Take a second. Breathe. Then think back to the last time you bought a pre-packaged sandwich from a high-end deli. I bet you glanced at the label on the back, and not because you’re a nutritionist. Most likely you wanted to make sure that “Artisan Turkey” didn’t hide a payload of unlisted allergens, and you trusted the label because the law says the deli can’t just shrug and say, “It’s proprietary bread, don’t worry about it.”

For decades, the enterprise software industry has operated like a deli with no labels, selling thousand-dollar sandwiches filled with ingredients even the chef couldn’t identify. Call it bloatware or whatever you like, but you ended up with ingredients you never knew you had bought. As we move into 2026, the era of “mystery meat” code is officially over.

For the chief data officer (CDO), the Software Bill of Materials (SBOM) has evolved. It is no longer a niche cybersecurity checklist item but a fundamental pillar of data governance. If you go by the tired adage “data is the new oil,” the SBOM is the chemical analysis that tells you whether that oil is contaminated with lead.

From compliance to chemical analysis

In the early 2020s, an SBOM was essentially a digital receipt: a static PDF that sat in a compliance folder, gathering virtual dust. But according to the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) “2025 Minimum Elements” guidance, the SBOM has gone “live.”

By replacing the passive “Supplier Name” with the more active “Software Producer,” the updated elements reflect the real world: software is no longer “delivered” once but continuously synthesized across its lifetime. CISA now calls for cryptographic fingerprints (Component Hashes) and “Generation Context” (the point in the software lifecycle at which the inventory was produced, and by which tool).

This shift pulls the SBOM into the CDO’s domain. When a board member asks where your data-processing engine came from and what’s inside it, “we bought it from a reputable vendor” won’t cut it. You need the hash, the name of the tool that generated the record, and the digital DNA.
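What “you need the hash” means in practice is that someone has to recompute the hash of the artifact that actually arrived and compare it with what the SBOM claims, and someone has to check that the record carries the producer, tool and timestamp at all. The following is an added example, not code from CISA or from the article: it builds a small, constructed CycloneDX 1.5 JSON document in code (so the embedded hash genuinely matches the constructed artifact bytes), verifies a received artifact against it, and flags components that lack the elements the article names. The mapping from CISA element to CycloneDX field is this example’s own assumption, as are the component and tool names.

```python
import hashlib
import json
from typing import List, Optional

# Constructed stand-in for an artifact a vendor shipped (not a real file).
GOOD_ARTIFACT = b"constructed stand-in for fastjson-2.0.51.jar bytes"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw artifact bytes: the 'component hash' the SBOM should carry."""
    return hashlib.sha256(data).hexdigest()


def build_sbom() -> dict:
    """Constructed CycloneDX 1.5 JSON document, assembled in code so the
    embedded hash really matches GOOD_ARTIFACT. Only 'fastjson' carries a
    hash; 'leftpad-ng' deliberately does not, so the gap can be caught."""
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {
            "timestamp": "2025-11-03T09:15:00Z",
            # CycloneDX 1.5 records the generating tool here; this example
            # treats timestamp + tool as the 'generation context' (assumption).
            "tools": {"components": [
                {"type": "application", "name": "example-sbom-gen", "version": "0.4.1"}
            ]},
        },
        "components": [
            {"type": "library", "name": "fastjson", "version": "2.0.51",
             "supplier": {"name": "Example Producer Ltd"},
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(GOOD_ARTIFACT)}]},
            {"type": "library", "name": "leftpad-ng", "version": "1.3.0",
             "supplier": {"name": "Example Producer Ltd"}},
        ],
    }
    # Round-trip through JSON so the same parsing path as a real file is used.
    return json.loads(json.dumps(doc))


def _sha256_in_sbom(component: dict) -> Optional[str]:
    """The SHA-256 the SBOM claims for a component, or None if it has none."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower()
    return None


def verify_component(sbom: dict, name: str, version: str, received: bytes) -> str:
    """Compare what arrived against what the SBOM claims.
    Returns 'verified', 'hash-mismatch', 'no-hash' or 'not-in-sbom'."""
    for comp in sbom.get("components", []):
        if comp.get("name") == name and comp.get("version") == version:
            expected = _sha256_in_sbom(comp)
            if expected is None:
                return "no-hash"
            return "verified" if expected == sha256_hex(received) else "hash-mismatch"
    return "not-in-sbom"


def check_minimum_elements(sbom: dict) -> List[str]:
    """Flag gaps against the elements the article names (producer, hash,
    generation context). Which CycloneDX field satisfies which element is
    this example's assumption, not CISA's definition."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("generation context: missing timestamp")
    if not meta.get("tools", {}).get("components"):
        findings.append("generation context: missing generating tool")
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("version"):
            findings.append(f"version: {label}")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"software producer: {label}")
        if _sha256_in_sbom(comp) is None:
            findings.append(f"component hash: {label}")
    return findings


if __name__ == "__main__":
    sbom = build_sbom()
    tampered = GOOD_ARTIFACT + b"\x00"  # constructed: one extra byte appended
    print(verify_component(sbom, "fastjson", "2.0.51", GOOD_ARTIFACT))
    print(verify_component(sbom, "fastjson", "2.0.51", tampered))
    print(check_minimum_elements(sbom))
```

The point of the `no-hash` outcome is that a component without a hash is not “probably fine”; it is unverifiable, and should be reported as a gap in the record rather than silently treated as verified.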

So, if you are sitting in Asia, why should you care? Because other nations are following suit, fast.

The Asia Pacific region, for example, is moving from voluntary guidelines to mandatory transparency. Singapore’s Cybersecurity Labelling Scheme (CLS) has expanded its mutual recognition arrangements to include the U.K. and the E.U., which means software sold in the Lion City must now meet global SBOM standards to remain “certified.”

In September 2025, Japan’s Ministry of Economy, Trade and Industry (METI) signed the international “Shared Vision of SBOM for Cybersecurity,” and the following month helped finalize the draft “Guidelines on the Roles Expected of Cyber Infrastructure Providers” (published in Japanese and English), which sets out software supply chain responsibilities with reference to SBOM guidance.

Meanwhile, the E.U. Cyber Resilience Act (CRA) effectively turned the SBOM into a passport for digital products.

The AI Wild West gets a map

The most pressing concern for the modern CDO is, of course, the sprawl of GenAI. We’ve spent the last two years shoving LLMs into every crevice of the enterprise, often with very little idea of what data trained them or what libraries govern their outputs.

Enter the AI-BOM and ML-BOM. Think of them as the missing link in data lineage. For a CDO, the AI-BOM addresses the “black box” problem of model training: it documents the exact datasets, sampling methods and cleaning protocols used to build a model.

The SPDX 3.0 specification and CycloneDX 1.7 (released in October 2025) have expanded the “ingredient list” to include datasets, algorithms and cryptographic inventories (CBOMs). By ingesting these into a central data catalog, a CDO can finally map the flow of information from a raw training set to a specific model output.

This is where the CDO takes the lead. When the legal department asks whether your customer-facing AI was trained on copyrighted material, or whether its encryption is post-quantum resilient, the AI-BOM provides the audit trail. It transforms AI from an unseen liability into a governed asset by providing a “bi-temporal” view: the ability to show exactly what data state influenced a model’s decision at any specific point in history. In other words, a CDO can say “Here is the verified manifest of our model’s training lineage” instead of “I think we’re okay.”
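Mapping a training set to the models it fed is a graph walk over the ML-BOM, and the useful output is not just the map but the places where the map cannot be trusted: a dataset with no hash, no license, or a reference to a dataset component that is not in the document at all. The following is an added example, not the article’s or any vendor’s code, over a constructed CycloneDX ML-BOM. It assumes the CycloneDX 1.5+ model-card layout (a “machine-learning-model” component whose `modelCard.modelParameters.datasets` entries point by `ref` at “data” components); verify the field names against the published schema before relying on them. Model and dataset names are invented for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX ML-BOM (not from any real system). The hash content
# is a placeholder string; only its presence is checked here.
MLBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "components": [
    {"type": "data", "bom-ref": "ds-tickets-2024q3", "name": "support-tickets-2024q3",
     "hashes": [{"alg": "SHA-256", "content": "constructed-sha256-placeholder"}],
     "licenses": [{"license": {"id": "CC-BY-4.0"}}]},
    {"type": "data", "bom-ref": "ds-web-crawl-2025", "name": "web-crawl-2025",
     "licenses": []},
    {"type": "machine-learning-model", "bom-ref": "model-ticket-router-v3",
     "name": "ticket-router", "version": "3.0.0",
     "modelCard": {"modelParameters": {
        "datasets": [{"ref": "ds-tickets-2024q3"}, {"ref": "ds-web-crawl-2025"}]}}},
    {"type": "machine-learning-model", "bom-ref": "model-summarizer-v1",
     "name": "summarizer", "version": "1.0.0",
     "modelCard": {"modelParameters": {
        "datasets": [{"ref": "ds-tickets-2024q3"}, {"ref": "ds-retired-dump"}]}}}
  ]
}
'''


def load_bom(text: str) -> dict:
    return json.loads(text)


def _by_ref(bom: dict) -> Dict[str, dict]:
    """Index every component by its bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}


def training_lineage(bom: dict) -> Dict[str, List[str]]:
    """model bom-ref -> ordered list of dataset bom-refs it was trained on,
    taken from the model card (assumed layout, see lead-in)."""
    lineage: Dict[str, List[str]] = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "machine-learning-model":
            continue
        datasets = comp.get("modelCard", {}).get("modelParameters", {}).get("datasets", [])
        lineage[comp["bom-ref"]] = [d["ref"] for d in datasets if "ref" in d]
    return lineage


def models_trained_on(bom: dict, dataset_ref: str) -> List[str]:
    """Reverse lookup: which models did this dataset feed? This is the
    question that arrives when a dataset turns out to be tainted."""
    return [m for m, refs in training_lineage(bom).items() if dataset_ref in refs]


def lineage_gaps(bom: dict) -> List[Tuple[str, str, str]]:
    """(model, dataset, problem) for every link that cannot be audited:
    a dangling ref, or a dataset with no hash or no license recorded."""
    index = _by_ref(bom)
    gaps = []
    for model, refs in training_lineage(bom).items():
        for ref in refs:
            ds = index.get(ref)
            if ds is None or ds.get("type") != "data":
                gaps.append((model, ref, "dangling ref"))
                continue
            if not any(h.get("alg") == "SHA-256" for h in ds.get("hashes", [])):
                gaps.append((model, ref, "no hash"))
            if not ds.get("licenses"):
                gaps.append((model, ref, "no license"))
    return gaps


if __name__ == "__main__":
    bom = load_bom(MLBOM_JSON)
    print(training_lineage(bom))
    print(models_trained_on(bom, "ds-tickets-2024q3"))
    for gap in lineage_gaps(bom):
        print(gap)
```

The reverse lookup is the one a CDO actually gets asked for: once a dataset is found to contain copyrighted or personal data, `models_trained_on` answers “which of our models does that touch?” from the manifest rather than from memory.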

Automation: Ending the “format wars”

Historically, the biggest headache for data teams was the “Beta vs. VHS” battle between the two leading SBOM formats: SPDX and CycloneDX.

In 2026, that friction has largely evaporated thanks to open-source “universal translators” like Protobom and bomctl under the OpenSSF. These tools translate between the formats with minimal loss (fields that exist in only one format still need an explicit mapping, so check what survives a round trip before relying on it), allowing a CDO to pipe software metadata directly into existing data lakes without worrying about vendor lock-in.

VEX (Vulnerability Exploitability eXchange) takes it to a whole new level. If an SBOM tells you what’s in the software, VEX tells you whether the “ingredients” are actually safe. It allows a vendor to say, for example, “Yes, we use that library, but no, the bug in it cannot be triggered in our environment.” For a CDO, VEX is the filter that turns raw security data into actionable business intelligence.
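The “filter” is mechanical once the rules are written down: join scanner findings to VEX statements by (vulnerability, product), let the newest statement for a pair win, suppress `not_affected` and `fixed`, and keep everything else. Two details matter in practice and are handled below: a `not_affected` claim that gives neither a justification nor an impact statement is not evidence and should not suppress anything, and a finding with no statement at all stays actionable. This is an added example, not the article’s or any vendor’s code; it uses the OpenVEX statement shape, and the scanner output, package URLs and vulnerability IDs are constructed placeholders, not real CVE records.

```python
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed scanner output: (package URL, vulnerability ID).
# The IDs are placeholders for this example, not real CVE records.
SCAN_FINDINGS = [
    ("pkg:maven/example/fastjson@2.0.51", "CVE-0000-0001"),
    ("pkg:maven/example/fastjson@2.0.51", "CVE-0000-0002"),
    ("pkg:npm/leftpad-ng@1.3.0", "CVE-0000-0003"),
    ("pkg:npm/leftpad-ng@1.3.0", "CVE-0000-0004"),
]

# Constructed OpenVEX document, as a vendor might publish it.
VEX_JSON = r'''
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.test/vex/2025-11-03",
  "author": "Example Producer Ltd",
  "timestamp": "2025-11-03T10:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:maven/example/fastjson@2.0.51"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:maven/example/fastjson@2.0.51"}],
     "status": "under_investigation",
     "timestamp": "2025-10-20T08:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:maven/example/fastjson@2.0.51"}],
     "status": "affected",
     "action_statement": "Upgrade to 2.0.52",
     "timestamp": "2025-11-02T08:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:npm/leftpad-ng@1.3.0"}],
     "status": "not_affected"}
  ]
}
'''


def load_vex(text: str) -> dict:
    return json.loads(text)


VEX_DOC = load_vex(VEX_JSON)


def _stmt_time(stmt: dict, doc: dict) -> datetime:
    """Statement timestamp, falling back to the document timestamp."""
    ts = stmt.get("timestamp") or doc["timestamp"]
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_statements(doc: dict) -> Dict[Tuple[str, str], dict]:
    """Newest statement per (vulnerability, product); later statements
    supersede earlier ones for the same pair."""
    index: Dict[Tuple[str, str], dict] = {}
    for stmt in doc.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            key = (vuln, product["@id"])
            if key not in index or _stmt_time(stmt, doc) > _stmt_time(index[key], doc):
                index[key] = stmt
    return index


def triage(findings: List[Tuple[str, str]], vex_doc: dict) -> List[Tuple[str, str, str]]:
    """Findings that still need attention, each with the reason it survived."""
    index = latest_statements(vex_doc)
    actionable = []
    for purl, vuln in findings:
        stmt = index.get((vuln, purl))
        if stmt is None:
            actionable.append((purl, vuln, "no VEX statement"))
            continue
        status = stmt.get("status")
        if status == "not_affected":
            if stmt.get("justification") or stmt.get("impact_statement"):
                continue  # the vendor showed its work; suppress the finding
            actionable.append((purl, vuln, "not_affected without justification"))
        elif status == "fixed":
            continue
        elif status == "affected":
            actionable.append((purl, vuln, stmt.get("action_statement") or "affected"))
        elif status == "under_investigation":
            actionable.append((purl, vuln, "under investigation"))
        else:
            actionable.append((purl, vuln, f"unknown status {status!r}"))
    return actionable


if __name__ == "__main__":
    for row in triage(SCAN_FINDINGS, VEX_DOC):
        print(row)
```

Note the second placeholder vulnerability: an older `under_investigation` statement is superseded by a later `affected` one, so the finding comes out with the vendor’s remediation text rather than being parked. Feeding VEX into a data lake without that supersession rule quietly keeps stale verdicts alive.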

SBOM puts CDOs in charge

The SBOM is now an active data stream, not a passive document. You can call it the metadata of your entire software ecosystem.

As a CDO, you are the steward of the organization’s most valuable asset. If you don’t have a strategy for ingesting, analyzing, and acting upon the SBOMs of your software supply chain, you are flying a plane with a broken fuel gauge. You might be in the air now, but you have no idea what’s happening in the engines.

It’s time for CDOs to start treating the SBOM like the complex, traceable data product it is. After all, the only thing more expensive than transparency is the lack of it.
