AI Oct 22, 2025

SPDX: Tackling System Risk in Modern Supply Chains

Speakers: Kate Stewart, The Linux Foundation & Gary O’Neall, Source Auditor Inc.

SPDX’s initial focus, 15 years ago, was on making the licensing of software transparent. Since then supply chain risk has grown sharply and AI technologies have become mainstream, so the underlying need for transparency in order to do proper risk management is even more important. With the introduction of SPDX 3.0 over the last few years, SPDX is now able to make all the elements of an AI system transparent, not just its software. This talk will go through the key aspects of SPDX 3.0 that let AI systems, and the data used to train them, be made transparent, so that proper system-level risk analysis for licensing, security, and data bias in model training can be performed. We will also provide a peek at what is emerging in SPDX 3.1 to extend the range of risks that can be modeled in a single knowledge graph, which can then be exported into Bills of Materials (BOMs) for different perspectives (Software/SBOM, AI/AIBOM, Data/DBOM, Hardware/HBOM).
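The "single knowledge graph, exported into BOMs for different perspectives" idea is easier to see in code. The following is an added example, not code from the talk or from the SPDX project: it embeds a small, constructed SPDX 3.0-style JSON-LD graph (one model, two training datasets, one runtime library, two licences), projects it into SBOM, AIBOM and DBOM views by walking the relationships from a chosen root, and runs the kind of system-level checks the abstract names (licensing, data bias, sensitive data, model safety rating). Element and property names (`ai_AIPackage`, `dataset_DatasetPackage`, `dataset_knownBias`, `trainedOn`, and so on) follow the SPDX 3.0.1 JSON-LD serialization as understood by the example's author; treat them as assumptions to verify against the published spec and context file. The `-NC` licence heuristic and the perspective-to-type table are the example's own choices, not SPDX rules.

```python
"""Project an SPDX 3.0-style knowledge graph into per-perspective BOMs and run risk checks.

Added example, not code from the talk or the SPDX project.  Property and type names are
assumed to match the SPDX 3.0.1 JSON-LD serialization; verify against the spec.
SAMPLE_DOC is constructed sample data, not a real project.
"""
import json
from collections import defaultdict

SAMPLE_DOC = json.loads("""
{"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", "@graph": [
 {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
  "created": "2025-10-22T00:00:00Z", "createdBy": ["urn:example:agent"]},
 {"type": "ai_AIPackage", "spdxId": "urn:example:model", "creationInfo": "_:ci",
  "name": "sentiment-classifier", "software_packageVersion": "2.1", "software_primaryPurpose": "model",
  "ai_typeOfModel": ["transformer"], "ai_safetyRiskAssessment": "medium",
  "ai_useSensitivePersonalInformation": "no"},
 {"type": "dataset_DatasetPackage", "spdxId": "urn:example:ds-reviews", "creationInfo": "_:ci",
  "name": "product-reviews", "dataset_datasetType": ["text"],
  "dataset_knownBias": ["over-represents English-language reviews"],
  "dataset_sensitivePersonalInformation": "yes"},
 {"type": "dataset_DatasetPackage", "spdxId": "urn:example:ds-synth", "creationInfo": "_:ci",
  "name": "synthetic-augment", "dataset_datasetType": ["text"], "dataset_sensitivePersonalInformation": "no"},
 {"type": "software_Package", "spdxId": "urn:example:tokenizer", "creationInfo": "_:ci",
  "name": "fast-tokenizer", "software_packageVersion": "0.9"},
 {"type": "simplelicensing_LicenseExpression", "spdxId": "urn:example:lic-apache", "creationInfo": "_:ci",
  "simplelicensing_licenseExpression": "Apache-2.0"},
 {"type": "simplelicensing_LicenseExpression", "spdxId": "urn:example:lic-ccnc", "creationInfo": "_:ci",
  "simplelicensing_licenseExpression": "CC-BY-NC-4.0"},
 {"type": "Relationship", "spdxId": "urn:example:r1", "creationInfo": "_:ci", "from": "urn:example:model",
  "relationshipType": "trainedOn", "to": ["urn:example:ds-reviews", "urn:example:ds-synth"]},
 {"type": "Relationship", "spdxId": "urn:example:r2", "creationInfo": "_:ci", "from": "urn:example:model",
  "relationshipType": "dependsOn", "to": ["urn:example:tokenizer"]},
 {"type": "Relationship", "spdxId": "urn:example:r3", "creationInfo": "_:ci", "from": "urn:example:model",
  "relationshipType": "hasDeclaredLicense", "to": ["urn:example:lic-apache"]},
 {"type": "Relationship", "spdxId": "urn:example:r4", "creationInfo": "_:ci", "from": "urn:example:ds-reviews",
  "relationshipType": "hasDeclaredLicense", "to": ["urn:example:lic-ccnc"]}
]}
""")

LICENSE_RELS = {"hasDeclaredLicense", "hasConcludedLicense"}

# Which element types each BOM perspective keeps (example's own table, not an SPDX rule).
PERSPECTIVES = {
    "SBOM": {"software_Package", "ai_AIPackage"},        # software view: packages, incl. the model artifact
    "AIBOM": {"ai_AIPackage", "dataset_DatasetPackage"},  # AI view: model plus what it was trained/tested on
    "DBOM": {"dataset_DatasetPackage"},                   # data view
}


def index_graph(doc):
    """Return (elements keyed by spdxId, outgoing edges: from -> [(relationshipType, to)])."""
    elements, edges = {}, defaultdict(list)
    for node in doc["@graph"]:
        if "spdxId" in node:
            elements[node["spdxId"]] = node
        if node.get("type") == "Relationship":
            for target in node["to"]:
                edges[node["from"]].append((node["relationshipType"], target))
    return elements, edges


def declared_licenses(elements, edges, sid):
    """License expressions attached to an element via declared/concluded license relationships."""
    return [elements[t]["simplelicensing_licenseExpression"]
            for rel, t in edges.get(sid, []) if rel in LICENSE_RELS]


def export_bom(doc, perspective, root):
    """Everything reachable from `root`, filtered to the perspective's element types.

    Each kept element's license expressions are carried along so the exported BOM is self-describing.
    """
    elements, edges = index_graph(doc)
    keep, seen, stack, out = PERSPECTIVES[perspective], set(), [root], set()
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        if elements[sid]["type"] in keep:
            out.add(sid)
            out.update(t for rel, t in edges.get(sid, []) if rel in LICENSE_RELS)
        stack.extend(t for _, t in edges.get(sid, []))  # keep walking even through filtered-out nodes
    return sorted(out)


def risk_findings(doc, model_id):
    """System-level checks across the graph: model safety rating, training-data bias,
    sensitive data the model does not admit to using, and non-commercial training data."""
    elements, edges = index_graph(doc)
    model, findings = elements[model_id], []
    if model.get("ai_safetyRiskAssessment") in {"serious", "high"}:
        findings.append(f"safety: {model['name']} self-assessed as {model['ai_safetyRiskAssessment']} risk")
    model_lics = ", ".join(declared_licenses(elements, edges, model_id)) or "unlicensed"
    for rel, target in edges.get(model_id, []):
        if rel != "trainedOn":
            continue
        ds = elements[target]
        for bias in ds.get("dataset_knownBias", []):
            findings.append(f"bias: {ds['name']}: {bias}")
        if (ds.get("dataset_sensitivePersonalInformation") == "yes"
                and model.get("ai_useSensitivePersonalInformation") != "yes"):
            findings.append(f"sensitive-data: {ds['name']} carries sensitive personal information "
                            f"but {model['name']} declares none was used")
        for lic in declared_licenses(elements, edges, target):
            if "-NC" in lic:  # heuristic (assumption): non-commercial data under a permissive model needs review
                findings.append(f"license: {ds['name']} is {lic} but {model['name']} is declared {model_lics}")
    return findings


if __name__ == "__main__":
    for view in PERSPECTIVES:
        print(view, export_bom(SAMPLE_DOC, view, "urn:example:model"))
    for finding in risk_findings(SAMPLE_DOC, "urn:example:model"):
        print("FINDING", finding)
```

The point of the projection is that each BOM is a view, not a separate document: the DBOM and AIBOM exported here share the same dataset and licence elements as the SBOM, so a finding raised against `product-reviews` applies to every perspective that references it. A real exporter would also copy `CreationInfo` and emit a proper `SpdxDocument` with `profileConformance`, which this example omits.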