Reference / Agent Action BOM

What Is an Agent Action BOM?

If security asks what a coding agent can touch, do not answer with a model list. An Agent Action BOM is the practical artifact that maps AI-assisted software delivery action paths: actor, owner, repo, workflow, credential, reachable actions, target systems, approval rule, and proof coverage.

Last updated: May 7, 2026

When to create one

Create the first Agent Action BOM when a team is about to let an AI-assisted workflow move beyond local suggestions. The trigger is not "AI exists." The trigger is action authority: output is rising, review capacity is limited, and the team needs conditions of trust it can defend later.

Definition

An Agent Action BOM answers a narrow operational question:

What can this AI-assisted engineering workflow touch or change?

The artifact follows the action path rather than only the model or code artifact:

agent/workflow -> repo/PR -> credential -> action -> target -> owner -> approval/proof

Why it exists

AI coding agents and automations can cross boundaries that are usually reviewed separately: repository permissions, CI/CD workflows, secrets, package managers, MCP tools, cloud APIs, release workflows, and production-adjacent systems.

A normal inventory can show that a tool exists. An Agent Action BOM should show what the tool or workflow can do, which review applies, and what evidence survives afterward.

Core fields

Actor and owner

Agent or workflow name, type, human owner, purpose, repo, PR, branch, and source location.

Credential

Token, service account, OAuth grant, CI secret, inherited identity, or short-lived credential.

Reachable actions

Read, write, deploy, delete, execute, secret access, package publish, cloud API, or database write.

Control and proof

Allowed, approval-required, or blocked actions plus evidence of approval, credential use, target system, and outcome.

Checklist version

If the artifact needs to fit into an AppSec review, security briefing, or platform standard, the minimum useful checklist is:

How it differs from an SBOM and an AI inventory

An SBOM lists software components. An AI inventory may list models, prompts, tools, datasets, providers, or approved applications.

An Agent Action BOM maps action authority. It is about what an AI-assisted workflow can touch or change across software delivery.

A first-pass example

A useful first pass can be written in plain language before it becomes a system of record:

Workflow: AI-assisted PR repair
Owner: Platform engineering
Repo: payments-api
Credential: CI token scoped to repo and branch
Reachable actions: read repo, write branch, run tests, comment on PR
Approval-required actions: change workflow files, publish package, deploy
Blocked actions: access production secrets, delete branches, bypass required checks
Proof: PR link, workflow run, credential identity, policy verdict, approver, test result

The value is not the format. The value is that AppSec, platform, and engineering can now discuss a concrete action path instead of arguing over whether the tool is generally safe.

Team questions

How to use it