“Detective controls are things, like an SBOM, we can do to validate a system is still in compliance as the things around the system change, like the dependencies. Your running software itself will not change while in production, but an exploit could be identified.”
https://itrevolution.com/articles/sboms-and-more-investments-unlimited-series-chapter-10/
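
The idea in the quote, as an added example that is not from the cited chapter: the SBOM recorded at build time stays fixed, and re-checking it against a newer advisory snapshot changes the compliance verdict. The component names, advisory IDs, the `fixed_in` field and both snapshots are constructed for illustration, and versions are assumed to be plain dotted numbers.

```python
import json

# Constructed SBOM in a CycloneDX-like shape, recorded once at build time.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libexample-http", "version": "2.4.0"},
    {"name": "libexample-json", "version": "1.9.3"},
    {"name": "libexample-log",  "version": "0.12.7"}
  ]
}
"""

# Constructed advisory snapshots: what was publicly known on two different days.
ADVISORIES_AT_DEPLOY = []
ADVISORIES_LATER = [
    {"id": "EXAMPLE-ADV-0001", "package": "libexample-http", "fixed_in": "2.4.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "libexample-log", "fixed_in": "0.9.0"},
]

def parse_version(text):
    """Turn '2.4.0' into (2, 4, 0) so 0.12.7 sorts after 0.9.0, unlike strings."""
    return tuple(int(part) for part in text.split("."))

def evaluate(sbom, advisories):
    """Return (component, version, advisory id) for every affected component."""
    inventory = {c["name"]: c["version"] for c in sbom["components"]}
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is None:
            continue  # the advisory is about a package this system does not ship
        if parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append((adv["package"], version, adv["id"]))
    return findings

def compliance_report(sbom_json, advisories):
    """Detective control: same SBOM in, verdict for the current advisory set out."""
    findings = evaluate(json.loads(sbom_json), advisories)
    return {"compliant": not findings, "findings": findings}

if __name__ == "__main__":
    print("at deploy:", compliance_report(SBOM_JSON, ADVISORIES_AT_DEPLOY))
    print("later:    ", compliance_report(SBOM_JSON, ADVISORIES_LATER))
```

Run on a schedule against a refreshed advisory source, the same stored SBOM flags a deployed system without touching the running software.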