Traditional SBOM, VEX, and CVSS-based triage fails to provide enough context for modern AI and software supply chain risks, especially when the same vulnerability can have very different real-world consequences depending on where it sits. Devashri Datta proposes SRIL and AIVEX to add safety-aware, machine-readable context so organizations can prioritize remediation based on actual operational impact. #CycloneDX #AIVEX #SRIL #DevashriDatta #ISACA
Key points
- SBOM, VEX, and CVSS alone are not enough for modern vulnerability triage.
- AI systems create new context-dependent risks across training, inference, tools, and deployment.
- Low-severity flaws can become high-risk when they affect autonomous or safety-critical systems.
- SRIL adds safety domain, lifecycle stage, consequence, and exploitability context to triage.
- AIVEX makes this context machine-readable within the CycloneDX VEX schema.
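An added illustration of the last three points, not code from this page and not Datta's SRIL or AIVEX implementation: a small Python triage script run over a constructed CycloneDX 1.5 VEX document. The `x-sril:*` property names, the weight tables, the vulnerability IDs and the component refs are assumptions made for this example; the page does not give AIVEX's real field names. It shows why context changes the ranking: a CVSS 4.3 flaw that is reachable over the network in an inference component driving actuation outranks a CVSS 9.8 flaw whose VEX analysis says `not_affected`, and a finding with missing context fields is flagged rather than silently scored.

```python
"""Safety-context triage over a CycloneDX VEX document (illustrative example)."""
import json
from typing import Any

# Constructed CycloneDX 1.5 VEX document, embedded so the script runs offline. The
# vulnerability IDs, component refs and the `x-sril:*` property names are assumptions
# for this example; they are not AIVEX's actual field names.
VEX_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-1",
     "ratings": [{"score": 4.3, "severity": "medium", "method": "CVSSv31"}],
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "inference-server"}],
     "properties": [
       {"name": "x-sril:safety-domain", "value": "physical-safety"},
       {"name": "x-sril:lifecycle-stage", "value": "inference"},
       {"name": "x-sril:consequence", "value": "unsafe-actuation"},
       {"name": "x-sril:exploitability", "value": "network-unauthenticated"}]},
    {"id": "EXAMPLE-2",
     "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "training-notebook"}],
     "properties": [
       {"name": "x-sril:safety-domain", "value": "none"},
       {"name": "x-sril:lifecycle-stage", "value": "training"},
       {"name": "x-sril:consequence", "value": "data-integrity"},
       {"name": "x-sril:exploitability", "value": "local"}]},
    {"id": "EXAMPLE-3",
     "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "report-exporter"}],
     "properties": [
       {"name": "x-sril:safety-domain", "value": "none"},
       {"name": "x-sril:lifecycle-stage", "value": "deployment"},
       {"name": "x-sril:exploitability", "value": "local"}]}
  ]
}'''

# Illustrative weights chosen for this example, not taken from SRIL. A value not in a
# table (or a missing property) contributes 1.0 and is reported as missing context.
DOMAIN_WEIGHT = {"physical-safety": 2.0, "privacy": 1.3, "financial": 1.3, "none": 1.0}
STAGE_WEIGHT = {"inference": 1.5, "tool-use": 1.4, "deployment": 1.2, "training": 1.0}
EXPLOIT_WEIGHT = {"network-unauthenticated": 1.2, "network-authenticated": 1.0, "local": 0.7}
CONTEXT_KEYS = ("safety-domain", "lifecycle-stage", "consequence", "exploitability")
# VEX analysis states meaning "nothing to fix here"; they override any CVSS score.
CLOSED_STATES = {"not_affected", "false_positive", "resolved"}
PREFIX = "x-sril:"


def cvss_score(vuln: dict[str, Any]) -> float:
    """Highest CVSS base score among the entry's ratings, 0.0 if there is none."""
    scores = [float(r["score"]) for r in vuln.get("ratings", [])
              if str(r.get("method", "")).startswith("CVSS") and "score" in r]
    return max(scores, default=0.0)


def sril_context(vuln: dict[str, Any]) -> dict[str, str]:
    """Collect the x-sril:* name/value properties from a CycloneDX vulnerability."""
    return {p["name"][len(PREFIX):]: str(p.get("value", ""))
            for p in vuln.get("properties", [])
            if str(p.get("name", "")).startswith(PREFIX)}


def contextual_priority(vuln: dict[str, Any]) -> dict[str, Any]:
    """Combine CVSS, VEX analysis state and safety context into one 0..10 priority."""
    base = cvss_score(vuln)
    state = vuln.get("analysis", {}).get("state", "in_triage")
    ctx = sril_context(vuln)
    missing = [k for k in CONTEXT_KEYS if k not in ctx]
    if state in CLOSED_STATES:
        priority = 0.0  # VEX says not affected/resolved: CVSS alone must not re-raise it
    else:
        weight = (DOMAIN_WEIGHT.get(ctx.get("safety-domain"), 1.0)
                  * STAGE_WEIGHT.get(ctx.get("lifecycle-stage"), 1.0)
                  * EXPLOIT_WEIGHT.get(ctx.get("exploitability"), 1.0))
        priority = round(min(10.0, base * weight), 2)
    return {"id": vuln.get("id"), "cvss": base, "state": state, "priority": priority,
            "consequence": ctx.get("consequence"), "missing_context": missing}


def triage(vex_text: str) -> list[dict[str, Any]]:
    """Parse a CycloneDX VEX JSON document and return findings, highest priority first."""
    vex = json.loads(vex_text)
    rows = [contextual_priority(v) for v in vex.get("vulnerabilities", [])]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage(VEX_JSON):
        flag = f"  MISSING: {', '.join(row['missing_context'])}" if row["missing_context"] else ""
        print(f"{row['id']:<10} cvss={row['cvss']:<4} state={row['state']:<13} "
              f"priority={row['priority']:<5} consequence={row['consequence']}{flag}")
```

The analysis state is applied as a gate rather than a weight: a `not_affected` or `resolved` VEX statement should stay at zero no matter how high the base score, otherwise the VEX document adds nothing over CVSS. Missing context is surfaced instead of defaulted silently, so an unlabelled finding is routed to a human rather than quietly ranked as low risk.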