diff --git a/README.md b/README.md
index 921775a97a3e2511837647423d5d0130a2159d79..d233b8df60b9c805107f6e34c42417e2b8eb4b40 100644
--- a/README.md
+++ b/README.md
@@ -274,6 +274,7 @@ It is bound to the `test` stage, and uses the following variables:
 | Input / Variable | Description | Default value |
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `PYTHON_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `PYTHON_SBOM_DISABLED` takes precedence | `onrelease` |
 | `sbom-syft-url` / `PYTHON_SBOM_SYFT_URL` | Url to the `tar.gz` package for `linux_amd64` of Syft to use (ex: `https://github.com/anchore/syft/releases/download/v0.62.3/syft_0.62.3_linux_amd64.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
 | `sbom-name` / `PYTHON_SBOM_NAME` | Component name of the emitted SBOM | `$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR` |
 | `sbom-opts` / `PYTHON_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers python-package-cataloger` |
diff --git a/kicker.json b/kicker.json
index 5528b9b5a188ccc82dbe8c7b93e1c4562011a19f..aa9aec80c9d2a20126d99b0fc99c8b0465d37050 100644
--- a/kicker.json
+++ b/kicker.json
@@ -162,6 +162,14 @@
 "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
 "disable_with": "PYTHON_SBOM_DISABLED",
 "variables": [
+ {
+ "name": "TBC_SBOM_MODE",
+ "type": "enum",
+ "values": ["onrelease", "always"],
+ "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+ "advanced": true,
+ "default": "onrelease"
+ },
 {
 "name": "PYTHON_SBOM_SYFT_URL",
 "description": "Url to the `tar.gz` package for `linux_amd64` of Syft to use\n\n_When unset, the latest version will be used_",
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 8792c929d8bd98f0a1fe31d126ae91c435b0ec2c..b8354076fe2d403b740840ca5a8f1d12a1ec76b0 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -233,7 +233,18 @@ workflow:
 # else (Ready MR): auto & failing
 - when: on_success
 
+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+ rules:
+ # on tag with release pattern
+ - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+ # on production or integration branch(es)
+ - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+ # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+ TBC_SBOM_MODE: "onrelease"
+
 # Default Docker image (can be overridden)
 PYTHON_IMAGE: $[[ inputs.image ]]
 # Default Python project root directory
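Review bot: The `description` of the new `TBC_SBOM_MODE` entry does not say that `PYTHON_SBOM_DISABLED` (declared just above as `disable_with`) overrides it, while the README row for the same variable carries that `:warning:` note, so the two texts already disagree in the commit that introduces them. Appending ` — `PYTHON_SBOM_DISABLED` takes precedence` after the closing parenthesis of the description would keep them aligned. It would also help to state what a value outside the `values` enum does, since the template rules in this commit drop the job for anything other than `always`/`onrelease`, if that is the intended behaviour.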
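Review bot: The two `.delivery-policy` rules have no terminating rule, so on any ref that matches neither pattern the job is silently not added; that looks intended but the prototype's comment should say so, e.g. `# any other ref: no fallback rule, job is not added`. Both rules also rely on `$RELEASE_REF`, `$PROD_REF` and `$INTEG_REF` holding a regex pattern, which is defined outside this hunk; if a project overrides one of them with an empty value the `=~` match presumably evaluates to false and the SBOM job quietly stops running on that ref, which is worth a mention in the README row for `TBC_SBOM_MODE`. The `workflow:` stanza whose tail opens this hunk starts outside it.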
@@ -1374,7 +1385,13 @@ py-sbom:
 # exclude if disabled
 - if: '$PYTHON_SBOM_DISABLED == "true"'
 when: never
- - !reference [.test-policy, rules]
+ # 'always' mode: run
+ - if: '$TBC_SBOM_MODE == "always"'
+ # exclude unsupported modes
+ - if: '$TBC_SBOM_MODE != "onrelease"'
+ when: never
+ # 'onrelease' mode: use common software delivery rules
+ - !reference [.delivery-policy, rules]
 
 # (manual from master branch): triggers a release (tag creation)
 py-release:
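Review bot: The guard `- if: '$TBC_SBOM_MODE != "onrelease"'` with `when: never` also fires when a project overrides `TBC_SBOM_MODE` with an empty value or a differently-cased one (`onRelease`, `Always`, since the comparisons are case-sensitive and kicker.json only lists the lowercase values), so a configuration typo removes the SBOM job from the pipeline with no diagnostic instead of falling back to the default. For a supply-chain artefact that is easy to miss, so the comment should at least spell this out: `# exclude unsupported modes (an empty or misspelled value silently drops the job)`; alternatively let unknown values fall through to the delivery rules so the safe default still applies. The `py-sbom:` job and its `rules:` key start outside the hunk.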