Application security posture management company Apiiro Ltd. today announced a new update that aims to help enterprises get ahead of the growing risks tied to artificial intelligence adoption by expanding its AI Bill of Materials with AI agent and Model Context Protocol server detection capabilities.

Apiiro first introduced what it calls its visibility-first approach in 2023 with Deep Code Analysis that is designed to uncover generative AI frameworks in codebases. The visibility gave security leaders a baseline for understanding what AI technologies were being introduced and the risks they carried.

Forward to 2025 and the pace of adoption has shifted from experimentation to production deployment, with developers embedding AI models, deploying MCP servers and building AI agents. The result is a new set of challenges for chief information security officers and application security teams, ranging from insecure inputs and outputs to secrets exposure and data leakage.

The new expansion is embedding AI directly into the broader software architecture graph by continuously inventorying AI-specific resources, including agents, frameworks, datasets, artifacts and secrets, contextualizing them alongside application programming interfaces, containers, open source and sensitive data.

The update turns what might look like small, isolated findings into meaningful risk insights. For example, the use of a Hugging Face Python client might seem minor on its own, but when mapped in the graph to a sensitive API and code vulnerabilities, the risk score changes dramatically. The idea is that by normalizing and enriching these issues with runtime and business context, security teams can cut through noise and focus on what truly matters.

Apiiro is also tying AI resources to business services and accountable owners through integrations with configuration management databases such as ServiceNow Inc. That allows security leaders to see where AI lives in the codebase and also who is responsible for governing it.

Developers receive risks contextualized in pull requests with remediation guidance, reducing the friction of separate AI-specific alerts.

The company argues that treating AI as part of the software graph provides a multidimensional view of risk, enabling governance policies that are both enforceable and developer-friendly. For AppSec teams and executives, the approach avoids siloed visibility and supports compliance, threat modeling and policy enforcement across the entire software ecosystem.

“The history of security tells us the same story again and again: cloud, containers, open source – each wave brought innovation and risk,” explains Apiiro. “Organizations that chased technology-specific scanners ended up with fragmented tools and unsustainable backlogs. Those that modeled the entire graph of software risk and governed it holistically were able to scale.”

“AI is the latest chapter, but not a unique one,” the company added. “By embedding AI into the software graph from the start, organizations can innovate with confidence, govern with clarity and avoid repeating the mistakes of past technology waves.”

Image: SiliconANGLE/Reve