Observed vs reviewed

The most important boundary in SBOMFlow: machine observation is never human review.

What the engine observes

The deterministic engine can observe facts: a component exists, a file is present, an advisory matches a version, a requirement has no attached evidence. These are observations. An observed status is not a judgement that anything is acceptable.

What only a human can decide

  • Whether a vulnerability is not_affected or fixed (a VEX determination).
  • Whether an evidence item is accepted.
  • Whether a release may proceed.

These come only from review files and approvals, never from the engine. A not_affected claim without a valid justification is downgraded.

Important

Reachability, release drift, KEV, and EPSS are **context for a human determination** — never the decision. reachability.json can show source references or manual evidence, but it never sets VEX status and never suppresses a gate by itself.
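The boundary above (engine observations, human-only VEX determinations, the downgrade of an unjustified not_affected claim, and context that never touches status or the gate) as an added illustrative model. This is not SBOMFlow's code; the review-file field names, the OpenVEX justification vocabulary as the meaning of "valid justification", and "downgraded" meaning the claim is discarded and the engine's observation stands are all assumptions.

```python
# Illustrative model of the observed/reviewed boundary; not SBOMFlow's own code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OpenVEX justification values (assumption: this is what a "valid justification" means here).
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
HUMAN_ONLY_STATUSES = {"not_affected", "fixed"}   # only a review file may set these

@dataclass
class Finding:
    vuln_id: str
    component: str
    status: str = "observed"                 # engine output: an advisory matched a version
    justification: Optional[str] = None
    context: Dict = field(default_factory=dict)   # reachability/KEV/EPSS: context, not a decision
    notes: List[str] = field(default_factory=list)

def apply_review(finding: Finding, review: Dict) -> Finding:
    """Apply a human VEX determination from a review file (field names assumed)."""
    status = review.get("status")
    if status not in HUMAN_ONLY_STATUSES:
        finding.notes.append(f"ignored review status {status!r}")
        return finding
    just = review.get("justification")
    if status == "not_affected" and just not in VALID_JUSTIFICATIONS:
        # Assumption: "downgraded" = claim discarded, engine observation stands.
        finding.notes.append("not_affected without valid justification; downgraded to observed")
        finding.status, finding.justification = "observed", None
        return finding
    finding.status, finding.justification = status, just
    return finding

def attach_context(finding: Finding, reachability: Dict) -> Finding:
    """Record reachability.json output as context only; status is never changed."""
    finding.context["reachability"] = reachability
    return finding

def gate_may_proceed(findings: List[Finding], approvals: set) -> bool:
    """Release gate: every still-observed finding needs an explicit human approval id.
    Context (reachability, KEV, EPSS) plays no part here, so it can never suppress the gate."""
    return all(f.status != "observed" or f.vuln_id in approvals for f in findings)
```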

AI is assistance, never authority

AI, where used at all, is optional assistance at the edges. It is never the source of evidence, a VEX decision, or a release decision.

Why this matters

A security or audit buyer trusts a tool that is honest about what it knows. Keeping observation and review distinct is both an ethics rule and the reason the evidence is credible.