Google open-sources k8s-aibom to detect shadow AI
k8s-aibom gives security teams runtime visibility without privileged agents, sidecars or changes to developers’ deployment pipelines.
Google has open-sourced k8s-aibom, a lightweight Kubernetes controller designed to detect unregistered AI workloads and generate standardised inventories of the AI models, runtimes and frameworks operating inside a cluster.
The tool targets shadow AI: workloads deployed by developers without formal registration or integration with an organisation’s security and governance systems. Such deployments can evade conventional security scanners, particularly where organisations avoid privileged agents, kernel-level access or manual changes to Kubernetes workloads.
Google says k8s-aibom addresses that gap by continuously monitoring Kubernetes APIs and container environments. It detects running AI components and generates CycloneDX 1.6 Machine Learning Bills of Materials (ML-BOMs) based on what is actually executing, rather than what was intended during the build process.
The controller runs as a single unprivileged deployment in the k8s-aibom-system namespace. It does not require sidecars, eBPF modules, privileged DaemonSets or modifications to developers’ continuous integration and deployment pipelines.
The controller monitors KServe resources, deployments, StatefulSets, DaemonSets and jobs across a cluster. It then analyses container images, environment variables and command-line arguments to identify different categories of AI workloads.
Supported systems include inference runtimes such as vLLM, Triton Inference Server, TGI, and Ollama; agent frameworks including LangChain, AutoGen, and CrewAI; retrieval and vector database tools such as Milvus, Qdrant, and pgvector; and distributed training and evaluation workloads.
Once identified, the components are compiled into CycloneDX ML-BOM documents. These records can be stored as Kubernetes custom resources or exported to destinations including Google Cloud Storage and webhook endpoints.
Google also designed the tool to produce identical ML-BOM documents when given identical cluster inputs. This deterministic behaviour is intended to support GitOps workflows, allowing security and reliability teams to compare records and identify changes when AI dependencies drift.
Unlike build-time scanners, which document what organisations intended to deploy, k8s-aibom observes live clusters to identify which AI systems are actually running, how they are connected and how those findings were established.
A confidence model separates detected components into three categories. Declared assets are explicitly specified in workload configurations, inferred assets are identified through runtime patterns, and unresolved assets indicate that an AI presence was detected but the precise model, version, or weights could not be established.
Unresolved findings can therefore be prioritised for further security review, while declared and inferred classifications help auditors distinguish documented engineering intent from conclusions reached by the controller.
Google says the controller follows least-privilege principles and can export records using a dedicated identity with permission to create objects in Cloud Storage. Creation preconditions can prevent existing ML-BOM records from being silently overwritten, strengthening the historical evidence available to security and compliance teams.
Google also positions k8s-aibom as a tool for regulatory and standards compliance. Runtime inventories could help organisations gather evidence relevant to the EU AI Act, the NIST AI Risk Management Framework and ISO/IEC 42001 requirements for AI asset management.
Why does it matter?
Shadow AI has become a growing governance challenge as developers deploy AI tools outside formal security and compliance processes. Without visibility into what is actually running in production, organisations may struggle to assess risk, investigate incidents or demonstrate regulatory compliance.
By generating inventories of live AI workloads rather than relying solely on build-time records, k8s-aibom could help organisations improve AI governance while supporting audits, security operations and compliance with emerging AI standards and regulations.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
