Skip to main content

AI Supply Chain Risk Management - Auto-discovery, signing, and continuous validation for AI systems

Project description

AI-SCRM

AI Supply Chain Risk Management for Secure AI Infrastructure

ai-scrm python license tests

Version 1.0.0


Intro

AI-SCRM is the reference implementation of the AI-SCS (AI Supply Chain Security) standard for securing AI infrastructure. It provides production-ready tools to document, sign, and validate AI system componentsโ€”protecting against model backdooring, dataset poisoning, unauthorized tool activation, and supply chain attacks.

AI-SCRM is intended to:

  • Auto-discover models, MCP servers, libraries, and prompts with one command
  • Infer metadata for 100+ common model families automatically
  • Sign and verify AI artifacts with Ed25519/RSA/ECDSA
  • Continuously monitor for drift with configurable intervals
  • Integrate easily with LangChain, FastAPI, and CI/CD pipelines
  • Provide clear, actionable error messages
  • Support production deployments with SIEM integration

Quick Start: One Command Setup

# Install with all features
pip install ai-scrm[all]

# Initialize everything (scan + template + keys + sign)
ai-scrm init

# View status
ai-scrm status

# Start continuous monitoring
ai-scrm monitor

That's it. In under 2 minutes, AI-SCRM will:

  1. ๐Ÿ” Scan for models, MCP servers, libraries, and prompts
  2. ๐Ÿง  Infer suppliers for known models (Llama, Mistral, GPT, etc.)
  3. ๐Ÿ“‹ Generate a metadata template for items needing review
  4. ๐Ÿ”‘ Create signing keys and sign your ABOM
  5. ๐Ÿ“Š Start monitoring for drift

How AI-SCRM Works

Implementing AI supply chain security requires that your AI system becomes inventory-aware AND your runtime environment validates against the declared inventory. AI-SCRM automates both. Each Control Domain enforces the same core requirement:


An AI system may only execute components that are declared in its ABOM, cryptographically verified, and continuously validated at runtime.


The AI-SCRM Workflow

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                    AI-SCRM Workflow                             โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                                                                 โ”‚
โ”‚  [1] SCAN (Automatic)                                           โ”‚
โ”‚      โ””โ”€โ”€ Discovers models, MCP, libraries, prompts              โ”‚
โ”‚                                                                 โ”‚
โ”‚  [2] ENRICH (Review ~5 min)                                     โ”‚
โ”‚      โ””โ”€โ”€ Fill in TODOs for unknown suppliers                    โ”‚
โ”‚                                                                 โ”‚
โ”‚  [3] SIGN (Automatic)                                           โ”‚
โ”‚      โ””โ”€โ”€ Cryptographically sign the ABOM                        โ”‚
โ”‚                                                                 โ”‚
โ”‚  [4] MONITOR (Continuous)                                       โ”‚
โ”‚      โ”œโ”€โ”€ Hash checks (every 60s)                                โ”‚
โ”‚      โ”œโ”€โ”€ MCP heartbeat (every 5 min)                            โ”‚
โ”‚      โ”œโ”€โ”€ Full re-scan (every 30 min)                            โ”‚
โ”‚      โ””โ”€โ”€ On drift โ†’ RADE event โ†’ SIEM                           โ”‚
โ”‚                                                                 โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Access is permitted only when artifacts are declared, signed, and verified.


Key Characteristics

Aspect Scope
Asset coverage Models, data, tools, MCP, agents, infra
Inventory format CycloneDX 1.6 + AI-SCS extensions
Integrity SHA-256 cryptographic hashes
Authenticity Ed25519, RSA-PSS, ECDSA-P256 signatures
Validation Continuous runtime drift detection
Integration SIEM, SOAR, policy engines

Installation

# Basic installation
pip install ai-scrm

# With all features (signing, CLI, YAML support)
pip install ai-scrm[all]

Auto-Discovery

AI-SCRM automatically finds your AI components:

Component How It's Discovered
Models Scans directories for .safetensors, .gguf, .pt, .onnx files
MCP Servers Parses Claude Desktop config, mcp.json, environment variables
Libraries Reads pip list, requirements.txt, pyproject.toml
Prompts Finds *.prompt, system_prompt*, *.jinja2 files

Smart Metadata Inference

AI-SCRM recognizes 100+ model families and automatically fills in:

# Automatically inferred from filename:
"llama-3-8b-instruct.safetensors" โ†’ supplier: Meta, type: fine-tuned, params: 8B
"mistral-7b-v0.1.gguf" โ†’ supplier: Mistral AI, architecture: mistral
"text-embedding-ada-002.onnx" โ†’ supplier: OpenAI, type: embedding
"claude-3-sonnet.bin" โ†’ supplier: Anthropic, family: Claude 3

Trust Boundary Classification

MCP servers are automatically classified based on endpoint:

Pattern Trust Boundary
localhost:* internal
127.0.0.1:* internal
192.168.*, 10.* internal
stdio:// internal
Everything else external

Override with patterns in ai-scrm-metadata.yaml:

trust_boundaries:
  "*.internal.mycompany.com": internal
  "*": external

Continuous Monitoring

AI-SCRM monitors with three tiers:

Tier Default Interval What It Checks
Hash Check 60 seconds File integrity of known components
MCP Heartbeat 5 minutes MCP server availability
Full Scan 30 minutes Discover new/removed components
from ai_scrm import Monitor

monitor = Monitor(
    abom_path="abom-signed.json",
    hash_check_interval=30,      # Faster checks
    mcp_heartbeat_interval=120,
    on_drift=lambda e: alert(e)  # Custom handler
)
monitor.start()

Basic Usage

from ai_scrm import ABOMBuilder, ABOM, Signer, Verifier, DriftDetector

# 1. Build ABOM with your AI components
builder = ABOMBuilder()
builder.add_model(
    name="llama-3-8b",
    version="1.0.0",
    hash_value="a1b2c3d4e5f6...",
    format="safetensors",
    supplier="Meta"
)
builder.add_mcp_server(
    name="filesystem-mcp",
    version="1.0.0",
    endpoint="http://localhost:3000",
    trust_boundary="internal",
    capabilities=["read_file", "write_file"]
)
abom = builder.finalize(system_name="my-ai-assistant")

# 2. Sign the ABOM
signer = Signer.generate("ed25519")
signer.sign(abom)
abom.to_file("abom-signed.json")

# 3. Verify at runtime
abom = ABOM.from_file("abom-signed.json")
verifier = Verifier(reject_unsigned=True)
verifier.verify(abom)

# 4. Detect drift
detector = DriftDetector(abom)
event = detector.check_tool_authorized("filesystem-mcp")
if event.is_compliant():
    print("โœ“ Tool authorized")

For complete setup instructions, see the Implementation Guide.


Framework Integrations

Decorator Guard

from ai_scrm import guard

@guard(tool="web-search")
def search_web(query):
    return search_api.search(query)  # Only runs if authorized

LangChain

from ai_scrm import langchain_guard

agent = create_react_agent(llm, tools, prompt)
secure_agent = langchain_guard(agent, abom_path="abom.json")

FastAPI Middleware

from ai_scrm import FastAPIMiddleware

app.add_middleware(FastAPIMiddleware, abom_path="abom.json")

Emergency Bypass

from ai_scrm import emergency_bypass

with emergency_bypass(reason="Production incident #1234"):
    # All checks disabled, but fully logged
    do_emergency_fix()

Package Structure

ai_scrm/
โ”œโ”€โ”€ __init__.py              # Main exports
โ”œโ”€โ”€ abom/                    # Control Domain 1: ABOM
โ”‚   โ”œโ”€โ”€ models.py            # ABOM, Component, Hash, Property
โ”‚   โ”œโ”€โ”€ builder.py           # Fluent builder for all asset types
โ”‚   โ””โ”€โ”€ exceptions.py        # ABOM-specific exceptions
โ”œโ”€โ”€ trust/                   # Control Domain 2: Trust
โ”‚   โ”œโ”€โ”€ signing.py           # Ed25519, RSA, ECDSA signers
โ”‚   โ”œโ”€โ”€ verification.py      # Signature verification
โ”‚   โ””โ”€โ”€ assertion.py         # Trust assertions (AI-SCS 6.3)
โ”œโ”€โ”€ validation/              # Control Domain 3: Validation
โ”‚   โ”œโ”€โ”€ detector.py          # Drift detection
โ”‚   โ”œโ”€โ”€ events.py            # RADE events (attestation, drift, violation)
โ”‚   โ””โ”€โ”€ emitter.py           # SIEM/SOAR integration
โ”œโ”€โ”€ scanner/                 # Auto-Discovery
โ”‚   โ”œโ”€โ”€ scanner.py           # Main scanner
โ”‚   โ”œโ”€โ”€ inference.py         # Model metadata inference (100+ models)
โ”‚   โ”œโ”€โ”€ mcp_discovery.py     # MCP server discovery
โ”‚   โ””โ”€โ”€ metadata.py          # YAML metadata handling
โ”œโ”€โ”€ monitor/                 # Continuous Validation
โ”‚   โ””โ”€โ”€ monitor.py           # Tiered monitoring (hash/heartbeat/scan)
โ”œโ”€โ”€ integrations/            # Framework Shortcuts
โ”‚   โ””โ”€โ”€ integrations.py      # guard, langchain_guard, FastAPI
โ””โ”€โ”€ cli/                     # Command-Line Interface
    โ””โ”€โ”€ __init__.py          # init, scan, status, monitor, etc.

Three Control Domains

AI-SCRM implements all three AI-SCS Control Domains:

Domain Purpose Key Features
CD1: ABOM Inventory & Provenance All 7 asset categories, mandatory fields, CycloneDX 1.6
CD2: Trust Integrity & Authenticity Signing, verification, trust assertions
CD3: Validation Continuous Assurance Drift detection, events, enforcement
# Control Domain 1: ABOM
from ai_scrm import ABOMBuilder
builder = ABOMBuilder()
builder.add_model(...)
builder.add_mcp_server(...)
abom = builder.finalize()

# Control Domain 2: Trust
from ai_scrm import Signer, Verifier
signer = Signer.generate("ed25519")
signer.sign(abom)

# Control Domain 3: Validation
from ai_scrm import DriftDetector, RADEEmitter
detector = DriftDetector(abom)
emitter = RADEEmitter()
emitter.add_file_handler("events.jsonl")

Supported Asset Categories (AI-SCS 4.1)

AI-SCRM supports all seven AI-SCS asset categories:

Category Examples Builder Methods
Models Base models, fine-tuned, adapters add_model(), add_fine_tuned_model(), add_adapter()
Data Training, evaluation datasets add_dataset(), add_training_data()
Embeddings Embedding models, vector stores add_embedding_model(), add_vector_store()
Dependencies Frameworks, tokenizers, libraries add_library(), add_framework(), add_tokenizer()
Agents Orchestrators, planners add_agent(), add_planner(), add_orchestrator()
Tools Plugins, MCP servers, APIs add_tool(), add_mcp_server(), add_external_api()
Infrastructure TEEs, accelerators add_infrastructure(), add_tee(), add_accelerator()

Plus behavioral artifacts: add_prompt_template(), add_policy(), add_guardrail()


MCP Server Security

AI-SCRM provides specific support for Model Context Protocol (MCP) servers:

# MCP servers have mandatory fields per AI-SCS 5.3.5
builder.add_mcp_server(
    name="filesystem-mcp",
    version="1.0.0",
    endpoint="http://localhost:3000",      # REQUIRED
    trust_boundary="internal",              # REQUIRED: internal, external, hybrid
    capabilities=["read", "write", "list"]  # REQUIRED
)

# Runtime validation before connecting
detector = DriftDetector(abom)
event = detector.check_mcp_authorized("filesystem-mcp", endpoint="http://localhost:3000")
if not event.is_compliant():
    raise SecurityError(f"Unauthorized MCP: {event.observation.details}")

MCP Authorized Endpoint Matches Result
โœ… โœ… ALLOW
โŒ โœ… DENY
โœ… โŒ DENY
โŒ โŒ DENY

Clear Error Messages

AI-SCRM provides actionable errors:

Signature validation failed for abom.json

The ABOM file has been modified since it was signed.
This could mean:
  โ€ข Someone tampered with the file (security incident)
  โ€ข You made legitimate changes and forgot to re-sign

To fix:
  โ€ข If changes were intentional: ai-scrm sign abom.json
  โ€ข If unexpected: Investigate first - this may be a security incident

Diff-Based Approval

When drift is detected:

$ ai-scrm status

โš ๏ธ  2 changes detected:

[NEW] MCP Server: slack-notifications-mcp
      Endpoint: http://localhost:3005
      Action: ai-scrm approve slack-notifications-mcp

[CHANGED] Model: llama-3-8b.safetensors
      Hash: a1b2c3... โ†’ x7y8z9...
      Action: ai-scrm approve model:llama-3-8b

SIEM/SOAR Integration

AI-SCRM emits structured RADE (Runtime Attestation & Drift Events) for security integration:

from ai_scrm import RADEEmitter, DriftDetector

# Create emitter with handlers
emitter = RADEEmitter(system_name="my-ai-assistant")
emitter.add_file_handler("./logs/rade-events.jsonl")
emitter.add_webhook_handler("https://siem.company.com/api/events")

# Emit events from validation
detector = DriftDetector(abom)
events = detector.check("./deployed-system")
emitter.emit_all(events)

# Events are SIEM-compatible JSON
# {
#   "eventType": "drift",
#   "severity": "critical",
#   "observation": {"type": "model-substitution", ...},
#   "abomBinding": {"serialNumber": "urn:uuid:..."}
# }

Conformance Levels (AI-SCS Section 8)

AI-SCRM supports all three AI-SCS conformance levels:

Level Name Requirements AI-SCRM Support
Level 1 Visibility ABOM generation, static provenance โœ… Scanner, ABOMBuilder
Level 2 Integrity Artifact signing, verification โœ… Signer, Verifier
Level 3 Continuous Assurance Runtime validation, automated detection โœ… Monitor, DriftDetector, RADEEmitter

CLI Reference

# First-time setup (does everything)
ai-scrm init
ai-scrm init --dir ./my-project --no-sign

# Scanning
ai-scrm scan
ai-scrm scan --dir ./models --output results.json

# Status (with live updates)
ai-scrm status
ai-scrm status --watch

# ABOM management
ai-scrm abom validate abom.json --strict
ai-scrm abom info abom.json

# Trust operations
ai-scrm trust keygen --algorithm ed25519
ai-scrm trust sign abom.json --key ./keys/private.pem
ai-scrm trust verify abom-signed.json

# Validation
ai-scrm validation check --abom abom.json
ai-scrm monitor --hash-interval 30

# Change management
ai-scrm approve mcp:new-server --trust internal
ai-scrm reject mcp:suspicious-server

Works with Your Existing Security Infrastructure

AI-SCRM was designed to work with your existing security tools:

  • Uses CycloneDX 1.6, a standard SBOM format
  • Emits SIEM-compatible structured events
  • Integrates with policy engines via callbacks
  • Supports existing key management (HSM, cloud KMS)
  • Works with CI/CD pipelines (GitHub Actions, GitLab)
  • Compatible with Kubernetes admission controllers

Component Declared Signature Valid Hash Matches Result
โœ… โœ… โœ… ALLOW
โŒ โœ… โœ… DENY
โœ… โŒ โœ… DENY
โœ… โœ… โŒ DENY

Runtime Validation Scenarios

AI-SCRM supports various validation scenarios:

  • Startup Validation: Verify all components before system initialization
  • Continuous Monitoring: Periodic checks for drift with configurable intervals
  • On-Demand Checks: Validate specific components before use
  • Tool Authorization: Check tool/MCP permissions before invocation
# Startup validation
events = detector.check("./deployed-system")
if any(e.event_type == "drift" for e in events):
    raise SecurityError("System integrity compromised")

# Tool authorization before use
if detector.check_tool_authorized("web-search").is_compliant():
    result = web_search_tool.execute(query)

See the Implementation Guide for complete validation setup.


Documentation

  • Implementation Guide - Complete setup with all Control Domains
  • CI/CD Integration - GitHub Actions, GitLab CI examples in guide
  • Kubernetes - Admission controller example in guide

Version History

Version Changes
1.0.0 Full release: Auto-discovery, smart inference, continuous monitoring, framework integrations, Ed25519/RSA/ECDSA signing, RADE events

License

Apache License 2.0



Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_scrm-1.0.0.tar.gz (86.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_scrm-1.0.0-py3-none-any.whl (91.5 kB view details)

Uploaded Python 3

File details

Details for the file ai_scrm-1.0.0.tar.gz.

File metadata

  • Download URL: ai_scrm-1.0.0.tar.gz
  • Upload date:
  • Size: 86.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.11

File hashes

Hashes for ai_scrm-1.0.0.tar.gz
Algorithm Hash digest
SHA256 9a3fea31d3a02e979ec32a30b061bd0827fdce923933d8b7ac6133987e881b2d
MD5 87a040b622fafaa8a47c05bf29569ef2
BLAKE2b-256 f94731565ada057377da4dff35c43744385573c6ee2db96e93c630ff5a789d33

See more details on using hashes here.

File details

Details for the file ai_scrm-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: ai_scrm-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 91.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.11

File hashes

Hashes for ai_scrm-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 bf1342da9f0eb709dd42904099b1743e6eed40437a0dd62cc2a22d23ae2e7c08
MD5 a981d2dfaa852878f005b380fc8aa9e0
BLAKE2b-256 c8a74c680c07a5568425897c85421d83d74944a2337718f8f183a7555488d6db

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page