AI Supply Chain Risk Management - Auto-discovery, signing, and continuous validation for AI systems
Project description
AI-SCRM
AI Supply Chain Risk Management for Secure AI Infrastructure
Version 1.0.1
Intro
AI-SCRM is the reference implementation of the AI-SCS (AI Supply Chain Security) standard for securing AI infrastructure. It provides production-ready tools to document, sign, and validate AI system componentsโprotecting against model backdooring, dataset poisoning, unauthorized tool activation, and supply chain attacks.
AI-SCRM is intended to:
- Auto-discover models, MCP servers, libraries, and prompts with one command
- Infer metadata for 100+ common model families automatically
- Sign and verify AI artifacts with Ed25519/RSA/ECDSA
- Continuously monitor for drift with configurable intervals
- Integrate easily with LangChain, FastAPI, and CI/CD pipelines
- Provide clear, actionable error messages
- Support production deployments with SIEM integration
Quick Start: One Command Setup
# Install with all features
pip install ai-scrm[all]
# Initialize everything (scan + template + keys + sign)
ai-scrm init
# View status
ai-scrm status
# Start continuous monitoring
ai-scrm monitor
That's it. In under 2 minutes, AI-SCRM will:
- ๐ Scan for models, MCP servers, libraries, and prompts
- ๐ง Infer suppliers for known models (Llama, Mistral, GPT, etc.)
- ๐ Generate a metadata template for items needing review
- ๐ Create signing keys and sign your ABOM
- ๐ Start monitoring for drift
How AI-SCRM Works
Implementing AI supply chain security requires that your AI system becomes inventory-aware AND your runtime environment validates against the declared inventory. AI-SCRM automates both. Each Control Domain enforces the same core requirement:
An AI system may only execute components that are declared in its ABOM, cryptographically verified, and continuously validated at runtime.
The AI-SCRM Workflow
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AI-SCRM Workflow โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ [1] SCAN (Automatic) โ
โ โโโ Discovers models, MCP, libraries, prompts โ
โ โ
โ [2] ENRICH (Review ~5 min) โ
โ โโโ Fill in TODOs for unknown suppliers โ
โ โ
โ [3] SIGN (Automatic) โ
โ โโโ Cryptographically sign the ABOM โ
โ โ
โ [4] MONITOR (Continuous) โ
โ โโโ Hash checks (every 60s) โ
โ โโโ MCP heartbeat (every 5 min) โ
โ โโโ Full re-scan (every 30 min) โ
โ โโโ On drift โ RADE event โ SIEM โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Access is permitted only when artifacts are declared, signed, and verified.
Key Characteristics
| Aspect | Scope |
|---|---|
| Asset coverage | Models, data, tools, MCP, agents, infra |
| Inventory format | CycloneDX 1.6 + AI-SCS extensions |
| Integrity | SHA-256 cryptographic hashes |
| Authenticity | Ed25519, RSA-PSS, ECDSA-P256 signatures |
| Validation | Continuous runtime drift detection |
| Integration | SIEM, SOAR, policy engines |
Installation
# Basic installation
pip install ai-scrm
# With all features (signing, CLI, YAML support)
pip install ai-scrm[all]
Auto-Discovery
AI-SCRM automatically finds your AI components:
| Component | How It's Discovered |
|---|---|
| Models | Scans directories for .safetensors, .gguf, .pt, .onnx files |
| MCP Servers | Parses Claude Desktop config, mcp.json, environment variables |
| Libraries | Reads pip list, requirements.txt, pyproject.toml |
| Prompts | Finds *.prompt, system_prompt*, *.jinja2 files |
Smart Metadata Inference
AI-SCRM recognizes 100+ model families and automatically fills in:
# Automatically inferred from filename:
"llama-3-8b-instruct.safetensors" โ supplier: Meta, type: fine-tuned, params: 8B
"mistral-7b-v0.1.gguf" โ supplier: Mistral AI, architecture: mistral
"text-embedding-ada-002.onnx" โ supplier: OpenAI, type: embedding
"claude-3-sonnet.bin" โ supplier: Anthropic, family: Claude 3
Trust Boundary Classification
MCP servers are automatically classified based on endpoint:
| Pattern | Trust Boundary |
|---|---|
localhost:* |
internal |
127.0.0.1:* |
internal |
192.168.*, 10.* |
internal |
stdio:// |
internal |
| Everything else | external |
Override with patterns in ai-scrm-metadata.yaml:
trust_boundaries:
"*.internal.mycompany.com": internal
"*": external
Continuous Monitoring
AI-SCRM monitors with three tiers:
| Tier | Default Interval | What It Checks |
|---|---|---|
| Hash Check | 60 seconds | File integrity of known components |
| MCP Heartbeat | 5 minutes | MCP server availability |
| Full Scan | 30 minutes | Discover new/removed components |
from ai_scrm import Monitor
monitor = Monitor(
abom_path="abom-signed.json",
hash_check_interval=30, # Faster checks
mcp_heartbeat_interval=120,
on_drift=lambda e: alert(e) # Custom handler
)
monitor.start()
Basic Usage
from ai_scrm import ABOMBuilder, ABOM, Signer, Verifier, DriftDetector
# 1. Build ABOM with your AI components
builder = ABOMBuilder()
builder.add_model(
name="llama-3-8b",
version="1.0.0",
hash_value="a1b2c3d4e5f6...",
format="safetensors",
supplier="Meta"
)
builder.add_mcp_server(
name="filesystem-mcp",
version="1.0.0",
endpoint="http://localhost:3000",
trust_boundary="internal",
capabilities=["read_file", "write_file"]
)
abom = builder.finalize(system_name="my-ai-assistant")
# 2. Sign the ABOM
signer = Signer.generate("ed25519")
signer.sign(abom)
abom.to_file("abom-signed.json")
# 3. Verify at runtime
abom = ABOM.from_file("abom-signed.json")
verifier = Verifier(reject_unsigned=True)
verifier.verify(abom)
# 4. Detect drift
detector = DriftDetector(abom)
event = detector.check_tool_authorized("filesystem-mcp")
if event.is_compliant():
print("โ Tool authorized")
For complete setup instructions, see the Implementation Guide.
Framework Integrations
Decorator Guard
from ai_scrm import guard
@guard(tool="web-search")
def search_web(query):
return search_api.search(query) # Only runs if authorized
LangChain
from ai_scrm import langchain_guard
agent = create_react_agent(llm, tools, prompt)
secure_agent = langchain_guard(agent, abom_path="abom.json")
FastAPI Middleware
from ai_scrm import FastAPIMiddleware
app.add_middleware(FastAPIMiddleware, abom_path="abom.json")
Emergency Bypass
from ai_scrm import emergency_bypass
with emergency_bypass(reason="Production incident #1234"):
# All checks disabled, but fully logged
do_emergency_fix()
Package Structure
ai_scrm/
โโโ __init__.py # Main exports
โโโ abom/ # Control Domain 1: ABOM
โ โโโ models.py # ABOM, Component, Hash, Property
โ โโโ builder.py # Fluent builder for all asset types
โ โโโ exceptions.py # ABOM-specific exceptions
โโโ trust/ # Control Domain 2: Trust
โ โโโ signing.py # Ed25519, RSA, ECDSA signers
โ โโโ verification.py # Signature verification
โ โโโ assertion.py # Trust assertions (AI-SCS 6.3)
โโโ validation/ # Control Domain 3: Validation
โ โโโ detector.py # Drift detection
โ โโโ events.py # RADE events (attestation, drift, violation)
โ โโโ emitter.py # SIEM/SOAR integration
โโโ scanner/ # Auto-Discovery
โ โโโ scanner.py # Main scanner
โ โโโ inference.py # Model metadata inference (100+ models)
โ โโโ mcp_discovery.py # MCP server discovery
โ โโโ metadata.py # YAML metadata handling
โโโ monitor/ # Continuous Validation
โ โโโ monitor.py # Tiered monitoring (hash/heartbeat/scan)
โโโ integrations/ # Framework Shortcuts
โ โโโ integrations.py # guard, langchain_guard, FastAPI
โโโ cli/ # Command-Line Interface
โโโ __init__.py # init, scan, status, monitor, etc.
Three Control Domains
AI-SCRM implements all three AI-SCS Control Domains:
| Domain | Purpose | Key Features |
|---|---|---|
| CD1: ABOM | Inventory & Provenance | All 7 asset categories, mandatory fields, CycloneDX 1.6 |
| CD2: Trust | Integrity & Authenticity | Signing, verification, trust assertions |
| CD3: Validation | Continuous Assurance | Drift detection, events, enforcement |
# Control Domain 1: ABOM
from ai_scrm import ABOMBuilder
builder = ABOMBuilder()
builder.add_model(...)
builder.add_mcp_server(...)
abom = builder.finalize()
# Control Domain 2: Trust
from ai_scrm import Signer, Verifier
signer = Signer.generate("ed25519")
signer.sign(abom)
# Control Domain 3: Validation
from ai_scrm import DriftDetector, RADEEmitter
detector = DriftDetector(abom)
emitter = RADEEmitter()
emitter.add_file_handler("events.jsonl")
Supported Asset Categories (AI-SCS 4.1)
AI-SCRM supports all seven AI-SCS asset categories:
| Category | Examples | Builder Methods |
|---|---|---|
| Models | Base models, fine-tuned, adapters | add_model(), add_fine_tuned_model(), add_adapter() |
| Data | Training, evaluation datasets | add_dataset(), add_training_data() |
| Embeddings | Embedding models, vector stores | add_embedding_model(), add_vector_store() |
| Dependencies | Frameworks, tokenizers, libraries | add_library(), add_framework(), add_tokenizer() |
| Agents | Orchestrators, planners | add_agent(), add_planner(), add_orchestrator() |
| Tools | Plugins, MCP servers, APIs | add_tool(), add_mcp_server(), add_external_api() |
| Infrastructure | TEEs, accelerators | add_infrastructure(), add_tee(), add_accelerator() |
Plus behavioral artifacts: add_prompt_template(), add_policy(), add_guardrail()
MCP Server Security
AI-SCRM provides specific support for Model Context Protocol (MCP) servers:
# MCP servers have mandatory fields per AI-SCS 5.3.5
builder.add_mcp_server(
name="filesystem-mcp",
version="1.0.0",
endpoint="http://localhost:3000", # REQUIRED
trust_boundary="internal", # REQUIRED: internal, external, hybrid
capabilities=["read", "write", "list"] # REQUIRED
)
# Runtime validation before connecting
detector = DriftDetector(abom)
event = detector.check_mcp_authorized("filesystem-mcp", endpoint="http://localhost:3000")
if not event.is_compliant():
raise SecurityError(f"Unauthorized MCP: {event.observation.details}")
| MCP Authorized | Endpoint Matches | Result |
|---|---|---|
| โ | โ | ALLOW |
| โ | โ | DENY |
| โ | โ | DENY |
| โ | โ | DENY |
Clear Error Messages
AI-SCRM provides actionable errors:
Signature validation failed for abom.json
The ABOM file has been modified since it was signed.
This could mean:
โข Someone tampered with the file (security incident)
โข You made legitimate changes and forgot to re-sign
To fix:
โข If changes were intentional: ai-scrm sign abom.json
โข If unexpected: Investigate first - this may be a security incident
Diff-Based Approval
When drift is detected:
$ ai-scrm status
โ ๏ธ 2 changes detected:
[NEW] MCP Server: slack-notifications-mcp
Endpoint: http://localhost:3005
Action: ai-scrm approve slack-notifications-mcp
[CHANGED] Model: llama-3-8b.safetensors
Hash: a1b2c3... โ x7y8z9...
Action: ai-scrm approve model:llama-3-8b
SIEM/SOAR Integration
AI-SCRM emits structured RADE (Runtime Attestation & Drift Events) for security integration:
from ai_scrm import RADEEmitter, DriftDetector
# Create emitter with handlers
emitter = RADEEmitter(system_name="my-ai-assistant")
emitter.add_file_handler("./logs/rade-events.jsonl")
emitter.add_webhook_handler("https://siem.company.com/api/events")
# Emit events from validation
detector = DriftDetector(abom)
events = detector.check("./deployed-system")
emitter.emit_all(events)
# Events are SIEM-compatible JSON
# {
# "eventType": "drift",
# "severity": "critical",
# "observation": {"type": "model-substitution", ...},
# "abomBinding": {"serialNumber": "urn:uuid:..."}
# }
Conformance Levels (AI-SCS Section 8)
AI-SCRM supports all three AI-SCS conformance levels:
| Level | Name | Requirements | AI-SCRM Support |
|---|---|---|---|
| Level 1 | Visibility | ABOM generation, static provenance | โ
Scanner, ABOMBuilder |
| Level 2 | Integrity | Artifact signing, verification | โ
Signer, Verifier |
| Level 3 | Continuous Assurance | Runtime validation, automated detection | โ
Monitor, DriftDetector, RADEEmitter |
CLI Reference
# First-time setup (does everything)
ai-scrm init
ai-scrm init --dir ./my-project --no-sign
# Scanning
ai-scrm scan
ai-scrm scan --dir ./models --output results.json
# Status (with live updates)
ai-scrm status
ai-scrm status --watch
# ABOM management
ai-scrm abom validate abom.json --strict
ai-scrm abom info abom.json
# Trust operations
ai-scrm trust keygen --algorithm ed25519
ai-scrm trust sign abom.json --key ./keys/private.pem
ai-scrm trust verify abom-signed.json
# Validation
ai-scrm validation check --abom abom.json
ai-scrm monitor --hash-interval 30
# Change management
ai-scrm approve mcp:new-server --trust internal
ai-scrm reject mcp:suspicious-server
Works with Your Existing Security Infrastructure
AI-SCRM was designed to work with your existing security tools:
- Uses CycloneDX 1.6, a standard SBOM format
- Emits SIEM-compatible structured events
- Integrates with policy engines via callbacks
- Supports existing key management (HSM, cloud KMS)
- Works with CI/CD pipelines (GitHub Actions, GitLab)
- Compatible with Kubernetes admission controllers
| Component Declared | Signature Valid | Hash Matches | Result |
|---|---|---|---|
| โ | โ | โ | ALLOW |
| โ | โ | โ | DENY |
| โ | โ | โ | DENY |
| โ | โ | โ | DENY |
Runtime Validation Scenarios
AI-SCRM supports various validation scenarios:
- Startup Validation: Verify all components before system initialization
- Continuous Monitoring: Periodic checks for drift with configurable intervals
- On-Demand Checks: Validate specific components before use
- Tool Authorization: Check tool/MCP permissions before invocation
# Startup validation
events = detector.check("./deployed-system")
if any(e.event_type == "drift" for e in events):
raise SecurityError("System integrity compromised")
# Tool authorization before use
if detector.check_tool_authorized("web-search").is_compliant():
result = web_search_tool.execute(query)
See the Implementation Guide for complete validation setup.
Documentation
- Implementation Guide - Complete setup with all Control Domains
- CI/CD Integration - GitHub Actions, GitLab CI examples in guide
- Kubernetes - Admission controller example in guide
Version History
| Version | Changes |
|---|---|
| 1.0.1 | Minor release: Bug fixes in CLI Syntax and Logic |
| 1.0.0 | Full release: Auto-discovery, smart inference, continuous monitoring, framework integrations, Ed25519/RSA/ECDSA signing, RADE events |
License
Apache License 2.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_scrm-1.0.1.tar.gz.
File metadata
- Download URL: ai_scrm-1.0.1.tar.gz
- Upload date:
- Size: 86.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0c5a19a3a493171b046537a7da084527420b44c94c2b9ae44fa46eb8b3e42e74
|
|
| MD5 |
7c598e73d12f4a0ebc0d2873120db090
|
|
| BLAKE2b-256 |
df871b4926820b7c16c7f7bd768c31d2f8116892d07e2a4aab3c894bc5c7278e
|
File details
Details for the file ai_scrm-1.0.1-py3-none-any.whl.
File metadata
- Download URL: ai_scrm-1.0.1-py3-none-any.whl
- Upload date:
- Size: 94.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7450e0764ae33e481a8534caa85895b6543a4148e0602394df9952e0fa4620f2
|
|
| MD5 |
c1fa7872afdf366fdfc952af23e0f9a5
|
|
| BLAKE2b-256 |
26ee98d3ad41bf77720c036f7361a10f89063e45afc673a46901d2982cf4e3e0
|