Security teams that cannot answer "what AI systems are running in our environment right now?" cannot protect them. Enterprise AI model registry security is not a governance checkbox. It is the foundational control that makes every other AI security measure possible. Without a complete, accurate inventory, vulnerability scanning has no targets, access controls have no subjects, and incident response has no scope.
This guide covers what belongs in a security-grade enterprise AI model registry, how attackers exploit gaps in AI asset visibility, which compliance frameworks now mandate it, and how security teams can build or buy a registry that actually works.
Key Takeaways
- 80% of organizations report moderate to pervasive shadow AI use, but only 25% have comprehensive visibility into that usage.
- AI model files carry exploitable vulnerabilities: CVE-2025-10155, CVE-2025-10156, and CVE-2025-10157 were CVSS 9.3 zero-days in PickleScan discovered in December 2025.
- 2,130 AI-related CVEs were published in 2025, a 34.6% year-over-year increase, with AI supply chain vulnerabilities representing the highest concentration.
- The EU AI Act Annex IV compliance deadline for high-risk Annex III systems is August 2, 2026, 33 days away. Non-compliance carries fines up to 15 million euros or 3% of global turnover.
- NIST AI RMF MAP function treats AI inventory as the required precondition for GOVERN, MEASURE, and MANAGE functions.
- An AI model registry must cover more than models: agents, tools, datasets, pipelines, MCP servers, and external API dependencies all belong in scope.
- Integration with SIEM and SOAR turns the registry from a passive catalog into an active security control.
The Shadow AI Inventory Problem
Most enterprise AI inventories have a fundamental gap: they catalog what IT approved and miss everything else. Security surveys in 2026 consistently show that 80% of organizations experience moderate to pervasive shadow AI use across their workforce. Only 25% have comprehensive visibility into how employees actually use AI tools day to day.
The gap is not a failure of intent. It reflects how AI adoption happens. An engineer discovers a new coding assistant. A finance analyst starts using an AI spreadsheet tool. A customer success team subscribes to an AI email tool through a personal credit card. Each of these creates an undocumented AI dependency that processes business data, calls external APIs, and may store conversation history on third-party servers.
This matters from a security standpoint because every undiscovered AI dependency is a potential exfiltration channel, an unmonitored data processor, and a supply chain attack surface that security teams cannot scan, patch, or revoke if compromised.
A meaningful discovery program in 2026 requires four parallel approaches. First, network egress monitoring to detect traffic to known AI API endpoints such as api.openai.com, api.anthropic.com, and similar provider domains. Second, SaaS OAuth grant inventory to surface all OAuth tokens that employees have issued to AI applications from corporate identity providers. Third, identity provider log analysis to catch AI tool sign-ups using corporate email addresses. Fourth, CASB policy enforcement that flags AI tool usage patterns in real time.
Discovery is not a one-time project. AI tool adoption moves faster than formal approval cycles. The registry must be treated as a living system with continuous discovery running in the background.
What Belongs in a Security-Grade AI Model Registry
A traditional model registry, as implemented by data teams, tracks model versions, training parameters, and performance metrics. A security-grade registry needs more.
Models. Every AI model in production, staging, and development requires an entry. Each entry should capture: the model source (internal, open-source hub, vendor API), training data provenance, known CVEs, capability disclosures including documented limitations, and the last security review date.
AI agents. Autonomous agents are distinct from models. They require their own entries that document: which tools the agent can call, the scope of those tool calls, the maximum privilege level the agent can reach, and the approval chain for changes to agent permissions.
Datasets. Training and fine-tuning datasets are supply chain components. A dataset sourced from a public hub may have been poisoned. The registry should record dataset provenance, the integrity verification method used at ingestion, and whether the dataset has appeared in any known poisoning incident reports.
External API dependencies. Most enterprise AI systems call external models through APIs rather than running models locally. Each external API dependency should be documented with the provider, the data classification of content sent to that API, the data retention policy of the provider, and the contractual security terms in place.
Pipelines and orchestration layers. LangChain, LlamaIndex, and similar orchestration frameworks introduce their own dependency chains. The registry should include pipeline configurations, the third-party packages those pipelines depend on, and any known vulnerabilities in those packages.
MCP servers and plugins. The Model Context Protocol (MCP) has introduced a new class of AI extension that can be difficult to track. MCP servers expose tools to AI agents with varying levels of trust. Each approved MCP server should have a registry entry documenting what tools it exposes, what systems it has access to, and which agents are permitted to call it.
Security Use Cases for AI Asset Inventory
A complete inventory creates value only if security teams use it as an active control surface. Four use cases drive the most immediate return.
Vulnerability Scanning
AI model files are not passive binary blobs. PyTorch models stored in Pickle format execute arbitrary Python code on deserialization. In February 2025, ReversingLabs researchers documented the NullifAI technique: attackers embed malicious Pickle opcodes at the beginning of the serialization stream so that the payload executes before scanning tools reach the broken stream that would normally trigger a detection. This technique was used to distribute malware through models hosted on the Hugging Face hub.
The PickleScan tool, widely used for detecting malicious Pickle payloads, was found to carry three zero-day vulnerabilities in December 2025. CVE-2025-10155 allows evasion by renaming files with alternative extensions. CVE-2025-10156 exploits CRC error handling in ZIP archives. CVE-2025-10157 uses subclassed module paths to invoke dangerous functions without matching blocklist patterns. All three are rated CVSS 9.3.
Without a complete registry, you cannot schedule systematic scans of all model files as new CVEs emerge. With a registry, you can immediately identify which deployed models were sourced from affected repositories and prioritize remediation.
Supply Chain Lineage Auditing
In February 2026, Koi Security researchers discovered 341 malicious skills in the ClawHub agent skill registry distributing Atomic Stealer malware. For organizations using agent skill registries without a corresponding internal catalog of approved skills, there was no systematic way to determine exposure.
Lineage auditing means the registry tracks not just what is deployed but where it came from and what the chain of custody was from source to production. When a supply chain incident is disclosed, lineage data enables the security team to immediately answer: did we use this model or skill, and if so, from which source version?
Access Control Enforcement
AI agents that call databases, execute code, or send network requests are privileged identities. The registry provides the authoritative source for what permissions each agent should have. Access control systems can query the registry to enforce that agents operate within their documented scope and to auto-revoke permissions when a registry entry is modified or an agent is retired.
Incident Response Scoping
When a security incident involves an AI system, the first question is: what data did this system have access to and what systems could it reach? Without a registry, answering that question requires manual investigation across multiple teams. With a registry entry that documents tool call scope, API dependencies, and data classifications, the incident response team can scope the potential impact in minutes rather than days.
NIST AI RMF and the MAP Function
The NIST AI Risk Management Framework (AI RMF 1.0) establishes four core functions: GOVERN, MAP, MEASURE, and MANAGE. The MAP function is the operational starting point: it establishes the context needed to characterize risk for a specific AI system.
NIST guidance explicitly requires organizations to inventory AI systems in production, in development, and in pilot programs, including third-party AI tools and AI features embedded in SaaS platforms. The MAP function documentation checklist includes completed AI system inventory as a required evidence item. Without an inventory, organizations cannot demonstrate MAP function compliance during an audit or assessment.
The dependency is structural. MEASURE function risk assessments require knowing which systems to measure. MANAGE function controls require knowing which systems to apply controls to. GOVERN function policies require knowing which systems are in scope. All three downstream functions are only as complete as the inventory that feeds them.
Organizations that implement NIST AI RMF typically discover that shadow AI is the primary MAP function failure mode. Sanctioned systems appear in the inventory. The majority of actual AI usage, flowing through personal accounts, browser-based tools, and AI features in SaaS platforms, often does not appear in the first inventory pass.
For practical guidance on implementing NIST AI RMF controls, see our NIST AI RMF practical implementation guide.
EU AI Act Annex IV: 33 Days to Comply
For organizations deploying high-risk AI systems as defined in Annex III of the EU AI Act, the technical documentation deadline is August 2, 2026. That is 33 days from the date of this post.
EU AI Act Annex IV specifies 9 mandatory categories of technical documentation that must be prepared before a high-risk system is placed on the market or put into service:
Without an AI model registry, producing accurate documentation for items 2, 3, 4, 5, and 6 is a manual research project for every system. With a registry that captures training provenance, testing history, access controls, and change logs, the documentation can be generated systematically.
Non-compliance carries fines up to 15 million euros or 3% of total worldwide annual turnover, whichever is higher. For organizations with multiple high-risk AI systems in production, the registry is not optional. It is the operational infrastructure that makes Article 11 compliance achievable.
Build vs. Buy: Evaluating Registry Platforms
Three categories of platforms compete for this use case.
Vendor governance platforms such as Atlan and Alation were built for data governance and have extended into AI model tracking. Their strength is integration with existing data catalogs. Their limitation from a security standpoint is that they were designed for data lineage, not security controls. They typically lack native vulnerability tracking, CVE correlation, or security-focused access control enforcement.
Open-source options such as DataHub and MLflow provide model registry capabilities with significant flexibility. DataHub, in particular, offers extensible schema that can be adapted to capture security attributes alongside governance metadata. The operational cost is meaningful: security teams must build and maintain integrations with vulnerability scanners, SIEM systems, and access control platforms.
Security-first AI governance platforms are an emerging category in 2026 that combines discovery, registry, and security controls in a single system. These are worth evaluating for organizations whose primary driver is compliance and security rather than data engineering workflow.
For most enterprise security teams, the practical path is to start with an existing data governance platform and extend it with security-specific attributes rather than waiting for a purpose-built security registry to mature. The metadata schema extensions required are well-understood: add fields for last CVE scan date, known vulnerabilities, data classification of inputs and outputs, and incident response contacts.
Integration with Existing Security Tools
A registry that does not connect to operational security tools remains a documentation artifact rather than a security control.
SIEM integration involves ingesting model deployment events, registry change events, and access control changes into the security information and event management system. Deployment of a model from an unregistered source, or a registry entry marked as vulnerable, should generate a SIEM alert. Most SIEM platforms accept webhook-based event forwarding that registry systems can provide with modest configuration.
SOAR automation can trigger playbooks when registry states change. A model entering a "vulnerability confirmed" state can automatically trigger a SOAR playbook that notifies the model owner, schedules a replacement review, and optionally quarantines the model from production inference endpoints.
CSPM coverage of model storage is often overlooked. Model files stored in S3 buckets or Azure Blob Storage require the same access control and encryption posture as other sensitive data. CSPM tools should be configured to treat model storage locations as high-sensitivity assets. The registry is the source of truth for which storage locations contain model files that require this treatment.
SBOM and AI BOM tooling can consume registry data to produce software bills of materials that include AI components. For organizations subject to US federal software supply chain requirements or EU Cyber Resilience Act obligations, the AI model registry feeds the AI bill of materials process directly. For a deeper look at how supply chain security applies specifically to model files, see our AI model supply chain security guide.
CISO Implementation Checklist
The following sequence gets a security-grade registry operational without requiring a large upfront platform investment.
Week 1: Discovery audit. Deploy network monitoring for AI API traffic. Pull OAuth grant reports from the identity provider. Run a browser extension scan across managed devices. Catalog everything discovered without filtering.
Week 2: Risk triage. Classify discovered AI assets by data sensitivity of inputs and outputs. Flag any assets processing regulated data categories: PII, PHI, financial data, IP. These are the priority targets for formal registry entries.
Week 3: Registry schema design. Define the minimum required fields for each registry entry type: models, agents, APIs, datasets. At minimum: asset name, source, version, data classification, owner, vulnerability status, last review date, and EU AI Act risk tier.
Week 4: Vulnerability baseline. Run PickleScan or equivalent against all locally stored model files. Verify the scanner version addresses CVE-2025-10155 through CVE-2025-10157. Document results as the security baseline for each model asset.
Month 2: Process integration. Establish a registry update requirement as part of model deployment workflows. No model reaches production without a registry entry. Integrate registry change events with the SIEM. Define the SOAR playbook for vulnerability findings.
Month 3: Compliance mapping. Map registry contents against EU AI Act Annex IV requirements for each high-risk system. Identify documentation gaps. Assign owners and deadlines for gap remediation.
Ongoing: Continuous discovery. Shadow AI grows continuously. Treat discovery as an operational process, not a one-time project. Monthly discovery sweeps and weekly CASB alert reviews keep the registry current.
Building Security on What You Can See
The enterprise AI model registry is not an administrative overhead. It is the prerequisite for every downstream security control that organizations claim to have in place for their AI systems. Vulnerability scanning, access control enforcement, supply chain auditing, and incident response all degrade to guesswork without a complete, current inventory.
The August 2, 2026 EU AI Act deadline, the specific CVEs now targeting model files and scanning tools, and the documented scale of shadow AI in enterprise environments make 2026 the year this investment becomes non-optional for any organization running AI in production.
Start with discovery. Build the registry schema. Wire it into your existing security tools. The organizations that do this now will spend incident response cycles on remediation rather than on answering the basic question of what they were even running.
Ready to assess your AI inventory posture? Run a free scan at BeyondScale to identify undiscovered AI dependencies in your environment, or contact our team to schedule a full AI security assessment.
AI Security Audit Checklist
A 30-point checklist covering LLM vulnerabilities, model supply chain risks, data pipeline security, and compliance gaps. Used by our team during actual client engagements.
We will send it to your inbox. No spam.
BeyondScale Team
AI Security Team, BeyondScale Technologies
Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.
Want to know your AI security posture? Run a free Securetom scan in 60 seconds.
Start Free Scan

