惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Microsoft Azure Blog
Microsoft Azure Blog
MongoDB | Blog
MongoDB | Blog
小众软件
小众软件
Apple Machine Learning Research
Apple Machine Learning Research
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
The GitHub Blog
The GitHub Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 聂微东
Engineering at Meta
Engineering at Meta
W
WeLiveSecurity
Hacker News: Ask HN
Hacker News: Ask HN
大猫的无限游戏
大猫的无限游戏
Vercel News
Vercel News
D
Docker
F
Full Disclosure
AI
AI
罗磊的独立博客
博客园 - 【当耐特】
U
Unit 42
S
SegmentFault 最新的问题
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Palo Alto Networks Blog
博客园_首页
H
Help Net Security
量子位
月光博客
月光博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog RSS Feed
Webroot Blog
Webroot Blog
TaoSecurity Blog
TaoSecurity Blog
S
Secure Thoughts
爱范儿
爱范儿
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
CERT Recently Published Vulnerability Notes
Martin Fowler
Martin Fowler
Blog — PlanetScale
Blog — PlanetScale
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
Securelist

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Why Every CISO Needs an AIBOM in 2026 — And What Most Vendors Get Wrong
Grumpy Sage · 2026-06-05 · via DEV Community

A friend of mine runs security at a mid-size fintech. Last month she got a Slack DM from her general counsel at 9:47 on a Tuesday night. The Italian DPA had sent a questionnaire. Standard stuff on paper: list the AI systems processing EU resident data, the foundation models behind them, the training data sources, the fine-tunes you've deployed, and the third-party inference endpoints you call. Forty-eight hours to respond.

She opened a ticket with her platform team. By midnight she had a partial answer for the two flagship products. By noon the next day she had partial answers for six more. By the deadline she had submitted a document that, in her words, "was 70% true and 30% me hoping." The part that made her sick wasn't the gaps. It was that engineering had stood up a new RAG pipeline against a self-hosted Mixtral fine-tune the week before, and nobody in her org had known until she went looking. Not the platform team. Not procurement. Not her. A whole production AI system with customer PII flowing through it, and the security team learned about it from a regulator.

She told me this story over coffee and asked the question every CISO I talk to is asking right now: "How do other people have an actual answer to this?" The honest reply is that most don't. They have an SBOM, maybe a vendor inventory in a GRC tool, and a Notion page someone updated in October. That is not an AIBOM. That is a wish.

The thesis

An AI Bill of Materials isn't an SBOM with "model name" added as a column. It's a fundamentally different artifact because AI systems have layers SBOMs were never designed to capture: weights, training data, fine-tunes, prompts, retrieval indexes, agent tool graphs, and the runtime serving stack. Every one of those layers is a security boundary. Every one of them changes independently. If you can't enumerate them with the same rigor you enumerate Python packages, you can't reason about your risk, you can't respond to regulators, and you can't tell your board what you actually run. In 2026, that gap is no longer tolerable.

What an AIBOM actually contains

Let me be concrete, because vagueness is how this whole space went sideways.

A real AIBOM has seven layers. The first is the model layer itself: which base models you depend on, with versions, licenses, and provenance. Llama-3.3-70B-Instruct is not the same as a quantized GGUF derivative someone pulled from Hugging Face on a Thursday. The hash matters. The source matters. The license matters because Meta's community license has acceptable use clauses your legal team has probably never read.

The second is the adapter layer: every LoRA, every QLoRA, every full fine-tune sitting on top of a base. Each of these inherits the base model's vulnerabilities and adds its own attack surface. A fine-tune trained on internal support tickets will memorize PII. Your AIBOM has to know that fine-tune exists, where the training data came from, who approved it, and which products consume it.

The third is the data layer: training corpora, evaluation sets, retrieval indexes, vector databases, and the embedding models that populate them. This is where the GDPR questions live. A vector store containing customer email embeddings is a database of personal data, full stop, and most orgs treat it like cache.

The fourth is the inference layer: where models actually run. Self-hosted on Ollama? Behind vLLM with continuous batching? Through OpenAI's API? Bedrock? An employee's laptop running LM Studio on Tailscale? Each of these has different threat models, different network exposure, and different telemetry. The number of orgs I've seen with shadow vLLM servers running on a forgotten GPU box is genuinely funny if you don't think about it too hard.

The fifth is the prompt and tool layer: system prompts, prompt templates, RAG retrieval logic, agent tool definitions, and MCP server endpoints. This is the layer that the OWASP LLM Top 10 actually maps to. It's also the layer that changes most often and is documented least.

The sixth is the identity and access layer: which humans and which services can call which models, with which permissions, against which data. If your AIBOM doesn't tie back to your IAM model, it's a museum exhibit.

The seventh is the dependency layer: the boring software supply chain underneath everything. Transformers version. CUDA version. Triton kernels. The PyTorch wheel. The 1,815 rules in our scanner catch a lot here, but the point is that AI infrastructure is software, and software has the supply chain problems software has always had.

You need all seven. Drop any of them and your AIBOM has a blind spot a regulator or attacker will find.

What vendors are getting wrong

Here's where I'm going to make some people unhappy.

Most "AIBOM" tooling on the market right now is one of three things. It's a CSPM with a tab labeled "AI." It's a discovery tool that scrapes git repos for import openai and calls it inventory. Or it's an SBOM generator that added a JSON field for model name. None of these are AIBOMs in any meaningful sense.

The CSPM-with-a-tab products will tell you which Azure OpenAI deployments exist in which subscriptions. Useful. Stops at the cloud boundary. Can't see your self-hosted Ollama instance, can't see the LoRA your data science team trained last quarter, can't see the prompts, can't see the vector store. You get maybe 20% of the picture and a confident dashboard about it.

The code-scraping discovery tools find the calls. They don't find the runtime. They don't know if that client.chat.completions.create() is actually wired up in production or if it's dead code from a prototype. They especially don't know about the responses: what data flows back, what gets logged, what gets cached.

The SBOM-with-extra-fields products are the most cynical of the three. SBOM formats like SPDX and CycloneDX have been bolting on ML-BOM extensions, and the extensions are fine as a serialization format. But generating one requires the underlying inventory work, and the vendors selling "we support ML-BOM" usually mean "we let you fill in the fields manually." That's not inventory. That's a form.

The other thing vendors get wrong is treating the AIBOM as a static artifact. Your AIBOM has to be a continuously regenerated view, not a PDF you ship to a regulator once. Models get swapped. Adapters get retrained. RAG indexes get rebuilt nightly. A snapshot from Tuesday is wrong by Thursday. Anyone selling you an "AIBOM" without a story for continuous generation is selling you a fossil.

The self-hosted blind spot

I want to spend a minute on this because it's the part nobody wants to talk about.

The center of gravity in enterprise AI has moved. Three years ago every interesting AI workload ran on someone else's API. Today, a huge fraction of the AI that actually touches sensitive data runs on infrastructure you own, on runtimes like Ollama, vLLM, TGI, LocalAI, Triton, LM Studio, and llama.cpp. Each of those has a different deployment story, a different default network posture, and a different set of known vulnerabilities.

A vLLM server in production with no authentication on its OpenAI-compatible endpoint is a fully unauthenticated inference oracle for anyone who can reach it. An Ollama instance bound to 0.0.0.0 on an internal subnet is a model exfiltration risk and, if it's loaded with a fine-tune of your proprietary data, an IP exfiltration risk. Triton has had a real CVE history. LocalAI ships with defaults that I would charitably describe as "trusting."

Our radar scanner covers all of these because we built it specifically to map the self-hosted runtime layer. You cannot have an AIBOM in 2026 that omits self-hosted inference. That's not opinion. That's where the workloads are. If your vendor's discovery story stops at the cloud control plane, you don't have an AIBOM. You have an Azure inventory with extra steps.

What continuous AIBOM generation looks like

The mechanics matter. Let me walk through what we actually do, because I think it's the right shape and I want other vendors to copy it.

You start with a scan of the code repositories. Not for import openai calls, but for the full surface: model loading code, training scripts, prompt templates, agent tool definitions, RAG pipelines, MCP server registrations, evaluator harnesses. Our static scanner catches all of this across 75+ languages with 1,815 rules. That gives you the declared intent of your AI systems.

Then you scan the network. You enumerate inference runtimes that are actually live, fingerprint them, and check them against a known-issue catalog. This is where the radar piece earns its keep. The intent layer tells you what engineers said they were building. The runtime layer tells you what's actually running. The delta between those two is where the worst surprises live.

Then you scan the web-facing surface. Any agent that takes external input, any RAG system with user-controlled retrieval, any model behind a public endpoint needs to be probed. We run 22 categories of fuzzing against these surfaces and convert about 95% of community templates so you're not reinventing prompt injection wheels.

Then you correlate. A finding on a runtime is interesting. A finding on a runtime that you can prove is reachable from a public agent endpoint that has tool access to a database with PII is a Sev 1. Correlation is where AIBOMs become useful instead of just exhaustive.

And then you publish. Through an API, through a dashboard, and through an MCP server that exposes the inventory as 10 tools an LLM can query. That last piece sounds gimmicky until you've watched an incident response where the responder asks "what models touch the payments service" and gets an answer in three seconds instead of three hours.

A CLI example, because the abstraction is doing too much work:

cybrium aibom generate --org acme --output cyclonedx-mlbom.json
cybrium aibom diff --from last-week --to now
cybrium aibom query "models with PII training data exposed to internet agents"

Enter fullscreen mode Exit fullscreen mode

The diff is the part that matters operationally. AIBOM as a verb, not a noun.

Why this has to be one platform

I get asked constantly why we built scan, radar, and web fuzz as one platform instead of three products. The answer is correlation, but the deeper answer is that the layers of an AI system don't respect product boundaries.

A prompt injection in a web-facing agent is a web vulnerability. The model it exploits is a runtime vulnerability. The tool it calls is a code vulnerability. The data it exfiltrates is a data governance failure. If your AIBOM lives in one product, your runtime scanner lives in another, and your web fuzzer lives in a third, you have three inventories and zero correlation. You have to write the JOIN yourself, in a spreadsheet, at 2 a.m., while a regulator is waiting.

Single platform isn't a marketing position. It's the only way the math works. The MCP server exposing the inventory matters because it lets the same correlation graph answer questions from a SOC analyst, a compliance auditor, an engineering lead, and an LLM agent doing automated triage. One graph. Ten tools. Many consumers.

The recomposition

What I'm watching happen across the industry in 2026 is a recomposition of the security stack around AI as a first-class asset class. We had CMDBs for hardware. We got CSPMs for cloud. We got SBOMs for software supply chain. Now we need AIBOMs for AI, and the orgs that treat it as a checkbox on an existing tool are going to be the orgs explaining to regulators why their inventory was wrong.

The reason this matters more than the last asset class additions is that AI systems are stochastic, composable, and rapidly mutating. A package version is a fact. A model's behavior is a distribution. A fine-tune changes that distribution. A prompt change changes it again. RAG retrievals change it on every query. Your AIBOM isn't just an inventory of nouns. It's an inventory of behaviors-in-context, and the tooling has to reflect that.

The EU AI Act high-risk system documentation requirements landed for real this year. NIST AI RMF mappings are now showing up in customer security questionnaires. SOC 2 auditors are starting to ask about model inventory in the controls walkthrough. The market is converging on AIBOM as a required artifact, and the vendors who got there with real architectural answers are going to look very different from the ones who bolted a tab onto an existing dashboard.

My friend at the fintech is rebuilding her program around continuous AIBOM generation right now. The Italian DPA letter was the forcing function, but she would have gotten there anyway because the alternative is doing this work manually every time a regulator, customer, or board member asks. Manual doesn't scale past the third question.

If you're a CISO in 2026 and you can't answer "what AI runs in our environment, what data touches it, what's reachable from the internet, and what changed this week" in under five minutes, you have an AIBOM problem. The good news is it's a solvable problem. The better news is the tooling finally exists to solve it without an army of analysts.

Start with cyscan for the code surface, layer in cyradar for the runtime, add cyweb for the web-facing agents, and pipe the whole correlation graph through the MCP server so your team can ask it questions in English. That's an AIBOM. Everything else is a spreadsheet with ambitions.

If you want to talk through yours, find me at anand@cybrium.ai.