Getting started with AI-SPM
The rapid adoption of AI models and agents introduces a new, complex attack surface that traditional security platforms aren’t built to manage. The explosion of AI models, agents, and Model Context Protocol (MCP) servers used without IT oversight results in Shadow AI, creating significant security risks and compliance gaps.
AQtive Guard (AQG) AI Security Posture Management (AI-SPM) provides a unified solution to discover, analyze, and help you secure your AI ecosystem, from the code repository to the model’s runtime usage.
AI-SPM Core Objects
AQG structures its AI findings around three core assets identified during the scan:
- Models - The trained artificial intelligence components that perform the primary task or computation.
- Agents - The autonomous systems that use models to interact with tools, data, or other agents to perform complex actions.
- MCP servers - The servers that expose specific tools or capabilities to agents, typically following the Model Context Protocol.
Additional contextual components provide essential metadata and supply-chain risk information necessary for managing AI-SPM assets.
- Repository - The code storage location that links the discovered AI component back to its source code.
- Dependencies - The libraries, frameworks, and packages that the AI asset relies on. Scanning these is critical for identifying AI-SPM Issues.
How AI-SPM works
AQG AI-SPM can integrate directly into your existing CI/CD workflow to provide security analysis and reporting on your AI assets.
The workflow involves three high-level steps: Integration, Scanning, and Analysis.
- Integrate and secure credentials. Securely integrate your GitHub repository with your AQG instance as the data source for the AI-SPM static scan.
- Scan and transmit data. Trigger the scan manually or automatically via GitHub. The AQG AI-SPM GitHub Action performs static analysis to identify AI assets (Models, Agents, and MCP servers) and their dependencies. The collected data is securely transmitted to AQG.
- Analyze and display findings. AQG analyzes the ingested AI assets using built-in and custom rules to detect security and compliance issues. The findings are presented in the AI-SPM Inventory and Issues list in the AQG web interface.
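To make the scan and analysis steps concrete, here is an added illustrative example (not AQtive Guard's GitHub Action or rule engine). It walks an in-memory snapshot of a repository, extracts the core AI-SPM objects described above (Models, Agents, MCP servers) together with their context (Repository, Dependencies), and then evaluates two hypothetical posture rules over the resulting inventory. The sample repository contents, the detection heuristics, and the rule names are all constructed for this example.

```python
# Illustrative AI-asset scanner (added example; not AQtive Guard's own scanner).
# It walks an in-memory snapshot of a repository, extracts the core AI-SPM
# objects (models, agents, MCP servers) plus their context (repository,
# dependencies), and evaluates two hypothetical rules over the inventory.
import json
import re

# Constructed sample repository snapshot: relative path -> file contents.
SAMPLE_REPO = {
    "requirements.txt": "transformers==4.40.0\nlangchain==0.2.1\nmcp==1.0.0\n",
    "app/model.py": (
        "from transformers import AutoModel\n"
        'model = AutoModel.from_pretrained("example-org/demo-model")\n'
    ),
    "app/agent.py": (
        "from langchain.agents import AgentExecutor\n"
        "executor = AgentExecutor(agent=agent, tools=tools)\n"
    ),
    ".mcp/config.json": json.dumps({
        "mcpServers": {
            "filesystem": {"command": "npx", "args": ["-y", "@example/mcp-fs"]},
            "search": {"command": "npx", "args": ["-y", "@example/mcp-search@1.2.0"]},
        }
    }),
}

# Heuristics used by this toy scanner (assumptions chosen to fit the sample above).
MODEL_RE = re.compile(r'from_pretrained\(\s*["\']([^"\']+)["\']')
AGENT_MARKERS = ("AgentExecutor", "create_react_agent")
DEP_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s#]+)")


def scan_repository(repo_name, files):
    """Return an inventory dict that links every discovered asset to its file."""
    inv = {"repository": repo_name, "models": [], "agents": [],
           "mcp_servers": [], "dependencies": []}
    for path, content in files.items():
        if path.endswith("requirements.txt"):
            # Dependencies: pinned packages the AI assets rely on.
            for line in content.splitlines():
                m = DEP_RE.match(line.strip())
                if m:
                    inv["dependencies"].append(
                        {"name": m.group(1), "version": m.group(2), "file": path})
        elif path.endswith(".py"):
            # Models: pretrained weights loaded by name; Agents: agent-framework markers.
            for m in MODEL_RE.finditer(content):
                inv["models"].append({"name": m.group(1), "file": path})
            if any(marker in content for marker in AGENT_MARKERS):
                inv["agents"].append({"file": path})
        elif path.endswith(".json"):
            # MCP servers: tool servers declared in an "mcpServers" block.
            try:
                data = json.loads(content)
            except json.JSONDecodeError:
                continue
            for name, spec in data.get("mcpServers", {}).items():
                inv["mcp_servers"].append({"name": name, "command": spec.get("command"),
                                           "args": list(spec.get("args", [])), "file": path})
    return inv


def evaluate_rules(inventory, allowed_model_orgs):
    """Two hypothetical posture rules, stand-ins for AQG's built-in/custom rules."""
    issues = []
    for model in inventory["models"]:
        org = model["name"].split("/")[0] if "/" in model["name"] else ""
        if org not in allowed_model_orgs:
            issues.append({"rule": "model-source-not-allowlisted",
                           "asset": model["name"], "file": model["file"]})
    for server in inventory["mcp_servers"]:
        # A package spec with no "@version" suffix (beyond a leading scope) resolves to "latest".
        pkgs = [a for a in server["args"] if not a.startswith("-")]
        if any(p.count("@") == (1 if p.startswith("@") else 0) for p in pkgs):
            issues.append({"rule": "mcp-server-unpinned-package",
                           "asset": server["name"], "file": server["file"]})
    return issues


if __name__ == "__main__":
    inventory = scan_repository("example-org/demo-repo", SAMPLE_REPO)
    print(json.dumps(inventory, indent=2))
    print(json.dumps(evaluate_rules(inventory, {"example-org"}), indent=2))
```

The inventory dict is the shape of data a scan step would transmit for analysis; every asset carries the file it was found in, which is what lets a finding be traced back to its repository. The two rules show why the dependency and MCP server context matters: an unpinned MCP server package or a model pulled from a source outside an allow list is a supply-chain question, not a model-quality one.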
GitHub integration
Use the AI-SPM GitHub integration to scan your GitHub repositories and ingest AI asset data to discover and secure hidden AI assets and usage across your organization.
To complete the setup, refer to our GitHub integration guide for details.