ai-bom
Safeguard articles tagged "ai-bom" — guides, analysis, and best practices for software supply chain and application security.
38 articles
SPDX 3.0 Feature Overview for 2026
What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.
VEX Statements: Eliminating SBOM Noise In 2026
An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.
AI-BOM and ML-BOM: The State of Standards in 2026
Where AI-BOM and ML-BOM specifications stand in 2026, which formats have real adoption, and what to capture today even if the standards are still in motion.
AI Bill of Materials (ML-BOM) Standards in 2026
A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile, and what to actually ship.
AI-BOM And EU AI Act Article 10 Data Governance
Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.
SBOM Cross-Vendor Normalisation: Enterprise Program
Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.
SBOM Incident Response: Finding Affected Products Fast
When a critical CVE drops, the only number that matters is minutes-to-blast-radius. Here is how a well-run SBOM programme answers the question in under five minutes.
Signed SBOMs As Procurement Leverage
Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.
Model Inventory Tracking: Griffin AI vs Mythos
You cannot secure what you cannot enumerate. Griffin AI maintains a typed inventory of every model, version, and deployment across a tenant. Mythos-class tools approximate the inventory in prose.
SLSA Provenance Consumption: Griffin AI vs Mythos
SLSA provenance is the cryptographic receipt of a build. Griffin AI verifies it, parses it, and uses it as typed evidence. Mythos-class tools describe it and forget to check the signature.
VEX Integration: Griffin AI vs Mythos
VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured statements that filter findings at policy time. Mythos-class tools read them as advisory prose and lose the filtering entirely.
AI-BOM Awareness: Griffin AI vs Mythos
AI-BOM is how you describe an AI system's supply chain — models, datasets, prompts, inference environments. Griffin AI ingests it as structured inventory. Mythos-class tools try to talk about AI while remaining blind to the AI systems they describe.