So I hacked my way into being Cyber Policy Initiative Senior Fellow at the University of Chicago's Harris School of Public Policy. I'm workin on rural water critical infrastructure cybersecurity. Do you even hack utilities? Please chat w me. I need to quickly find out where I"m wrong about some of my assumptions. Still very entertained by the fact that I *finally* got into the University of Chicago. :D https://cpi.harris.uchicago.edu/2025/12/23/harris-cyber-policy-initiative-taps-top-hacker-to-design-new-security-model-for-water-utilities/

If you have a risk register, and your organization does not have an SBOM for your built apps, the lack of an SBOM goes in your risk register. If you don't have a risk register, make one, and add your lack of SBOMs to it.