
Getting started with AI-SPM

The rapid adoption of AI models and agents introduces a new, complex attack surface that traditional security platforms were not built to manage. Models, agents, and Model Context Protocol (MCP) servers adopted without IT oversight become Shadow AI: components that carry data, credentials, and tool access but appear in no inventory, creating significant security risks and compliance gaps.

AQtive Guard (AQG) AI Security Posture Management (AI-SPM) provides a unified solution to discover, analyze, and help you secure your AI ecosystem, from code repositories to cloud-hosted AI services.

AI-SPM Core Objects

AQG structures its AI findings around three core assets identified during the scan:

  • Models - The trained artificial intelligence components that perform the primary task or computation.
  • Agents - The autonomous systems that use models to interact with tools, data, or other agents to perform complex actions.
  • MCP servers - The servers that expose specific tools or capabilities to agents, typically following the Model Context Protocol.

Additional contextual components provide essential metadata and supply-chain risk information necessary for managing AI-SPM assets.

  • Repository - The code storage location that links the discovered AI component back to its source code.
  • Dependencies - The libraries, frameworks, and packages that the AI asset relies on. Scanning these is critical for identifying AI-SPM Issues.

How AI-SPM works

AQG AI-SPM discovers AI assets through code repository scanning and cloud service integration. The workflow involves three high-level steps: Integration, Scanning, and Analysis.

Code repository scanning

Use the AI-SPM GitHub integration to scan your GitHub repositories and ingest AI asset data to discover and secure hidden AI assets and usage across your organization.

  1. Integrate and secure credentials. Connect your GitHub repository to your AQG instance as the data source for the AI-SPM static scan, keeping the credentials used for that connection secret.
  2. Scan and transmit data. Trigger the scan manually or automatically from GitHub. The AQG AI-SPM GitHub Action performs static analysis of the repository to identify AI assets (Models, Agents, and MCP servers) and their dependencies, then transmits the collected data securely to AQG.
  3. Analyze and display findings. AQG analyzes the ingested AI assets using built-in and custom rules to detect security and compliance issues. The findings are presented in the AI-SPM Inventory and Issues views in the AQG AI-SPM web interface.

To complete the setup, refer to our GitHub integration guide for details.
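To make the static-scan step concrete, the following is an added example and not the AQG GitHub Action or its rules: it walks a checked-out repository and collects evidence for the three core objects (model identifiers in string literals, modules that import an agent framework, MCP servers defined with the Python MCP SDK's FastMCP constructor or declared in an `mcpServers` config object) together with the dependencies declared in `requirements.txt`. Every heuristic, package list and file name below is an assumption chosen for illustration, and the sample repository it builds in a temporary directory is constructed so the scan runs offline.

```python
"""Illustrative static scan of a checked-out repository for AI assets.

Added example, not the AQG GitHub Action or its rules. All heuristics and
the sample repository below are assumptions constructed for this page.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed heuristics: Python packages that signal each kind of asset.
MODEL_PACKAGES = {"openai", "anthropic", "transformers"}
AGENT_PACKAGES = {"langchain", "langgraph", "crewai", "autogen"}
MCP_PACKAGES = {"mcp", "fastmcp"}

# Assumed pattern for model identifiers passed as string literals.
MODEL_ID_RE = re.compile(
    r"""["'](gpt-[\w.-]+|claude-[\w.-]+|anthropic\.[\w.:-]+|amazon\.[\w.:-]+)["']"""
)
# An MCP server defined in code via the Python MCP SDK's FastMCP("name") constructor.
MCP_SERVER_RE = re.compile(r"""FastMCP\(\s*["']([^"']+)["']""")
# Characters that end a package name in a requirements.txt line.
REQ_SPLIT_RE = re.compile(r"[=<>!~\[ ;@]")


def parse_requirements(text: str) -> set:
    """Return lower-cased package names from a requirements.txt body."""
    deps = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        deps.add(REQ_SPLIT_RE.split(line, 1)[0].lower())
    return deps


def scan_repository(root) -> dict:
    """Walk a checked-out repository and collect AI assets plus dependencies."""
    root = Path(root)
    found = {"models": set(), "agents": set(), "mcp_servers": set(), "dependencies": set()}
    req = root / "requirements.txt"
    if req.exists():
        found["dependencies"] |= parse_requirements(req.read_text())
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".py":
            src = path.read_text(errors="ignore")
            found["models"].update(MODEL_ID_RE.findall(src))
            found["mcp_servers"].update(f"{n} ({rel})" for n in MCP_SERVER_RE.findall(src))
            # Treat a module that imports an agent framework as an agent.
            if any(re.search(rf"^\s*(import|from)\s+{p}[\w.]*", src, re.M) for p in AGENT_PACKAGES):
                found["agents"].add(rel)
        elif path.name in {"mcp.json", ".mcp.json"}:
            # Assumed config convention: a top-level "mcpServers" object keyed by server name.
            try:
                cfg = json.loads(path.read_text())
            except json.JSONDecodeError:
                continue
            found["mcp_servers"].update(f"{n} ({rel})" for n in cfg.get("mcpServers", {}))
    # Dependencies that are themselves AI components are the supply-chain hot spots.
    found["ai_dependencies"] = found["dependencies"] & (MODEL_PACKAGES | AGENT_PACKAGES | MCP_PACKAGES)
    return {"repository": root.name, **{k: sorted(v) for k, v in found.items()}}


def build_sample_repo(root) -> Path:
    """Write a small constructed repository so the scan runs offline."""
    root = Path(root)
    (root / "agent").mkdir(parents=True)
    (root / "requirements.txt").write_text(
        "# constructed sample\nlangchain==0.2.1\nanthropic>=0.30\nrequests\nmcp[cli]\n"
    )
    (root / "agent" / "run.py").write_text(
        "from langchain.agents import create_react_agent\n"
        "from langchain_anthropic import ChatAnthropic\n"
        'llm = ChatAnthropic(model="claude-3-5-sonnet-20240620")\n'
    )
    (root / "server.py").write_text(
        "from mcp.server.fastmcp import FastMCP\n"
        'mcp = FastMCP("inventory-tools")\n'
    )
    (root / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"filesystem": {"command": "npx",
                                       "args": ["@modelcontextprotocol/server-filesystem", "."]}}}
    ))
    return root


def scan_sample_repo() -> dict:
    """Build the constructed repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repository(build_sample_repo(Path(tmp) / "shadow-agent"))


if __name__ == "__main__":
    print(json.dumps(scan_sample_repo(), indent=2))
```

Note that the scan reports the MCP server declared only in `.mcp.json`, which no import statement would reveal: configuration files, not just source, are where tool access is granted to agents, so a scan limited to code misses part of the attack surface.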

Cloud service discovery

AQG also discovers AI assets directly from cloud providers via agentless integration. The AWS integration crawls your environment and analyzes CloudTrail activity to detect AI services such as Amazon Bedrock, Amazon SageMaker, and Amazon Lex.

Discovered assets and usage events are ingested into the AI-SPM Inventory and Issues views in the AQG AI-SPM web interface.
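The following is an added example, not AQG's ingestion pipeline, showing how CloudTrail activity alone can surface the AI services named above: it groups records by `eventSource`, builds a per-service inventory (regions, principals, actions, model IDs), and flags data-plane usage by principals outside an approved set, which is the Shadow AI case the page describes. The records are constructed for this page; the split between usage events and control-plane calls, and the `modelId` request parameter, are assumptions.

```python
"""Illustrative classification of CloudTrail records into AI-service usage.

Added example, not AQG's ingestion pipeline. The records are constructed for
this page; the event-name split below is an assumption.
"""
import json

# CloudTrail names event sources as <service>.amazonaws.com; this map is
# limited to the three services named on this page.
AI_EVENT_SOURCES = {
    "bedrock.amazonaws.com": "Amazon Bedrock",
    "sagemaker.amazonaws.com": "Amazon SageMaker",
    "lex.amazonaws.com": "Amazon Lex",
}
# Assumed split: data-plane calls that actually exercise a model, endpoint or bot.
USAGE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "InvokeEndpoint", "RecognizeText"}


def _rec(source, name, region, arn, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": name, "awsRegion": region,
            "eventTime": "2024-05-01T10:00:00Z",
            "userIdentity": {"arn": arn}, "requestParameters": params or None}


ALICE = "arn:aws:sts::123456789012:assumed-role/data-science/alice"
BOB = "arn:aws:iam::123456789012:user/contractor-bob"
BOT = "arn:aws:sts::123456789012:assumed-role/support-bot/lambda"

# Constructed sample trail: three AI services plus one unrelated S3 call.
SAMPLE_RECORDS = [
    _rec("bedrock.amazonaws.com", "InvokeModel", "us-east-1", ALICE,
         modelId="anthropic.claude-3-haiku-20240307-v1:0"),
    _rec("bedrock.amazonaws.com", "InvokeModel", "us-west-2", BOB,
         modelId="amazon.titan-text-express-v1"),
    _rec("bedrock.amazonaws.com", "ListFoundationModels", "us-east-1", ALICE),
    _rec("sagemaker.amazonaws.com", "CreateEndpoint", "eu-west-1", ALICE, endpointName="fraud-scoring"),
    _rec("lex.amazonaws.com", "RecognizeText", "us-east-1", BOT, botId="ABC123"),
    _rec("s3.amazonaws.com", "GetObject", "us-east-1", ALICE, bucketName="data"),
]


def analyze_records(records, approved_principals=frozenset()) -> dict:
    """Return an AI-service inventory and the usage events by unapproved principals."""
    inventory, shadow = {}, []
    for rec in records:
        service = AI_EVENT_SOURCES.get(rec.get("eventSource"))
        if service is None:
            continue  # not an AI service: skipped, never inventoried
        entry = inventory.setdefault(service, {
            "regions": set(), "principals": set(), "actions": set(), "models": set(), "usage_events": 0})
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        entry["regions"].add(rec["awsRegion"])
        entry["principals"].add(arn)
        entry["actions"].add(rec["eventName"])
        params = rec.get("requestParameters") or {}
        if "modelId" in params:  # assumed: Bedrock invoke calls log the model in requestParameters
            entry["models"].add(params["modelId"])
        if rec["eventName"] in USAGE_EVENTS:
            entry["usage_events"] += 1
            if arn not in approved_principals:
                shadow.append({"service": service, "principal": arn, "region": rec["awsRegion"],
                               "action": rec["eventName"], "time": rec["eventTime"]})
    for entry in inventory.values():
        for key in ("regions", "principals", "actions", "models"):
            entry[key] = sorted(entry[key])
    return {"inventory": inventory, "shadow_usage": shadow}


if __name__ == "__main__":
    print(json.dumps(analyze_records(SAMPLE_RECORDS, {ALICE}), indent=2))
```

Run against the sample, the SageMaker entry shows an endpoint being created with no invocations yet, while Bedrock shows model invocations from two regions by two principals; only the contractor's Bedrock call and the support bot's Lex call are reported as shadow usage, because the data-science role is on the approved list.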

For details on how cloud-side AI discovery works, refer to AI-SPM ingestion and data.