With SBOMs being required and SPDX meeting ISO/IEC 5962:202, it is beneficial for developers to adopt SPDX to generate the SBOM for their software. However, with AI and ML taking more and more centre stage in modern applications, how can we make sure SPDX is useful for AI/ML applications?
Background
Since the recent bill from the US government made SBOM the standard in software distributions, all developers have started to think about how they can automate SBOM generation with all the required components stated. SPDX is one of the obvious choices, as its specification is recognized as the international open standard for security.
The stable release of SPDX 2.3 is good enough for most applications. Looking forward, modern software applications are getting more and more complicated and involve more and more components. With the popularity of big data and AI/ML, many applications will involve data and data pipelines. These will need to be considered when generating SBOMs in the future.
In this talk, we will look into what SPDX 2.3 has achieved, what is added in SPDX 3.0 for data and AI, and how we can encourage the AI/ML community to consider SPDX in their applications.