Skip to main content

The Liability Nobody Put on the Balance Sheet

 

The Liability Nobody Put on the Balance Sheet

By Jacqueline Winter, CFO & CISO, ActiveState
Most organizations have detailed processes for approving financial instruments they take onto their books. Open source software does not seem to get the same treatment. This week's events are a useful reminder of what that inconsistency costs.

Every CFO understands that an unmanaged liability is a governance failure.
When a company takes on a contractual commitment, it runs due diligence. It documents the decision. It assigns ownership of the ongoing risk. It does not simply accept the commitment because it arrived through an approved channel with valid paperwork.

Open source software is on every balance sheet in the industry, and in most organizations, it has never been through that process.

I have seen this failure mode in other domains. In financial controls, in vendor risk, in operational infrastructure. The pattern is identical every time: an organization builds processes for the risk categories it recognizes as serious, and accumulates exposure in the categories it has not yet named as its own. The category eventually gets named, usually at a point that is considerably more expensive than the process would have been.

Open source software governance is at that point now.


What This Week Named Plainly

The Mini Shai-Hulud campaign compromised hundreds of open source packages across major registries by using valid credentials to sign malicious releases through legitimate CI/CD pipelines. TanStack. UiPath. MistralAI. OpenAI confirmed an incident tied to the same attack, affecting employee devices and a limited amount of credential material.
The packages passed signature verification. They passed the scanner. The SBOM recorded them accurately. None of that mattered, because the compromise happened upstream of every check the organization ran.

CISA and G7 partners released AI SBOM guidance in the same week, expanding the minimum elements for bills of materials to cover AI models, datasets, and AI-specific dependencies. The guidance is correct in what it asks for. It also includes a sentence worth putting in front of every board that is treating SBOM compliance as its primary software supply chain strategy: disclosure alone does not prove an AI system is trustworthy in production.

That sentence is not specific to AI. A bill of materials is documentation. Documentation records what entered your environment. It does not change the conditions under which it entered, and it does not make a defensible governance decision retroactively.

"We have a scanner" is load-bearing corporate for "we have no idea what is in our software, but we have a tool that produces a document that suggests otherwise." The SBOM expands that document. It does not close the gap.

The Decision That Was Never Made

Due diligence is not a concept invented for security. It has governed every material decision in finance, M&A, and vendor risk for decades. The question of whether a counterparty is who they say they are, whether the instrument is what it claims to be, whether the ongoing risk has a named owner: these are standard practice in every domain where accountability is taken seriously.
Software supply chain governance requires the same decisions. Which open source software components are eligible to enter this organization's environment? Who made that determination? On what basis? Who owns the ongoing provenance?

In most organizations, those questions produce a pause.

The pause is the governance gap.






The sourcing decision, which packages are eligible to enter at all, has defaulted in most organizations to: whatever the trusted registry lists, whatever has a valid signature, whatever the scanner does not flag. No one explicitly made that decision. It was inherited, one dependency at a time, by developers working against deadlines in conditions that were never designed to support a different outcome.

The people doing that work are not the problem. The absence of a decision made above them is the problem. I have seen this before. When accountability is distributed across too many owners, or assigned to no one in particular, the outcome is the same regardless of domain: no one is responsible, so nothing changes, until the moment when someone has to explain what happened.


Where AI Moves the Stakes

AI coding tools have accelerated this exposure in a way that should change the urgency of the conversation at the executive level.

Before AI-assisted development, there was at least a moment of human judgment in the dependency selection process. Not a rigorous security review. But a developer searching for a package, checking its maintenance status, considering alternatives. That friction filtered things out.

AI tools removed that pause. A suggestion appears inline. Accepting it is a single keystroke. The volume of open source software entering enterprise environments is increasing at a rate that no manual governance process was designed to handle. The scrutiny applied to each component is decreasing at the same rate.

The accountability gap, the gap between what is actually in your software environment and what any executive could defensibly explain about how it got there, is growing every sprint.

The regulatory environment has been moving toward personal accountability for exactly this gap. EU CRA Phase 1 takes effect September 11, 2026. SSDF compliance is already a federal contracting condition. SEC disclosure rules require a materiality determination that puts the defensible-decision question in front of legal and finance, not just security.

These are not new requirements arriving at an inconvenient time. They are the formalization of an accountability standard that has always applied to material risk. Software supply chain exposure is material risk. It is on every balance sheet. Most organizations simply have not put it there yet.


What a Defensible Posture Actually Requires

The organizations that will answer a regulator's questions without incident, or navigate the aftermath of a supply chain event without compounding the damage, are the ones that can point to governance decisions, not tooling outputs.

That means being able to answer, in advance: which open source software components are eligible to enter this environment, who determined that, on what basis, and who owns the ongoing provenance. It means the documentation reflects a decision, not just a record of what arrived.


Decision flowchart: vulnerable open source component found, two possible answers, only one is a documented governance decision.
 A scanner produced both answers, only one of them is something an executive can defend. The distinction is not technical.


The financial analogy holds here, as it does in most domains where governance has been taken seriously. Organizations do not accept financial instruments onto their books because the paperwork looked valid. They run due diligence. They assign ownership. They document the decision.

Open source software is not different. It is simply the category where most organizations have not yet applied the standard they already hold everywhere else.

The gap between current practice and a defensible posture is not a technical problem. It is a governance decision that the executive team has not yet made. The question is whether that decision gets made before the event that makes it unavoidable.


Comments

Popular posts from this blog

Open Source Compliance Now Has a Deadline. Accountability Now Has a Name.

Open Source Compliance Now Has a Deadline. Accountability Now Has a Name. The US federal safety net that followed Log4j has thinned in the same window the EU Cyber Resilience Act wrote obligations for commercial users of open source software into law, with reporting requirements beginning September 2026. The accountability for what enters your products is moving toward the organizations that consume it, on someone else's timeline. Two things happened to open source software security in the same window, and together they change who is on the hook. The US federal effort that grew after the 2021 Log4j crisis has largely lapsed, with key personnel gone and the initiatives quiet. At the same time, the EU Cyber Resilience Act turned obligations for commercial users of open source software into law, with vulnerability and incident reporting requirements applying from September 2026. One backstop thinned. The other became a requirement with a date attached to it. If the plan was to wai...

The SBOM Just Became a Liability With a Date on It

The SBOM Just Became a Liability With a Date on It When a best practice becomes a product requirement, it stops being a security artifact and starts being a financial one. The question now is whether the document you are obligated to produce is true. The EU Cyber Resilience Act is moving the software bill of materials from a best practice to a product security requirement, with the law’s full application arriving in December 2027 . If your company ships software into the EU, the character of one of your obligations just changed. The software bill of materials you used to produce because it was responsible is becoming one you are legally required to produce because a regulator says so. That is not a procedural change. It moves the bill of materials off the security team’s task list and onto the company’s books, and most organizations have not adjusted to what that means. A best practice and a requirement are not the same liability Every CFO understands that an unmanaged liability is a ...

Discovery Is Outrunning Remediation Everywhere. That Is Not Just a Technology Problem.

Discovery Is Outrunning Remediation Everywhere. That Is Not Just a Technology Problem. A model found 1,596 unpatched vulnerabilities in open source projects last month. The industry’s answer was more infrastructure for finding problems. That was never the part that was broken. Anthropic, Google, OpenAI, Microsoft, and more than a dozen other organizations just did something companies rarely do voluntarily. They pooled money into a shared body, called Akrites and hosted by the Linux Foundation, because none of them could keep pace with open source vulnerability discovery and remediation on their own. Organizations build shared infrastructure at this speed for one reason. A risk got too expensive for any single balance sheet to absorb quietly. That is what a captive insurance pool is. A group of companies decides a risk is real and common enough that carrying it alone costs more than carrying it together. Nobody calls that admission a taskforce. They call it underwriting, and they usual...