top of page

Lastest Tech News

[ In Development ]
US News Focused on Technology

Why CISOs should automate SBOM management with AI

<p>Modern software runs on open source. Nearly all codebases -- 98% -- contain open source code, according to a 2026 <a target="_blank" href="https://www.blackduck.com/content/dam/black-duck/en-us/reports/rep-ossra.pdf" rel="noopener">report</a> from cybersecurity vendor Black Duck, which scanned 947 codebases and analyzed nearly 3,000 individual projects between November 2024 and October 2025. Those open source components change constantly as maintainers ship patches, fixes and new versions.</p> <p>A <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-SBOM-with-example-and-template">software bill of materials (SBOM) captures a snapshot</a> of that inventory, so organizations can find and patch vulnerabilities quickly. The moment a developer merges a dependency update or a build pulls a new version, the document drifts from reality. A stale SBOM gives false confidence and slows the enterprise response when a vulnerability lands.</p> <p>Regulation raises the stakes. Under the EU Cyber Resilience Act, beginning Sept. 11, 2026, organizations must report actively exploited vulnerabilities. By Dec. 11, 2027, manufacturers of products with digital elements must include machine-readable SBOMs in their technical documentation. Penalties for non-compliance could reach 15 million euros or 2.5% of global annual turnover. In the U.S., CISA and its partner agencies <a target="_blank" href="https://www.cisa.gov/topics/information-communications-technology-supply-chain-security/sbom" rel="noopener">published</a> joint SBOM guidance in September 2025 that pushes wider adoption. Unlike manual upkeep, AI tools can meet these demands at scale.</p> <h1>How AI-Driven SBOM management works</h1> <p>AI-driven tools treat the SBOM as a living inventory rather than a one-time artifact. They combine automation with machine learning across the following four functions.</p> <ul class="default-list"> <li><b>Continuous generation. </b>The tools plug into your CI/CD pipeline and regenerate the SBOM on every build, so the inventory automatically tracks each release.</li> <li><b>Component identification. </b>Machine learning models, including natural language processing and graph neural networks, identify and classify components and trace transitive dependencies. One multi-model system, for example, <a target="_blank" href="https://www.researchgate.net/publication/399038727_AI-Driven_SBOM_Automated_Software_Bill_of_Materials_Generation_and_Management" rel="noopener">reported</a> 94.7% component detection and 91.3% accuracy in vulnerability mapping.</li> <li><b>Drift detection. </b>AI-driven tools compare the build-time SBOM against what actually runs in production to catch unauthorized packages, supply chain tampering and configuration drift.</li> <li><b>Vulnerability correlation. </b>AI enriches each component with exploitability intelligence and ranks findings by reachability, rather than raw CVE counts, so the highest-risk issues surface first.</li> </ul> <h1>Benefits of using AI to maintain SBOMs</h1> <p>For a CISO, the value of AI for SBOM creation and maintenance lies in accuracy, speed and audit-readiness.</p> <ul class="default-list"> <li><b>Accuracy at scale. </b>AI continuously updates inventory across hundreds of repositories, a task no human team can match by hand.</li> <li><b>Faster incident response. </b>When the next <a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/log4j-vulnerabilities-are-here-to-stay-are-you-prepared-" rel="noopener">Log4Shell</a>-class flaw appears, a current inventory answers the question "are we affected" in minutes instead of days.</li> <li><b>Less noise. </b>Reachability analysis filters out components that pose no real exposure risk, so analysts spend time on issues that matter.</li> <li><b>Compliance readiness. </b>An always-current, machine-readable SBOM satisfies auditors, customers and regulators on demand.</li> </ul> <h1>Risks and challenges</h1> <p><a href="https://www.techtarget.com/searchcio/feature/AI-failure-examples-What-real-world-breakdowns-teach-CIOs">AI does not remove the need for human judgment</a>. Weigh the risks before you rely on it for SBOMs or anything else. CISOs should consider the following:</p> <ul class="default-list"> <li><b>False positives and negatives. </b>Automated tools can flag components that are not in production or miss ones loaded dynamically at runtime. Human review still matters.</li> <li><b>Model opacity. </b>When a model classifies or discards a component, the reasoning can be hard to audit. Demand <a href="https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-about-AI-audit-logs">explainable output you can log</a> and defend.</li> <li><b>Data quality limits. </b>An AI inventory is only as good as the sources it reads. Poor package metadata and incomplete scans produce a confident but incorrect SBOM.</li> <li><b>Automation bias. </b>Teams can over-trust a polished dashboard and stop verifying it. Treat AI output as a strong draft, rather than the final truth.</li> <li><b>A new attack surface. </b>The AI tooling and its models become part of your supply chain. Vet them as you would any other dependency, and <a target="_blank" href="https://www.darkreading.com/cyber-risk/make-ai-bom-usable-modern-security-program" rel="noopener">track your own AI components</a> too.</li> </ul> <h1>Best practices for CISOs</h1> <p>CISOs who decide to automate SBOM management with AI should start with the following steps:</p> <ul class="default-list"> <li>Embed SBOM generation in every CI/CD pipeline so it runs on each build.</li> <li>Compare build-time and runtime SBOMs to catch drift before attackers do.</li> <li>Require explainable output and use human-in-the-loop reviews to verify high-risk findings.</li> <li>Prioritize flaws by reachability and exploitability, not raw vulnerability counts.</li> <li>Vet your SBOM AI tools, models and training data as supply chain components.</li> <li>Map your process to regulatory timelines now, ahead of deadlines.</li> </ul> <p>Additionally, beware of potential pitfalls.</p> <ul class="default-list"> <li>Don't treat the SBOM as a one-time document, rather than a living inventory.</li> <li>Don't trust AI output without validation and a clear audit trail.</li> <li>Don't ignore runtime drift because the build-time SBOM looks complete.</li> <li>Don't wait for regulators to force the conversation. By then, your company could be on the hook for hefty fines.</li> </ul> <p>A current SBOM is the foundation for <a href="https://www.techtarget.com/searchsecurity/tip/4-software-supply-chain-security-best-practices">software supply chain security</a>. AI keeps that inventory continuous and accurate at a scale that manual updates cannot match. By pairing AI tools with human oversight, CISOs can turn a compliance chore into a real-time view of supply-chain risk.</p> <p><em>Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.</em></p>

EU forces Google to open Android under Digital Markets Act

Truth Social will sell Wall Street quicker access to posts

Truth Social will sell Wall Street firms quicker access to market-moving posts from President Donald Trump, the company said on Thursday.

AI-Designed Synthetic CRISPR-Like Nucleases Show Activity in Cells

Scientists used artificial intelligence to design CRISPR nucleases with properties not found in nature, achieving activity that matches or exceeds natural enzymes despite the proteins' complex, multi-domain structure. The post AI-Designed Synthetic CRISPR-Like Nucleases Show Activity in Cells appeared first on GEN - Genetic Engineering and Biotechnology News .

2006 Harley-Davidson Dyna Super Glide 35th Anniversary

This 2006 Harley-Davidson Dyna Super Glide is one of 3,500 35th Anniversary units produced to celebrate the 1971 introduction of the FX Super Glide model, and this example is said to have spent time with two previous owners before its September 2025 acquisition by the seller. Now indicating 4k miles, the motorcycle is finished in Glacier White Pearl with black-outlined red and blue graphics. Power is provided by an air-cooled 88ci Twin-Cam V-twin paired with a six-speed transmission, and equipment includes a drive belt, electronic fuel injection, a dual-outlet exhaust system, front and rear disc brakes, wire-spoke wheels, a two-up seat, a passenger backrest, a fork-mounted storage pouch, highway pegs, and a side stand. This FXD35 is offered with a New York title in the seller's name.

5 Classic Movies Every Cinephile Should Own On 4K Blu-Ray

Blu-Ray has taken some of the most classic movies in cinematic history and turned them into a special experience.

1986 TVR 280i Convertible 4-Speed

This 1986 TVR 280i is one of a claimed 862 convertibles produced and now shows 67k miles. The car is finished in red over tan and red upholstery and is powered by a Ford 2.8-liter V6 paired with a four-speed manual transmission. It rides on basketweave-style 14′′ Ceres wheels with red centers and features a vented hood, pop-up headlights, and a black convertible top with a removable roof panel. Inside, a MOMO steering wheel is accompanied by wood veneer trim as well as VDO instrumentation and a Kenwood AM/FM cassette stereo. This 280i is now offered on consignment by the selling dealer, a BaT Local Partner , in Delaware with partial service records, a clean Carfax report, and a clean Montana title.

YouTube Music is testing a major visual upgrade for its Now Playing screen

First OLED iPad mini tipped for October launch — here's why I'm excited (and worried)

According to Apple tipster Mark Gurman, Cupertino is set to launch its first OLED iPad mini in October, with iPad Air and iPad Pro being refreshed in 2027.

PDQ Door - Waterville Expands Further into Waterville, Maine, with Professional Garage Door Repair and Installation Services

Waterville, ME - PDQ Door - Waterville has expanded its service area further into Waterville, Maine, making its professional garage door repair, installation, and supplier services available to more homeowners throughout the community. The expansion reflects the company's ongoing commitment to delivering dependable garage door solutions supported by experienced technicians, quality products, and responsive customer service across Central Maine.

  • Youtube

Proverbs 3:27

©2026 Decatur Hub

  • Instagram
bottom of page