Deterministic Detection Gives Enterprises Visibility, Policy Control, and AI-BOM Audit-Ready Documentation for Models, Agents, and MCP Servers Running in Production
Checkmarx, the leader in agentic application security, announced the general availability of Checkmarx AI Inventory, a new capability within Checkmarx One. Part of the platform's AI Supply Chain Security solution, AI Inventory gives enterprises continuous visibility into the AI components running in their applications, including models, agents, MCP servers, AI libraries, and SDKs. From that inventory, it generates an AI-BOM (AI Bill of Materials): the policy controls and audit-ready documentation for every AI component it discovers.
The Threat of Shadow AI
The launch comes as AI enters production faster than organizations can govern it. MIT’s Project NANDA found that employees in over 90% of companies regularly use personal AI tools for work, and Checkmarx research shows the same gap inside the development pipeline: 70% of teams expect AI components in production by the end of 2026, yet 43% have no formal governance over which components developers can use.
When auditors, customers, or regulators ask what AI models are running and where they came from, most teams can’t answer. Traditional SBOMs (Software Bill of Materials) were built to track software packages, not the models, agents, and MCP servers that increasingly shape how applications behave.
“Security teams are being asked to account for AI they often can’t even see,” said Ori Bendet, VP of Product Management at Checkmarx. “The first step in governing AI isn’t writing a policy; it’s knowing what’s actually running in your code. Checkmarx AI Inventory gives teams a concrete inventory of the AI components in use, traceable to the exact line of source code. That’s what makes governance real and audit evidence defensible.”
How AI Inventory Works
Checkmarx AI Inventory is part of the AI Supply Chain Security solution available with Checkmarx One. It complements a suite of industry-leading hybrid scanning engines for Code Security, Runtime Security, and Software Supply Chain Security to provide a comprehensive application security solution. AI Inventory detects AI components through deterministic analysis, so every finding traces back to a specific file and line number rather than a confidence score, the kind of evidence that holds up in an audit. From a single platform, teams can:
- Inventory every AI component: models, agents, MCP servers, AI libraries, and SDKs are catalogued across every repository, current on every commit.
- Enforce policy at commit, blocking unapproved models, agents, and MCP servers in pull requests and CI/CD pipelines before they ship.
- Generate AI-BOM audit-ready documentation exportable on demand in CycloneDX 1.7.
Because AI-BOMs are versioned per release and traceable to source, the documentation maps directly to requirements emerging under the EU AI Act (Articles 11, 13, and Annex IV), the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU Cyber Resilience Act, so when an assessment arrives, the evidence is already structured to answer it.
Market Validation
Major enterprises across financial services, technology, logistics, and retail participated in the early adopter program, with several already running AI Inventory in production. Early adopters reported that it gave them complete visibility into which applications embed AI components and what those components are. This served to surface previously untracked models, validate systems of record, and flag unauthorized or suspicious models for review.
These investments in AI and supply chain security have also earned market recognition. Checkmarx was named a Leader in the inaugural 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security and cited as a Representative Vendor in a recent Gartner Innovation Insight for AIBOMS report.

