Risk-First: Stars of Software

From: Risk-First

About this audio content

Risk-First is about understanding how to manage risks in software development.
But there are a million jobs in technology besides coding, testing, and releasing.

How does risk inform those jobs?
And could it be that being good at any job in tech really means being good at risk management?


Is all work… risk management?

I’m Rob Moffat, and in each episode I sit down with leaders, builders, and thinkers from across the software industry to understand what they do, the risks they navigate every day, and the lessons they’ve learned along the way.

Because behind every successful system, career, and company…
there’s someone making smart decisions about risk.

And if you want to be great in your chosen field, you need to be great at managing risk.


So who better to learn from… than the stars?

Welcome to Risk-First: Stars of Software.

2026 Risk-First
Categories: Economics, Management, Management and Leadership
Episodes
  • Risk-First: Stars of Software #7 – Viktor Petersson
    Apr 25 2026

    Viktor Petersson: SBOMs, Supply Chains, and the Reality of Software Transparency

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Viktor Petersson, founder of SBOMify and co-founder and CEO of Screenly.

    Viktor has spent years building real-world systems at the intersection of hardware, cloud, and security—from early Raspberry Pi-based digital signage through to globally deployed platforms used by organisations like NASA and Capital One. More recently, he’s focused on one of the most talked-about—and misunderstood—areas in modern software: Software Bills of Materials (SBOMs).

    The conversation explores why SBOMs have suddenly become a regulatory and industry focus, whether they actually solve the problems they claim to, and what it really means to understand what’s inside the software we run.

    Along the way, Rob and Viktor dive into:

    • What an SBOM actually is—and why it’s often misunderstood as just “a file”
    • Why software supply chain transparency is much harder than it sounds
    • The gap between regulatory intent and engineering reality
    • Why generating SBOMs is easy—but making them useful is not
    • The problem of incomplete, inaccurate, or outdated dependency data
    • How transitive dependencies create hidden and compounding risk
    • Why most organisations don’t actually know what’s in their software
    • The difference between compliance-driven SBOMs and operationally useful ones
    • Why “perfect visibility” is probably unattainable—and what to do instead
    • How SBOMs intersect with vulnerability management and incident response
    • The role of tooling, automation, and standards in making SBOMs usable
    • Whether SBOMs reduce risk—or just make it more visible
    • How supply chain security is evolving alongside AI-generated code

    Links

    sbomify
    https://sbomify.com
    Platform focused on generating, managing, and operationalising Software Bills of Materials.

    Screenly
    https://www.screenly.io
    Digital signage platform originally built on Raspberry Pi, now deployed globally across enterprise environments.

    Topics and concepts discussed

    Software Bill of Materials (SBOM)
    A structured representation of the components, libraries, and dependencies that make up a piece of software.

    Software Supply Chain Risk
    Risks arising from dependencies on external code, including vulnerabilities, maintainership gaps, and compromised packages.

    Transitive Dependencies
    Dependencies of dependencies, which often introduce hidden complexity and risk.

    SBOM Accuracy & Freshness Problem
    The challenge of keeping SBOMs up to date and reflective of real-world deployed systems.

    Compliance vs Operational Security
    The difference between producing artefacts to satisfy regulators and actually improving security posture.

    Vulnerability Management Integration
    Using SBOMs as input into processes that identify, prioritise, and remediate security vulnerabilities.

    AI-Generated Code Risk
    The increasing difficulty of understanding software composition as AI accelerates code generation and reuse.

    1 h 18 min
  • Risk-First: Stars of Software #6 – Jyoti Wadhwa
    Apr 11 2026

    Jyoti Wadhwa: AI Governance at Scale, Decision Risk, and the Future of the SDLC

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Jyoti Wadhwa, global leader in AI governance and enterprise technology risk, and contributor to FINOS AI governance efforts.

    Jyoti has spent her career helping large organisations—from Fortune 100 companies to US federal agencies—adopt emerging technologies safely, translating regulatory expectations, risk frameworks, and responsible AI principles into governance models that actually work in practice. Which makes her the perfect person to explore what governance really means when you’re operating at scale.

    The conversation explores how organisations move from individual experimentation with AI tools to coordinated, enterprise-wide adoption, why governance isn’t about slowing things down but enabling decisions, and how the shift to agentic, non-deterministic systems is fundamentally changing the software development lifecycle.

    Along the way, Rob and Jyoti dive into:

    • Why governance is really about decision-making at scale—not documentation
    • The concept of decision risk as the most important risk in AI adoption
    • How organisations must bring the right stakeholders together based on use case, not hierarchy
    • Why governance enables innovation rather than slowing it down
    • The three major AI risk buckets: regulatory/compliance, data & privacy, and operational visibility
    • How policies translate from law → organisational agreement → technical controls
    • Why the SDLC is shifting from deterministic pipelines to probabilistic, agent-driven systems
    • The challenge of maintaining control and auditability in AI-driven development
    • Why “human in the loop” systems must account for psychological limits like vigilance decrement
    • The emergence of baseline architectures and reference models for safe AI adoption
    • Why inconsistent LLM usage across business units is already a real-world governance failure
    • How FINOS and industry standards help create shared “baselines of good” across firms
    • Why vendor risk and AI tooling sprawl are becoming major enterprise concerns
    • How regulation will continue to lag innovation—but increase rapidly in response

    Links

    FINOS AI Governance Framework
    https://github.com/finos/ai-governance-framework
    Open-source framework defining risks and controls for adopting AI in financial services.

    FINOS (Fintech Open Source Foundation)
    https://www.finos.org
    Industry foundation enabling collaboration on open standards and governance across financial services.

    NIST AI Risk Management Framework
    https://www.nist.gov/itl/ai-risk-management-framework
    Widely referenced framework for managing AI risk, governance, and trustworthy AI systems.

    MITRE ATT&CK Framework
    https://attack.mitre.org
    Knowledge base of adversary tactics and techniques used for threat modelling and security analysis.

    1 h 6 min
  • Risk-First: Stars of Software #5 – Brittany Istenes
    Mar 28 2026

    Brittany Istenes: Open Source Readiness, OSPOs, and Why Contribution Is Risk Management

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Brittany Istenes, open source strategist, InnerSource advocate, and contributor to FINOS’ Open Source Readiness work.

    Brittany has spent years helping large organisations—especially in regulated industries—figure out how to actually work with open source, not just consume it. Which makes her the perfect person to explore one of the biggest blind spots in enterprise technology today: the gap between relying on open source and understanding how to manage the risks that come with it.

    The conversation explores why so many firms depend on open source but struggle to engage with it properly, what OSPOs are really for (beyond compliance), and how organisations can move from passive consumption to active participation without losing control.

    Along the way, Rob and Brittany dive into:

    • Why open source is effectively critical infrastructure—but isn’t treated or funded like it
    • The reality of “OSPOs of one” and why most firms underestimate their importance
    • How dependency risk, licensing, and supply chain issues create hidden exposure in large organisations
    • Why contributing upstream isn’t altruism—it’s a way to reduce risk and gain influence
    • How InnerSource helps organisations learn open collaboration safely before engaging externally
    • The role of foundations like FINOS in creating trusted environments for collaboration between competitors
    • Why the cost of internal forks is often invisible—but significant
    • How AI and “vibe coding” could massively increase the volume of open source (and the associated risks)

    Links

    FINOS Open Source Readiness (OSR)
    https://osr.finos.org

    InnerSource Commons
    https://innersourcecommons.org

    FINOS (Fintech Open Source Foundation)
    https://www.finos.org

    Music Mentioned Includes:

    • Oranssi Pazuzu (Finnish black metal)
    • Nine Inch Nails – With Teeth
    • MF DOOM – Doomsday
    • Tom Waits
    • The Bobby Lees
    • Blackwater Holylight
    • Wu-Tang Clan
    • Puscifer
    • Tool
    • Tron: Legacy (Daft Punk soundtrack)
    • The Crow (1994 soundtrack)
    1 h 2 min