{"id":106327,"date":"2026-01-11T12:42:46","date_gmt":"2026-01-11T10:42:46","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=106327"},"modified":"2026-01-15T12:07:08","modified_gmt":"2026-01-15T10:07:08","slug":"the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/","title":{"rendered":"The AI Inventory Gap: Why Your Organization Has No Idea What AI Assets\u00a0Are Part of\u00a0Your Software\u00a0Supply Chain"},"content":{"rendered":"<p>Your developers are already embedding or calling AI assets as part of your applications &#8211; whether you know it or not. Models, weights, MCPs, agent frameworks, and AI libraries are quietly making their way into codebases.<\/p>\n\n\n\n<p>Once these AI assets land in your repositories or container images, they become part of your software supply chain. 
The next <a href=\"https:\/\/checkmarx.com\/learn\/aspm\/inside-the-mind-of-an-attacker-how-malicious-code-is-crafted-and-deployed\/\" target=\"_blank\" rel=\"noreferrer noopener\">Log4J<\/a> doesn\u2019t have to be a package; it can just as easily be a model, an MCP, or an AI asset you didn\u2019t even know you shipped.<\/p>\n\n\n\n<p>AI supply chain risks include any risk introduced by AI assets that become part of your software supply chain, <a href=\"https:\/\/checkmarx.com\/zero-post\/11-emerging-ai-security-risks-with-mcp-model-context-protocol\/\" target=\"_blank\" rel=\"noreferrer noopener\">ranging from<\/a> poisoned data to malicious or over-privileged MCPs\/agents and assets of unknown provenance.<\/p>\n\n\n\n<p>And yet, despite this rapid adoption, organizations can\u2019t answer a simple question:<\/p>\n\n\n\n<p><strong>What AI components are we using in our software development, and where?<\/strong><\/p>\n\n\n\n<p>Without visibility, AI-related risk compounds: AI assets spread across codebases without security review, inventory, or policy controls, creating new blind spots or widening existing ones across your software supply chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Why Most Organizations Lack Visibility into Their Devs\u2019 AI Usage<\/h2>\n\n\n\n<p>AI adoption is growing rapidly across organizations. In fact, our recent <a href=\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/just-released-the-future-of-appsec-in-the-era-of-ai-2026-industry-outlook\/\" target=\"_blank\" rel=\"noreferrer noopener\">Future of AppSec report<\/a> found that one in three respondents said over 60% of their 
organization\u2019s code is written by AI. Yet only 18% have any sort of AI governance in place.<\/p>\n\n\n\n<p>This rapid growth in AI usage (especially among developers), combined with a lack of oversight, has created a visibility gap fuelled by fragmentation and by tooling that was never built to address AI-specific risks.<\/p>\n\n\n\n<p>Here are the main reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Emergence of new AI-focused protocols and technologies. Example: MCP (Model Context Protocol) was introduced only in November 2024.<\/li>\n<li>AI fragmentation (Copilot, Claude, Microsoft, OpenAI, etc.): multiple providers, teams picking different tools, and no standardization. Many tools, each with a different security approach.<\/li>\n<li>Code security and supply chain security require different approaches. AppSec tools are evolving to detect AI-related code vulnerabilities\u2014identifying prompt injections, tracking sensitive data flows to LLMs, and flagging improper output handling. This addresses how developers write and use AI in their code. But a separate challenge remains: gaining visibility into what AI assets exist across your software supply chain. 
Traditional scanners analyze data flows and patterns, but AI supply chain security requires a comprehensive asset inventory, provenance tracking, and governance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">What is the AI Inventory Gap?<\/h2>\n\n\n\n<p>The AI Inventory Gap refers to all the AI-related components embedded in your applications that your organization hasn&#8217;t tracked, reviewed, or governed, yet still ships as part of your software supply chain.<\/p>\n\n\n\n<p>It typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Models &amp; weights: Pre-trained or fine-tuned LLMs, CV models, embeddings<\/li>\n<li>Agent frameworks: A software toolkit and structure for building, managing, and orchestrating autonomous AI agents<\/li>\n<li>MCP servers: Programs that enable AI models, particularly large language models (LLMs), to access external data, tools, and workflows, acting as a bridge for AI agents to interact with the real world<\/li>\n<li>Datasets: Training and evaluation data, sometimes with sensitive or licensed content<\/li>\n<li>Prompts: Operational logic dispersed across code and configuration<\/li>\n<li>AI libraries &amp; integrations: SDKs, connectors, and wrappers that pull AI into runtime<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">The Risks of the AI Inventory Gap<\/h2>\n\n\n\n<p>When AI components operate without control, the consequences are serious: hidden attack surfaces, operational surprises, compliance failures, and reputational damage, often discovered only after an 
incident or audit begins.<\/p>\n\n\n\n<p>Key risks include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Model poisoning: Silently introduces backdoors, blind spots, or biased behavior that attackers exploit without detection<\/li>\n<li>Unverified or malicious weights: Sourced from unknown origins without integrity checks. Loading unverified or malicious weights is like running untrusted binaries: they can expose you to remote code execution, contain hidden payloads or logic, or create backdoors for data exfiltration or resource abuse.<\/li>\n<li>Dataset exposure: Sensitive or licensed data leaked via training, prompts, or logs<\/li>\n<li>Unsafe agents &amp; tools: Autonomous agents that can access files, networks, or services without guardrails<\/li>\n<li>Unpinned versions: Silent updates to models or libraries change behavior and risk posture overnight. 
Unpinned versions can allow unexpected or malicious updates to be introduced automatically, leading to supply-chain attacks, breaking changes, or non-reproducible and insecure builds.<\/li>\n<li>Compliance gaps: Missing documentation, provenance, and audit trails lead to penalties and delays<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">AI Governance: Can You Trace Every Model, Dataset, and Dependency?<\/h2>\n\n\n\n<p>AI adoption is following a pattern similar to what we see with open-source software: developers move fast while governance lags behind.<\/p>\n\n\n\n<p>From a compliance point of view, the expectation is clear: reporting on and keeping an inventory of AI components is no longer optional.<\/p>\n\n\n\n<p>But the reality is messy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<a href=\"https:\/\/checkmarx.com\/the-appsec-regulatory-review-and-assessment-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">Regulatory Expectations Are Rising<\/a>: frameworks and regulations (e.g., EU AI-related requirements, AI governance standards) demand accountability and evidence, but teams lack the tooling to inventory, assess, and report on AI usage across the enterprise. Compliance becomes reactive and costly.<\/li>\n<li>Developer-Led AI Adoption Outpaces Governance: Developers integrate models, datasets, and frameworks to solve real problems fast. 
If governance processes are slow or unclear, people ship and promise to \u201cclean it up later.\u201d Those quick wins become permanent dependencies, often without reviews, version pinning, or provenance checks.<\/li>\n<li>Fragmented Work Processes Make Inventory Hard: AI usage spans multiple teams and repos: data science, platform engineering, mobile, web, back-end, cloud functions. Without a central AI inventory, leadership cannot answer basic questions about which AI assets are being used and deployed, and what risks are attached. This leads to reactive security and the risk of having to deal with vulnerabilities after it\u2019s too late.<\/li>\n<li>No Clear Ownership of AI Governance: Developers are focused on shipping features. They experiment with models, libraries, MCPs, and agent frameworks to solve problems quickly\u2014not to define governance boundaries or maintain inventories.<\/li>\n<\/ul>\n\n\n\n<p>Application security teams, meanwhile, are often left to document and report on AI usage after the fact. They\u2019re suddenly asked to answer questions about models, datasets, and agents embedded across the software supply chain, without the visibility or tooling needed to do so.<\/p>\n\n\n\n<p>At the leadership level, responsibility is also often fragmented. CTOs drive adoption and velocity, CISOs are accountable for risk and compliance, and no single function clearly owns end-to-end governance of AI assets. 
The result is predictable: AI moves fast, ownership stays unclear, and Shadow AI fills the gap.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">What can Organizations do about it?<\/h2>\n\n\n\n<p>AI inventory isn\u2019t a problem you solve with a single control. It requires ownership, visibility, and governance embedded into how software is built.<\/p>\n\n\n\n<p>This is a relatively new challenge, and while tooling is evolving, organizations can take concrete steps today to regain control:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assign ownership: Decide on a clear owner of the AI inventory, with defined responsibilities and authority, to whom other teams report.<\/li>\n<li>Baseline your AI usage: Run deterministic discovery across prioritized repos and services to build an initial inventory.<\/li>\n<li>Classify &amp; assess risks: Tag assets by type (model, agent, dataset, prompt, library) and apply AI-specific risk checks.<\/li>\n<li>Generate AI-BOMs: Produce standards-aligned BOMs with provenance, licensing, dependencies, and risk metadata.<\/li>\n<li>Define your policies: Blacklist\/whitelist of assets, acceptable risk thresholds, build-blocking for specific types of risk, etc.<\/li>\n<li>Embed governance where work happens: Add PR checks, CI\/CD gates, and dashboards to enforce policies and track trends.<\/li>\n<li>Measure &amp; iterate: Monitor coverage, findings, MTTR, and compliance posture. 
Expand to more teams, apps, and environments.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">Final Thoughts<\/h2>\n\n\n\n<p>AI has moved beyond the experiment phase. It is now part of the day-to-day reality of development teams, already deeply embedded into modern software stacks. But without visibility, every untracked model, dataset, or agent becomes a potential vulnerability.<\/p>\n\n\n\n<p>The bottom line? If you can\u2019t see the AI in your software, you can\u2019t control the risk.<\/p>","protected":false},"excerpt":{"rendered":"<p>Your developers are already embedding or calling AI assets as part of your applications &#8211; whether you know it or not. Models, weights, MCPs, agent frameworks, and AI libraries are quietly making their way into codebases. Once these AI assets land in your repositories or container images, they become part of your software supply chain. 
The next&nbsp;Log4J&nbsp;doesn\u2019t&nbsp;have to&nbsp;be a package; it&nbsp;can&nbsp;just as [&hellip;]<\/p>\n","protected":false},"author":166,"featured_media":106329,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"footnotes":""},"categories":[1284,84,844],"tags":[1429,384,361,385],"class_list":["post-106327","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-llm-tools-in-application-security","category-blog","category-supply-chain-security","tag-ai-generated-code-2","tag-software-bill-of-materials","tag-software-supply-chain","tag-supply-chain-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The AI Inventory Gap: Why Your Organization Has No Idea What AI Assets\u00a0Are Part of\u00a0Your Software\u00a0Supply Chain<\/title>\n<meta name=\"description\" content=\"AI assets are already embedded in your software supply chain, but most organizations can\u2019t see them. Learn why the AI inventory gap creates hidden risk\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The AI Inventory Gap: Why Your Organization Has No Idea What AI Assets\u00a0Are Part of\u00a0Your Software\u00a0Supply Chain\" \/>\n<meta property=\"og:description\" content=\"AI assets are already embedded in your software supply chain, but most organizations can\u2019t see them. 
Learn why the AI inventory gap creates hidden risk\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-11T10:42:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-15T10:07:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/checkmarx_ai_inventory_gap_16x9.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"864\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"David Dewaele\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Dewaele\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\"},\"author\":{\"name\":\"David Dewaele\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/31bf6b0a42ea0d9e656cff6a86fa9f09\"},\"headline\":\"The AI Inventory Gap: Why Your Organization Has No Idea What AI Assets\u00a0Are Part of\u00a0Your Software\u00a0Supply Chain\",\"datePublished\":\"2026-01-11T10:42:46+00:00\",\"dateModified\":\"2026-01-15T10:07:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\"},\"wordCount\":1421,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/checkmarx_ai_inventory_gap_16x9.webp\",\"keywords\":[\"AI generated code\",\"Software Bill of Materials\",\"Software Supply Chain\",\"SSCS\"],\"articleSection\":[\"AI &amp; LLM Tools in Application Security\",\"Blog\",\"Supply Chain 
Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\",\"name\":\"The AI Inventory Gap: Why Your Organization Has No Idea What AI Assets\u00a0Are Part of\u00a0Your Software\u00a0Supply Chain\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/checkmarx_ai_inventory_gap_16x9.webp\",\"datePublished\":\"2026-01-11T10:42:46+00:00\",\"dateModified\":\"2026-01-15T10:07:08+00:00\",\"description\":\"AI assets are already embedded in your software supply chain, but most organizations can\u2019t see them. 
Learn why the AI inventory gap creates hidden risk\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ai-llm-tools-in-application-security\/the-ai-inventory-gap-why-your-organization-has-no-idea-what-ai-assets-are-part-of-your-software-supply-chain\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/checkmarx_ai_inventory_gap_16x9.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/checkmarx_ai_inventory_gap_16x9.webp\",\"width\":1536,\"height\":864},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/31bf6b0a42ea0d9e656cff6a86fa9f09\",\"name\":\"David Dewaele\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/David-Dewaele.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/David-Dewaele.jpg\",\"caption\":\"David Dewaele\"},\"description\":\"David Dewaele is a product leader at Checkmarx, driving innovation at the intersection of application security and AI. With a background in engineering and deep expertise in software supply chain risks, he focuses on building solutions that help enterprises securely adopt modern AI technologies. 
David writes about AppSec, Software Supply Chain Security and AI Security, and the evolving challenges of securing today\u2019s hybrid software stacks. He is passionate about turning complex technical problems into practical tools that empower developers and security teams alike.\",\"url\":\"https:\/\/checkmarx.com\/author\/david-dewaele\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}