RFC-011: AIGP Vendor Trust Package — Reference Register
RFC-011: AIGP Vendor Trust Package — Reference Register
© 2024-2026 Kanjani AI Research & Causum. All rights reserved.
AI Supply Chain Accountability
| # | Reference | Relevance to RFC |
|---|---|---|
| 1 | Ada Lovelace Institute. “Allocating Accountability in AI Supply Chains.” 2023. https://adalovelaceinstitute.org/resource/ai-supply-chains/ | Foundational work on how to assign distinct responsibilities to different actors in AI supply chains — validates the Vendor Trust Package’s separation of enterprise accountability from vendor-delivered AI. |
| 2 | NTIA. “AI Accountability Policy Report: Ensure Accountability Across the AI Lifecycle and Value Chain.” U.S. Dept. of Commerce, 2024. https://www.ntia.gov/issues/artificial-intelligence/ai-accountability-policy-report/ | U.S. government position that accountability should run with the AI system through its entire lifecycle — validates AIGP’s approach of extending governance from internal applications to purchased AI products. |
| 3 | IAPP. “AI Governance Vendor Report 2026.” International Association of Privacy Professionals, 2026. https://iapp.org/resources/article/ai-governance-vendor-report | Industry report categorizing AI governance vendors into policy/compliance, tools/assurance, service, and advisory — validates the market need for a standardized vendor trust interface like the AIGP Trust Package. |
AI Bill of Materials (AI-BOM)
| # | Reference | Relevance to RFC |
|---|---|---|
| 4 | Bom, K. et al. “Blockchain-Enabled SBOM and the AIBOM Future.” arXiv:2307.02088, 2023. | Coins the term “AI Bill of Materials” and extends SBOM concepts to AI systems — directly informs the AI Capability Bill of Materials (AI-BOM) component of the Vendor Trust Package. |
| 5 | Xia, B. et al. “Building an Open AIBOM Standard in the Wild.” arXiv:2510.07070, 2025. | Experience report on AIBOM specification development as an extension of SPDX — validates AIGP’s approach of declaring AI capabilities as structured, machine-readable artifacts. |
| 6 | Fernandez, P. et al. “Operationalising Artificial Intelligence Bills of Materials for Verifiable AI Provenance and Lifecycle Assurance.” Frontiers in Computer Science, 2026. | Proposes AIBOM schema extending CycloneDX with cryptographic validation and agent-driven automation — aligns with AIGP’s HMAC-signed evidence records and machine-verifiable provenance. |
| 7 | IBM Research. “Toward a Transparent Supply Chain for AI.” 2025. https://research.ibm.com/blog/ai-bill-of-materials | IBM’s machine-readable disclosures for Granite 4.0 as a first step toward broader AI-BOM — industry precedent for the AI Capability Bill of Materials approach. |
| 8 | U.S. CISA & G7 Partners. “Minimum Elements for AI Software Bills of Materials.” 2026. | Government guidance on AIBOM requirements — regulatory context validating the Vendor Trust Package’s structured capability disclosure. |
Vendor Transparency and Trust
| # | Reference | Relevance to RFC |
|---|---|---|
| 9 | Center for Democracy & Technology. “A Framework for Assessing AI Transparency in the Public Sector.” CDT, 2025. https://cdt.org/insights/a-framework-for-assessing-ai-transparency-in-the-public-sector/ | Vendor transparency rubric for public administrators — validates AIGP’s tiered Disclosure Profile (Minimal/Standard/Regulated/Confidential Audit) approach. |
| 10 | Gartner. “Hold Your Vendors Contractually Accountable for Responsible AI.” 2021. https://www.gartner.com/en/documents/5734983 | Analyst guidance on contractual AI accountability — validates the Customer Policy Binding mechanism as a machine-readable replacement for manual questionnaires. |
| 11 | Microsoft. “2025 Responsible AI Transparency Report.” 2025. https://blogs.microsoft.com/on-the-issues/2025/06/20/our-2025-responsible-ai-transparency-report/ | Major vendor’s approach to AI governance transparency — industry precedent for the Vendor Manifest and Disclosure Profile components. |
| 12 | Future of Privacy Forum. “More Parties, More Risks, More Opportunity?” FPF, 2025. https://fpf.org/blog/more-parties-more-risks-more-opportunity/ | Reports 30% of cybersecurity breaches originated from third-party relationships in 2025 (doubled from two years prior) — empirical evidence for the governance gap the Vendor Trust Package addresses. |
Conformance and Standards
| # | Reference | Relevance to RFC |
|---|---|---|
| 13 | ISO/IEC 42001:2023. “Information Technology — Artificial Intelligence — Management System.” ISO, 2023. | International standard for AI management systems — the Vendor Trust Package’s framework mapping includes ISO 42001 alignment (Clauses 4-10, Annex A, Annex B). |
| 14 | NIST. “AI 100-1: Artificial Intelligence Risk Management Framework.” NIST, 2023. | U.S. national AI risk framework — the Vendor Trust Package maps GOVERN/MAP/MEASURE/MANAGE functions to Trust Package components. |
| 15 | EU Regulation 2024/1689. “Artificial Intelligence Act.” European Parliament, 2024. | EU AI regulation — the Vendor Trust Package maps to Art. 9-15 (high-risk), Art. 53 (GPAI), Art. 26 (deployer obligations). |
Zero Trust and Disclosure Tiering
| # | Reference | Relevance to RFC |
|---|---|---|
| 16 | Deloitte. “Trustworthy AI Governance in Practice.” 2024. https://www2.deloitte.com/us/en/pages/technology/articles/trustworthy-ai-governance-in-practice.html | Industry guidance on operationalizing AI trustworthiness — context for the Vendor Trust Package’s progressive conformance levels (Observable → Governable → Enforceable). |
| 17 | Cloud Security Alliance. “Agentic Trust Framework: Zero Trust for AI Agents.” 2025. | Zero Trust principles applied to AI — validates the Vendor Trust Package’s default-deny-on-timeout and runtime enforcement at Level 3 (AIGP Enforceable). |
Last updated: June 2026