AI-SPM inventory

The AI-SPM inventory is the centralized hub for managing all artificial intelligence components discovered across your code repositories and cloud environments. This inventory provides detailed, specialized views for Models, Agents, and MCP Servers, offering security context and compliance status for each asset type.

Models

The Models view provides a complete inventory of the trained artificial intelligence components discovered across your code repositories and cloud environments.

To access Models:

  1. From the AQG main menu AI section, select Inventory.
  2. Under the AI Assets group, select Models.

Models table

The table organizes your model data by:

  • Name - The unique identifier or file name of the model.
  • Supplier - The external entity or service where the model is hosted (for example, Hugging Face, Google, or OpenAI).
  • Manufacturer - The organization or group that created the model.
  • Model type - Specifies the model deployment type (Self-hosted / Managed).
  • Model health score - A metric indicating the overall security health of the model based on its configuration and associated issues.
  • Library - The library or framework that was used to train or query the model (such as Google Keras, Transformers, or Smolagents).
  • Size - The file size or parameter count of the model (for example, 130m, 8b).
  • Data sources - The source where the model was discovered (for example, GitHub or AWS).
  • Last scanned - The date and time of the most recent scan that detected this model.
  • Severity - The highest severity level of any open issue currently associated with the model.

Agents

The Agents view lists autonomous systems that utilize models, tools, and data to perform complex actions within your codebase. This table provides details on the function, context, and security configuration of each discovered autonomous agent, whether identified in code repositories or cloud services.

To access Agents:

  1. From the AQG main menu AI section, select Inventory.
  2. Under the AI Assets group, select Agents.

Agents table

  • Name - The unique name or identifier of the agent (such as weather_time_agent or Cancellation Agent).
  • Model - The specific model the agent is configured to use (such as gemini-2.0-flash or gpt-4).
  • Tools - The specific external functions or capabilities the agent can utilize (for example, get_current_time or cancel_flight).
  • Context - The domain or specific environment for which the agent is designed (for example, AirlineAgentContext).
  • Input guardrail - The security measure or policy applied to filter or validate user input before it reaches the agent.
  • Output guardrail - The security measure or policy applied to filter or validate the agent’s output before it is delivered to the user.
  • Library - The framework used to define the agent (such as Google Agent Development Kit, OpenAI Agents, or AutoGen Extension).
  • Data sources - The source where the agent was discovered (for example, GitHub or AWS).
  • Last scanned - The date and time of the most recent scan that detected this agent.
  • Severity - The highest severity level of any open security issue currently associated with the agent.

MCP servers

The MCP servers view tracks server components that expose specific tools or capabilities to agents, typically following the Model Context Protocol. This table lists the discovered servers that facilitate communication and tooling for agents.

To access MCP servers:

  1. From the AQG main menu AI section, select Inventory.
  2. Under the AI Assets group, select MCP servers.

MCP servers table

  • Name - The unique name or identifier of the Model Context Protocol server (for example, Second Server or EchoServer).
  • Library - The framework or protocol used to implement the MCP server (for example, FastMCP or Anthropic MCP).
  • Type - The classification of the server’s origin:
    • Internal: Servers manually defined or configured by the user.
    • Third-party: External MCP servers sourced from outside providers.
  • Imported tags - Any raw tags that were uploaded through the command line. For more details, refer to Tags.
  • Data sources - The source where the server was discovered (for example, GitHub or AWS).
  • Last scanned - The date and time of the most recent scan that detected this server.
  • Severity - The highest severity level of any open security issue currently associated with the server.
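To make the Agents and MCP servers columns concrete, here is an added example (not code from the product or this page) of how a scanner could fill them in from a Python source file. It walks the AST for agent constructors and MCP server objects, records name, model, tools and guardrails, and derives the Severity column as the highest severity of the issues it raised. The sample source is constructed; the Agent(...) keyword names, the FastMCP("name") constructor, the @<server>.tool() decorator convention and the severity policy are all assumptions, and the product's real discovery and scoring rules are not described on the page.

```python
"""Toy source scanner that fills in the Agents and MCP servers table columns."""
import ast
from dataclasses import dataclass, field

# Constructed sample source, not taken from any real repository. It assumes the
# OpenAI Agents SDK style of Agent(...) keyword arguments and the FastMCP("name")
# constructor; any other framework would need its own extraction rules.
SAMPLE_SOURCE = '''
from agents import Agent, function_tool
from mcp.server.fastmcp import FastMCP

@function_tool
def cancel_flight(booking_id: str) -> str: ...

cancellation_agent = Agent(
    name="Cancellation Agent",
    model="gpt-4",
    tools=[cancel_flight],
    input_guardrails=[pii_guardrail],
)

weather_time_agent = Agent(name="weather_time_agent", model="gemini-2.0-flash",
                           tools=[get_current_time])

mcp = FastMCP("EchoServer")

@mcp.tool()
def echo(text: str) -> str: ...
'''

# Assumed severity scale; the product's own scoring rules are not on the page.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class AgentRecord:
    name: str
    model: str
    tools: list
    input_guardrail: bool
    output_guardrail: bool
    issues: list = field(default_factory=list)  # (severity, description) pairs

    @property
    def severity(self) -> str:
        """Highest severity among open issues, which is what the Severity column shows."""
        return max((s for s, _ in self.issues), key=SEVERITY_RANK.__getitem__, default="none")


@dataclass
class ServerRecord:
    name: str
    library: str
    type: str
    tools: list = field(default_factory=list)


def _kw(call: ast.Call, name: str):
    """AST node for keyword argument `name`, or None if it was not passed."""
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


def _names(node) -> list:
    """Identifier names inside a list literal such as tools=[a, b]."""
    if isinstance(node, ast.List):
        return [elt.id for elt in node.elts if isinstance(elt, ast.Name)]
    return []


def _const(node, default: str) -> str:
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else default


def assess_agent(rec: AgentRecord) -> list:
    """Assumed policy: a tool-using agent with no input guardrail is the worst case."""
    issues = []
    if not rec.input_guardrail:
        issues.append(("high" if rec.tools else "medium", "no input guardrail"))
    if not rec.output_guardrail:
        issues.append(("medium", "no output guardrail"))
    return issues


def extract_inventory(source: str):
    """Return (agents, servers) found in one Python source file."""
    tree = ast.parse(source)
    agents, servers_by_var = [], {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and isinstance(node.value.func, ast.Name)):
            continue
        call, callee = node.value, node.value.func.id
        if callee == "Agent":
            rec = AgentRecord(
                name=_const(_kw(call, "name"), "<unnamed>"),
                model=_const(_kw(call, "model"), "<default>"),
                tools=_names(_kw(call, "tools")),
                input_guardrail=bool(_names(_kw(call, "input_guardrails"))),
                output_guardrail=bool(_names(_kw(call, "output_guardrails"))),
            )
            rec.issues = assess_agent(rec)
            agents.append(rec)
        elif callee == "FastMCP" and isinstance(node.targets[0], ast.Name):
            name = _const(call.args[0], "<unnamed>") if call.args else "<unnamed>"
            # Defined inside this repository, so classified as Internal (the page's term).
            servers_by_var[node.targets[0].id] = ServerRecord(name, "FastMCP", "Internal")
    # Tools a server exposes are functions decorated with @<server_var>.tool()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                target = dec.func if isinstance(dec, ast.Call) else dec
                if (isinstance(target, ast.Attribute) and target.attr == "tool"
                        and isinstance(target.value, ast.Name)
                        and target.value.id in servers_by_var):
                    servers_by_var[target.value.id].tools.append(node.name)
    return agents, list(servers_by_var.values())


if __name__ == "__main__":
    found_agents, found_servers = extract_inventory(SAMPLE_SOURCE)
    for a in found_agents:
        print(f"agent {a.name!r}: model={a.model} tools={a.tools} severity={a.severity}")
    for s in found_servers:
        print(f"mcp server {s.name!r}: library={s.library} type={s.type} tools={s.tools}")
```

Run as a script, it lists both agents with their derived severity (the cancellation agent has an input guardrail but no output guardrail; the weather agent calls a tool with neither) and the EchoServer with the single tool it exposes. The point of the example is the data flow: the inventory columns are facts pulled from the definition, while Severity is computed from whatever issues the policy raises against those facts.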