Current AI's Gap Map: An SBOM-Style Inventory for the Open Source AI Stack
A $400m-backed non-profit has published a v0.1 index of 421 open source AI products across the model, product, and infrastructure layers — useful groundwork for anyone trying to reason about AI supply-chain risk, but not a security assessment in itself.
Key Takeaways
- Current AI, a non-profit founded at the Paris AI Action Summit in February 2025 with $400m in committed capital, has released Gap Map v0.1, cataloguing 421 open source AI products in depth out of over 24,626 projects evaluated.
- The map organises entries — 266 software tools/libraries, 85 models, 50 datasets, and 20 hardware projects from 228 organizations — into 14 categories across three stack layers: model components, product/UX, and infrastructure.
- For security and procurement teams, this is best read as an early SBOM-style reference for the AI supply chain, not a vetted trust list — it maps what exists and where gaps are, not what is safe to deploy.
- Treat any open source model, dataset, or inference tool sourced from the map the same way you'd treat any third-party dependency: verify provenance, licensing, and maintenance status before it enters a production pipeline.
Current AI describes itself as a "global partnership building a public option for AI." It was established as a non-profit at the AI Action Summit in Paris in February 2025 and says it has already secured $400 million in committed capital. Its first major public output, flagged by Simon Willison, is the Open Source AI Gap Map — an attempt to systematically index the state of open source AI.
What's actually in the map
Version 0.1 of the Gap Map documents 421 products in depth: 266 software tools and libraries, 85 models, 50 datasets, and 20 hardware projects, contributed by 228 organizations. These are organised into 14 categories spanning three layers of the stack — model components, product/UX tooling, and infrastructure. Current AI says the depth analysis draws from a much larger pool: it evaluated over 24,626 projects, from foundation models through inference backends, before selecting which to document in detail.
The stated goal is to identify where the open source AI ecosystem has genuine coverage and where it doesn't — for instance, the map's own category breakdown shows areas like training and synthetic datasets with no products rated "mature," versus categories like benchmark and evaluation datasets or orchestration/agent tooling with a double-digit number of mature entries.
Why this matters for security teams
Most organisations adopting open source AI today have no equivalent of a software bill of materials for the models, datasets, and inference tooling they pull in. Teams often can't answer basic supply-chain questions — who maintains this model checkpoint, what data was it trained on, is this inference server still patched — because there has been no shared index to check against. A structured map like this one, even at v0.1 and even with obvious gaps, gives security and platform teams a starting point for that kind of provenance work, in the same spirit as SBOM initiatives for traditional software supply chains.
That said, the Gap Map is a coverage index, not a security assessment. It says what exists and how the ecosystem is organised — it does not attest to a model's provenance chain, a dataset's licensing cleanliness, or an inference tool's patch history. Anyone using it to select a component for a production pipeline still needs to independently verify the underlying package registry, model card, and maintainer activity, the same due diligence already recommended for any third-party dependency pulled from npm, PyPI, or a model hub.
The practical takeaway
If your organisation is evaluating open source models or tooling, a resource like the Gap Map is a reasonable place to start scoping what's available and where the ecosystem is thin — but it doesn't replace your own dependency and provenance review. Treat every open source AI artifact the way you'd treat any other third-party code entering your build pipeline: pin versions, verify the source, and check for known compromise before it reaches production.
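The intake checks named above (pinned version, verified source, known compromise, plus the licensing and maintenance checks mentioned earlier) can be expressed as a gate over an SBOM-style record. This is an added Python example, not part of the original article or of Current AI's Gap Map; the record fields, license allowlist, 365-day threshold and sample artifact are assumptions constructed for illustration.

```python
import hashlib
import re
from datetime import date

# Assumed policy values for this example, not taken from the Gap Map.
ALLOWED_LICENSES = {"Apache-2.0", "MIT"}
MAX_IDLE_DAYS = 365
PINNED_REV = re.compile(r"^[0-9a-f]{40}$")  # full commit hash, not a branch or tag


def review_artifact(entry, payload, today, known_bad=frozenset()):
    """Return the findings that block this artifact; an empty list means admit."""
    findings = []
    digest = hashlib.sha256(payload).hexdigest()
    if not PINNED_REV.match(entry.get("revision", "")):
        findings.append("revision is not pinned to a commit hash")
    if not entry.get("sha256"):
        findings.append("no recorded digest to verify against")
    elif digest != entry["sha256"]:
        findings.append("digest mismatch with inventory record")
    if digest in known_bad:
        findings.append("digest is on the known-compromised list")
    if entry.get("license") not in ALLOWED_LICENSES:
        findings.append("license missing or not on the allowlist")
    last = entry.get("last_maintainer_activity")
    if last is None or (today - last).days > MAX_IDLE_DAYS:
        findings.append("no recent maintainer activity recorded")
    return findings


# Constructed sample data: names, source URL and bytes are invented for illustration.
WEIGHTS = b"constructed-model-weights"
TODAY = date(2025, 6, 1)
GOOD = {
    "kind": "model", "name": "example-llm",
    "source": "https://models.example.org/example-llm",
    "revision": "0123456789abcdef0123456789abcdef01234567",
    "sha256": hashlib.sha256(WEIGHTS).hexdigest(),
    "license": "Apache-2.0",
    "last_maintainer_activity": date(2025, 4, 20),
}
# Same record, but tracking a branch and idle for more than a year.
STALE = dict(GOOD, revision="main", last_maintainer_activity=date(2023, 1, 5))

if __name__ == "__main__":
    for label, entry, data in [("good", GOOD, WEIGHTS), ("stale", STALE, WEIGHTS),
                               ("tampered", GOOD, WEIGHTS + b"!")]:
        print(label, review_artifact(entry, data, TODAY) or "admit")
```

In a real pipeline the digest would be computed over the downloaded file and the inventory record would live in version control beside the build, so a change to either shows up in review.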
Frequently Asked Questions
What is Current AI's Gap Map?
It's a v0.1 index published by the non-profit Current AI that catalogues 421 open source AI products — software tools, models, datasets, and hardware — in depth, organised into 14 categories across three layers of the AI stack, out of over 24,626 projects it evaluated.
Does the Gap Map assess security or safety of the listed projects?
No. It documents coverage and maturity within the open source AI ecosystem, not security posture, provenance verification, or licensing due diligence — those checks still need to be done separately for any component you adopt.
Who funds and runs Current AI?
Current AI is a non-profit founded at the AI Action Summit in Paris in February 2025, and it reports $400 million in committed capital backing its work, per its own site and reporting picked up by Simon Willison.
Sources
1. Open Source AI Gap Map — Simon Willison
2. Open Source AI Gap Map (v0.1) — Current AI
3. Current AI — Current AI