Securing the Road Ahead

Marc Frankel

Software, AI, and the Auto Industry’s Blind Spot

If you're in the business of building cars, you’re in the business of building or using software, and increasingly, artificial intelligence. But unlike every other component on your bill of materials, your software stack and AI models rarely come with a clear ingredients list.

Log4Shell Was Our Wake-Up Call

Manifest was born in the aftermath of the Log4Shell vulnerability. I watched sophisticated companies, including the one I was at, scramble for weeks, and in some government cases, months, to answer a seemingly simple question: What did we build or buy that depends on Log4j?

Frantic hours in Excel spreadsheets, midnight board calls, vendor fire drills; it was chaos. Why? Because we didn’t know what was in our own technology. We lacked software transparency. And that lack of visibility created risk, liability, and operational paralysis.

Regulation is Catching Up

The auto industry is now facing this head-on. Standards like ISO/SAE 21434, UN R155, and more recently GB 44495 in China are mandating software bill of materials (SBOMs) across the board, from in-house software to procured components.

You’ll hear the terms:

  • SBOM generation
  • SBOM sharing
  • SBOM risk analysis

But here’s the hard truth: compliance doesn’t equal visibility.

Most automakers are still flying blind. Surveys show that nearly 75% of security professionals view software supply chain vulnerabilities as their biggest visibility gap. And with bad actors exploiting those gaps faster than ever, regulation alone isn’t enough.

AI is the Next Frontier in Technology Supply Chains

Modern vehicles are rolling data centers. They don't just drive, they analyze, predict, and learn. Your AI dependencies are just as important (and opaque) as your software dependencies.

Ask yourself:

  • What AI models are we using?
  • What were they trained on?
  • Do we have provenance and policy control over them?

To answer these questions, we need an AI Bill of Materials (AIBOM). Just like an SBOM tracks software components, an AIBOM tracks models, datasets, training provenance, licensing terms, and geopolitical risk factors. And it’s going to be absolutely essential.

Here’s why it matters: In 2023, Stanford researchers found that Stable Diffusion, a leading text-to-image model, was trained on a dataset that inadvertently included child sexual abuse material (CSAM). Imagine discovering that months after deployment. If you didn’t have an AI inventory, you’d be back in Log4Shell territory: uncertain, exposed, reactive.

From Reactive to Proactive

Security is about confidence. When a new vulnerability hits, the goal isn’t to panic. It's to wake up, sip your coffee, and know exactly which products, vendors, and systems are impacted. Manifest makes that a reality.

We help automakers:

  • Automate SBOM and AIBOM generation directly in their CI/CD pipelines.
  • Continuously monitor for vulnerabilities across software and AI components.
  • Flag IP, geopolitical, and license risks before they go to production.
  • Align with global regulations like GB 44495, UN R155, and ISO/SAE 21434.
  • Contextualize risk using sources like NVD, OSV, CNVD, and CISA’s KEV catalog.

We’ve seen one of our Fortune 500 automotive customers go from reactive guesswork to real-time vulnerability reporting at the CTO level. Another, a defense customer, scaled to over 13 million SBOMs and uses Manifest to track, prioritize, and enforce plan of action and milestones across their vendor base. A third is enforcing AI usage policies across their enterprise with a few clicks, replacing a 6-week manual review process.

This is what technology supply chain transparency looks like.

SBOMs Are Just the Beginning

A modern vehicle contains firmware, cryptography, hardware, databases, software, and now AI. SBOMs are the first chapter, not the final word.

The future is crosswalking:

  • Products ⇄ AI Models ⇄ Training Datasets ⇄ Software Dependencies

That’s the vision behind our AIBOM capability. You can set policies like:

  • No models from sanctioned countries
  • Model freshness on Hugging Face
  • Licensing allow and deny lists

And then automate enforcement: no manual JSON parsing, no guessing, no hoping your vendor reads the fine print.
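To make the three policies above concrete, here is an added example (not Manifest's code) that evaluates a constructed, CycloneDX-style AIBOM against a sanctioned-country rule, a model-freshness rule, and license allow and deny lists. The property names origin-country and last-updated and the country code XX are assumptions made for the sample, not fields defined by any standard.

```python
import json
from datetime import date

# Constructed AIBOM in a CycloneDX-like shape; property names are assumptions, not a standard.
AIBOM_JSON = """{"components": [
 {"type": "machine-learning-model", "name": "lane-detect", "version": "2.1.0",
  "licenses": [{"license": {"id": "Apache-2.0"}}],
  "properties": [{"name": "origin-country", "value": "DE"}, {"name": "last-updated", "value": "2025-03-01"}]},
 {"type": "machine-learning-model", "name": "voice-assist", "version": "0.9",
  "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}],
  "properties": [{"name": "origin-country", "value": "XX"}, {"name": "last-updated", "value": "2022-01-15"}]},
 {"type": "data", "name": "road-scenes", "version": "2024.2", "licenses": [], "properties": []}
]}"""

# Policy mirroring the three rules in the text; "XX" is a placeholder country code.
POLICY = {
    "denied_countries": {"XX"},
    "license_allow": {"Apache-2.0", "MIT", "CC-BY-4.0"},
    "license_deny": {"CC-BY-NC-4.0"},
    "max_age_days": 365,
}

def _prop(component, key):
    """Return the value of a named property, or None when it is absent."""
    return next((p["value"] for p in component.get("properties", []) if p["name"] == key), None)

def evaluate(aibom_json, policy, today):
    """Return (component, rule) pairs for every policy violation found in the AIBOM."""
    findings = []
    for c in json.loads(aibom_json)["components"]:
        ident = f'{c["name"]}@{c["version"]}'
        ids = {lic["license"]["id"] for lic in c.get("licenses", [])}
        # License rules apply to models and datasets alike; a deny-list hit wins over the allow list.
        if ids & policy["license_deny"]:
            findings.append((ident, "license-denied"))
        elif not ids or not ids <= policy["license_allow"]:
            findings.append((ident, "license-not-allowlisted"))
        if c["type"] != "machine-learning-model":
            continue
        # Provenance and freshness rules apply only to models.
        country = _prop(c, "origin-country")
        if country is None:
            findings.append((ident, "provenance-missing"))
        elif country in policy["denied_countries"]:
            findings.append((ident, "origin-denied"))
        updated = _prop(c, "last-updated")
        if updated is None or (today - date.fromisoformat(updated)).days > policy["max_age_days"]:
            findings.append((ident, "model-stale"))
    return findings

def demo():
    """Evaluate the constructed sample as of a fixed date so the result is reproducible."""
    return evaluate(AIBOM_JSON, POLICY, date(2025, 6, 1))
```

Running demo() flags only voice-assist (denied license, denied origin, stale) and the unlicensed road-scenes dataset; lane-detect passes every rule.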

AI Security Is a Team Sport

Manifest is proud to be the newest partner to the Auto-ISAC community. We’ve opened up free trials of the platform and shared tools like our SBOM Outreach Playbook to help you get started. Reach out to our team for access.

Want to see how your peers are operationalizing SBOMs and AIBOMs? Need help mapping to ISO/SAE 21434? Curious how to automate your third-party risk workflows? 

Let’s build safer, smarter, more transparent vehicles, together.

“Manifest knows the AIBOM and cybersecurity space, sees the problems arising, and always has a solution to showcase.”
Manager of Global Technology Legal Compliance,
Multinational Software Company