SBOMs in 2026: Some Love, Some Hate, Much Ambivalence

Cybersecurity

Dark Reading • December 29, 2025

Companies Mentioned

Docker, Wiz, Linux Foundation, Chainguard, GitHub

Why It Matters

Accurate, actionable SBOMs are critical for effective vulnerability management and regulatory compliance, influencing how enterprises secure increasingly complex software ecosystems.

Key Takeaways

  • Docker Hardened Images ship with full SBOMs and SLSA Level 3 provenance.
  • Most companies generate SBOMs late in the build, often inaccurately and for compliance only.
  • CISA's updated guidance specifies machine‑readable SBOM formats such as SPDX and CycloneDX.
  • Accurate SBOMs are essential for vulnerability prioritization; an SBOM by itself does not reduce risk.
  • SLSA 1.2 and AI BOMs are drawing growing security attention.

Pulse Analysis

The promise of SBOMs, a transparent inventory of software components, has been undercut by practical challenges. Many organizations treat SBOM creation as a final‑step checkbox, producing manifests that miss transitive dependencies, lack usage context, and fail to reflect the true composition of compiled or embedded binaries. That gap creates a false sense of security: a scanner can only prioritize what the manifest lists, so untracked libraries and compromised build pipelines remain exploitable. Uneven adoption of provenance standards across the open‑source ecosystem leaves further gaps in the supply chain, complicating risk assessment for enterprises that rely on third‑party code.

Regulatory pressure is raising the bar for SBOM practice. Executive Order 14028 (for software sold to the US federal government) and the EU's Cyber Resilience Act (for products with digital elements) both call for SBOMs, and CISA's updated minimum‑elements guidance specifies machine‑readable formats such as SPDX and CycloneDX so that SBOMs can be consumed by tooling rather than read by people. Docker's Hardened Images illustrate a proactive response, pairing complete SBOMs with SLSA Level 3 provenance to attest build integrity. Yet most firms still generate SBOMs at the end of the build without validating them, which limits their value to downstream security tooling and compliance audits.

Looking ahead, the industry is expanding beyond traditional SBOMs toward broader provenance frameworks. The Linux Foundation's SLSA 1.2 introduces more granular Build Track definitions that tighten the link between source code and the binaries built from it, while AI bills of materials (AI BOMs) emerge to track datasets, model versions, and training parameters. To move past checkbox compliance, organizations must generate SBOMs early in the CI/CD pipeline, from the build's own dependency resolution rather than a post‑hoc scan, verify them automatically before they are published, and align with SLSA and AI BOM standards. Done that way, SBOMs support regulatory alignment and actually reduce supply‑chain risk rather than merely documenting it.
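To make the failure modes above concrete, here is an added example (not code from the Dark Reading article, nor from Docker, Wiz, Chainguard, GitHub or the Linux Foundation) of the kind of automated check a pipeline can run on a CycloneDX JSON SBOM before accepting it. It flags components that cannot be matched to a vulnerability database, dependency edges that reference components never inventoried (the untracked transitive dependencies from the first paragraph), components with no usage context, and components whose dependencies are simply unknown. The SBOM it audits is a constructed sample with those defects planted; the function names are this example's own.

```python
"""Audit a CycloneDX JSON SBOM for the gaps the article describes.

Added example, not code from the Dark Reading article or from any vendor it
mentions. The SBOM below is a constructed sample, not a real product's BOM.
"""
import json

# Constructed sample SBOM. Deliberate defects: "lodash" has no version or
# purl, express's dependency list points at a "minimist" that was never
# listed, "left-pad" is listed but nothing depends on it, and lodash and
# left-pad have no entry in the dependency graph at all.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "application", "name": "app", "version": "1.0.0",
        "bom-ref": "pkg:npm/app@1.0.0"}},
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "bom-ref": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "bom-ref": "lodash"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0",
         "dependsOn": ["pkg:npm/express@4.18.2", "lodash"]},
        {"ref": "pkg:npm/express@4.18.2",
         "dependsOn": ["pkg:npm/minimist@1.2.5"]},
    ],
})


def declared_refs(bom):
    """Return {bom-ref: component} for the root component and every listed one."""
    refs = {}
    root = bom.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        refs[root["bom-ref"]] = root
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref:
            refs[ref] = comp
    return refs


def audit_cyclonedx(text):
    """Return a dict of findings; every list empty means the SBOM is usable."""
    bom = json.loads(text)
    findings = {"format": [], "unidentified": [], "dangling": [],
                "unreachable": [], "no_dep_entry": []}

    # 1. Machine-readable format: the checks below assume CycloneDX JSON.
    if bom.get("bomFormat") != "CycloneDX":
        findings["format"].append("bomFormat is not CycloneDX")
    if not isinstance(bom.get("components"), list):
        findings["format"].append("components array missing")
        return findings

    refs = declared_refs(bom)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")

    # 2. A component without a version and a purl cannot be matched against
    #    vulnerability databases, so it contributes nothing to prioritization.
    for comp in bom["components"]:
        missing = [f for f in ("version", "purl") if not comp.get(f)]
        if missing:
            findings["unidentified"].append((comp.get("name", "?"), missing))

    # 3. Dependency edges that point at an undeclared ref are transitive
    #    dependencies the SBOM knows about but never inventoried.
    graph = {d["ref"]: list(d.get("dependsOn", []))
             for d in bom.get("dependencies", [])}
    for src, targets in graph.items():
        for tgt in targets:
            if tgt not in refs:
                findings["dangling"].append((src, tgt))

    # 4. Components not reachable from the root have no usage context: either
    #    they are dead weight or the graph is missing edges.
    seen, stack = set(), ([root] if root else [])
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    findings["unreachable"] = [r for r in refs if r != root and r not in seen]

    # 5. CycloneDX distinguishes "no dependencies" (entry with empty dependsOn)
    #    from "unknown" (no entry at all); the latter hides transitive deps.
    findings["no_dep_entry"] = [r for r in refs if r not in graph]
    return findings


def is_actionable(findings):
    """True only if every component is identifiable and the graph is closed."""
    return not (findings["format"] or findings["unidentified"]
                or findings["dangling"])


if __name__ == "__main__":
    result = audit_cyclonedx(SAMPLE_SBOM_JSON)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("actionable:", is_actionable(result))
```

Run as a CI step right after the SBOM generator, failing the build when `is_actionable` is false; the unreachable and no-dependency-entry lists are warnings worth reviewing rather than hard failures, since a library can legitimately be listed without consumers. An SPDX document would need an equivalent walk over its `relationships` array instead of CycloneDX's `dependencies` graph.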
