🤖 AI Summary
Existing software and AI bills of materials (SBOMs/AIBOMs) fail to adequately capture the runtime privileges and associated risks of embodied agents, resulting in opaque capabilities. This work proposes AgentRiskBOM—the first machine-readable security bill of materials specifically designed for tool-using autonomous agents—which structurally describes their runtime authority across dimensions including autonomy, tool permissions, memory, credentials, approval mechanisms, audit signals, multi-agent communication, and external actions. Defined via JSON Schema, AgentRiskBOM is accompanied by a risk scenario library, a scoring engine, a drift detector, and a reporting tool. Evaluation across 13 open-source agents and 52 risk scenarios shows that AgentRiskBOM covers an average of 14 out of 16 capability dimensions, achieves 100% risk visibility—substantially outperforming SBOM (10.5%) and AIBOM (20.9%)—and enables the drift detector to accurately identify all 33 deployment variations.
📝 Abstract
Agentic AI systems retrieve private context, invoke tools, write files, call external services, coordinate with other agents, and may act without human approval. Existing bill of materials artifacts improve transparency for dependencies, model metadata, and training provenance, but leave an agentic transparency gap: capability opacity, the absence of a structured account of what a deployed agent can access, remember, change, delegate, and prove afterward. This paper introduces AgentRiskBOM, a security BOM for risk-scoping tool-using AI agents. It is an additive layer over SBOM, AIBOM, and MLBOM artifacts, referencing them where authoritative while adding fields for runtime authority: autonomy, tool permissions, memory, credential scope, approval gates, audit signals, inter-agent communication, and external action capability. We implement AgentRiskBOM as a JSON-schema artifact with a reproducible corpus, risk scenarios, scorer, diff detector, control mapper, and reports. We evaluate AgentRiskBOM on 13 open-source agents spanning coding, RAG, and multi-agent archetypes, plus 52 risk scenarios across 14 categories. The schema validates all 13 corpus artifacts. Coverage analysis gives AgentRiskBOM a native-equivalent score of 14 across 16 capability dimensions, vs. 1 for SBOM, 1.5 for AIBOM and 2 for MLBOM. Across modeled risk categories, AgentRiskBOM exposes 100% risk-category visibility vs. 10.5% for SBOM-like and 20.9% for AIBOM-like views. To test agentic authority drift, we inject 33 structured deployment mutations; the diff detector identifies the correct change type for all mutations. A secondary penalty-based scorer yields a Spearman correlation of 0.73 with the primary scorer, supporting rank-level consistency while showing that thresholds require human calibration. The results show that agentic AI security needs a machine-readable authority-and-risk artifact before incidents occur.