Getting started with AI-SPM
The rapid adoption of AI models and agents introduces a new, complex attack surface that traditional security platforms aren’t built to manage. The explosion of AI models, agents, and Model Context Protocol (MCP) servers used without IT oversight results in Shadow AI, creating significant security risks and compliance gaps.
AQtive Guard (AQG) AI Security Posture Management (AI-SPM) provides a unified solution to discover, analyze, and help you secure your AI ecosystem, from the code repository to the model’s runtime usage.
AI-SPM Core Objects
AQG structures its AI findings around three core assets identified during the scan:
- Models - The trained artificial intelligence components that perform the primary task or computation.
- Agents - The autonomous systems that use models to interact with tools, data, or other agents in order to perform complex actions.
- MCP servers - The servers that expose specific tools or capabilities to agents, typically following the Model Context Protocol.
Additional contextual components provide essential metadata and supply-chain risk information necessary for managing AI-SPM assets.
- Repository - The code storage location that links the discovered AI component back to its source code.
- Dependencies - The libraries, frameworks, and packages that the AI asset relies on. Scanning these is critical for identifying AI-SPM Issues.
How AI-SPM works
AQG AI-SPM can integrate directly into your existing CI/CD workflow to provide security analysis and reporting on your AI assets.
The workflow involves three high-level steps: Integration, Scanning, and Analysis.
- Integrate and secure credentials. Securely integrate your GitHub repository with your AQG instance; the repository is the data source for the AI-SPM static scan.
- Scan and transmit data. Trigger the scan manually or automatically via GitHub. The AQG AI-SPM GitHub Action performs static analysis to identify AI assets (Models, Agents, and MCP servers) and their dependencies. The collected data is securely transmitted to AQG.
- Analyze and display findings. AQG analyzes the ingested AI assets using built-in and custom rules to detect security and compliance issues. The findings are presented in the AI-SPM Inventory and Issues list in the AQG web interface.
GitHub integration
Use the AI-SPM GitHub integration to scan your GitHub repositories and ingest AI asset data to help you discover and secure hidden AI assets and usage across your organization.
Before you begin
Navigate to Data sources in the AQG main menu, then select the GitHub tile. Locate the following values:
- aqg_instance - URL of your AQtive Guard instance.
- aqg_client_id - Client ID for authentication.
- aqg_client_secret - Authentication token to connect to AQtive Guard.
Tip
Extract the values for client_id and client_secret from the AQG token provided. The values follow each colon, not including the surrounding quotation marks.
GitHub integration deployment
Follow these steps to deploy the GitHub integration.
- Visit this page to install the AQG AI-SPM GitHub Action.
- Use the previously obtained values to configure the GitHub Action in your workflow.
- View your findings in the AQtive Guard AI-SPM Inventory and Issues tables.
Tip
We strongly recommend using GitHub secrets for aqg_client_id and aqg_client_secret. If you plan to use this GitHub Action across multiple repositories, define these secrets at the Organization level. Refer to Using secrets in GitHub Actions for details.
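The following workflow file is an added example of how the three values above are typically wired into a GitHub Actions job; it is not AQtive Guard's own workflow and the action reference on the `uses:` line is a placeholder to be replaced with the one from the AQG installation page. The input names `aqg_instance`, `aqg_client_id` and `aqg_client_secret` are assumed to be the action's inputs, and the secret names `AQG_CLIENT_ID` and `AQG_CLIENT_SECRET` are constructed for this example. The client ID and secret are read from GitHub secrets rather than written into the file, the job is granted read-only repository access, and the action is pinned rather than floated on a branch.

```yaml
# Added example (not AQtive Guard's workflow file): run the AQG AI-SPM static
# scan on pushes to the default branch, on pull requests, and on a weekly
# schedule so newly added models, agents and MCP servers are picked up.
name: AQG AI-SPM scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 3 * * 1"   # weekly, Monday 03:00 UTC

# Least privilege: the static scan only needs to read the repository contents.
permissions:
  contents: read

jobs:
  ai-spm:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Run AQtive Guard AI-SPM static scan
        # PLACEHOLDER: replace with the action reference from the AQG installation
        # page, pinned to a full commit SHA so the action code cannot change underneath you.
        uses: <aqg-org>/<aqg-ai-spm-action>@<full-commit-sha>
        with:
          # Constructed instance URL; use the value shown under Data sources > GitHub.
          aqg_instance: https://aqg.example.com
          # Credentials come from repository- or organization-level GitHub secrets,
          # never from literals in the workflow file. Secret names are this example's choice.
          aqg_client_id: ${{ secrets.AQG_CLIENT_ID }}
          aqg_client_secret: ${{ secrets.AQG_CLIENT_SECRET }}
```

If the same workflow is rolled out to many repositories, define `AQG_CLIENT_ID` and `AQG_CLIENT_SECRET` once as organization secrets (as the tip above recommends) and restrict which repositories may read them, so rotating the AQG token is a single change rather than one per repository.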
AI-SPM data handling and privacy
AQtive Guard is committed to transparent data handling. When using the AI-SPM GitHub action, we retain a small code snippet surrounding each identified vulnerability to help you locate and resolve the issue faster. For full details on data retention and privacy measures, refer to How we manage your data.