“Maintain an up-to-date inventory of components using a Software Bill of Materials (SBOM)… this can also include license inventories.” Extend it to models, datasets, and adapters — an AIBOM.
When malicious versions of torchtriton (Slide 9) and Ultralytics (Slide 10) surfaced, the urgent question for every team was "are we affected, and where?" Without an inventory you can't answer that in an incident: you're grepping production by hand while the clock runs.
→ Generate an SBOM/AIBOM automatically in CI, every build — packages, models, datasets, adapters, versions, and content hashes of the artifacts, so a swapped model file is detectable, not just a bumped version
→ Include license info so a bad license (Slide 18) is visible before you ship
→ Make it queryable: “does anything we run use package X version Y?” should take seconds
Name yesterday's CVE and ask your inventory whether you're exposed. If producing the answer takes more than a minute, your SBOM isn't real yet.
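The three checks the bullets above ask for (exposure query, license gate, hash verification) over one small CycloneDX-style AIBOM, as an added example that is not from the original deck or any project it mentions. It uses only the standard library; the JSON layout is a simplified subset of CycloneDX 1.5 (which does define `machine-learning-model` and `data` component types), the purl strings are illustrative, and the package `Fast_Vision`, every version number, the "advisory" and the artifact bytes are constructed for the demo, not taken from any real incident.

```python
"""Build a CycloneDX-style AIBOM and answer "are we exposed?" in one query.
Added example; the packages, artifacts and advisory below are constructed."""
import hashlib
import json
import os
import re
import tempfile
from importlib import metadata


def sha256_file(path, chunk=1 << 20):
    """Hash an artifact in chunks so a multi-GB checkpoint never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def normalize(name):
    """PEP 503 name normalisation: Torch.Triton, torch_triton and TORCH-TRITON all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_component(name, version, license_id=None):
    c = {"type": "library", "name": name, "version": version,
         "purl": f"pkg:pypi/{normalize(name)}@{version}"}  # illustrative purl
    if license_id:
        c["licenses"] = [{"license": {"id": license_id}}]
    return c


def artifact_component(kind, name, version, path, license_id=None):
    """kind is 'machine-learning-model' or 'data' (CycloneDX 1.5 component types).
    The recorded hash is what lets you prove the deployed file is the inventoried one."""
    c = {"type": kind, "name": name, "version": version,
         "hashes": [{"alg": "SHA-256", "content": sha256_file(path)}]}
    if license_id:
        c["licenses"] = [{"license": {"id": license_id}}]
    return c


def installed_packages():
    """What the CI step records: every distribution in the build environment."""
    return [package_component(d.metadata["Name"], d.version, d.metadata.get("License"))
            for d in metadata.distributions()]


def build_aibom(components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


def find_component(bom, name, versions=None):
    """'Does anything we run use package X version Y?' Exact-version match;
    versions=None means any version of X."""
    want = normalize(name)
    return [c for c in bom["components"]
            if normalize(c["name"]) == want and (versions is None or c["version"] in versions)]


def license_findings(bom, denylist):
    """Components with a denied license, plus components with no license recorded:
    'unknown' is a finding, not a pass."""
    out = []
    for c in bom["components"]:
        ids = [l["license"]["id"] for l in c.get("licenses", [])]
        if not ids:
            out.append((c["name"], "unknown"))
        out.extend((c["name"], i) for i in ids if i in denylist)
    return out


def hash_mismatches(bom, paths):
    """Re-hash deployed artifacts (name -> path) against what the inventory recorded."""
    recorded = {c["name"]: c["hashes"][0]["content"]
                for c in bom["components"] if "hashes" in c}
    return [n for n, p in paths.items() if n in recorded and sha256_file(p) != recorded[n]]


def demo():
    """Constructed inventory in a temp dir; 'Fast_Vision' and all versions are made up."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, fn) for n, fn in
                 [("detector", "detector.safetensors"), ("detector-lora", "lora.safetensors"),
                  ("train-set", "train.parquet")]}
        for n, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"constructed bytes for " + n.encode())  # stand-in artifact content
        bom = build_aibom([
            package_component("Fast_Vision", "1.4.2", "AGPL-3.0-only"),
            package_component("numpy", "1.26.4", "BSD-3-Clause"),
            artifact_component("machine-learning-model", "detector", "v7", paths["detector"], "Apache-2.0"),
            artifact_component("machine-learning-model", "detector-lora", "r3", paths["detector-lora"]),
            artifact_component("data", "train-set", "2024-05", paths["train-set"], "CC-BY-NC-4.0"),
        ])
        # Made-up advisory: "fast-vision 1.4.1 and 1.4.2 shipped malicious code".
        exposed = [f"{c['name']}@{c['version']}"
                   for c in find_component(bom, "fast-vision", {"1.4.1", "1.4.2"})]
        licenses = license_findings(bom, {"AGPL-3.0-only", "CC-BY-NC-4.0"})
        before = hash_mismatches(bom, paths)
        with open(paths["detector"], "ab") as f:  # someone swaps weights in place
            f.write(b"\x00")
        after = hash_mismatches(bom, paths)
        return {"exposed": exposed, "licenses": licenses,
                "mismatch_before": before, "mismatch_after": after,
                "bom_json": json.dumps(bom, indent=2)}


if __name__ == "__main__":
    r = demo()
    print(r["bom_json"])
    for k in ("exposed", "licenses", "mismatch_before", "mismatch_after"):
        print(k, r[k])
```

In CI you would replace the constructed list with `installed_packages()` plus an `artifact_component(...)` per model, adapter and dataset file the build pulls in, and write the JSON next to the build artifact. The name normalisation matters in practice: an advisory names `fast-vision`, `pip` installed `Fast_Vision`, and an exact string compare would report "not affected".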