"AI Asset inventory is a dumpster fire right now."
A security leader's comment. Here's how I cope:
1. Check the "source of truth" (usually there is more than one)
This includes things like:
-> Configuration Management Databases (CMDBs)
-> Contract management systems
-> Automated scanning tools
-> ISO 27001 asset lists
-> IT spreadsheets
2. Enrich the data from other sources like:
-> Product requirement documents
-> Marketing blog posts (!)
-> SOC 2 attestations
-> PowerPoint decks
-> Jira
The difference between what you get from steps 1 and 2 is often quite large.
3. Interview key personnel
This is where the "magic" happens:
-> Executives discuss projects no one else knows about
-> Data scientists talk about their personal model repo
-> Sales teams reveal their go-to shadow AI tools
Now we have something much closer to ground truth.
And we can consolidate it all into a single format compliant with the OWASP CycloneDX SBOM/xBOM standard.
This gives StackAware a starting point to do:
-> Model
-> System
-> Impact
-> Risk
assessments for our clients. And minimizes the risk of missing something.
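To make the three steps concrete, here is an added example (not StackAware's tooling or the author's code) that merges AI asset records from each discovery step, measures the gap each step closes, and emits the consolidated list as a CycloneDX 1.5 JSON document using its machine-learning-model component type. The sample records are constructed, and the inventory:* property names and the urn:example bom-ref scheme are assumptions, not part of the CycloneDX specification.

```python
"""Consolidate AI asset records from three discovery steps into one CycloneDX BOM.
Constructed example: records, `inventory:*` property names and the bom-ref
scheme are invented; "machine-learning-model" is a real CycloneDX 1.5 type."""
import json
import re
from datetime import datetime, timezone

# Step 1: "sources of truth" (CMDB, scanners, ISO 27001 asset list). Constructed.
SOURCE_OF_TRUTH = [
    {"name": "Support Chatbot", "version": "2.1", "owner": "IT", "source": "cmdb"},
    {"name": "fraud-scoring-model", "version": "0.9", "owner": "Risk", "source": "cmdb"},
]
# Step 2: enrichment (PRDs, blog posts, SOC 2 scope, Jira). Constructed.
ENRICHMENT = [
    {"name": "Support ChatBot", "version": "2.1", "owner": "IT", "source": "jira"},
    {"name": "Resume Screener", "version": "1.0", "owner": "HR", "source": "prd"},
]
# Step 3: interviews (executives, data scientists, sales). Constructed.
INTERVIEWS = [
    {"name": "Sales Email Writer", "version": None, "owner": "Sales", "source": "interview"},
    {"name": "fraud scoring model", "version": "1.2", "owner": "Risk", "source": "interview"},
]


def normalize(name):
    """Collapse case, whitespace and punctuation so one asset named slightly
    differently in two systems lands on a single key."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def merge(*sources):
    """Union the record lists. Every source that mentions an asset is kept as
    provenance; every distinct version claimed for it is kept for conflict checks."""
    assets = {}
    for records in sources:
        for rec in records:
            key = normalize(rec["name"])
            entry = assets.setdefault(
                key, {"name": rec["name"], "owner": rec["owner"], "versions": set(), "sources": set()}
            )
            if rec["version"]:
                entry["versions"].add(rec["version"])
            entry["sources"].add(rec["source"])
    return assets


def new_assets(before, after):
    """Asset keys present after a step but absent before it: the gap that step closed."""
    return sorted(set(after) - set(before))


def to_cyclonedx(assets):
    """Emit a CycloneDX 1.5 JSON document with one machine-learning-model component
    per asset. Provenance and owner go into `properties`; a version disagreement
    between sources is recorded for follow-up rather than silently resolved."""
    components = []
    for key, asset in sorted(assets.items()):
        props = [{"name": "inventory:source", "value": s} for s in sorted(asset["sources"])]
        props.append({"name": "inventory:owner", "value": asset["owner"]})
        versions = sorted(asset["versions"])
        if len(versions) > 1:
            props.append({"name": "inventory:version-conflict", "value": ", ".join(versions)})
        component = {
            "type": "machine-learning-model",
            "bom-ref": f"urn:example:ai-asset:{key}",  # assumed bom-ref scheme
            "name": asset["name"],
            "properties": props,
        }
        if len(versions) == 1:
            component["version"] = versions[0]
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": components,
    }


def build_inventory():
    """Run the three steps, record what each uncovered, and return (bom, gaps)."""
    step1 = merge(SOURCE_OF_TRUTH)
    step2 = merge(SOURCE_OF_TRUTH, ENRICHMENT)
    step3 = merge(SOURCE_OF_TRUTH, ENRICHMENT, INTERVIEWS)
    gaps = {"step2_added": new_assets(step1, step2), "step3_added": new_assets(step2, step3)}
    return to_cyclonedx(step3), gaps


if __name__ == "__main__":
    bom, gaps = build_inventory()
    print(json.dumps(gaps, indent=2))
    print(json.dumps(bom, indent=2))
```

Run it and the gaps dictionary shows what the enrichment and interview steps each surfaced that the "source of truth" missed; the version-conflict property on the fraud model is the kind of disagreement between a CMDB and a data scientist's account that the interview step tends to expose.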
___
Need more AI governance tips?
Give me a follow.