Checkmarx launches AI inventory for code governance
Fri, 26th Jun 2026
Checkmarx has launched Checkmarx AI Inventory within its Checkmarx One platform to give companies visibility into the AI components used in their applications.
The launch targets a governance problem many organisations face as AI tools move into software production without clear internal controls. The product identifies models, agents, MCP servers, AI libraries and software development kits in codebases, then generates an AI Bill of Materials for the components it finds.
The inventory is designed to show what AI elements are present in an application and where they appear in source code. Each finding is tied to a specific file and line number through deterministic analysis rather than probability-based detection.
Businesses are under growing pressure to account for AI use in software systems as regulators, customers and auditors demand clearer records on models and other AI tools embedded in products and internal applications. Traditional software bills of materials were created to track software packages, not the newer AI layers that can influence application behaviour.
Research cited by Checkmarx points to a broader rise in so-called shadow AI. A study by MIT's Project NANDA found that employees in more than 90% of companies regularly use personal AI tools for work, while Checkmarx's own research found that 70% of teams expect AI components in production by the end of 2026 and 43% have no formal governance over which components developers can use.
Governance focus
Checkmarx said AI Inventory sits within its AI Supply Chain Security offering on Checkmarx One. From the same platform, users can catalogue AI components across repositories, apply policy controls at commit level, and export AI Bill of Materials documentation in CycloneDX 1.7 format.
The records are versioned by release and traceable to source code. Checkmarx said this structure aligns with documentation demands emerging from frameworks and rules including the EU AI Act, the NIST AI Risk Management Framework, ISO/IEC 42001 and the EU Cyber Resilience Act.
That places the product in a market where software security vendors are trying to extend supply chain oversight from conventional open-source dependencies to AI models and agent-based systems. The shift reflects concern that development teams may adopt external AI tools faster than compliance, security and procurement teams can review them.
According to Checkmarx, major enterprises in financial services, technology, logistics and retail took part in an early adopter programme, and several are already using the product in production environments.
Those early users found previously untracked models, checked existing systems of record and identified unauthorised or suspicious models for review, according to the company. It did not name the participating organisations.
Ori Bendet, Vice President of Product Management at Checkmarx, said the central issue for security teams is a lack of visibility before policy enforcement can begin. "Security teams are being asked to account for AI they often can't even see," he said.
He added that source-level traceability is key to making governance practical. "The first step in governing AI isn't writing a policy; it's knowing what's actually running in your code. Checkmarx AI Inventory gives teams a concrete inventory of the AI components in use, traceable to the exact line of source code. That's what makes governance real and audit evidence defensible," Bendet said.
Broader market
The launch comes as software buyers increasingly ask security vendors for evidence not only of vulnerabilities in code, but also of the provenance and control of AI elements integrated into applications. AI models, agents and connected services are becoming part of software supply chains in the same way third-party libraries have been for years, but with different oversight challenges.
One issue is that AI systems can be embedded through application programming interfaces, packaged libraries or dedicated agent frameworks, making them harder to track with tools built for conventional software dependencies. Another is that governance teams may want to ban some models or suppliers while allowing others, which requires a clear inventory before policies can be enforced.
Checkmarx said its product can block unapproved models, agents and MCP servers in pull requests and continuous integration and delivery pipelines before code is released. That suggests it is aiming not only at discovery, but also at integrating AI oversight into existing software development controls.
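To make the mechanics concrete, here is an added, illustrative example that is not Checkmarx's code and does not show how AI Inventory itself is built: a minimal deterministic scanner in Python that records file and line for every AI SDK import, MCP client import and model identifier it matches (the source-level traceability described in the article), emits a CycloneDX-shaped AI BOM, and checks the models it found against an allowlist the way a pre-merge policy gate would. The sample repository, the signature lists, the allowlist and the `ai:role` property name are constructed for the example; the `machine-learning-model` component type and `evidence.occurrences` entries with `location` and `line` follow CycloneDX conventions as understood here, so verify the field shapes against the schema version you target before relying on them.

```python
"""Minimal deterministic AI component inventory with a CycloneDX-style AI BOM.

Added example, not Checkmarx's code. Scans source text line by line with
fixed patterns (no ML classifier), records file and line for every hit,
emits a CycloneDX-shaped document and checks it against an allowlist.
Field shapes (type "machine-learning-model", evidence.occurrences[] with
location/line) are assumed from CycloneDX conventions; check the schema.
"""
import json
import re

# Constructed sample repository: path -> file contents (not real project code).
SAMPLE_REPO = {
    "app/chat.py": (
        "import openai\n"
        "client = openai.OpenAI()\n"
        "resp = client.chat.completions.create(model=\"gpt-4o-mini\", messages=[])\n"
    ),
    "app/agent.py": (
        "from anthropic import Anthropic\n"
        "from mcp import ClientSession\n"
        "MODEL = \"claude-3-5-sonnet-latest\"\n"
    ),
    "ml/embed.py": (
        "from transformers import AutoModel\n"
        "m = AutoModel.from_pretrained(\"sentence-transformers/all-MiniLM-L6-v2\")\n"
    ),
    "app/util.py": "import json\n",
}

# Deterministic detectors: (kind, component name, compiled regex). Hypothetical,
# illustrative lists; a real inventory would carry far more signatures.
SDK_PATTERNS = [
    ("library", "openai", re.compile(r"^\s*(import|from)\s+openai\b")),
    ("library", "anthropic", re.compile(r"^\s*(import|from)\s+anthropic\b")),
    ("library", "transformers", re.compile(r"^\s*(import|from)\s+transformers\b")),
    ("mcp-client", "mcp", re.compile(r"^\s*(import|from)\s+mcp\b")),
]
MODEL_PATTERNS = [
    re.compile(r"model\s*=\s*[\"']([^\"']+)[\"']"),
    re.compile(r"from_pretrained\(\s*[\"']([^\"']+)[\"']"),
    re.compile(r"^\s*MODEL\s*=\s*[\"']([^\"']+)[\"']"),
]


def scan_repo(files):
    """Return {(kind, name): [(path, line_no), ...]} for every AI hit found."""
    hits = {}
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), start=1):
            for kind, name, rx in SDK_PATTERNS:
                if rx.search(line):
                    hits.setdefault((kind, name), []).append((path, line_no))
            for rx in MODEL_PATTERNS:
                m = rx.search(line)
                if m:
                    key = ("machine-learning-model", m.group(1))
                    hits.setdefault(key, []).append((path, line_no))
    return hits


def build_aibom(hits, spec_version="1.7"):
    """Shape the hits as a CycloneDX-style BOM with per-occurrence file/line evidence."""
    components = []
    for (kind, name), occurrences in sorted(hits.items()):
        ctype = "machine-learning-model" if kind == "machine-learning-model" else "library"
        comp = {
            "type": ctype,
            "name": name,
            "evidence": {"occurrences": [{"location": p, "line": n} for p, n in occurrences]},
        }
        if kind == "mcp-client":  # no dedicated CycloneDX type; tag it via a property (assumed name)
            comp["properties"] = [{"name": "ai:role", "value": "mcp-client"}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": spec_version, "version": 1, "components": components}


def policy_violations(bom, approved_models):
    """Models absent from the allowlist, with the file:line that introduced them."""
    out = []
    for c in bom["components"]:
        if c["type"] == "machine-learning-model" and c["name"] not in approved_models:
            for occ in c["evidence"]["occurrences"]:
                out.append(f"{c['name']} at {occ['location']}:{occ['line']}")
    return out


if __name__ == "__main__":
    bom = build_aibom(scan_repo(SAMPLE_REPO))
    print(json.dumps(bom, indent=2))
    # Hypothetical allowlist; a CI job would exit non-zero on any violation.
    for v in policy_violations(bom, {"gpt-4o-mini"}):
        print("BLOCK:", v)
```

Running the block prints the BOM and two BLOCK lines for the models outside the allowlist; in a CI job the same check would fail the pipeline instead of printing. The fixed patterns are the point: the same commit always yields the same inventory with the same file and line evidence, which is what lets the document stand as reproducible audit evidence rather than a best-effort guess.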
The company also pointed to its standing in the software supply chain security market, saying it had been recognised by Gartner in recent research. Those references are part of a broader effort by security vendors to show they can address both traditional code risk and the newer governance demands created by AI in production.
AI Inventory is available as part of the AI Supply Chain Security module in Checkmarx One.