AI Security Posture Management (AI-SPM)
Scan model artifacts for malware and unsafe deserialization — pickle opcode disassembly, torch-zip inspection, safetensors/GGUF validation, and ONNX graph inspection — before untrusted weights ever load.
AI Security Posture Management (AI-SPM)
Model weights are executable supply chain artifacts. A malicious pickle can run arbitrary code the moment a model is loaded. AI-SPM inspects model artifacts before they are trusted, catching malware and unsafe deserialization in the formats teams actually ship.
AI-SPM is the lifecycle wrapper around Safeguard's AI security — discover, assess, protect, govern, monitor. Model-artifact scanning (below) is the shipped core; it sits alongside AI-BOM discovery, which inventories the models it scans, and the AI Gateway, the runtime LLM firewall.
Model-artifact malware scanning
AI-SPM statically analyzes model files without loading them:
| Format | What AI-SPM does |
|---|---|
Pickle (.pkl, .bin, PyTorch state dicts) | Disassembles the pickle opcode stream and flags dangerous operations — imports of os / subprocess / eval, and REDUCE / BUILD opcodes that can trigger arbitrary code execution during deserialization. Mapped to CWE-502 (unsafe deserialization) and CWE-94 (code injection). |
PyTorch .pt / .zip archives | A torch-zip walker unpacks the archive and inspects each embedded pickle for the same dangerous patterns. |
| safetensors | Validates the file structure and header to confirm it is a genuine, tensor-only artifact with no executable payload. |
| GGUF | Validates the GGUF container structure so malformed or tampered files are caught before use. |
| ONNX | A non-executing protobuf walker parses the model graph without running it and flags two risks: (a) custom / non-standard-domain operators and embedded code-execution ops — CWE-94 (code injection); and (b) external_data references whose path escapes the model directory (absolute paths, .., UNC paths, or URLs) — CWE-22 (path traversal). Malformed input fails safe. |
Because pickle-based formats can execute code on load, AI-SPM treats any dangerous opcode as a high-signal finding — the whole point is to catch it before the weights are deserialized. Format coverage expands over time; ONNX is the most recent addition to the model formats AI-SPM inspects.
Findings
Each finding identifies the artifact, the format, the specific opcode or import that fired, and the mapped CWE. Findings flow into the unified findings model discriminated as aisec, tenant/org-scoped end to end.
Configuration
AI-SPM is admin-toggleable via a feature flag, enforced server-side. Once enabled, model artifacts are scanned as they are ingested through your registries and pipelines.
Related
- AI-BOM Discovery — inventory of the models AI-SPM scans.
- AI Gateway (LLM Firewall) — runtime guardrails for prompts, responses, and tool calls.
- AI-BOM & Model Security — governing model provenance, signing, and lineage.
- Malware Detection — Eagle-based classification for packages, images, and weights.
- Unified Findings & Feature Flags — where AI-SPM findings land and how the engine is toggled.
Red Team (Defensive Adversary Emulation)
Validate your detections and attack paths with Safeguard's defensive-only adversary emulation — breach-and-attack simulation, purple-teaming, and safe attack-path analysis. No weaponized payloads, ever.
AI-BOM Discovery
Inventory every AI asset in your environment — models, ML dependencies, notebooks, prompts, vector stores, agents, MCP servers, and inference endpoints — into one tenant-scoped AI bill of materials.