ai-bom
Safeguard articles tagged "ai-bom" — guides, analysis, and best practices for software supply chain and application security.
38 articles
AI risk management best practices: a lifecycle framework
NIST's AI RMF has four functions and MITRE ATLAS now tracks 84 adversarial techniques — most AI risk programs still only cover one lifecycle stage.
The emerging role of the AI security engineer
OWASP's 2025 LLM Top 10 ranks prompt injection #1 and calls it structurally unfixable by parameterization — a signal that AppSec skills alone no longer cover the job.
What AI Executive Orders Actually Mean for Enterprise Security Teams
The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.
OWASP Top 10 for LLM Applications: A Practical Walkthrough
OWASP's 2025 LLM Top 10 added three new categories in one revision — here's what changed, why, and concrete mitigation patterns for each risk.
A vendor-neutral checklist for rolling out AI coding assistants safely
437,000+ downloads of a vulnerable mcp-remote bridge and a backdoored Postmark MCP server prove AI assistants are now a live supply-chain surface, not a theoretical one.
From SBOMs to AI BOMs: SPDX 3.0 Explained
SPDX 3.0 adds a formal AI profile for documenting ML models and datasets. Here's what changed, how it compares to CycloneDX, and why it matters now.
Evaluating AI Security Posture Management (AI-SPM) tools:...
A practical, criteria-based comparison of Safeguard and Mend.io for AI-SPM buyers: provenance verification, AI-BOM depth, and CI/CD policy enforcement.
Building A Defensible SBOM Program In 90 Days
A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.
AI-BOM Explained: Tracking Models As Supply Chain
AI models are now first-class supply chain components. Here is how an AI-BOM captures lineage, datasets, runtimes, and evaluations in a way that survives audit.
SBOM-Driven Vendor Onboarding: Procurement Blueprint
Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.
CycloneDX vs SPDX: Which Format For Your Program
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
SBOM Quality: Fields Auditors Actually Check
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.