{"id":8135,"date":"2025-11-24T05:00:00","date_gmt":"2025-11-24T11:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86924"},"modified":"2025-11-24T05:00:00","modified_gmt":"2025-11-24T11:00:00","slug":"the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/11\/24\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai\/","title":{"rendered":"The slow rise of SBOMs meets the rapid advance of AI"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>The slow rise of SBOMs meets the rapid advance of AI | CyberScoop<\/title> <meta name=\"description\" content=\"Despite progress from CISA and global regulators, SBOM adoption in the private sector remains slow as experts debate if AI-driven coding will improve or undermine software security and transparency.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/sbom-adoption-challenges-ai-coding-transparency\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"The slow rise of SBOMs meets the rapid advance of AI\"> <meta property=\"og:description\" content=\"Despite progress from CISA and global regulators, SBOM adoption in the private sector remains slow as experts debate if AI-driven coding will improve or undermine software security and transparency.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/sbom-adoption-challenges-ai-coding-transparency\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> 
<meta property=\"article:published_time\" content=\"2025-11-24T11:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-11-24T19:51:49+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1763493151g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1763502595g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1763439630g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" 
type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86924\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86924\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsbom-adoption-challenges-ai-coding-transparency%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsbom-adoption-challenges-ai-coding-transparency%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86924 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/sbom-adoption-challenges-ai-coding-transparency\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" 
tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.880681818182\">\n<div class=\"single-article__header-content\" readability=\"37.590361445783\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/sbom-adoption-challenges-ai-coding-transparency\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Despite years of effort to make software safer and more transparent with SBOMs, the rise of AI coding assistants is fueling optimism\u2014and, some experts argue, \u201ckind of insane\u201d\u2014claims about a future with vulnerability-free software. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86924\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"A photo-illustration of computer code fading into a digital representation of a human head.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=600,400 600w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Yuichiro Chino\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"116.53390742734\"><body readability=\"237.18094527827\"><\/p>\n<p>Open-source components power nearly all modern software, but they\u2019re often buried deep in massive codebases\u2014hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community\u2019s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.<\/p>\n<p>\u201cI\u2019m a strong, strong supporter of SBOM, and yet we have this emerging thing that\u2019s happening that fundamentally undermines everything that we\u2019ve been working towards,\u201d Sounil Yu, chief AI officer of Knostic, told CyberScoop. 
\u201cIt is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.\u201d<\/p>\n<p>Yu\u2019s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.&nbsp;<\/p>\n<p>\u201cPeople are imagining a future where there are no open-source dependencies or there are no reused dependencies, and therefore there\u2019s nothing to put in an SBOM because every piece of the code is bespoke,\u201d Brian Fox, the co-founder and CTO of Sonatype, told CyberScoop. \u201cI think that\u2019s kind of insane.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"h-where-sbom-policy-stands\">Where SBOM policy stands<\/h4>\n<p>Developed <a href=\"https:\/\/www.nist.gov\/itl\/executive-order-14028-improving-nations-cybersecurity\">under an executive order<\/a> issued under President Joe Biden, the National Telecommunications and Information Administration (NTIA) released the US government\u2019s first official software SBOM <a href=\"https:\/\/www.ntia.gov\/sites\/default\/files\/publications\/sbom_minimum_elements_report_0.pdf\">document<\/a>, The Minimum Elements For a Software Bill of Materials (SBOM), in July 2021. 
That foundational effort was subsequently transferred to the Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n<p>According to Allan Friedman, who is widely considered the \u201cfather\u201d of SBOM and spearheaded that document\u2019s creation, Biden\u2019s order was also clearly intended for SBOMs to be mandated for federal government suppliers under the FAR [Federal Acquisition Regulation], which could have created a transparency floor for all software providers looking to sell into the federal government.<\/p>\n<p>However, neither the National Institute of Standards and Technology (NIST) nor the Office of Management and Budget (OMB) fully spelled out what that requirement would look like, and the hoped-for FAR requirement ended up merely as part of a required software attestation form, according to Friedman, who is now a senior technical adviser at the Institute for Security and Technology (IST).<\/p>\n<p>Two recent developments at CISA have fostered hopes for more widespread and robust SBOMs. On Aug. 22, the agency <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/cisa-issues-draft-software-bill-materials-guide-public-comment\">opened<\/a> a public comment period for an SBOM guide that aims to update the NTIA document to reflect evolving SBOM practices.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>On Sept. 3, CISA, in collaboration with NSA and 19 international partners, released joint guidance outlining<strong>&nbsp;<\/strong>the \u201cgrowing international consensus\u201d for what an SBOM should look like. Participants called the guidance \u201ca significant step forward in strengthening software supply chain transparency and security worldwide.\u201d<\/p>\n<p>As promising as some may find these developments, some experts believe they represent the last vestiges of the Biden administration\u2019s work. 
Former CISA employee Josh Corman, now an executive in residence for public safety and resilience at IST, told CyberScoop that the minimum elements update and the international framework were actions akin to \u201cthe body continuing to move without its head just because of prior commitments to the [Biden] White House.\u201d&nbsp;<\/p>\n<p>While SBOM work has stalled under the Trump administration, other experts believe there is more to come from CISA. \u201c[CISA official] Nick Andersen and [CISA director nominee] Sean Plankey are both supporters of these initiatives,\u201d NetRise co-founder and CEO Tom Pace told CyberScoop. He added, \u201cI know that directly. I also know that we have multiple contracts with the federal civilian agencies, including CISA, that are moving forward for SBOM.\u201d<\/p>\n<p>&nbsp;CISA insists that it has not slowed its work on SBOM\u2014its efforts have increased.<\/p>\n<p>\u201cWe are actively involved in several SBOM-related initiatives, including the G7 Cybersecurity Working Group\u2019s Software Bill of Materials for Artificial Intelligence and the review of nearly 100 public comments on our draft SBOM Minimum Elements,\u201d CISA Director of Public Affairs Marci McCarthy told CyberScoop in a statement. \u201cThe recently released Shared Vision of SBOM highlights and reinforces our operational collaboration in action with both international and domestic partners to advance the use of SBOMs.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Aside from CISA\u2019s actions, other developments at the federal level promise to further advance SBOM. 
The Consolidated Appropriations Act of 2023 <a href=\"https:\/\/www.fda.gov\/medical-devices\/digital-health-center-excellence\/cybersecurity-medical-devices-frequently-asked-questions-faqs\">amended<\/a> the Food, Drug, and Cosmetic Act to mandate SBOMs as part of premarket submissions for healthcare devices at the FDA. In 2023, the Pentagon <a href=\"https:\/\/media.defense.gov\/2023\/Dec\/14\/2003359097\/-1\/-1\/0\/CSI-SCRM-SBOM-MANAGEMENT.PDF\">issued guidance<\/a> that contains recommendations for SBOM management as part of the military\u2019s supply chain risk management strategy.<\/p>\n<p>On the international level, the EU parliament <a href=\"https:\/\/fossa.com\/blog\/sbom-requirements-cra-cyber-resilience-act\/\">adopted<\/a> the Cyber Resilience Act (CRA) in March 2024, which will require all manufacturers and distributors of digital products to share a top-level SBOM with market surveillance authorities as part of the technical documentation provided. The legislation calls for these requirements to take effect in December 2027.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-private-sector-barriers-to-sbom-adoption\">Private sector barriers to SBOM adoption<\/h4>\n<p>Even with these advancements, most software providers still don\u2019t provide SBOMs, and most organizations don\u2019t demand them from their suppliers. Black Duck\u2019s latest <a href=\"https:\/\/www.blackduck.com\/resources\/analyst-reports\/open-source-security-risk-analysis.html\">annual analysis<\/a> found that 86% of commercial codebases contain open-source vulnerabilities, with 81% carrying high- or critical-risk flaws. 
Meanwhile, 95% of websites continue running outdated software with known issues.<\/p>\n<p>\u201cSurveys are showing that only 30% of people are doing anything about this,\u201d Sonatype\u2019s Fox said.&nbsp; \u201cAnd that\u2019s largely because it\u2019s optional.\u201d&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Corman thinks most organizations find transparency \u201cexistentially terrifying.\u201d&nbsp;<\/p>\n<p>\u201cThey have license risks where they\u2019re violating terms and conditions of open-source licenses that can be exposed in lawsuits, and they\u2019re not prone to out themselves voluntarily,\u201d he said.&nbsp;<\/p>\n<p>Along the same lines, Steve Springett, chair of the CycloneDX Core Working Group and board vice chair of the OWASP Foundation, told CyberScoop that many organizations fear the legal ramifications of disclosing flaws in their software. \u201cThe legal departments in a lot of organizations really don\u2019t want them to unnecessarily disclose more information than what is required for normal business activities.\u201d<\/p>\n<p>Nilesh Jain, co-founder and CEO of cybersecurity startup CleanStart, told CyberScoop, \u201cMost companies that we interact with are still trying to figure out the best way to start generating SBOMs. 
Some of the largest enterprises and banks and financing institutions still don\u2019t use it.\u201d<\/p>\n<p>Cyber vulnerability expert Art Manion points to the so-called \u201cnaming problem,\u201d where there are so many versions of software out there that span multiple years, which are tracked using numerous forms of syntax, that it becomes overwhelming to account for this multiplicity in an SBOM framework.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cFundamentally, we really are still blocked by not uniformly calling software the same things,\u201d Manion told CyberScoop. \u201cNo single source can spend enough time or money or be fast enough to collect and name all the software and keep track of it.\u201d<\/p>\n<p>Friedman, however, thinks this naming problem can be solved \u201cwith a little bit of intelligence on the pattern-matching side of things. Instead of trying to build a tool that matches exact string to exact string, we can do some <a href=\"https:\/\/redis.io\/blog\/what-is-fuzzy-matching\/\">fuzzy matching<\/a> with a little bit of data science,\u201d he said.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-will-generative-ai-eliminate-the-need-for-sboms\">Will generative AI eliminate the need for SBOMs?<\/h4>\n<p>While progress on SBOM is slow, there is a simultaneous surge in the adoption and hype cycle of AI-based coding assistants. Some experts believe these tools will reduce or even eliminate software vulnerabilities.<\/p>\n<p>\u201cI\u2019ve created code myself where I\u2019ve instructed my AI coding assistant to go build me some software and not use any software dependencies whatsoever,\u201d Knostic\u2019s Yu told CyberScoop, suggesting that avoiding dependencies can also help prevent vulnerabilities found in those libraries from being included in new software. 
\u201cYou can reference the entirety of open source as a template for what to build, but do not actually use any open-source libraries.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CycloneDX\u2019s Springett agrees with Yu. \u201cIt can be done,\u201d he told CyberScoop. \u201cIt\u2019s just not being done today, but it can be done. I\u2019ve seen it being done. In the short term, AI is going to propel the number of first-party vulnerabilities that we create. But in the longer term, AI will be a good peer code reviewer and code author, and will always be on the lookout for insecure code and suggest safer alternatives to developers.\u201d<\/p>\n<p>Opinions on whether AI can create vulnerability-free systems are sharply divided. \u201cIt\u2019s absolutely not possible,\u201d Manion said. \u201cI have seen no evidence that AI is going to write secure software.\u201d<\/p>\n<p>\u201cThat\u2019s basically saying everything we\u2019ve learned in software engineering over the last 60-plus years is just tossed out the window, and none of those things matter,\u201d Sonatype\u2019s Fox said. \u201cIf you want to recreate the wheel and make all the same mistakes, good luck, man.\u201d<\/p>\n<p>\u201cI don\u2019t think it\u2019s possible,\u201d Biswajit De, co-founder and CTO of CleanStart, told CyberScoop. 
\u201cIt is physically impossible to give everything in your prompts to create vulnerability-free code.\u201d<\/p>\n<p>Friedman is skeptical as well.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cI have a hard time imagining any tool that is trained in the JavaScript or the <a href=\"https:\/\/www.npmjs.com\/\">node package management system<\/a>, which is heavily reliant on thousands of dependencies, just then turning around and saying, \u2018Well, we can write code without dependencies,\u2019 or if they are writing code, it will use those dependencies in practice,\u201d he told CyberScoop.&nbsp;<\/p>\n<p>He added, \u201cAI-generated code will get better. Anyone who looks at what is being produced today will say, \u2018Oh, that\u2019s impressive.\u2019 But large code bases tend to get unwieldy very quickly. You can use AI to try to find and detect vulnerabilities as you write them, but people do that today. There\u2019s nothing magic about AI compared to today\u2019s tools or the future tools.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.3333333333333\">\n<div class=\"author-card\" readability=\"10\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/the-slow-rise-of-sboms-meets-the-rapid-advance-of-ai.png?w=640&#038;ssl=1\" alt=\"Cynthia Brumfield\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Cynthia Brumfield<\/h4>\n<p> Cynthia Brumfield is a veteran communications and technology analyst who is now focused on<br \/>\ncybersecurity. She runs a cybersecurity news and information site, Metacurity.com. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/sbom-adoption-challenges-ai-coding-transparency\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The slow rise of SBOMs meets the rapid advance of<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,384,78,452,293,117,3059,3288,1768,5319,310,643],"tags":[236,388,86,454,299,119,3065,3290,1773,5320,311,645],"class_list":["post-8135","post","type-post","status-publish","format-standard","hentry","category-ai","category-artificial-intelligence-ai","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-government","category-ntia","category-open-source-software","category-software-bill-of-materials","category-source-code","category-technology","category-vulnerabilities","tag-ai","tag-artificial-intelligence-ai","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-government","tag-ntia","tag-open-source-software","tag-software-bill-of-materials","tag-source-code","tag-technology","tag-vulnerabilities"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ntia\/\" rel=\"category tag\">NTIA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source-software\/\" rel=\"category tag\">open source software<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software-bill-of-materials\/\" rel=\"category tag\">software bill of materials<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/source-code\/\" rel=\"category tag\">source code<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category 
tag\">vulnerabilities<\/a>","tag_info":"vulnerabilities","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8135"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8135\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}