cases | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | • Use policies:
[Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy) | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to usage policies can be provided. | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy) | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
[Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and number of parameters; | The model parameters object includes fields for model architecture:
[Model metadata](#model-metadata)
- [Architecture family](#architecture-family)
- [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) |the modality (e.g. text, image) and format of inputs and outputs; | Modality:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
[Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(d) |the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | -| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
[Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Training workflows, tasks, steps and resources:
[Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing tested workflows, tasks, steps and resources to be used for inference:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | From ab53236c4552da8eb5e6ac156d17c973c828ae14 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 16:22:47 -0500 Subject: [PATCH 045/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6eccd527..f0c26dfa 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -60,13 +60,13 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy) | Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to published usage policies can be provided. | +| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
[Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) |the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- _See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information_:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | -| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing tested workflows, tasks, steps and resources to be used for inference:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| From 1884e2e57162fd697cc84b3ff3e6ec72ae6d0a9b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 13 May 2026 16:34:41 -0500 Subject: [PATCH 046/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f0c26dfa..f2db5d21 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -67,8 +67,8 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- _See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information_:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
- [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.modelCard.considerations.technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
• [metadata.modelCard.considerations.performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
• [metadata.modelCard.considerations.ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
[formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | From 7c9f6e3bd3dd26b3822b01b6db67076487db671b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 10:49:17 -0500 Subject: [PATCH 047/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f2db5d21..c1cffeaa 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -58,18 +58,18 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Section text | Guide references | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | -| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | [metadata:component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
- type: `"machine-learning-model"`
- name
- version
- description
- supplier
- manufacturer
- publisher | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | [component.modelCard.considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
- [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
- [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
**Note**: multiple references to published usage policies can be provided. | +| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
[Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- _See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information_:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.modelCard.considerations.technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
• [metadata.modelCard.considerations.performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
• [metadata.modelCard.considerations.ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
[formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | TODO | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology)| [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
- [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | From 21e20356a34f7a1854a2d7850ec78d528f61c994 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 13:33:52 -0500 Subject: [PATCH 048/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index c1cffeaa..95f7cbf4 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -60,13 +60,13 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | -| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
- [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | -| 1.1.(c) | the date of release and methods of distribution; | Release information:
[Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
[metadata.component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
- type
- description
- timestamp
- notes
- etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | +| 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | +| 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
- _See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information_:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information*:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | -| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | [formulation](https://cyclonedx.org/docs/1.7/json/#formulation)
- [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
- [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | +| 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| From 76ae86b20f9b32fda9d3c7c832ddde00d26c174a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:22:18 -0500 Subject: [PATCH 049/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 95f7cbf4..648163ee 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -61,9 +61,9 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | -| 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.
**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
- [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
- [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | +| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information*:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | From c2c5e6cef822b65d81b6858917144fed3daa44d8 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:26:03 -0500 Subject: [PATCH 050/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 648163ee..34fc887e 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -64,13 +64,13 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information*:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| -| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Energy consumptions, energy provider information along with CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | From 6fcf65154492dc680a5fda51904e768ea3eee21e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:39:29 -0500 Subject: [PATCH 051/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 34fc887e..5a6af712 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -63,8 +63,8 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
See example which uses the CycloneDX `license` object.| CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | From 76802897bf0dadb82e753dba0422b2ea2bee4434 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:48:45 -0500 Subject: [PATCH 052/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 5a6af712..021a9a71 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -64,13 +64,13 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
[metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
- [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
• [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| -| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Energy consumptions, energy provider information along with CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
  ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
  ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
  ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
  ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
  ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | From 05168bb64e76ec1fe955bd45f3abdecf921352c2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:50:02 -0500 Subject: [PATCH 053/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 021a9a71..75a4bb29 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text | Guide references | Relevant schema (v1.7)| +| Section | Section text |   Guide references   | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From c4246c1765333227c7395ee27480901ebf3fe738 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:52:03 -0500 Subject: [PATCH 054/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 75a4bb29..1d7aeb8a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text |   Guide references   | Relevant schema (v1.7)| +| Section | Section text |       Guide references       | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From adfaebc09396b0cae2fe51dbe923cad1305a6c7f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:53:05 -0500 Subject: [PATCH 055/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 1d7aeb8a..88463e97 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text |       Guide references       | Relevant schema (v1.7)| +|     Section     | Section text |       Guide references       | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From f043e7d6b39e9230f3f939259e9af71ec34bd7e3 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 14:57:54 -0500 Subject: [PATCH 056/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 88463e97..49ee4d63 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -|     Section     | Section text |       Guide references       | Relevant schema (v1.7)| +|         Section         | Section text |       Guide references       | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From d8a3cbf7de7690c110a29ec51a15858d9df689fe Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:00:52 -0500 Subject: [PATCH 057/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 49ee4d63..8b393340 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -|         Section         | Section text |       Guide references       | Relevant schema (v1.7)| +| Section | Section text         | Guide references        | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From ce087175557eb2347f46875e9d98be26793379d3 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:01:42 -0500 Subject: [PATCH 058/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8b393340..0cd8ad5c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text         | Guide references        | Relevant schema (v1.7)| +| Section | Section text             | Guide references             | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From eb5c2f5254677d6a87e99675a2a4111b756104f2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:03:02 -0500 Subject: [PATCH 059/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 0cd8ad5c..60955f31 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text             | Guide references             | Relevant schema (v1.7)| +| Section | Section text           | Guide references           | Relevant schema (v1.7)| | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From 6c39ffce856a15bca6f3b1e515b6001e38721add Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:04:53 -0500 Subject: [PATCH 060/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 60955f31..a74fb449 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text           | Guide references           | Relevant schema (v1.7)| +| Section | Section text       | Guide references       | Relevant schema (v1.7) | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From f5300d596a9f550629005fb3e5351136a713ce27 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:07:37 -0500 Subject: [PATCH 061/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a74fb449..8f27fce2 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text       | Guide references       | Relevant schema (v1.7) | +| Section | Section text       | Guide references     | Relevant schema (v1.7) | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | @@ -64,7 +64,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | From 6086180c94bc33db83e8d60939f95a2748c581b7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:08:33 -0500 Subject: [PATCH 062/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8f27fce2..4107a24d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text       | Guide references     | Relevant schema (v1.7) | +| Section | Section text       | Guide references   | Relevant schema (v1.7) | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From c976cbfee1e212590bc8f12a0904dfba9520be45 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:13:59 -0500 Subject: [PATCH 063/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 4107a24d..a966e78d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,7 +55,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section | Section text       | Guide references   | Relevant schema (v1.7) | +| Section     | Section text           | Guide references       | Relevant schema (v1.7) | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | From 4152a7207a3fc925e7b9d081f8a934a191f1f8eb Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:15:57 -0500 Subject: [PATCH 064/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a966e78d..684dfd01 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -55,10 +55,10 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t # Annex XI mappings -| Section     | Section text           | Guide references       | Relevant schema (v1.7) | +| Section | Section text | Guide references | Relevant schema (v1.7) | | --- | --- | --- | --- | -| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | -| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | +| 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | +| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | From 42c7f5ea1bb9678b23eea1a542c7430c9c750572 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:18:07 -0500 Subject: [PATCH 065/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 684dfd01..e65274f2 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -62,7 +62,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.]()
• [modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | From 21a6b2e1dfc7b033b2c4de31863513d5cda6484c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:26:26 -0500 Subject: [PATCH 066/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e65274f2..01e95f82 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -62,18 +62,18 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | -| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.]()
• [modelCard.modelParameters](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
   ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | +| 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.Considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
   ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | -| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
- [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
  ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
  ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
     ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
     ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
  ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
  ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
  ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | - [metadata.component.modelCard.considerations.fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 352acaf137f669b3419c117838d28254d66109e4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:29:48 -0500 Subject: [PATCH 067/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 01e95f82..01e44369 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -59,7 +59,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | | 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | -| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [component.modelCard.considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
   ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
   ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | +| 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
     ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | @@ -67,7 +67,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
     ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
     ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
  ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
  ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
  ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | From 64f9b68ab0e2e3a288012439fd6a388e1a768e70 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 14 May 2026 15:50:01 -0500 Subject: [PATCH 068/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 01e44369..8df2048a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -67,13 +67,13 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | -| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
   ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | +| 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
     ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
     ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
     ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
  ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
  ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
  ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| -| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
[Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
- [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
- [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity) - e.g., `data-collection`, `training`, `fine-tuning`, etc.
- [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
- [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
- [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
- [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset) | +| 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
• [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
   ▪ [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
     ▪ [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity)
     ▪ [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
     ▪ [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
     ▪ [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
     ▪ [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset)

**Note**: _Energy consumptions can be reported on a per-activity basis (e.g., `data-collection`, `training`, `fine-tuning`, etc.) and can correspond to declared workflows._| | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | -| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
- [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
- [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | [metadata.component.modelCard.quantitativeAnalysis](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
- [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
- [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
[Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | • [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 427fe2d052d8530d202a2d2b5d9a0457586713ed Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 09:04:39 -0500 Subject: [PATCH 069/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8df2048a..7496f775 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -69,12 +69,12 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
     ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
     ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
     ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
  ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
  ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
  ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
   ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
• [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
   ▪ [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
     ▪ [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity)
     ▪ [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
     ▪ [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
     ▪ [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
     ▪ [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset)

**Note**: _Energy consumptions can be reported on a per-activity basis (e.g., `data-collection`, `training`, `fine-tuning`, etc.) and can correspond to declared workflows._| | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | • [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | | | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)
Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 2f9f2eed78d1d889787f7afe9528ce07d6099e56 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 11:35:48 -0500 Subject: [PATCH 070/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 7496f775..cc8c09c4 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -74,7 +74,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | • [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)
Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)
Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)
Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From 05e36cb52fcb12fe7cf05bfddc8dcfdb84967aae Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 11:37:12 -0500 Subject: [PATCH 071/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index cc8c09c4..6808846b 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -74,7 +74,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | • [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)
Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)
Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 From da73ea47fcc1d6052dc21c85dc6308c76936e67f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 11:38:53 -0500 Subject: [PATCH 072/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6808846b..6926154f 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -72,7 +72,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
   ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
• [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
   ▪ [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
     ▪ [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity)
     ▪ [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
     ▪ [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
     ▪ [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
     ▪ [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset)

**Note**: _Energy consumptions can be reported on a per-activity basis (e.g., `data-collection`, `training`, `fine-tuning`, etc.) and can correspond to declared workflows._| | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | -| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | • [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | +| 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | From 28f010f019e663559944f722b5e7ee7abaf3669c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 12:28:17 -0500 Subject: [PATCH 073/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6926154f..342200d3 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -89,10 +89,10 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t ##### Mappings -| Section | Text | Commentary | Guide references | +| Section | Text | Guide references | CycloneDX Commentary | | --- | --- | --- | --- | -| 1. | General information | | | -| 1.1 | Provider identification | | | +| 1. | General information | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | The majority of this information would be provided within the CycloneDX [component.metadata](https://cyclonedx.org/docs/1.7/json/#metadata) for the model. | +| 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | | 1.1.(i) | Provider name and contact details | | | | 1.1.(ii) | Authorised representative name and contact details | | | | 1.2 | Model identification | | | From f163c9a69371f6847e68ce792e24caaf7daf52ef Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 12:40:07 -0500 Subject: [PATCH 074/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 342200d3..95b6b511 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -87,15 +87,15 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t *In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model.* -##### Mappings +##### Template mappings | Section | Text | Guide references | CycloneDX Commentary | | --- | --- | --- | --- | | 1. | General information | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | The majority of this information would be provided within the CycloneDX [component.metadata](https://cyclonedx.org/docs/1.7/json/#metadata) for the model. | | 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | -| 1.1.(i) | Provider name and contact details | | | -| 1.1.(ii) | Authorised representative name and contact details | | | -| 1.2 | Model identification | | | +| 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | +| 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | +| 1.2 | Model identification | | | | 1.2.(i) | Versioned model name(s) | | | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | From 5ab54d14abf2f0d44f5386ce7ab64f76c07a24f7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 13:12:03 -0500 Subject: [PATCH 075/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 95b6b511..8b9860ac 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -63,7 +63,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs)| • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | @@ -95,7 +95,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | -| 1.2 | Model identification | | | +| 1.2 | Model identification | | The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | | | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | From b81ec6a72e54866fe26df51437188b2b6ab624d0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 13:18:01 -0500 Subject: [PATCH 076/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8b9860ac..8a580244 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -63,7 +63,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | • [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | Inputs & Outputs:
• [modelCard.modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [inputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_inputs)
   ▪ [outputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_outputs)
Modality/modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | From 058602869bc55c45b829f3547dfd368a1767679b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 13:24:57 -0500 Subject: [PATCH 077/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8a580244..c187ea95 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -63,7 +63,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | -| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)
Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | Inputs & Outputs:
• [modelCard.modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [inputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_inputs)
   ▪ [outputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_outputs)
Modality/modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | +| 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | Inputs & Outputs:
• [modelCard.modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [inputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_inputs)
   ▪ [outputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_outputs)
Modality/modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | | 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | @@ -95,7 +95,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | -| 1.2 | Model identification | | The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | +| 1.2 | Model identification | | The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | | | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | From 8d9546bf2483debfe2f011e92bb3e75ab859a95e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 13:37:17 -0500 Subject: [PATCH 078/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x20-Design-Model-Component-Metadata.md | 2 +- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md index 61e2868b..d9253345 100644 --- a/ML-BOM/en/0x20-Design-Model-Component-Metadata.md +++ b/ML-BOM/en/0x20-Design-Model-Component-Metadata.md @@ -435,7 +435,7 @@ It is important to capture any of these transformations in the model's lineage ( * **ancestors** - `ancestors` entries are themselves CycloneDX `component` objects. It should be noted that these models may have their own ML-BOMs, which can be located via their identifiers (e.g., `purl`) or via `externalReferences` for readers to follow. -##### Declaring known descendents +##### Declaring known descendants If, at the time an ML-BOM is created for a model, its downstream model variants (e.g., finetunings, quantizations, etc., derived from the model) are known, these can also be recorded within the `pedigree` object as `descendants` in a similar manner. diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index c187ea95..570f68d6 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -95,7 +95,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | -| 1.2 | Model identification | | The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | +| 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | | | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | From a64827db4a3bd9e2a47630a1de9fae83e43d54b2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 14:23:45 -0500 Subject: [PATCH 079/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 570f68d6..884347f0 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -96,7 +96,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | | | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component.
| **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | From fc041d1f862ef33d700678f1d827d017111953f1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 15 May 2026 18:03:15 -0500 Subject: [PATCH 080/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 884347f0..2e74295e 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -58,7 +58,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | Section | Section text | Guide references | Relevant schema (v1.7) | | --- | --- | --- | --- | | 1 | Information to be provided by all providers of general-purpose AI models
The technical documentation referred to in [Article 53](https://artificialintelligenceact.eu/article/53) (1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: | N/A | N/A | -| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | +| 1.1 | A general description of the general-purpose AI model including: | CycloneDX describes models as components:
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | • [metadata:component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"machine-learning-model"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [version](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_version)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier)
   ▪ [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer)
   ▪ Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) | | 1.1.(a) | the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; | Use cases and users:
• [Considerations: Users & use cases](0x24-Design-Model-Card-Considerations.md#users--use-cases) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [users](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_users)
     ▪ [useCases](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_useCases) | | 1.1.(b) | the acceptable use policies applicable; | Use policies:
• [Providing a model's usage policy](0x40-Design-Additional-Model-Information.md#providing-a-models-usage-policy)
_- See example for the Qwen model._| Usage policies can be provided as a CycloneDX external reference.
•  [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)

**Note**: multiple references to published usage policies can be provided. | | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | @@ -93,10 +93,10 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | --- | --- | --- | --- | | 1. | General information | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | The majority of this information would be provided within the CycloneDX [component.metadata](https://cyclonedx.org/docs/1.7/json/#metadata) for the model. | | 1.1 | Provider identification | See [Annex XI, Section 1.1](#annex-xi-mappings),
• [Declaring ML models](0x20-Design-Model-Component-Metadata.md#declaring-ml-models) | Manufacturer, supplier and publisher information can be provided within the model's metadata:
• [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) - _The organization that built or created the model._
• [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) - _The organization the supplied the model for use_
• [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) - _The organization that published the model_ | -| 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

[publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | +| 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | -| 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support to the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component.
| **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) fields.
This is shown in the guide here:
• [TODO]()

If a model is derived from another model, that relationship would be described by pedigree:
•  [TBD:Declaring a model's pedigree](#declaring-a-models-pedigree) | **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | From 09e43562f92865486a25702365f1855c2dfca38a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 08:28:32 -0500 Subject: [PATCH 081/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 2e74295e..33c92b6d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -96,7 +96,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) fields.
This is shown in the guide here:
• [TODO]()

If a model is derived from another model, that relationship would be described by pedigree:
•  [TBD:Declaring a model's pedigree](#declaring-a-models-pedigree) | **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
•  [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | | | | 1.2.(iii) | Date of placement of the model on the Union market: | | | | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | From 8363d6c43ecb88188bae80dace23b39ed6a3f7d4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 09:06:03 -0500 Subject: [PATCH 082/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 33c92b6d..0ee1b216 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -97,8 +97,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
•  [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | | | -| 1.2.(iii) | Date of placement of the model on the Union market: | | | +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | | +| 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | | | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | | | | 1.3.(ii) | Training data size | | | From 43150dced6bb34dc51e83e46a162fe2f3ff3bb6b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 09:17:52 -0500 Subject: [PATCH 083/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 0ee1b216..a329aa70 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -96,7 +96,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
•  [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | **Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:[component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | | | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | From 07474340fa6fe5b185000aaa307bec17274fec72 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 09:29:39 -0500 Subject: [PATCH 084/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a329aa70..98c1d075 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -96,9 +96,9 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:[component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | | -| 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | | +| 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Dataset dependencies:
• []()
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | | | | 1.3.(ii) | Training data size | | | From d08761297d3ed8e9cede339dcb41d819097ae585 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 14:18:44 -0500 Subject: [PATCH 085/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 98c1d075..debc5e50 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -96,9 +96,9 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique to the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | | -| 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Dataset dependencies:
• []()
| +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | +| 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | | | | 1.3.(ii) | Training data size | | | From fdd5a809a854e24bdf647f0f2708500a5ae41ac9 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 14:28:04 -0500 Subject: [PATCH 086/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index debc5e50..9f8b5342 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -100,7 +100,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | -| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | | | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md) | | 1.3.(ii) | Training data size | | | | 1.3.(ii) | Types of content | | | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | From aeff41405b5949aee922e735bb2b83d0a50c9362 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 14:46:11 -0500 Subject: [PATCH 087/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 9f8b5342..61e09020 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -99,9 +99,9 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| -| 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | | | +| 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md) | -| 1.3.(ii) | Training data size | | | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | | | 1.3.(ii) | Types of content | | | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | | 2.1 | Publicly available datasets | | | From a36ec1e107250bcd7841b3c7f2110f4671b7237c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 18 May 2026 14:56:23 -0500 Subject: [PATCH 088/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 61e09020..e004ea40 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -100,8 +100,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | N/A | N/A | -| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md) | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)
Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties) | | 1.3.(ii) | Types of content | | | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | | 2.1 | Publicly available datasets | | | From e7315509f639cd7f7854c91fa7a33b1bce2af3d4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 08:07:06 -0500 Subject: [PATCH 089/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x22-Design-Model-Card-Parameters.md | 2 ++ ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x22-Design-Model-Card-Parameters.md b/ML-BOM/en/0x22-Design-Model-Card-Parameters.md index 9969c8cc..a592323b 100644 --- a/ML-BOM/en/0x22-Design-Model-Card-Parameters.md +++ b/ML-BOM/en/0x22-Design-Model-Card-Parameters.md @@ -12,6 +12,8 @@ This section will feature guidance on filling out information in the Cyclone mod * [External references](#external-references) * [Datasets](#datasets) - The datasets used to train and evaluate the model. * [Declaring datasets](#declaring-datasets) + * [Datasets as in-line information](#datasets-as-in-line-information) + * [Datasets as data component references](#datasets-as-data-component-references) * [Inputs & Outputs](#inputs--outputs) - Describes the input and output data types (formats) of the model. * [Declaring other properties](#declaring-other-properties) * [Configuration parameters & hyperparameters](#configuration-parameters--hyperparameters) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e004ea40..94a80af4 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -99,10 +99,10 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| -| 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | **Note**: *Multi-model models may require modality information for each sub-model in v2.0* | N/A | N/A | -| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)
Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties) | -| 1.3.(ii) | Types of content | | | +| 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)
Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | | 2.1 | Publicly available datasets | | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From 68d515b6cfcde0b73cf4f305ffaa3990776a669b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 08:19:44 -0500 Subject: [PATCH 090/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x22-Design-Model-Card-Parameters.md | 2 -- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/ML-BOM/en/0x22-Design-Model-Card-Parameters.md b/ML-BOM/en/0x22-Design-Model-Card-Parameters.md index a592323b..9969c8cc 100644 --- a/ML-BOM/en/0x22-Design-Model-Card-Parameters.md +++ b/ML-BOM/en/0x22-Design-Model-Card-Parameters.md @@ -12,8 +12,6 @@ This section will feature guidance on filling out information in the Cyclone mod * [External references](#external-references) * [Datasets](#datasets) - The datasets used to train and evaluate the model. * [Declaring datasets](#declaring-datasets) - * [Datasets as in-line information](#datasets-as-in-line-information) - * [Datasets as data component references](#datasets-as-data-component-references) * [Inputs & Outputs](#inputs--outputs) - Describes the input and output data types (formats) of the model. * [Declaring other properties](#declaring-other-properties) * [Configuration parameters & hyperparameters](#configuration-parameters--hyperparameters) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 94a80af4..9b29f931 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -102,7 +102,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)
Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | +| 1.3.(iii) | Types of content | A description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type) - `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | | 2.1 | Publicly available datasets | | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From 99e1366740f67f245bb10ead132308282abf8220 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 08:46:15 -0500 Subject: [PATCH 091/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 9b29f931..ffba7dfb 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -100,11 +100,11 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | -| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
[Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
[Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)
Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type) - `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | -| 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | | -| 2.1 | Publicly available datasets | | | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
Additional content information can be provided via external documentation and referenced in the model's component declaration.

External references:
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | +| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | From ebfaf0d64b680ab93246e6fd7968bbe69307474c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 08:51:08 -0500 Subject: [PATCH 092/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index ffba7dfb..41c0fe8d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -101,8 +101,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
external references to documentation
• properties, customized for domain-specific requirements. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.

• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
Additional content information can be provided via external documentation and referenced in the model's component declaration.

External references:
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.

External references:
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From bc43cfb51d9256aa9e1e2032e84d672645a31864 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 08:54:11 -0500 Subject: [PATCH 093/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 41c0fe8d..fc06c063 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -102,7 +102,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.

External references:
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)

• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From 89099a85a19bd9e1923ca0acd9135adca790a289 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:03:07 -0500 Subject: [PATCH 094/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index fc06c063..7c652578 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -101,8 +101,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s): [component.](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)

• External references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
[component](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
etc.

• Model component's external references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From 43ada7a13176e01724a562c8d5e8e513b78a2783 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:14:37 -0500 Subject: [PATCH 095/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 7c652578..c5775094 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -101,8 +101,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
[component](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
etc.

• Model component's external references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

• Model component's external references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | | 2.2 | Private non-publicly available datasets obtained from third parties | | | From b239c224c889b7cac98dfd1eeef3ec8b117aa8ea Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:22:30 -0500 Subject: [PATCH 096/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index c5775094..90ef46ad 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -101,10 +101,10 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)

Model pedigree:
  • [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
  • [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
  • [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

• Model component's external references:
[metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | -| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | | +| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | | 2.2 | Private non-publicly available datasets obtained from third parties | | | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | From fed6a2687b7e23c0f5d23f76d40c75cb06ef8adf Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:27:57 -0500 Subject: [PATCH 097/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 90ef46ad..de75ec4c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -105,7 +105,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | | | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 "Publicly available data" (above) | | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | | 2.2.2 | Private datasets obtained from other third parties | | | From 90c5e08107e6a387981a0dcc1b4d14fe03b46ab1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:31:42 -0500 Subject: [PATCH 098/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index de75ec4c..26fc0742 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -101,11 +101,11 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | -| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | Private datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 "Publicly available data" (above) | | +| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | | 2.2.2 | Private datasets obtained from other third parties | | | From ba48a0cf7949412c2116a28dcd183ce9cfe6aba2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:32:58 -0500 Subject: [PATCH 099/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 26fc0742..f9b6c2a4 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -106,7 +106,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 2.2 | Private non-publicly available datasets obtained from third parties | Private datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | | | +| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | | 2.2.2 | Private datasets obtained from other third parties | | | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | From c71cbe9c949c850026148984f5cc03178e529c71 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:40:39 -0500 Subject: [PATCH 100/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f9b6c2a4..29e4b997 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -64,7 +64,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.1.(c) | the date of release and methods of distribution; | Release information:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release dates and methods are part of CycloneDX are provided using the `releaseNotes` fields in the model's component:
• [metadata.component.releaseNotes.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
   ▪ [type]()
   ▪ [description]()
   ▪ [timestamp]()
   ▪ [notes]()
   ▪ etc.

**Note:** *Components support multiple releases notes for the associated model/version.* | | 1.1.(d) | the architecture and number of parameters; | Model architecture:
• [Architecture family](#architecture-family)
• [Model architecture](#model-architecture)
| • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   • [modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
       ▪ [architectureFamily](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_architectureFamily)
       ▪ [modelArchitecture](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_modelArchitecture) | | 1.1.(e) | the modality (e.g. text, image) and format of inputs and outputs; | Modality/modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

Inputs & Outputs
• [Inputs & Outputs](0x22-Design-Model-Card-Parameters.md#inputs--outputs) | Inputs & Outputs:
• [modelCard.modelParameters.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters)
   ▪ [inputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_inputs)
   ▪ [outputs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_outputs)
Modality/modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties) | -| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
  ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | +| 1.1.(f) | the licence. | Component license:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses) | | 1.2 | A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: | N/A | N/A | | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
     ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | @@ -105,9 +105,9 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | Private datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial datasets information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | **Note**: *modalities covered by license may need future consideration for v2.0* | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | +| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | +| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | | 2.2.2 | Private datasets obtained from other third parties | | | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | From 9118ca77d2286afad700b65ebb75333537dce86a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 09:58:31 -0500 Subject: [PATCH 101/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 29e4b997..a6720936 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -105,8 +105,8 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary as for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | +| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | | 2.2.2 | Private datasets obtained from other third parties | | | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | From eb9f193a725d38746e3e1033c90431238d304c53 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 12:58:13 -0500 Subject: [PATCH 102/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a6720936..18bd0585 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -97,7 +97,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model datasets:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model components (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Nested relationships:
• [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 56da200e76d1de0521ced7e8ed97afba99a504f4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:08:50 -0500 Subject: [PATCH 103/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 18bd0585..fed77786 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -2,6 +2,14 @@ This appendix provides a mapping between the [EU’s AI Act](https://artificialintelligenceact.eu/) prose requirements, as well as the more prescriptive [Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models), and how they are shown to be fulfilled using CycloneDX ML-BOM as documented in specific sections of this guide. +These mappings include: + +* [Article 53: Obligations for Providers of General-Purpose AI Models](#article-53-obligations-for-providers-of-general-purpose-ai-models) +* [ANNEX XI: Technical Documentation Referred to in Article 53](#annex-xi-mappings) +* [Annex: Template for the Public Summary of Training Content for General-Purpose AI models](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53) + +--- + ### Summary of the EU AI Act The AI Act requires model providers to report extensive information on the models they produce to be used for risk assessment and compliance purposes. This act, effectively endorses moving away from the current non-normative publication of model cards and research papers (or similar or documentation) towards normative and standardized methods such as AI/ML Bills-of-Materials (AI/ML-BOMs). Specifically, AIBOMs are recognized as a key method for creating the technical documentation required by the EU AI Act (Article 11 and Annex IV). @@ -20,16 +28,17 @@ Some of these model documentation requirements include: On July 24, 2025, the European Commission released the mandatory Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI (GPAI) models, a key compliance step under [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the EU AI Act.This template serves as a mandatory minimum baseline for all GPAI providers, including those using open-source licenses, to publicly disclose information about their training data. +--- + ### EU AI Act & Explanatory template mappings This section provides mappings of the EU AI Act's written and templated requirements to sections of this guide that show how CycloneDX can accommodate these requirements. #### Article 53: Obligations for Providers of General-Purpose AI Models +This section contains mappings to guide sections along with commentary for the EU AI Act [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) which is part of [Chapter V: General-Purpose AI Models](https://artificialintelligenceact.eu/chapter/5/). -This section contains mappings for [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) which is part of [Chapter V: General-Purpose AI Models](https://artificialintelligenceact.eu/chapter/5/). - -##### Mappings +##### Article 53 mappings | Section | Text | Guide references & commentary | | --- | --- | --- | @@ -76,6 +85,8 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +--- + #### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 The Explanatory Notice and Template seeks to address From a4492ee48d3693f7ec556360bb6ec238cb583515 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:10:06 -0500 Subject: [PATCH 104/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index fed77786..1d91823d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -30,15 +30,15 @@ On July 24, 2025, the European Commission released the mandatory Explanatory Not --- -### EU AI Act & Explanatory template mappings +## EU AI Act & Explanatory template mappings This section provides mappings of the EU AI Act's written and templated requirements to sections of this guide that show how CycloneDX can accommodate these requirements. -#### Article 53: Obligations for Providers of General-Purpose AI Models +### Article 53: Obligations for Providers of General-Purpose AI Models This section contains mappings to guide sections along with commentary for the EU AI Act [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/) which is part of [Chapter V: General-Purpose AI Models](https://artificialintelligenceact.eu/chapter/5/). -##### Article 53 mappings +#### Article 53 mappings | Section | Text | Guide references & commentary | | --- | --- | --- | @@ -58,11 +58,11 @@ This section contains mappings to guide sections along with commentary for the E --- -#### ANNEX XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models +### ANNEX XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models This section contains mappings for [ANNEX XI: Technical Documentation Referred to in Article 53](https://artificialintelligenceact.eu/annex/11/). -# Annex XI mappings +#### Annex XI mappings | Section | Section text | Guide references | Relevant schema (v1.7) | | --- | --- | --- | --- | @@ -87,7 +87,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t --- -#### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 +### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 The Explanatory Notice and Template seeks to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: @@ -98,7 +98,7 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t *In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model.* -##### Template mappings +#### Template mappings | Section | Text | Guide references | CycloneDX Commentary | | --- | --- | --- | --- | From fd5cca69155ac46ffe6a7faf52f431cb6c1f598b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:11:43 -0500 Subject: [PATCH 105/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 1d91823d..94b3f97d 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -89,8 +89,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t ### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 -The Explanatory Notice and Template seeks to address -relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: +This section provides mappings for the Explanatory Notice and Template which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: *Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office.* From 6a358fa88b9a90c339a87c02874b4d69b49ba469 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:12:08 -0500 Subject: [PATCH 106/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 94b3f97d..11b74020 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -91,11 +91,11 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t This section provides mappings for the Explanatory Notice and Template which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: -*Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office.* +_Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office._ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of the AI Act: -*In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model.* +_In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model._ #### Template mappings From da5f16ecaf1d1f525c5540f6ffb547be209c9178 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:12:51 -0500 Subject: [PATCH 107/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 11b74020..c6de1c7a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -89,7 +89,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t ### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 -This section provides mappings for the Explanatory Notice and Template which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: +This section provides mappings for the "Explanatory Notice" and "Template for the Public Summary of Training Content" which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: _Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office._ From f4e629d6222931cc78cba546781a9da08ae38d4f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:13:21 -0500 Subject: [PATCH 108/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index c6de1c7a..6eab4805 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -89,7 +89,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t ### Annex: Template for the Public Summary of Training Content for General-Purpose AI models required by Article 53 -This section provides mappings for the "Explanatory Notice" and "Template for the Public Summary of Training Content" which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: +This section provides mappings for the _"Explanatory Notice"_ and _"Template for the Public Summary of Training Content"_ which seek to address relevant legal text from [Article 53](https://artificialintelligenceact.eu/article/53/)(1)(d) of the AI Act: _Providers of general-purpose AI models shall […] draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office._ From 65ea3d32ad392894878696e3d9d157b467ad970a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:15:54 -0500 Subject: [PATCH 109/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6eab4805..73f3c9b1 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -117,7 +117,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ _See [Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom) which uses the CycloneDX `license` object._ | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | +| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | | 2.2.2 | Private datasets obtained from other third parties | | | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | From f9a111009c2452187189074c40a9bc0ee00309a2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:19:17 -0500 Subject: [PATCH 110/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 73f3c9b1..8f557b46 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -115,7 +115,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See: _"Guide references" and "CycloneDX Commentary"_ in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | | 2.2.2 | Private datasets obtained from other third parties | | | From 0716bb1be7d19ba11997a02b4aab36cdf249edf0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:23:20 -0500 Subject: [PATCH 111/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8f557b46..33090cb3 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -83,7 +83,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
[tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
[runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | --- From a5c8471e37e1bf095bb15d94639c57d6a670de11 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:24:04 -0500 Subject: [PATCH 112/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 33090cb3..dec91d9e 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model components (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Nested relationships:
• [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies) | +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model components (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Nested relationships:
• [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 68e636ef667b6c1b2e3f6bf8da758bf193bcc8ef Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:31:34 -0500 Subject: [PATCH 113/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index dec91d9e..e6f91fb9 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -83,7 +83,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
[tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
[runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
[tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
[runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | --- From cac052ac7a10809b529d9254c135da099a43e636 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:32:31 -0500 Subject: [PATCH 114/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e6f91fb9..8bb522fa 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -83,7 +83,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
[tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
[runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | --- From 6bd839e76f39f194eb9a0f2777d8ad61401b183a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:36:17 -0500 Subject: [PATCH 115/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 8bb522fa..63175fa0 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model components (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Nested relationships:
• [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies) | +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 2a72fbb3b501b3f558aac61287863550ba3f1ba6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:38:06 -0500 Subject: [PATCH 116/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 63175fa0..f0140754 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -83,7 +83,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | | 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | -| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | +| 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | --- @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical relationships (for assemblies or standalone):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 3aa9b22d1afba9d83f49469ac241f4be8126c91b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:38:33 -0500 Subject: [PATCH 117/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index f0140754..69dcda0c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -106,7 +106,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(i) | Provider name and contact details | See template mapping section 1.1 (above) | Both the [manufacturer](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_manufacturer) and [supplier](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier) information includes:
• name, address, url and multiple (i.e., an array of), detailed [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information which accounts for multiple points-of-contact.

Component [publisher](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_publisher) information supports a textual description. | | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | -| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)
Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | +| 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | From f263a68ac0bb67c7e23143e8aed3bff9e7a18b20 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:40:01 -0500 Subject: [PATCH 118/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 69dcda0c..94438032 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -111,7 +111,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | +| 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements such as data sizes)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | From bbd732639f00a5b47dc91e76148d90189b576ba3 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:43:51 -0500 Subject: [PATCH 119/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 94438032..df89b254 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -115,10 +115,10 @@ _In order to increase transparency on the data that is used in the pre-training | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | -| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See: _"Guide references" and "CycloneDX Commentary"_ in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | N/A | -| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | TODO | -| 2.2.2 | Private datasets obtained from other third parties | | | +| 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See: _"Guide references" and "CycloneDX Commentary"_ in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | +| 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | +| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | +| 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | From 23701f1aa89577cb745125f54d63f9d58d6b5a65 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:45:31 -0500 Subject: [PATCH 120/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index df89b254..d80194d2 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -78,7 +78,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(a) | the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; | Detailing inference workflows, tasks, steps and resources to be used testing and production:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed inference and testing workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: The CycloneDX `formulation` object can be used to convey `workflows` for such things as `inference` in the context of various target frameworks or their runtime topologies. | | 1.2.(b) | the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; | Considerations when designing the model:
• [Technical limitations](#technical-limitations)
• [Performance tradeoffs](#performance-tradeoffs)
• [Ethical considerations](#ethical-considerations)

Describing design, data preparation and training workflows along with detailed tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
• [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Considerations:
• [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [technicalLimitations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_technicalLimitations)
     ▪ [performanceTradeoffs](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_performanceTradeoffs)
     ▪ [ethicalConsiderations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_ethicalConsiderations)

Detailed workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(c) | information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; | Data or dataset declaration, provenance and pedigree:
• [Datasets](0x22-Design-Model-Card-Parameters.md#datasets)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
     ▪ [datasets as component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references)
     ▪ [datasets as in-line declarations](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information) | Detailed data preparation workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology) | -| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
   ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | TODO (Formulation)| +| 1.2.(d) | the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; | Detailing training workflows, tasks, steps and resources:
• [Including manufacturing information for the ML model](0x40-Design-Additional-Model-Information.md#including-manufacturing-information-for-the-ml-model)
   ▪ [Declaring hardware and software training components](0x40-Design-Additional-Model-Information.md#declaring-hardware-and-software-training-components)
   ▪ [Providing training workflow details](0x40-Design-Additional-Model-Information.md#providing-training-workflow-details)
   ▪ [Declaring the runtime topology](0x40-Design-Additional-Model-Information.md#declaring-the-runtime-topology) | Detailed training workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [steps](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_steps)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks_items_runtimeTopology)

**Note**: CycloneDX v2.0 will have extensible workflow `taskTypes` that will include an AI/ML taxonomy with values for such things as `training` or `fine-tuning`. | | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
• [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
   ▪ [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
     ▪ [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity)
     ▪ [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
     ▪ [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
     ▪ [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
     ▪ [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset)

**Note**: _Energy consumptions can be reported on a per-activity basis (e.g., `data-collection`, `training`, `fine-tuning`, etc.) and can correspond to declared workflows._| | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | @@ -117,7 +117,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See: _"Guide references" and "CycloneDX Commentary"_ in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | +| 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | From 6713afe61e7f3baf0520e572588833803974e125 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:50:56 -0500 Subject: [PATCH 121/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index d80194d2..616347c0 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -110,7 +110,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | -| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | +| 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements such as data sizes)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | @@ -119,7 +119,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | | +| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | Modalities:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties) | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | | 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | From 94a03304f3136e199115000e353ebf65a25b5e4e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 13:53:55 -0500 Subject: [PATCH 122/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 616347c0..e34a4be5 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -119,7 +119,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | | Modalities:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties) | +| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | | 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | From 5c0d61dfe6785170c99152c81a9b02ed7db9d5bb Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:02:28 -0500 Subject: [PATCH 123/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e34a4be5..a8cb7d44 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -119,7 +119,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | +| 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | | 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | From 6ebd3a5e04cd0ecd8e6f6b806c04569de3d3851f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:03:28 -0500 Subject: [PATCH 124/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index a8cb7d44..fe8b2123 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -120,7 +120,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | -| 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | | | +| 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | | 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | From 5e920eaf14a8985a01136ed1560b2f7bd042f21a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:19:06 -0500 Subject: [PATCH 125/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index fe8b2123..7eb86144 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -114,14 +114,14 @@ _In order to increase transparency on the data that is used in the pre-training | 1.3.(ii) | Training data size | The CycloneDX component can be used to describe a training dataset with any level of detail required. In general, this section describes the general method on how to declare public and private datasets:
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additionally, other types of information about each component dataset can be provided via various fields such as:
• pedigree
• external references to documentation
• properties _(customized for tagging information to domain-specific requirements such as data sizes)_. | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 1.3.(iii) | Types of content | A discrete description of the types of content used to train a model would be provided as CycloneDX data components.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)

Additional content information can be provided via external documentation and referenced in the model's component declaration.
• [Providing links to papers & articles](0x22-Design-Model-Card-Parameters.md#providing-links-to-papers--articles) | Dataset components, their descriptions and external references to documentation:
• [component.](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_type): `"data"`
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ etc.

Model component's external references:
• [metadata.component.externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences) | | 2 | List of data sources *(information about specific sources of data used to train the general-purpose AI model)* | N/A | N/A | -| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | +| 2.1 | Publicly available datasets | Each _public_ dataset used to train a model would be provided as CycloneDX data component.
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as in-line information](0x22-Design-Model-Card-Parameters.md#datasets-as-in-line-information)
   ▪ [Datasets as data component references](#datasets-as-data-component-references) | Dataset component(s):
• [component](https://cyclonedx.org/docs/1.7/json/#components)
   ▪ [type]: `"data"`
   ▪ [name](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_name)
   ▪ [description](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_description)
   ▪ [pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)
   ▪ [externalReferences](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences)
   ▪ [properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)
   ▪ etc.

**Note**: _Ideally, each public dataset would have its own independent Bill-of-Materials that fully described the details of its design, dependencies (i.e., data sources) and manufacturing which could be referenced by the AI/ML BOM._ | | 2.2 | Private non-publicly available datasets obtained from third parties | Private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See: _"Guide references" and "CycloneDX Commentary"_ in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1 | Datasets commercially licensed by rightsholders or their representatives | Commercial dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.1.(i) | concluded transactional commercial licensing agreement (modalities covered by license) | License information would be provided in the CycloneDX data component:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
   ▪ See: _[Example: Declaring an ML model in an ML-BOM](0x20-Design-Model-Component-Metadata.md#example-declaring-an-ml-model-in-an-ml-bom)_ which uses the CycloneDX `license` object. | CycloneDX provides multiple, robust options for recording license information:
• [metadata.licenses](https://cyclonedx.org/docs/1.7/json/#metadata_licenses)

**Note**: *modality-specific licensing may have considerations in future CycloneDX versions.* | | 2.2.2 | Private datasets obtained from other third parties | Third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | | | +| 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | | 2.3.(i) | specify crawler name(s)/identifier(s) | | | From 39b73b987f5ab09a21e71c335ca15889c1e0b9dc Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:23:32 -0500 Subject: [PATCH 126/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 7eb86144..d3d541d6 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 1660d2767d7b0df689620395bd58f9c771754d68 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:28:13 -0500 Subject: [PATCH 127/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index d3d541d6..fd850012 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as data component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From e206bb3a35b10ee5100cbed080f796f7ebdde4ab Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:29:48 -0500 Subject: [PATCH 128/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index fd850012..685d5933 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
   ▪ [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as data component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as data component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | From 8e1e6e23d359237d2e4892e46c1f4aba97edfc75 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:35:26 -0500 Subject: [PATCH 129/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 685d5933..e34fa9f3 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -122,16 +122,16 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(iv) | Additional comments *(optional)* | *e.g. the period of data collection, size of the datasets and further details* | | +| 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | | | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | -| 2.3.(i) | specify crawler name(s)/identifier(s) | | | -| 2.3.(ii) | Purposes of the crawler(s) | | | -| 2.3.(iii) | General description of crawler behaviour | | | -| 2.3.(iv) | Period of data collection | | | -| 2.3.(v) | Comprehensive description of the type of content and online sources crawled | | | -| 2.3.(vi) | Type of modality covered | | | -| 2.3.(vii) | Summary of the most relevant domain names crawled | | | -| 2.3.(viii) | Additional comments *(optional)* | *e.g., domain names, URLs and the sources of individual works* | | +| 2.3.(i) | specify crawler name(s)/identifier(s) | TODO | | +| 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | +| 2.3.(iii) | General description of crawler behaviour | N/A | N/A | +| 2.3.(iv) | Period of data collection | N/A | N/A | +| 2.3.(v) | Comprehensive description of the type of content and online sources crawled | N/A | N/A | +| 2.3.(vi) | Type of modality covered | N/A | N/A | +| 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | +| 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | | | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | | | | 2.4.(ii) | Additional comments *(optional)* | | | From 9964f3fcaafac67cee6adb803c6a5c4f682b0fcd Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 14:51:05 -0500 Subject: [PATCH 130/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index e34fa9f3..102e1c15 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -122,7 +122,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | | | +| 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Annotations;
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | | 2.3.(i) | specify crawler name(s)/identifier(s) | TODO | | | 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | From 1ed0e6ceffa7fa3a72f85cb33bcd6cf37962aa15 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 17:13:51 -0500 Subject: [PATCH 131/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 102e1c15..3548a56a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -107,7 +107,7 @@ _In order to increase transparency on the data that is used in the pre-training | 1.1.(ii) | Authorised representative name and contact details | See template mapping section 1.1.(i) (above) | Each [contact](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_supplier_contact) information includes:
• name, email address and phone | | 1.2 | Model identification | A discussion of model identifiers with examples:
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)| The model component information includes support for the [Package-URL (PURL) Specification](https://github.com/package-url/purl-spec) specification which provides syntax for identifying a model from various source repositories:
• [metadata.component.](https://cyclonedx.org/docs/1.7/json/#metadata_component)
   ▪ [purl](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_purl)

**Note**: _In addition, CycloneDX the means to provide identifiers from registered proprietary or other publication sources via the [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy)._ | | 1.2.(i) | Versioned model name(s) | A model's name, identifiers and version are considered unique attributes of the model component. These are provided in the [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component) field as shown here:
• [Describing models as components](0x20-Design-Model-Component-Metadata.md#describing-models-as-components)
• [Model identifiers](0x20-Design-Model-Component-Metadata.md#model-identifiers)

If a model is derived from another model, that relationship would be described by pedigree:
• [Declaring a model's pedigree](0x20-Design-Model-Component-Metadata.md#declaring-a-models-pedigree) | Model name, version and identifiers:
• [metadata.component](https://cyclonedx.org/docs/1.7/json/#metadata_component)

Model pedigree:
• [component.pedigree](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_pedigree)

**Note**: _An AI/ML Bill-of-Materials is intended to represent a single identifiable model. For each separate version published or supplied from a different source, it should be represented by its own unique AI/ML-BOM which can capture its pedigree, including any changes from the original model by reference to its AI/ML BOM via pedigree fields._ | -| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as data component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)
| +| 1.2.(ii) | Model dependencies | Dependencies of a model needs to consider both the datasets used for training and/or finetuning as well as listing dependencies on tokenizers, templates and any configurations. Accounting for these resources are respectively shown in the following sections:
• [Model repositories as components](0x20-Design-Model-Component-Metadata.md#model-repositories-as-components)
• [Declaring datasets](0x22-Design-Model-Card-Parameters.md#declaring-datasets)
   ▪ [Datasets as data component references](0x22-Design-Model-Card-Parameters.md#datasets-as-data-component-references) | Model component and service compositions (e.g., datasets, tensor data, tokenizers, configurations, etc.):
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Explicit declaration of model datasets used (using CycloneDX data component references):
• [modelCard.modelParameters.datasets](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_modelParameters_datasets)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology) | | 1.2.(iii) | Date of placement of the model on the Union market: | This information would be provided in the model's release notes:
• [Providing model release notes](0x20-Design-Model-Component-Metadata.md#providing-model-release-notes) | Release notes:
• [component.releaseNotes](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_releaseNotes)
| | 1.3. | Modalities, overall training data size and other characteristic *(general information about the overall training data after pre-processing and before the training of the model)* | N/A | N/A | | 1.3.(i) | Modality *(e.g., text, image, audio, video, other)* | Model modalities:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities)

**Note**: *Multi-model models should include modality information for each sub-model.* | Modalities:
• [metadata.component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | @@ -123,8 +123,8 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Annotations;
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | -| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)* | The following subsections only apply if "crawlers were used for data collection". | | -| 2.3.(i) | specify crawler name(s)/identifier(s) | TODO | | +| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing _data crawling_ workflows, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data crawling processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)| +| 2.3.(i) | specify crawler name(s)/identifier(s) | N/A | N/A | | 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | | 2.3.(iii) | General description of crawler behaviour | N/A | N/A | | 2.3.(iv) | Period of data collection | N/A | N/A | From e110b93eb052ccbebfed362914894ee959ca1094 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 20 May 2026 17:15:45 -0500 Subject: [PATCH 132/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 3548a56a..5508467c 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -82,7 +82,7 @@ This section contains mappings for [ANNEX XI: Technical Documentation Referred t | 1.2.(e) | known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. | Per-activity energy consumptions, energy provider information, CO2 costs and CO2 cost offsets:
• [Energy Consumptions](0x24-Design-Model-Card-Considerations.md#energy-consumptions) | • [Environmental Considerations](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations)
   ▪ [Energy Consumptions](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions)
     ▪ [activity](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activity)
     ▪ [energyProviders](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_energyProviders)
     ▪ [activityEnergyCost](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost)
     ▪ [co2CostEquivalent](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostEquivalent)
     ▪ [co2CostOffset](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_co2CostOffset)

**Note**: _Energy consumptions can be reported on a per-activity basis (e.g., `data-collection`, `training`, `fine-tuning`, etc.) and can correspond to declared workflows._| | 2 | Additional information to be provided by providers of general-purpose AI models with systemic risk | N/A | N/A | | 2.1 | A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. | Describing and recording results for performance (evaluation) tests:
• [Model quantitative analysis](0x23-Design-Model-Card-Quantitative-Analysis.md#model-quantitative-analysis)
   ▪ [Performance Metrics](0x23-Design-Model-Card-Quantitative-Analysis.md#performance-metrics)
   ▪ [Graphics](0x23-Design-Model-Card-Quantitative-Analysis.md#graphics) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
   ▪ [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     ▪ [quantitativeAnalysis.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis)
       ▪ [performanceMetrics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_performanceMetrics)
       ▪ [graphics](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_quantitativeAnalysis_graphics)

**Note:** Evaluation processes can be encoded as [formulation](https://cyclonedx.org/docs/1.7/json/#formulation) [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows), and their compositional `tasks`, `steps`, `tools`, `inputs`, `outputs` and more. | -| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, Ethical considerations and Fairness assessments can be recorded as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | +| 2.2 | Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. | Additionally, "Ethical considerations" and "Fairness assessments" can be documented as shown in these sections:
• [Fairness assessments](0x24-Design-Model-Card-Considerations.md#fairness-assessments) | • [metadata.component.modelCard.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard)
    [considerations.](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations)
     • [fairnessAssessments](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_modelCard_considerations_fairnessAssessments) | | 2.3 | Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. | The composition of model components, including data:
• [Declaring ML Models](#declaring-ml-models)
   • [Describing models as components](#describing-models-as-components)
   • [Model repositories as components](#model-repositories-as-components)
   • [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly) | Component and service relationships:
• [compositions.](https://cyclonedx.org/docs/1.7/json/#compositions) (nested relationships)
   • [assemblies](https://cyclonedx.org/docs/1.7/json/#compositions_items_assemblies)
   • [dependencies](https://cyclonedx.org/docs/1.7/json/#compositions_items_dependencies) (required, non-transitive relationships)

Hierarchical (nested) relationships (for assemblies):
• [metadata.component.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [components.components](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_components)
• [services.services](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_services_items_services)

Direct dependencies:
• [dependencies](https://cyclonedx.org/docs/1.7/json/#dependencies)

Process and data flows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _When models are incorporated into hardware and software systems, CycloneDX supports of declaring full dependency relationships as well as detailing service and data processing workflows._ | --- From 8265a4a565f978917135d216c84a330400b6d151 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 09:14:27 -0500 Subject: [PATCH 133/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 5508467c..2daf7e86 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -123,7 +123,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Annotations;
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | -| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing _data crawling_ workflows, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data crawling processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)| +| 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing data collection workflows using _data crawling_ techniques, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.3.(i) | specify crawler name(s)/identifier(s) | N/A | N/A | | 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | | 2.3.(iii) | General description of crawler behaviour | N/A | N/A | @@ -132,7 +132,7 @@ _In order to increase transparency on the data that is used in the pre-training | 2.3.(vi) | Type of modality covered | N/A | N/A | | 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | -| 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | | | +| 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | | | | 2.4.(ii) | Additional comments *(optional)* | | | | 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | | | From 4ed09684864ae121075e8b42485154cb5c91601a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 10:05:12 -0500 Subject: [PATCH 134/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 2daf7e86..6dc3e199 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -97,6 +97,17 @@ As well as [Recital 107](https://artificialintelligenceact.eu/recital/107/) of t _In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model._ +#### Template mapping notes + +Subsections under Section 2, _"Lists of data sources"_, require similar information around data or datasets and their collection processes using different techniques and from different sources. Therefore, much of the _"Guide references"_ and _"CycloneDX Commentary"_ text will be similar across the following subsections: + +* 2.1, Publicly available datasets +* 2.2, Private non-publicly available datasets obtained from third parties +* 2.3, Data crawled and scraped from online sources +* 2.4, User data +* 2.5, Synthetic data +* 2.6, Other data sources + #### Template mappings | Section | Text | Guide references | CycloneDX Commentary | @@ -122,9 +133,9 @@ _In order to increase transparency on the data that is used in the pre-training | 2.2.2.(i) | Specify the modality(ies) of the content covered by the datasets concerned. | Model data component modalities are declared in the same way as for the model component itself:
• [Declaring a model's modalities](0x40-Design-Additional-Model-Information.md#declaring-a-models-modalities) | Data component modalities as properties:
• [component.properties](https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_properties)

**Note**: _Utilizes property values defined in the the [CycloneDX Property Taxonomy for AI/ML](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/ai-ml.md)_ | | 2.2.2.(ii) | If publicly known, list private datasets obtained from other third parties | Publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | -| 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Annotations;
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | +| 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Comments using annotations:
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing data collection workflows using _data crawling_ techniques, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | -| 2.3.(i) | specify crawler name(s)/identifier(s) | N/A | N/A | +| 2.3.(i) | specify crawler name(s)/identifier(s) | The _data crawler_ would be declared as a CycloneDX component with its name and identifiers provided as described for a model component. See applicable references in the following table sections (above):
• 1.2, "Model identification"
• 1.2.(i), "Versioned model name(s)" | N/A | | 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | | 2.3.(iii) | General description of crawler behaviour | N/A | N/A | | 2.3.(iv) | Period of data collection | N/A | N/A | @@ -133,18 +144,18 @@ _In order to increase transparency on the data that is used in the pre-training | 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | -| 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | | | -| 2.4.(ii) | Additional comments *(optional)* | | | -| 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | | | -| 2.5.(i) | modality of the synthetic data | | | | -| 2.5.(ii) | specify the general-purpose AI model(s) used to generate the synthetic data if available on the market | | | | -| 2.5.(iii) | Information about other AI models, including provider’s own AI model(s) not available on the market, used to generate synthetic data to train the model | | | | -| 2.5.(iv) | Additional comments *(optional)* | | | -| 2.6 | Other sources of data | The following subsections only apply if other information sources were used. | | | -| 2.6.(i) | provide a narrative description of these data sources and the data | | | -| 2.5.(ii) | Additional comments *(optional)* | | | -| 3 | Data processing aspects The following subsections only apply if synthetic information sources were used. | N/A | | -| 3.1 | Respect of reservation of rights from text and data mining exception or limitation | *(measures implemented by the provider to identify and comply with the reservation of rights from the text and data mining (TDM) exception or limitation expressed pursuant to Article 4(3))* | | -| 3.1.(i) | Additional comments *(optional)* | | | +| 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | +| 2.4.(ii) | Additional comments *(optional)* | N/A | N/A | +| 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | N/A | N/A | +| 2.5.(i) | modality of the synthetic data | N/A | N/A | +| 2.5.(ii) | specify the general-purpose AI model(s) used to generate the synthetic data if available on the market | N/A | N/A | +| 2.5.(iii) | Information about other AI models, including provider’s own AI model(s) not available on the market, used to generate synthetic data to train the model | N/A | N/A | +| 2.5.(iv) | Additional comments *(optional)* | N/A | N/A | +| 2.6 | Other sources of data | The following subsections only apply if other information sources were used. | N/A | N/A | +| 2.6.(i) | provide a narrative description of these data sources and the data | N/A | N/A | +| 2.5.(ii) | Additional comments *(optional)* | N/A | N/A | +| 3 | Data processing aspects The following subsections only apply if synthetic information sources were used. | N/A | N/A | +| 3.1 | Respect of reservation of rights from text and data mining exception or limitation | *(measures implemented by the provider to identify and comply with the reservation of rights from the text and data mining (TDM) exception or limitation expressed pursuant to Article 4(3))* | N/A | +| 3.1.(i) | Additional comments *(optional)* | N/A | N/A | | 3.2 | Removal of illegal content | *measures taken to avoid or remove illegal content under Union law from the training data (such as blacklists, keywords, and model-based classifiers), without requiring disclosure of specific details about the provider’s internal business practices or trade secrets* | | | 3.3 | Other information *(optional)* | *Other relevant information about data processing* | | From d078620fd919eeef06d539bda756fb47f550f3fd Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 10:35:58 -0500 Subject: [PATCH 135/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 6dc3e199..0d037005 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -135,7 +135,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.2.2.(iii) | General description of non-publicly known private datasets obtained from third parties | Non-publicly known, third-party, private dataset information would be provided similarly to public datasets.

See references and commentary for _public_ data.
• See "Guide references" and "CycloneDX Commentary" in [Annex: Template for the Public Summary of Training Content](#annex-template-for-the-public-summary-of-training-content-for-general-purpose-ai-models-required-by-article-53), Section 2.1 _"Publicly available data"_ (above) | _See referenced section._ | | 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Comments using annotations:
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing data collection workflows using _data crawling_ techniques, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | -| 2.3.(i) | specify crawler name(s)/identifier(s) | The _data crawler_ would be declared as a CycloneDX component with its name and identifiers provided as described for a model component. See applicable references in the following table sections (above):
• 1.2, "Model identification"
• 1.2.(i), "Versioned model name(s)" | N/A | +| 2.3.(i) | specify crawler name(s)/identifier(s) | The _data crawler_ would be declared as a CycloneDX component with its name and identifiers provided as described for a model component.

See applicable references in the following table sections (above):
• 1.2, "Model identification"
• 1.2.(i), "Versioned model name(s)" | N/A | | 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | | 2.3.(iii) | General description of crawler behaviour | N/A | N/A | | 2.3.(iv) | Period of data collection | N/A | N/A | From 7bfcee88cc741ce5515d1616c064031d8c9b7109 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 10:58:04 -0500 Subject: [PATCH 136/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 0d037005..047f40ad 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -136,7 +136,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.2.2.(iv) | Additional comments *(optional)*

_e.g., the period of data collection, size of the datasets and further details_ | CycloneDX Bills-of-Materials (e.g., an AI/ML BOM) supports `annotations` that allow for comments (made by people, organizations, or tools) about any object with a `bom-ref` such as `components`, `services` or the BOM itself. | Comments using annotations:
• [annotations](https://cyclonedx.org/docs/1.7/json/#annotations)
   ▪ [subjects](https://cyclonedx.org/docs/1.7/json/#annotations_items_subjects) - _list of references (e.g, components, services, etc.) the annotation applies to._
   ▪ [annotator](https://cyclonedx.org/docs/1.7/json/#annotations_items_annotator) - _The organization, person, component, or service which created the textual content of the annotation._
   ▪ [timestamp](https://cyclonedx.org/docs/1.7/json/#annotations_items_timestamp)
   ▪ [text](https://cyclonedx.org/docs/1.7/json/#annotations_items_text) - _The textual content of the annotation._
   ▪ [signature](https://cyclonedx.org/docs/1.7/json/#annotations_items_signature) _(optional)_ - _digital signature of the signer._

**Note**: _Each annotation can optionally have its own unique `bom-ref` which allows reference from other annotations._ | | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing data collection workflows using _data crawling_ techniques, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.3.(i) | specify crawler name(s)/identifier(s) | The _data crawler_ would be declared as a CycloneDX component with its name and identifiers provided as described for a model component.

See applicable references in the following table sections (above):
• 1.2, "Model identification"
• 1.2.(i), "Versioned model name(s)" | N/A | -| 2.3.(ii) | Purposes of the crawler(s) | N/A | N/A | +| 2.3.(ii) | Purposes of the crawler(s) | The crawler software would be declared as a CycloneDX `component` (or `service`) which can include its `description`, documentation via `externalReferences`, `properties` and `annotations`.

See section 2.1, "Publicly available datasets" (above) for how to include component information and section 2.2.2.(iv), "Additional comments" for `annotations`. | N/A | | 2.3.(iii) | General description of crawler behaviour | N/A | N/A | | 2.3.(iv) | Period of data collection | N/A | N/A | | 2.3.(v) | Comprehensive description of the type of content and online sources crawled | N/A | N/A | From f2594aaba148ec3dd5e0cd303f2e2fe94ed2c379 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 11:07:16 -0500 Subject: [PATCH 137/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 047f40ad..d67c79c8 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -137,9 +137,9 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.3 | Data crawled and scraped from online sources *(excluding publicly available datasets already compiled by third parties and made available on platforms such as common crawl that are covered under Section 2.1)*

_The following subsections only apply if "crawlers were used for data collection"._ | Although this guide does not provide specific examples for describing data collection workflows using _data crawling_ techniques, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.3.(i) | specify crawler name(s)/identifier(s) | The _data crawler_ would be declared as a CycloneDX component with its name and identifiers provided as described for a model component.

See applicable references in the following table sections (above):
• 1.2, "Model identification"
• 1.2.(i), "Versioned model name(s)" | N/A | | 2.3.(ii) | Purposes of the crawler(s) | The crawler software would be declared as a CycloneDX `component` (or `service`) which can include its `description`, documentation via `externalReferences`, `properties` and `annotations`.

See section 2.1, "Publicly available datasets" (above) for how to include component information and section 2.2.2.(iv), "Additional comments" for `annotations`. | N/A | -| 2.3.(iii) | General description of crawler behaviour | N/A | N/A | -| 2.3.(iv) | Period of data collection | N/A | N/A | -| 2.3.(v) | Comprehensive description of the type of content and online sources crawled | N/A | N/A | +| 2.3.(iii) | General description of crawler behaviour | See referenced methods for annotations in Section 2.3.(i) (above) | N/A | +| 2.3.(iv) | Period of data collection | See referenced methods in Section 2.2.2.(iv) (above) | N/A | +| 2.3.(v) | Comprehensive description of the type of content and online sources crawled | Each content source the crawler software targeted would be declared as a CycloneDX `component` with the ability to describe the content names, identifiers and location.

See section 2.1, "Publicly available datasets" (above) for how to include component information. | N/A | | 2.3.(vi) | Type of modality covered | N/A | N/A | | 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | From 37429a1787095d929bd94e08f33fea95216f3143 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 11:09:22 -0500 Subject: [PATCH 138/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index d67c79c8..83c51840 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -140,7 +140,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.3.(iii) | General description of crawler behaviour | See referenced methods for annotations in Section 2.3.(i) (above) | N/A | | 2.3.(iv) | Period of data collection | See referenced methods in Section 2.2.2.(iv) (above) | N/A | | 2.3.(v) | Comprehensive description of the type of content and online sources crawled | Each content source the crawler software targeted would be declared as a CycloneDX `component` with the ability to describe the content names, identifiers and location.

See section 2.1, "Publicly available datasets" (above) for how to include component information. | N/A | -| 2.3.(vi) | Type of modality covered | N/A | N/A | +| 2.3.(vi) | Type of modality covered | Each content source can include modality `properties` as referenced in Section 2.2.2.(i) (above). | N/A | | 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | From cc0e9e57a032bdd6216171f7f8d5dbea469aff67 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 11:13:04 -0500 Subject: [PATCH 139/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 83c51840..7b68b007 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -141,7 +141,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.3.(iv) | Period of data collection | See referenced methods in Section 2.2.2.(iv) (above) | N/A | | 2.3.(v) | Comprehensive description of the type of content and online sources crawled | Each content source the crawler software targeted would be declared as a CycloneDX `component` with the ability to describe the content names, identifiers and location.

See section 2.1, "Publicly available datasets" (above) for how to include component information. | N/A | | 2.3.(vi) | Type of modality covered | Each content source can include modality `properties` as referenced in Section 2.2.2.(i) (above). | N/A | -| 2.3.(vii) | Summary of the most relevant domain names crawled | N/A | N/A | +| 2.3.(vii) | Summary of the most relevant domain names crawled | The BOM for the software crawler should have a detailed listing of all crawled sources represented as CycloneDX components (or services). This comprehensive information could be provided using the crawler's BOM itself or the BOM used to produce a summary view. | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | From e91f09da03c0d9d705f6dd4a930200257005bed0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 11:15:43 -0500 Subject: [PATCH 140/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 7b68b007..eb431d91 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -143,7 +143,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.3.(vi) | Type of modality covered | Each content source can include modality `properties` as referenced in Section 2.2.2.(i) (above). | N/A | | 2.3.(vii) | Summary of the most relevant domain names crawled | The BOM for the software crawler should have a detailed listing of all crawled sources represented as CycloneDX components (or services). This comprehensive information could be provided using the crawler's BOM itself or the BOM used to produce a summary view. | N/A | | 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | -| 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)* | The following subsections only apply if user information sources were used. | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | +| 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)*

_The following subsections only apply if user information sources were used._ | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | | 2.4.(ii) | Additional comments *(optional)* | N/A | N/A | | 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | N/A | N/A | From 4dad040846daabbaa4ccc66d4270afbc855df2a0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 12:01:27 -0500 Subject: [PATCH 141/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index eb431d91..cccdd864 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -142,7 +142,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.3.(v) | Comprehensive description of the type of content and online sources crawled | Each content source the crawler software targeted would be declared as a CycloneDX `component` with the ability to describe the content names, identifiers and location.

See section 2.1, "Publicly available datasets" (above) for how to include component information. | N/A | | 2.3.(vi) | Type of modality covered | Each content source can include modality `properties` as referenced in Section 2.2.2.(i) (above). | N/A | | 2.3.(vii) | Summary of the most relevant domain names crawled | The BOM for the software crawler should have a detailed listing of all crawled sources represented as CycloneDX components (or services). This comprehensive information could be provided using the crawler's BOM itself or the BOM used to produce a summary view. | N/A | -| 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | N/A | N/A | +| 2.3.(viii) | Additional comments *(optional)*

_e.g., domain names, URLs and the sources of individual works_ | See Section 2.2.2.(iv) (above) | N/A | | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)*

_The following subsections only apply if user information sources were used._ | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | | 2.4.(ii) | Additional comments *(optional)* | N/A | N/A | From eb50ce19540a94b01e1bd5001a0dd20927b82dae Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 12:03:05 -0500 Subject: [PATCH 142/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index cccdd864..69dcaa5a 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -146,12 +146,12 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)*

_The following subsections only apply if user information sources were used._ | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | | 2.4.(ii) | Additional comments *(optional)* | N/A | N/A | -| 2.5 | Synthetic data | The following subsections only apply if synthetic information sources were used. | N/A | N/A | +| 2.5 | Synthetic data

_ The following subsections only apply if synthetic information sources were used._ | N/A | N/A | | 2.5.(i) | modality of the synthetic data | N/A | N/A | | 2.5.(ii) | specify the general-purpose AI model(s) used to generate the synthetic data if available on the market | N/A | N/A | | 2.5.(iii) | Information about other AI models, including provider’s own AI model(s) not available on the market, used to generate synthetic data to train the model | N/A | N/A | | 2.5.(iv) | Additional comments *(optional)* | N/A | N/A | -| 2.6 | Other sources of data | The following subsections only apply if other information sources were used. | N/A | N/A | +| 2.6 | Other sources of data

_The following subsections only apply if other information sources were used._ | N/A | N/A | | 2.6.(i) | provide a narrative description of these data sources and the data | N/A | N/A | | 2.5.(ii) | Additional comments *(optional)* | N/A | N/A | | 3 | Data processing aspects The following subsections only apply if synthetic information sources were used. | N/A | N/A | From b63f8ca8873db1444d48552c2b437d7badefb014 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 May 2026 12:04:55 -0500 Subject: [PATCH 143/143] EU AI Act mapping draft Signed-off-by: Matt Rutkowski --- ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md index 69dcaa5a..3bbc5554 100644 --- a/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md +++ b/ML-BOM/en/0x92-Appendix-EU-AI-Act-mappings.md @@ -146,7 +146,7 @@ Subsections under Section 2, _"Lists of data sources"_, require similar informat | 2.4 | User data *(information about user data collected by all services and products of the provider, including through mail services, social media platforms, content platforms)*

_The following subsections only apply if user information sources were used._ | Although this guide does not provide specific examples for describing data collection workflows that target _user data_, the _training_ workflow example can be used to extrapolate how this may be done using CycloneDX. | Any data collection processes would be described using CycloneDX workflows:
• [formulation.](https://cyclonedx.org/docs/1.7/json/#formulation)
   ▪ [workflows](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows)
   ▪ [tasks](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_tasks)
   ▪ [runtimeTopology](https://cyclonedx.org/docs/1.7/json/#formulation_items_workflows_items_runtimeTopology)

**Note**: _Best practices would have the data collection processes, for the resultant subject named dataset, captured in a Manufacturing Bill-of-Materials (or MBOM) which could be referenced by an AI/ML BOM for a model that used that dataset for training or finetuning._ | | 2.4.(i) | provide a general description of the provider’s services or products that were used to collect the user data | N/A | N/A | | 2.4.(ii) | Additional comments *(optional)* | N/A | N/A | -| 2.5 | Synthetic data

_ The following subsections only apply if synthetic information sources were used._ | N/A | N/A | +| 2.5 | Synthetic data

_The following subsections only apply if synthetic information sources were used._ | N/A | N/A | | 2.5.(i) | modality of the synthetic data | N/A | N/A | | 2.5.(ii) | specify the general-purpose AI model(s) used to generate the synthetic data if available on the market | N/A | N/A | | 2.5.(iii) | Information about other AI models, including provider’s own AI model(s) not available on the market, used to generate synthetic data to train the model | N/A | N/A |