Home etc Blogs Google Open Sources k8s-aibom To Expose ‘Shadow AI’ In Live Infrastructure

Google Open Sources k8s-aibom To Expose ‘Shadow AI’ In Live Infrastructure

0
1
Google
Google

Google’s new real-time Kubernetes controller maps out hidden production models to build audit-grade, untamperable bills of materials for strict regulatory frameworks.

Google has open-sourced k8s-aibom, a lightweight Kubernetes controller designed to detect unregistered ‘Shadow AI’ workloads—such as models, inference servers, and agent frameworks—that developers deploy without enterprise oversight. Officially released by Google Cloud on 13 July 2026, the utility monitors live infrastructure in real time to identify active production execution rather than statically scanning software artifacts before deployment.

The tool automatically generates standard CycloneDX 1.6 Machine Learning Bill of Materials (ML-BOM) documents, creating an inventory that integrates into clusters or exports to external sinks like Google Cloud Storage. To establish an evidence trail for frameworks including the EU AI Act, NIST AI Risk Management Framework, and ISO/IEC 42001, the controller writes these ML-BOMs using a dedicated service account enforcing a DoesNotExist precondition, making records un-overwriteable once stored.

To categorise discovered assets, k8s-aibom applies a three-tier taxonomy. Declared assets are explicitly configured in workload parameters by engineers. Inferred assets represent frameworks caught dynamically via runtime signature matching. Unresolved assets denote detected AI activity where specific versions or weights cannot be verified.

Google’s security engineers pushed the tool forward under the foundational thesis that 99% of enterprise vulnerabilities are not in the code written in the core application, but in a very deep tree of underlying dependencies. By extending software bills of materials to machine learning weights and agentic frameworks, the tool addresses what leadership categorises as a “P0 (highest priority) challenge for the entire planet.”

Operating as an unprivileged controller in its own namespace, the tool runs without the need for sidecars, privileged DaemonSets, or eBPF kernel modifications. It scans container images, environment variables, and command-line arguments to automatically identify specific infrastructure components, including runtimes (vLLM, Triton, Ollama), agent frameworks (LangChain, AutoGen, CrewAI), and vector databases (Milvus, Qdrant, pgvector).

LEAVE A REPLY

Please enter your comment!
Please enter your name here