The Bill of Materials That Was Promised
The G7 Cybersecurity Working Group concluded its plenary at the Agence nationale de la sécurité des systèmes d'information in Paris on May 27, 2026. Eleven days later, on June 8, the European Commission published its welcome statement on the G7 Cybersecurity Declaration, endorsing the priorities the working group had set out under the French presidency. The plenary readout from ANSSI names four priorities for 2026: migration to post-quantum cryptography, cybersecurity risks from and to artificial intelligence systems, telecommunications resilience, and protection of small and medium enterprises.
The deliverable that matters for the agentic governance arc is buried in the second priority. The G7 working group commissioned the Italian Agency for National Cybersecurity (ACN) and the German Federal Office for Information Security (BSI) to co-author a document titled Minimum Elements for a Software Bill of Materials for Artificial Intelligence. The UK government's published version of the G7 Digital and Technology Ministerial Declaration makes the deliverable explicit. The document is not yet final, but the political mandate is committed and the working track is funded.
This is the first time the institutional record on agentic risk has produced a named, jurisdictionally agreed-upon artifact for the supply-chain layer.
What the Declaration Names
The G7 Cybersecurity Declaration treats artificial intelligence as a dual-use object. The same systems that ANSSI describes as productivity infrastructure are the systems being weaponized in the threat actor's toolkit. The Commission's welcome statement cites the LLM-assisted vulnerability discovery problem and the LLM-assisted code generation problem in the same paragraph that endorses AI as a positive force for security operations. The framing is deliberate. The G7 is no longer treating these as separate workstreams. They are treated as a single surface with two faces.
Verik takes the declaration seriously and agrees with the structural diagnosis. The work this essay attempts is to extend it.
The declaration's center of gravity is the supply-chain artifact. A software bill of materials is, in the traditional sense, an enumeration of the components inside a shipped piece of software. The artifact answers the question of what is in the box. The minimum elements specification, developed for conventional software by NTIA in 2021 and operationalized in successive CISA guidance, defines what fields an SBOM must carry to be useful to the consumer of the software: supplier name, component name, version, other unique identifiers, dependency relationships, the author of the SBOM data, and a timestamp. An SBOM for artificial intelligence is meant to do the analogous work for AI systems: enumerate the training data, the model weights, the dependencies, the fine-tuning artifacts, the evaluation environments.
The diagnosis the declaration makes is that the consumer of an AI system today cannot answer what is in the box. The vendor can answer it. The platform can answer it. The hyperscaler hosting the inference endpoint can answer it. The consumer, who is the entity assuming the deployment risk, cannot.
The Joyce Testimony as the Companion Document
Four days before the Commission published the welcome statement, the United States House Committee on Homeland Security received testimony at the hearing titled Cybersecurity of Critical Infrastructure: Meeting the Deepening Threat. The retired Director of Cybersecurity at the National Security Agency, Robert Joyce, delivered testimony that named the use of large language models in offensive cyber operations as already operational. The same week. The same diagnosis from two governance venues an ocean apart.
The G7 declaration and the Joyce testimony book-end the same surface. The Joyce testimony names the threat in operational language: large language models are reducing the cost and skill barrier for offensive operations, and adversaries are using them. The G7 declaration names the remediation direction: the consumer of an AI system needs a structured manifest of what is inside it before deployment risk can be assessed.
The distance between the two is the distance the agentic governance arc has been trying to close for eighteen months. The threat actor has tooling. The defender has language. The defender does not yet have an inspectable artifact.
What an SBOM for AI Can and Cannot Do
The declaration's commitment to the SBOM-for-AI specification is, on its own terms, a useful step. An inspectable manifest of training data sources, fine-tuning artifacts, weight provenance, and dependency lineage is the kind of artifact a regulator can compel and a consumer can verify. That is the function the NTIA minimum elements work performed for conventional software. It is also the function the Commission's revised Cybersecurity Act companion to the Cyber Resilience Act is now extending to embedded systems and connected products.
What an SBOM does well is what it has always done. It documents the provenance chain of an artifact at a moment in time. It is a structured statement of what the artifact contains as the artifact was constituted, and a consumer holding the artifact can check that statement against the bytes actually shipped.
What an SBOM does less well is document the behavior of the system at runtime. The provenance chain answers the question of what is in the box at shipment. It does not answer the question of what the box does when the box is connected to other boxes, given delegated authority over tools, allowed to spawn subordinate agents, and turned loose on a workspace whose state changes faster than the manifest can be re-verified.
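As an added worked example, not part of this essay or of any G7, NTIA, ACN or BSI document, the following Python sketches the consumer-side check an SBOM makes possible: it enforces the NTIA 2021 minimum element fields and verifies the recorded digests against the shipped weights and fine-tuning data. The manifest layout, the purl-style identifiers, the vendor name and the file contents are constructed for the illustration and do not follow any published AI-SBOM schema. The tool-registry entry is deliberately included to show the limit of the artifact: it is named, but there is nothing in it a consumer can verify at runtime.

```python
"""Added example: a consumer-side check of an AI SBOM against the NTIA
minimum elements and against the shipped files. The manifest format and
sample data are constructed for this illustration, not a real schema."""
import hashlib
import os
import tempfile

# NTIA 2021 minimum elements: per-component data fields and document-level fields.
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "identifier", "depends_on")
NTIA_DOCUMENT_FIELDS = ("author", "timestamp", "components")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large weight files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_minimum_elements(manifest: dict) -> list[str]:
    """Return NTIA minimum-element violations; an empty list means compliant."""
    problems = []
    for field in NTIA_DOCUMENT_FIELDS:
        if field not in manifest:
            problems.append(f"document missing {field}")
    components = manifest.get("components", [])
    known = {c.get("identifier") for c in components}
    for comp in components:
        label = comp.get("name", "?")
        for field in NTIA_COMPONENT_FIELDS:
            if field not in comp:
                problems.append(f"{label} missing {field}")
        # A dependency relationship is only useful if it resolves to an entry in the manifest.
        for dep in comp.get("depends_on", []):
            if dep not in known:
                problems.append(f"{label} depends on unknown {dep}")
    return problems


def verify_artifact_digests(manifest: dict, root: str) -> dict[str, bool]:
    """For each component that ships a file, compare the recorded SHA-256 to disk."""
    results = {}
    for comp in manifest["components"]:
        if "file" in comp:
            actual = sha256_file(os.path.join(root, comp["file"]))
            results[comp["identifier"]] = actual == comp["sha256"]
    return results


def demo() -> tuple[list[str], dict[str, bool]]:
    """Build a constructed bundle: intact weights, a tampered dataset, and its manifest."""
    with tempfile.TemporaryDirectory() as root:
        weights = b"\x00" * 1024           # constructed stand-in for model weights
        dataset = b"prompt,completion\n"   # constructed stand-in for fine-tuning data
        with open(os.path.join(root, "model.bin"), "wb") as f:
            f.write(weights)
        # The dataset on disk has a row the manifest was not generated against.
        with open(os.path.join(root, "finetune.csv"), "wb") as f:
            f.write(dataset + b"injected,row\n")
        manifest = {
            "author": "example-vendor-sbom-tool",    # hypothetical SBOM author
            "timestamp": "2026-06-01T00:00:00Z",
            "components": [
                {"supplier": "ExampleVendor", "name": "example-llm", "version": "1.0",
                 "identifier": "pkg:generic/example-llm@1.0",
                 "depends_on": ["pkg:generic/finetune-set@3"],
                 "file": "model.bin", "sha256": hashlib.sha256(weights).hexdigest()},
                {"supplier": "ExampleVendor", "name": "finetune-set", "version": "3",
                 "identifier": "pkg:generic/finetune-set@3", "depends_on": [],
                 "file": "finetune.csv", "sha256": hashlib.sha256(dataset).hexdigest()},
                # Runtime dependency the manifest names but does not ship: nothing
                # here is checkable against bytes, and the entry is incomplete.
                {"supplier": "ExampleVendor", "name": "tool-registry", "version": "2026-05",
                 "identifier": "pkg:generic/tool-registry@2026-05"},
            ],
        }
        return check_minimum_elements(manifest), verify_artifact_digests(manifest, root)


if __name__ == "__main__":
    violations, digests = demo()
    print("minimum-element violations:", violations)
    print("digest checks:", digests)
```

The digest check catches the tampered fine-tuning set because the manifest recorded a hash for it; the tool-registry entry fails only the field check, and would pass untouched if its fields were filled in, which is the artifact-versus-function gap the essay is describing.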
That second question is the agentic question. It is the question the model layer evaluators at the European AI Office's Scientific Panel are not directly tasked with, and the question the Joyce testimony was implicitly asking the committee to consider.
The Pivot from Artifact to Function
The structural critique the agentic governance arc has been developing is that institutional remediation tends to converge on artifacts rather than functions. The artifact is the thing that can be specified, audited, retained, and presented to a regulator. The function is the thing the artifact is supposed to perform.
The SBOM-for-AI is an artifact. It is well-designed, it has the right institutional sponsorship, and the working tracks at ACN and BSI are technically credible. The artifact will exist.
Whether the artifact carries the function depends on details the declaration does not yet specify. Does the SBOM-for-AI manifest extend to the runtime workspace where an agent operates? Does it cover the tool registry the agent calls? Does it cover the credentials the agent is issued and the revocation horizon those credentials are bound to? Does it cover the audit log the agent writes, the verifier that determines whether the agent did what was asked, the channel the agent uses to communicate with other agents in a multi-agent system?
These are not artifact questions. They are function questions. The SBOM specification, as it exists for conventional software, was scoped to artifact. The minimum elements work was concerned with what is in the box at shipment. The minimum elements work for AI will inherit that scope unless the working group expands it.
There are reasons the working group should expand it. The ANSSI plenary readout names the four priorities of 2026 in sequence, and three of the four (post-quantum migration, telecommunications resilience, SME protection) are scoped at the deployment layer rather than the artifact layer. The AI priority is the outlier. It is the only one of the four that has so far been answered with an artifact specification rather than a deployment specification.
That asymmetry is informative. The G7 has agreed on what the artifact must contain. It has not yet agreed on what the deployment substrate must instrument.
The 2027 Transition
The United States assumes the G7 presidency in 2027. The continuity question that follows is whether the SBOM-for-AI working track survives the transition with its scope intact or with its scope expanded. The pattern in past transitions has been that working tracks survive but their language drifts toward the priorities of the incoming presidency. The next presidency's priorities, on current public signals, will weight the deployment-substrate question more heavily than the artifact-manifest question.
If that drift occurs in the direction the institutional record currently points, the SBOM-for-AI specification may evolve into a deployment specification. If the drift does not occur, the specification will remain an artifact specification, and the function it was supposed to carry will need a different vehicle.
What remains on the table:
- Whether the SBOM-for-AI minimum elements specification scopes the runtime workspace and audit log, or remains bounded to training-time artifact provenance.
- Whether the ACN and BSI working tracks produce a specification consumers can verify, or one only platform providers can satisfy.
- Whether the United States presidency in 2027 extends the SBOM-for-AI scope to deployment substrate or leaves it at artifact.
- Whether the asymmetry between the artifact-anchored AI priority and the deployment-anchored telecommunications and SME priorities is corrected before 2027.
The policy instruments and the deployment tempo are not aligned.