# Observed vs reviewed

The most important boundary in SBOMFlow: machine observation is never human review.

## What the engine observes
The deterministic engine can observe facts: a component exists, a file is present, an advisory matches a version, a requirement has no attached evidence. These are observations. An observed status is not a judgement that anything is acceptable.

## What only a human can decide

- Whether a vulnerability is `not_affected` or `fixed` (a VEX determination).
- Whether an evidence item is accepted.
- Whether a release may proceed.

These come only from review files and approvals, never from the engine. A `not_affected` claim without a valid justification is downgraded.
**Important**

Reachability, release drift, KEV, and EPSS are **context for a human determination**, never the decision. `reachability.json` can show source references or manual evidence, but it never sets VEX status and never suppresses a gate by itself.
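The following is an added example, not SBOMFlow's own code, showing the boundary above in working form: the engine's matches are recorded as observations, a VEX status appears only when a review file supplies one, a `not_affected` entry without a valid justification is downgraded, and reachability is carried along as context without changing any status. Status values and justification labels follow OpenVEX; the downgrade target (`under_investigation`), the release-blocker rule, and all component and vulnerability identifiers are assumptions constructed for this example.

```python
# Added example, not SBOMFlow's own code: merge what the deterministic engine
# observed with what a human review file decided, so that only the review can
# ever set a VEX status. Status and justification labels follow OpenVEX; the
# downgrade target and the release-blocker rule are assumptions for this example.
from dataclasses import dataclass, field
from typing import Optional

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Justification labels OpenVEX defines for a not_affected statement.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
DOWNGRADE_TO = "under_investigation"  # assumption: where an unjustified not_affected lands


@dataclass
class Observation:
    """A fact the engine can see: an advisory matched a component version."""
    component: str
    vuln_id: str
    reachable: Optional[bool] = None  # context from reachability.json, never a decision


@dataclass
class ReviewEntry:
    """One human determination taken from a review file."""
    vuln_id: str
    status: str
    justification: Optional[str] = None
    reviewer: str = ""


@dataclass
class Finding:
    component: str
    vuln_id: str
    vex_status: Optional[str]  # None until a review sets it
    decided_by: str            # "review" or "none"; the engine is never a value here
    notes: list = field(default_factory=list)


def resolve(observations, review_entries):
    """Attach review decisions to observations without letting observation become review."""
    reviews = {r.vuln_id: r for r in review_entries}
    findings = []
    for obs in observations:
        finding = Finding(obs.component, obs.vuln_id, None, "none")
        if obs.reachable is not None:
            # Recorded as context only; it changes no status below.
            finding.notes.append(f"reachability: {'reachable' if obs.reachable else 'not reachable'}")
        review = reviews.get(obs.vuln_id)
        if review is None:
            findings.append(finding)
            continue
        if review.status not in VEX_STATUSES:
            finding.notes.append(f"ignored unknown status {review.status!r}")
            findings.append(finding)
            continue
        status = review.status
        if status == "not_affected" and review.justification not in VALID_JUSTIFICATIONS:
            finding.notes.append("not_affected without a valid justification; downgraded")
            status = DOWNGRADE_TO
        finding.vex_status = status
        finding.decided_by = "review"
        findings.append(finding)
    return findings


def release_blockers(findings):
    """Findings that keep the gate closed: anything not reviewed to not_affected or fixed."""
    return [f for f in findings if f.vex_status not in ("not_affected", "fixed")]


def sample_findings():
    """Constructed input: four matched advisories, three review entries."""
    observations = [
        Observation("libalpha", "VULN-EXAMPLE-1", reachable=False),  # no review at all
        Observation("libbeta", "VULN-EXAMPLE-2"),
        Observation("libgamma", "VULN-EXAMPLE-3", reachable=True),
        Observation("libdelta", "VULN-EXAMPLE-4"),
    ]
    review_file = [
        ReviewEntry("VULN-EXAMPLE-2", "not_affected", "vulnerable_code_not_in_execute_path", "alice"),
        ReviewEntry("VULN-EXAMPLE-3", "not_affected", "looks fine to me", "bob"),  # invalid
        ReviewEntry("VULN-EXAMPLE-4", "fixed", reviewer="alice"),
    ]
    return resolve(observations, review_file)


if __name__ == "__main__":
    for f in sample_findings():
        print(f.component, f.vuln_id, f.vex_status, f.decided_by, f.notes)
    print("blockers:", [f.vuln_id for f in release_blockers(sample_findings())])
```

Note that `VULN-EXAMPLE-1` stays a blocker even though reachability marked it not reachable: with no review entry, the engine has nothing to say beyond the observation, which is the point of the boundary.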
## AI is assistance, never authority

AI, where used at all, is optional assistance at the edges. It is never the source of evidence, a VEX decision, or a release decision.

## Why this matters
A security or audit buyer trusts a tool that is honest about what it knows. Keeping observation and review distinct is both an ethics rule and the reason the evidence is credible.