Software bill of materials (SBOM) strategies are rapidly evolving. What began as a way to track open source components for compliance and vulnerability management is quickly expanding into something much larger: a broader effort to understand, secure, and govern modern software supply chains.
At the same time, organizations are increasingly adopting AI-powered applications and exploring Artificial Intelligence Bills of Materials (AI BOMs) — which extend software transparency practices to AI systems, datasets, models, and decision logic.
The challenge is that modern software ecosystems are far more complex than traditional package inventories alone.
Applications today depend on:
Cloud services
APIs
Containers
Build systems
CI/CD pipelines
AI/ML models
Deployment infrastructure
Security attestations and provenance data
Traditional SBOM models were never designed to represent this level of complexity.
That's exactly why SPDX 3.0 matters. It gives organizations a more flexible, extensible way to describe software, security, build, dataset, and AI-related metadata as part of a broader supply chain transparency strategy. And it's why Sonatype SBOM Manager now supports SPDX 3.0.
Historically, most SBOMs focused on answering a single question: "What components are included in this application?"
That was an important first step for software transparency.
But organizations today increasingly need answers to much larger questions:
How was this software built?
What services does it depend on?
What relationships exist between artifacts?
What AI models are embedded?
What evidence proves integrity and provenance?
How does software move through the development lifecycle?
Traditional SBOM formats weren't designed to model this level of complexity. SPDX 3.0 addresses these emerging requirements by extending software transparency beyond package inventories and creating a foundation for both SBOM and AI BOM initiatives.
One of the most practical advantages of SPDX 3.0 is that it simplifies how organizations manage software transparency data.
In earlier SPDX versions, VEX (Vulnerability Exploitability eXchange) information typically existed as a separate document that lived alongside the SBOM itself.
That added operational overhead: more files to manage, more artifacts to track, more opportunity for version drift between the SBOM and its VEX data, and more complexity during audits or investigations.
SPDX 3.0 changes this model by allowing VEX information to be embedded directly within the SBOM.
Instead of managing multiple disconnected artifacts, organizations can maintain a more complete and unified software transparency record in a single document.
This creates several advantages:
Fewer documents to track and maintain.
Reduced management overhead.
Improved consistency between SBOM and vulnerability context.
Lower risk of operational errors.
Simpler downstream automation and governance workflows.
For enterprises managing thousands of applications and software artifacts, this consolidation can significantly streamline SBOM operations.
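To make the single-document model described above concrete, here is an added example (not Sonatype's or the SPDX project's code) that walks a constructed SPDX 3.0-style JSON-LD graph and extracts the VEX statements embedded in it, rejecting a "not affected" claim that carries no justification. The element types, field names and the direction of the hasAssessmentFor relationship are assumptions modeled on the SPDX 3.0.1 serialization, and the CVE id is a placeholder.

```python
# Added example, not Sonatype's or SPDX's code. Element types and field names
# follow the SPDX 3.0.1 JSON-LD serialization as assumed here; verify against
# the spec ("hasAssessmentFor" runs from the vulnerability to the package).

# Constructed sample: package + vulnerability + VEX assessment in ONE document.
SAMPLE_SBOM = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg-app",
         "name": "example-app", "software_packageVersion": "1.4.2"},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln-1",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "cve",
                                 "identifier": "CVE-0000-00000"}]},  # placeholder
        {"type": "security_VexNotAffectedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex-1", "relationshipType": "hasAssessmentFor",
         "from": "urn:example:vuln-1", "to": ["urn:example:pkg-app"],
         "security_justificationType": "vulnerableCodeNotPresent",
         "security_impactStatement": "Affected code path is not compiled in."},
    ],
}

# VEX relationship element type -> status label a consumer would act on.
VEX_TYPES = {
    "security_VexAffectedVulnAssessmentRelationship": "affected",
    "security_VexNotAffectedVulnAssessmentRelationship": "not_affected",
    "security_VexFixedVulnAssessmentRelationship": "fixed",
    "security_VexUnderInvestigationVulnAssessmentRelationship": "under_investigation",
}

def vex_status(doc: dict) -> dict:
    """Map (package name, CVE id) -> (status, justification) for every VEX
    relationship in the graph. Raises ValueError when a not_affected claim
    has no justification, since downstream triage cannot rely on it."""
    by_id = {e["spdxId"]: e for e in doc["@graph"]}
    result = {}
    for el in doc["@graph"]:
        status = VEX_TYPES.get(el.get("type"))
        if status is None:
            continue  # packages, vulnerabilities, non-VEX relationships
        justification = el.get("security_justificationType")
        if status == "not_affected" and not justification:
            raise ValueError(f"{el['spdxId']}: not_affected without justification")
        vuln = by_id[el["from"]]
        cves = [x["identifier"] for x in vuln.get("externalIdentifier", [])
                if x.get("externalIdentifierType") == "cve"]
        for target in el.get("to", []):
            for cve in cves:
                result[(by_id[target]["name"], cve)] = (status, justification)
    return result
```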
For many organizations, software transparency requirements are accelerating faster than their tooling strategies.
Security teams are facing increased pressure around:
Supply chain attacks
Provenance verification
Regulatory compliance
Vendor risk management
Open source governance
Software integrity validation
AI risk management and auditability
At the same time, modern development environments are becoming increasingly distributed and dynamic.
Organizations need more than visibility into components. They need context. SPDX 3.0 helps provide that context by enabling richer representations of software relationships, provenance, security data, and emerging AI BOM metadata within a unified framework.
Another major evolution in SPDX 3.0 is support for AI and machine learning systems.
Earlier SBOM standards were not designed to represent AI-specific metadata in meaningful ways. As organizations increasingly adopt AI-powered applications and embedded models, that limitation becomes more significant.
SPDX 3.0 introduces support for AI-related metadata such as:
Hyperparameters
Fine-tuning information
Dataset references
Explainability metadata
Decision thresholds
Energy consumption metrics
This represents an important shift.
Organizations increasingly need visibility not just into which AI components are being used, but how they are being used, trained, tuned, and operationalized.
This level of transparency in AI BOMs is becoming increasingly important for AI governance, regulatory readiness, model risk management, responsible AI initiatives, and enterprise auditability. SPDX 3.0 gives organizations a path to bring AI systems into the same governance conversations already happening around software supply chain security.
This is the fundamental shift enabled by SPDX 3.0.
Before: SBOMs answered, "What packages are present?"
Now: Organizations can understand how software systems are connected. This richer context strengthens incident response, provenance validation, audit readiness, governance, zero-trust initiatives, and AI transparency.
With SPDX 3.0 support, Sonatype SBOM Manager evolves beyond centralized SBOM ingestion and governance. It becomes a platform for operationalizing software supply chain intelligence.
Organizations can now begin managing richer software metadata across:
Development pipelines
Security workflows
Compliance processes
Vendor ecosystems
Software lifecycle governance initiatives
Importantly, this does not require abandoning existing SBOM investments.
Most enterprises will continue operating in heterogeneous environments with multiple standards and formats. Sonatype SBOM Manager helps normalize and operationalize those workflows while enabling organizations to prepare for the future of software transparency.
SPDX 3.0 adoption will not happen overnight. But the direction of the industry is becoming increasingly clear. Software supply chain security is moving toward:
Richer provenance
Stronger attestations
Lifecycle traceability
Interoperable metadata ecosystems
Broader artifact representation
Evolving compliance requirements
By supporting SPDX 3.0, Sonatype SBOM Manager helps organizations prepare for that next phase, which enables richer interoperability, deeper lifecycle visibility, and future-ready software supply chain intelligence.
As SBOMs expand to include AI systems, datasets, provenance, security evidence, and more complex relationships, organizations need tools that can help them manage that complexity without slowing development. Sonatype SBOM Manager gives teams a practical foundation for doing exactly that.