One issue I know happens in supply chains based on
hearing stories is that the person responsible for open source
software compliance may leave the company, take a new role, etc
and the company does not backfill them.
This is *so* true and a major reason to put a time limit on
certification.
