Skip to content

RFC-011: AIGP Vendor Trust Package — Reference Register

RFC-011: AIGP Vendor Trust Package — Reference Register

© 2024-2026 Kanjani AI Research & Causum. All rights reserved.


AI Supply Chain Accountability

# Reference Relevance to RFC
1 Ada Lovelace Institute. “Allocating Accountability in AI Supply Chains.” 2023. https://adalovelaceinstitute.org/resource/ai-supply-chains/ Foundational work on how to assign distinct responsibilities to different actors in AI supply chains — validates the Vendor Trust Package’s separation of enterprise accountability from vendor-delivered AI.
2 NTIA. “AI Accountability Policy Report: Ensure Accountability Across the AI Lifecycle and Value Chain.” U.S. Dept. of Commerce, 2024. https://www.ntia.gov/issues/artificial-intelligence/ai-accountability-policy-report/ U.S. government position that accountability should run with the AI system through its entire lifecycle — validates AIGP’s approach of extending governance from internal applications to purchased AI products.
3 IAPP. “AI Governance Vendor Report 2026.” International Association of Privacy Professionals, 2026. https://iapp.org/resources/article/ai-governance-vendor-report Industry report categorizing AI governance vendors into policy/compliance, tools/assurance, service, and advisory — validates the market need for a standardized vendor trust interface like the AIGP Trust Package.

AI Bill of Materials (AI-BOM)

# Reference Relevance to RFC
4 Bom, K. et al. “Blockchain-Enabled SBOM and the AIBOM Future.” arXiv:2307.02088, 2023. Coins the term “AI Bill of Materials” and extends SBOM concepts to AI systems — directly informs the AI Capability Bill of Materials (AI-BOM) component of the Vendor Trust Package.
5 Xia, B. et al. “Building an Open AIBOM Standard in the Wild.” arXiv:2510.07070, 2025. Experience report on AIBOM specification development as an extension of SPDX — validates AIGP’s approach of declaring AI capabilities as structured, machine-readable artifacts.
6 Fernandez, P. et al. “Operationalising Artificial Intelligence Bills of Materials for Verifiable AI Provenance and Lifecycle Assurance.” Frontiers in Computer Science, 2026. Proposes AIBOM schema extending CycloneDX with cryptographic validation and agent-driven automation — aligns with AIGP’s HMAC-signed evidence records and machine-verifiable provenance.
7 IBM Research. “Toward a Transparent Supply Chain for AI.” 2025. https://research.ibm.com/blog/ai-bill-of-materials IBM’s machine-readable disclosures for Granite 4.0 as a first step toward broader AI-BOM — industry precedent for the AI Capability Bill of Materials approach.
8 U.S. CISA & G7 Partners. “Minimum Elements for AI Software Bills of Materials.” 2026. Government guidance on AIBOM requirements — regulatory context validating the Vendor Trust Package’s structured capability disclosure.

Vendor Transparency and Trust

# Reference Relevance to RFC
9 Center for Democracy & Technology. “A Framework for Assessing AI Transparency in the Public Sector.” CDT, 2025. https://cdt.org/insights/a-framework-for-assessing-ai-transparency-in-the-public-sector/ Vendor transparency rubric for public administrators — validates AIGP’s tiered Disclosure Profile (Minimal/Standard/Regulated/Confidential Audit) approach.
10 Gartner. “Hold Your Vendors Contractually Accountable for Responsible AI.” 2021. https://www.gartner.com/en/documents/5734983 Analyst guidance on contractual AI accountability — validates the Customer Policy Binding mechanism as a machine-readable replacement for manual questionnaires.
11 Microsoft. “2025 Responsible AI Transparency Report.” 2025. https://blogs.microsoft.com/on-the-issues/2025/06/20/our-2025-responsible-ai-transparency-report/ Major vendor’s approach to AI governance transparency — industry precedent for the Vendor Manifest and Disclosure Profile components.
12 Future of Privacy Forum. “More Parties, More Risks, More Opportunity?” FPF, 2025. https://fpf.org/blog/more-parties-more-risks-more-opportunity/ Reports 30% of cybersecurity breaches originated from third-party relationships in 2025 (doubled from two years prior) — empirical evidence for the governance gap the Vendor Trust Package addresses.

Conformance and Standards

# Reference Relevance to RFC
13 ISO/IEC 42001:2023. “Information Technology — Artificial Intelligence — Management System.” ISO, 2023. International standard for AI management systems — the Vendor Trust Package’s framework mapping includes ISO 42001 alignment (Clauses 4-10, Annex A, Annex B).
14 NIST. “AI 100-1: Artificial Intelligence Risk Management Framework.” NIST, 2023. U.S. national AI risk framework — the Vendor Trust Package maps GOVERN/MAP/MEASURE/MANAGE functions to Trust Package components.
15 EU Regulation 2024/1689. “Artificial Intelligence Act.” European Parliament, 2024. EU AI regulation — the Vendor Trust Package maps to Art. 9-15 (high-risk), Art. 53 (GPAI), Art. 26 (deployer obligations).

Zero Trust and Disclosure Tiering

# Reference Relevance to RFC
16 Deloitte. “Trustworthy AI Governance in Practice.” 2024. https://www2.deloitte.com/us/en/pages/technology/articles/trustworthy-ai-governance-in-practice.html Industry guidance on operationalizing AI trustworthiness — context for the Vendor Trust Package’s progressive conformance levels (Observable → Governable → Enforceable).
17 Cloud Security Alliance. “Agentic Trust Framework: Zero Trust for AI Agents.” 2025. Zero Trust principles applied to AI — validates the Vendor Trust Package’s default-deny-on-timeout and runtime enforcement at Level 3 (AIGP Enforceable).

Last updated: June 2026