AI-BOM Discovery
Inventory every AI asset in your environment — models, ML dependencies, notebooks, prompts, vector stores, agents, MCP servers, and inference endpoints — into one tenant-scoped AI bill of materials.
AI-BOM Discovery
You can't govern AI assets you don't know you have. AI-BOM discovery builds a continuously-updated inventory of every AI asset across your code, cloud, and connected SaaS — the bill of materials that AI-SPM's posture scoring, model scanning, and governance all build on.
What it inventories
Discovery runs across three surfaces and records each asset as a typed inventory entry:
| Surface | What is discovered | Asset kinds |
|---|---|---|
| Code | Imports of AI SDKs (openai, anthropic, langchain, transformers, llama_index); model weight files (.pt, .safetensors, .gguf); prompt templates; notebooks; MCP server configuration (mcp.json) | model, service, prompt, notebook, mcp_server |
| Cloud | Managed inference endpoints — SageMaker, Bedrock, Vertex AI — discovered through the existing cloud connectors | endpoint, model |
| SaaS | Connected but unsanctioned AI tools surfaced through shadow-AI detection | service |
Vector databases (Pinecone, Weaviate, pgvector connection strings) are inventoried as vector_store assets, and agent definitions as agent assets. Discovery unifies AI signals that were previously scattered across separate checks into one place rather than duplicating them.
The AI-BOM
Every discovered asset becomes an AIAsset record — its kind, name, source, format, and metadata — and the assets for a product are assembled into an AIBOM: a tenant/org-scoped snapshot of your AI footprint at a point in time. The AI-BOM is the substrate the rest of AI-SPM operates over: model-artifact scanning attaches findings to the model assets it inventories, and the posture score reads the inventory to compute its ai_inventory_visibility factor (you can't have good posture over assets you can't see).
Findings it produces
Discovery itself is an inventory pass, so its primary output is the AI-BOM rather than findings. The assets it surfaces feed the engines that do emit findings:
- Model assets are handed to AI-SPM model-artifact scanning, which produces
aisecfindings (unsafe pickle opcodes, ONNX code-execution operators, and so on) discriminated in the unified findings model. - Shadow-AI services surface unsanctioned tools for governance review.
- Missing-visibility gaps lower the
ai_inventory_visibilityposture factor.
How to enable
AI-BOM discovery is part of the AI-SPM engine and is admin-toggleable via the ff.aispm feature flag, enforced server-side. Once enabled, discovery runs across connected repositories, cloud accounts, and SaaS integrations through the standard scan flow, and the AI-BOM is queryable in the app and through the API.
Related
- AI-SPM — model-artifact malware scanning over the models this inventory finds.
- AI Gateway — runtime guardrails for the LLM apps and endpoints in the AI-BOM.
- AI-BOM & Model Security — model provenance, signing, and lineage governance.
- Asset Discovery — discovery across the rest of your estate.
- Unified Findings & Feature Flags — where AI findings land and how the engine is toggled.
AI Security Posture Management (AI-SPM)
Scan model artifacts for malware and unsafe deserialization — pickle opcode disassembly, torch-zip inspection, safetensors/GGUF validation, and ONNX graph inspection — before untrusted weights ever load.
AI Gateway (LLM Firewall)
A runtime guardrail layer for LLM apps and agents — prompt-injection, jailbreak, and PII/secret-egress checks in monitor or enforce mode, with fail-open safety so the protected app never breaks.