The Case for AIBOMs

Alex Berke
October 15, 2025

DoW’s Next Move on AI Risk

AI is no longer emerging inside the government. It is already in prototypes, pilots, and production systems. The question now is whether the Department of War (DoW) can manage the risks that come with it. The answer depends on whether DoW embraces AI Bills of Materials (AIBOMs) as the foundation for governance and oversight, just as it has already done with SBOMs for software.

A New Policy Era

The federal government has moved decisively. President Trump’s Executive Order 14179 (January 2025) reset AI policy, revoking Biden-era directives under EO 14110. OMB followed with M-25-21 on federal AI governance and M-25-22 on AI acquisition. Together they require “high-impact AI” designations, pre-deployment testing, impact assessments, continuous monitoring, and Chief AI Officers to lead governance.

Inside DoW, this overlays the Responsible AI Strategy, the CDAO toolkits (including for generative AI), and DoWD 3000.09 on autonomy in weapons systems. All of these demand lawful, ethical, testable AI. The policy scaffolding is clear. What is missing is a standard that makes it enforceable in practice.

DoW’s AI Risk Blind Spot and How to Fix It

Here is the uncomfortable truth: the Pentagon does not actually know what is inside many of the AI models its teams are deploying. Open-weight models, fine-tuned versions, and commercial APIs are flowing into systems without full visibility. Vendors are shipping AI features without disclosing the models, datasets, or licenses that power them. Oversight officials are left cobbling together inventories after the fact.

That is a governance failure, and it collides directly with OMB’s new mandates for testing, monitoring, and impact assessments.

The solution is straightforward. AIBOMs create a living inventory of models, datasets, and licenses, the missing evidence base for AI governance. If DoW adopted them today:

  • Program security would finally know what is in the stack before sensitive data enters.
  • Acquisition officials would gain leverage over vendors with contractual AIBOM requirements, upkeep obligations, and audit support.
  • Governance leaders, including CAIOs and auditors, would have defensible evidence for Congress, GAO, and inspectors general.
  • Incident responders could immediately pinpoint where a newly discovered vulnerability or risk in an open-weight model is deployed, reducing blast radius and accelerating remediation before adversaries exploit it.

This is what “good” looks like. Faster Authorities to Operate because assurance evidence is pre-packaged. Cleaner procurements because disclosure is contractual. Defensible audits because inventories are always current. Faster incident response because risk is traceable in real time.
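The two uses the list above puts most weight on, knowing what is in the stack before data enters and locating an affected model across deployments during an incident, come down to querying the inventory. The following is an added example, not Manifest's code or any DoW tooling. It constructs a small fleet of AIBOMs for three hypothetical systems, loosely following the CycloneDX 1.5 `machine-learning-model` component type (the field subset, system names, model names, versions and hashes are all constructed assumptions), then runs an inventory-gap check and a blast-radius lookup for a constructed advisory.

```python
"""Added example (not Manifest's code): querying a fleet of AIBOMs.

Shows an inventory check that flags models whose license or integrity hash
is undisclosed, and an incident-response lookup that answers "where is the
affected open-weight model deployed?". The component shape loosely follows
the CycloneDX 1.5 "machine-learning-model" component type; the field subset
and every value below are constructed assumptions.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

AIBOM = Dict  # one CycloneDX-style document per system
REQUIRED_MODEL_FIELDS = ("licenses", "hashes")  # minimum evidence we insist on


def _model(name: str, version: str, license_id: Optional[str] = None,
           digest: Optional[str] = None) -> Dict:
    """Build a constructed machine-learning-model component."""
    comp = {"type": "machine-learning-model", "name": name, "version": version}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    if digest:
        comp["hashes"] = [{"alg": "SHA-256", "content": digest}]
    return comp


# Constructed sample fleet: three systems, each with its own AIBOM.
FLEET: List[AIBOM] = [
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "application", "name": "logistics-forecaster"}},
     "components": [
         _model("acme/open-llm", "2.1.0", "Apache-2.0", "sha256-constructed-a"),
         {"type": "data", "name": "shipping-logs-2024", "version": "1"},
     ]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "application", "name": "triage-assistant"}},
     "components": [
         _model("acme/open-llm", "2.0.3", "Apache-2.0", "sha256-constructed-b"),
     ]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"type": "application", "name": "imagery-classifier"}},
     "components": [
         _model("acme/open-llm", "2.2.0", "Apache-2.0", "sha256-constructed-c"),
         # Vendor shipped the model without disclosing its license.
         _model("vendor/vision-net", "1.0", None, "sha256-constructed-d"),
     ]},
]


def system_name(bom: AIBOM) -> str:
    """The system an AIBOM describes (CycloneDX metadata.component.name)."""
    return bom["metadata"]["component"]["name"]


def iter_models(bom: AIBOM) -> Iterator[Dict]:
    """Yield only the ML model components of one AIBOM."""
    for comp in bom.get("components", []):
        if comp.get("type") == "machine-learning-model":
            yield comp


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple, e.g. 2.10.1 -> (2, 10, 1)."""
    return tuple(int(part) for part in version.split("."))


def inventory_gaps(bom: AIBOM) -> List[Tuple[str, str]]:
    """Models lacking required evidence, as (model name, missing field) pairs."""
    gaps = []
    for model in iter_models(bom):
        for field in REQUIRED_MODEL_FIELDS:
            if not model.get(field):
                gaps.append((model["name"], field))
    return gaps


def find_deployments(fleet: List[AIBOM], model_name: str,
                     is_affected: Callable[[str], bool]) -> List[str]:
    """Systems deploying an affected version of model_name (sorted, deduplicated)."""
    hits = set()
    for bom in fleet:
        for model in iter_models(bom):
            if model["name"] == model_name and is_affected(model["version"]):
                hits.add(system_name(bom))
    return sorted(hits)


def before_2_2_0(version: str) -> bool:
    """Constructed advisory: acme/open-llm versions before 2.2.0 are affected."""
    return version_tuple(version) < (2, 2, 0)


if __name__ == "__main__":
    print("blast radius:", find_deployments(FLEET, "acme/open-llm", before_2_2_0))
    for bom in FLEET:
        for name, field in inventory_gaps(bom):
            print(f"{system_name(bom)}: {name} is missing {field}")
```

The `is_affected` predicate is deliberately separate from the lookup so that an advisory's version range is the only thing that changes between incidents; the AIBOMs themselves stay the same living inventory the section describes. In practice the fleet would be loaded from the AIBOM files each program keeps current, not embedded as here.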

Rethinking Risk Management

DoW officials already admit the Risk Management Framework (RMF) has drifted into a box-checking exercise. Senior leaders say they are ready to replace it with continuous monitoring, the only posture AI demands. The Software Fast Track (SWFT) program shows the path forward by prioritizing secure-by-design and ongoing assurance instead of static paperwork. AIBOMs can extend that approach to AI.

Why AIBOMs Are Mission Critical

  • Continuity across shifting policy. EO 14179 reset direction and OMB rewrote the memos. AIBOMs endure across administrations and audits.
  • Interoperability with SBOMs. DoW already relies on SBOMs to manage software risk. Extending the same practice to AI is seamless.
  • Mission fit. Responsible AI strategies, autonomy directives, and evolving risk frameworks demand evidence of provenance, testing, oversight, and incident response capabilities. AIBOMs provide exactly that.

Bottom Line

The Pentagon has the policies. It has the urgency. What it does not yet have is a standard. AIBOMs can give DoW the transparency it is missing and the governance system it needs. Without them, AI risk management will remain reactive, fragmented, and indefensible. With them, DoW can deliver AI at speed and with trust.

To learn how Manifest is approaching AIBOMs and mission assurance, contact us.
