An SBOM is a formally structured list of all components, libraries and modules that make up a piece of software and the supply‑chain relationships between them. Both NTIA and the ACT‑IAC definition compare it to a “nested inventory” or ingredient list.

Who uses an SBOM and for what?

SBOM usage falls into three broad categories: producers use it to maintain their software, purchasers use it for pre‑purchase assurance and to plan implementations, and operators use it to manage vulnerabilities, licenses and supply‑chain risks.

Who should have or produce an SBOM?

NTIA notes that anyone concerned with supporting their software products and customers should generate SBOMs; requirements may emerge for regulated sectors, such as the FDA’s mandate for medical device manufacturers.

What should be included in an SBOM?

Minimum elements include the author’s name, supplier name, component name, version string, a component hash or unique identifier, and the relationship between components; licensing and provenance information should also be included if available.

Why are SBOMs important?

SBOMs improve transparency and security across the software supply chain. Benefits cited in industry guidance include better identification of software components, improved detection of vulnerabilities, faster remediation, greater transparency and customer trust, improved licensing governance and enhanced supply‑chain resiliency.

How often should an SBOM be updated?

NTIA advises that a new SBOM should be created for every new release of a component; any change to a component requires a corresponding update to the SBOM. FDA‑focused guidance similarly notes that SBOMs must be updated whenever software components change.

Merito Company Logo

Application Security in the Age of Agentic Coding: Why Software Bills of Materials (SBOMs) Matter More Than Ever

As agentic coding systems and AI-assisted development reshape software creation, understanding what goes into your codebase is no longer optional—it’s essential. Software Bills of Materials (SBOMs) have become the cornerstone of transparency and trust in modern application security, helping organizations mitigate risks introduced by complex, AI-generated dependencies.

The Rise of Agentic Coding

In recent years, we’ve seen an evolution from traditional software engineering to agentic coding—where autonomous AI agents can generate, modify, and deploy code with minimal human oversight. These AI systems can spin up microservices, refactor APIs, or integrate third-party libraries in seconds. While this has accelerated innovation, it has also introduced a new layer of complexity into application security.

Each automated code generation introduces potential risks:

Unverified open-source dependencies
Outdated libraries with known vulnerabilities
Hidden transitive packages that evade manual review

The challenge isn’t just what AI can build—it’s what it pulls in behind the scenes.

Why SBOMs Are the New Security Baseline

A Software Bill of Materials (SBOM) is a formal record of all components, libraries, and dependencies that make up a software application. Think of it as an ingredient list for your software.

In the age of agentic coding, an SBOM is critical for:

Transparency: Knowing exactly which components and versions are in use.
Vulnerability Management: Quickly identifying when a known CVE affects your environment.
Compliance: Aligning with mandates like U.S. Executive Order 14028 and NIST SP 800-218, which require SBOMs for federal software.
AI Governance: Auditing the provenance and trustworthiness of AI-selected components.

Without an SBOM, your organization risks operating a “” system where even developers can’t confidently describe what’s running in production.

Application Security in the Age of Agentic Coding: Why Software Bills of Materials (SBOMs) Matter More Than Ever

The Rise of Agentic Coding

Why SBOMs Are the New Security Baseline

Challenges in the AI-Driven Era

Integrating SBOMs into Secure Development Pipelines

Looking Ahead

Key Takeaways

Related Blogs

Enterprise Software Testing Strategy With AI: A Practical Guide For Risk-driven SDLC Delivery

Modernize Software Delivery for DoD and IC: Key Takeaways from our Webinar Series

Supercharge your Test Automation with Rapise 8.6 & Inflectra.ai: Here's All You Need to Know!

Previous and Next Posts

Accelerating Quality & Confidence in your software delivery with Automation Testing