Safeguard
Tag

ai-bom

Safeguard articles tagged "ai-bom" — guides, analysis, and best practices for software supply chain and application security.

38 articles

SBOM

SPDX 3.0 Feature Overview for 2026

What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.

Mar 19, 20265 min read
SBOM & Compliance

VEX Statements: Eliminating SBOM Noise In 2026

An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.

Mar 19, 20266 min read
AI Security

AI-BOM and ML-BOM: The State of Standards in 2026

Where AI-BOM and ML-BOM specifications stand in 2026, which formats have real adoption, and what to capture today even if the standards are still in motion.

Mar 18, 20265 min read
AI Security

AI Bill of Materials (ML-BOM) Standards in 2026

A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile, and what to actually ship.

Mar 18, 20267 min read
SBOM & Compliance

AI-BOM And EU AI Act Article 10 Data Governance

Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.

Mar 14, 20267 min read
SBOM & Compliance

SBOM Cross-Vendor Normalisation: Enterprise Program

Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.

Mar 9, 20267 min read
SBOM & Compliance

SBOM Incident Response: Finding Affected Products Fast

When a critical CVE drops, the only number that matters is minutes-to-blast-radius. Here is how a well-run SBOM programme answers the question in under five minutes.

Mar 4, 20267 min read
SBOM & Compliance

Signed SBOMs As Procurement Leverage

Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.

Feb 27, 20267 min read
AI Security

Model Inventory Tracking: Griffin AI vs Mythos

You cannot secure what you cannot enumerate. Griffin AI maintains a typed inventory of every model, version, and deployment across a tenant. Mythos-class tools approximate the inventory in prose.

Feb 21, 20268 min read
AI Security

SLSA Provenance Consumption: Griffin AI vs Mythos

SLSA provenance is the cryptographic receipt of a build. Griffin AI verifies it, parses it, and uses it as typed evidence. Mythos-class tools describe it and forget to check the signature.

Feb 13, 20267 min read
AI Security

VEX Integration: Griffin AI vs Mythos

VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured statements that filter findings at policy time. Mythos-class tools read them as advisory prose and lose the filtering entirely.

Feb 5, 20267 min read
AI Security

AI-BOM Awareness: Griffin AI vs Mythos

AI-BOM is how you describe an AI system's supply chain — models, datasets, prompts, inference environments. Griffin AI ingests it as structured inventory. Mythos-class tools try to talk about AI while remaining blind to the AI systems they describe.

Jan 29, 20267 min read
ai-bom (Page 2) — Safeguard Blog