Enterprise AI Security Posture Management for regulated teams shipping AI in production.

Penaxtra discovers AI assets, secures LLM agents and MCP servers through a self-hosted runtime gateway, runs adversarial scans, and exports audit-ready evidence mapped to OWASP, NIST, MITRE ATLAS, EU AI Act and ISO/IEC 42001.

[Architecture diagram] Customer network: LLM agent (your app code + MCP tools) → Penaxtra agent / egress gateway (DLP firewall, prompt redaction, tool allowlist) → LLM provider over HTTPS. Judge provider: managed or self-hosted. Trust boundary: only redacted data crosses it. Penaxtra control plane (policy, evidence, audit): pushes Ed25519-signed rule blobs down to the agent and receives block events and findings.

Prompt content never leaves the customer network. Only allow/block decisions and redacted finding records flow upstream.

Certified, mapped to, or working toward:
ISO/IEC 27001 (certified) · OWASP LLM Top 10 · OWASP Agentic · NIST AI 600-1 · MITRE ATLAS · EU AI Act (Aug 2026) · ISO/IEC 42001 · SOC 2 Type II (planned)

Penaxtra is an enterprise AI Security Posture Management (AI-SPM) platform that helps regulated teams discover AI assets, run adversarial scans against LLM endpoints and agents, enforce policy through a self-hosted runtime gateway, and export audit-ready evidence mapped to OWASP LLM Top 10, OWASP Agentic Top 10, NIST AI 600-1, MITRE ATLAS, the EU AI Act, and ISO/IEC 42001.

Inside the platform

Seven pillars. One signed evidence loop.

Full platform

Every capability, one platform.

The seven pillars are the headline. Underneath them sits the full AI-SPM lifecycle (discover, assess, protect, analyze, comply, operate), each capability with its own deep-dive.

3+1 judges + meta per finding: no single-model bias.

3,500+ adversarial probes across OWASP LLM Top 10 + Agentic.

6 frameworks mapped at the control-ID level.

22 cross-framework overlaps: one finding satisfies multiple audits.

FAQ

AI-SPM, AI security, and Penaxtra in plain language.

Questions security architects and GRC leads usually ask before the first call. Deeper material lives under /docs and the architecture page.

What is AI Security Posture Management (AI-SPM)?

AI Security Posture Management (AI-SPM) is a continuous-assurance discipline for organisations running LLM applications, agents, MCP servers, RAG pipelines, vector databases, and cloud AI services in production. An AI-SPM platform inventories every AI surface, runs scheduled adversarial scans, enforces runtime policy at the gateway layer, and maps each finding to industry frameworks so security and GRC teams share one audit-ready evidence loop. See the dedicated AI-SPM platform overview.

How is AI-SPM different from Cloud Security Posture Management (CSPM)?

CSPM scores IAM, network, storage, and service configuration in the cloud accounts you operate. AI-SPM extends that with AI-specific control coverage: AI asset auto-discovery, adversarial scanning of prompt flows, runtime gateway DLP and tool allowlisting, and compliance mapping for AI-specific frameworks. CSPM and AI-SPM are complementary, not substitutes. The full comparison matrix covers manual pentest, guardrail-only gateways, and compliance spreadsheets as well.

How is AI-SPM different from LLM security?

LLM security focuses on testing and governing large language model applications and prompt flows. AI-SPM is the broader programme that covers asset discovery, runtime controls, compliance evidence, and audit posture across every AI surface. LLM Security Posture Management is a focused layer within AI-SPM - deep-dive on the dedicated LLM-SPM page.

Does Penaxtra map findings to the EU AI Act?

Yes. Every finding is mapped at the article level to the EU AI Act (notably Articles 9, 15, and 17). The same finding row also carries control IDs from NIST AI 600-1, MITRE ATLAS, OWASP LLM Top 10, OWASP Agentic Top 10, and ISO/IEC 42001, so a single observation feeds the audit evidence pack for every framework. Detail on the compliance page.

How does Penaxtra discover AI assets in our environment?

The platform inventories 11 AI asset kinds today: LLM endpoints, tools and functions, AI applications, vector databases, embedding models, fine-tuned models, self-hosted models, model providers, RAG systems, data sources, and prompt gateways. Discovery is a mix of operator-registered records, tenant-scoped read-only API integrations for managed services, and the runtime gateway reporting back the upstream LLM hosts it sees in traffic. See the platform pillars for the full picture.

Is the runtime gateway on-prem or SaaS?

The runtime gateway is a self-hosted Go agent that runs inside the customer network, in front of the LLM endpoint. The control plane is hosted by Penaxtra. Prompt content never leaves the customer network; only allow or block decisions and redacted finding records flow upstream. Policy travels the other way as Ed25519-signed rule blobs: the agent verifies each blob's signature before applying it and refuses anything that fails verification, so rule integrity rests on the signature rather than on the transport alone. Architecture deep-dive on the architecture page.
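As an added example, not Penaxtra's code and not its documented rule-blob format (that is in the architecture PDF), here is what the agent-side check looks like when written in Python with the `cryptography` package: the control plane signs an envelope with its Ed25519 key, the gateway verifies it against a pinned public key before parsing a single byte of policy, and keeps its current rules when anything is off. The envelope layout (signature, version, expiry, JSON rules), the expiry and anti-rollback checks, and all key and rule values are assumptions made for the illustration.

```python
"""Added example (not Penaxtra's code): a gateway-side loader for signed rule blobs.

Assumed blob envelope, chosen for illustration:
    sig[64] || version[u32 BE] || expires_at[u64 BE, unix seconds] || rules JSON
The Ed25519 signature covers everything after the first 64 bytes.
Requires the third-party `cryptography` package.
"""
import json
import struct
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

SIG_LEN = 64
HEADER = struct.Struct(">IQ")  # version, expires_at


def build_blob(signing_key, version, expires_at, rules):
    """Control-plane side: serialise the rules and sign the whole envelope."""
    body = HEADER.pack(version, expires_at) + json.dumps(rules, sort_keys=True).encode()
    return signing_key.sign(body) + body


class RuleLoader:
    """Gateway side: a pinned public key plus the highest version accepted so far."""

    def __init__(self, pinned_public_key):
        self.pubkey = Ed25519PublicKey.from_public_bytes(pinned_public_key)
        self.version = 0
        self.rules = None

    def load(self, blob, now=None):
        now = time.time() if now is None else now
        if len(blob) < SIG_LEN + HEADER.size:
            raise ValueError("blob too short")
        sig, body = blob[:SIG_LEN], blob[SIG_LEN:]
        # Verify first: the JSON parser must never see unauthenticated bytes.
        try:
            self.pubkey.verify(sig, body)
        except InvalidSignature:
            raise ValueError("signature check failed; keeping current rules") from None
        version, expires_at = HEADER.unpack_from(body)
        # Freshness and anti-rollback checks: assumed policy, not something the page states.
        if expires_at < now:
            raise ValueError(f"rule blob v{version} expired")
        if version <= self.version:
            raise ValueError(f"rule blob v{version} is not newer than v{self.version}")
        self.rules = json.loads(body[HEADER.size:])
        self.version = version
        return self.rules


def _refusal(loader, blob, now):
    """Return the refusal reason, or None if the blob was accepted."""
    try:
        loader.load(blob, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def run_scenarios(now=1_700_000_000):
    """Constructed scenarios: one good blob, then four that must be refused."""
    control_plane_key = Ed25519PrivateKey.generate()
    pinned = control_plane_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    loader = RuleLoader(pinned)

    rules_v2 = {"tool_allowlist": ["search_docs"], "redact": ["email", "ssn"]}
    good = build_blob(control_plane_key, 2, now + 3600, rules_v2)
    out = {"accepted_v2": loader.load(good, now=now) == rules_v2}

    tampered = bytearray(good)
    tampered[-1] ^= 0x01  # flip one bit inside the JSON payload
    out["tampered"] = _refusal(loader, bytes(tampered), now)

    rogue_key = Ed25519PrivateKey.generate()  # valid signature, wrong signer
    rogue = build_blob(rogue_key, 3, now + 3600, {"tool_allowlist": ["*"]})
    out["wrong_key"] = _refusal(loader, rogue, now)

    stale = build_blob(control_plane_key, 1, now + 3600, {"tool_allowlist": ["*"]})
    out["rollback"] = _refusal(loader, stale, now)  # genuine but older: a replay

    out["expired"] = _refusal(loader, build_blob(control_plane_key, 3, now - 1, rules_v2), now)
    out["rules_after"], out["version_after"] = loader.rules, loader.version
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order matters: verification happens before JSON decoding, so a malformed or hostile payload never reaches the parser unauthenticated. The version and expiry fields are the checks a practitioner wants beyond raw signature validity, because a genuinely signed but older blob is exactly what an attacker who captured one would replay.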

Which compliance frameworks does Penaxtra cover?

Six ship pre-mapped at the control identifier level: OWASP LLM Top 10, OWASP Agentic Top 10, NIST AI 600-1, MITRE ATLAS, EU AI Act, and ISO/IEC 42001. Twenty-two cross-framework overlap pairs are pre-computed so one finding can satisfy multiple audit requirements without manual re-mapping. Browse the control catalogue.

What does an adversarial scan cost on Penaxtra?

Judging stays efficient through aggressive prompt caching with the judge providers and the Batch API where the scan SLA allows. Scan quotas and endpoint counts are bundled per tier rather than billed by API call. Full plan breakdown on the pricing page.

Can Penaxtra analyze a model from a public registry before we deploy it?

Yes. The Model Card Analyzer takes a public model registry URL or repository id and scores it against more than fifty supply-chain checks before the model reaches production. It flags pickle-format weights that execute code on load, license drift, custom code gated behind trust_remote_code, unsafe chat-template tokens, missing safety and bias evaluation, low-adoption uploads, deprecation status, and EU AI Act Annex IV disclosure gaps. Every finding maps to OWASP LLM Top 10, NIST AI 600-1, MITRE ATLAS, and the EU AI Act, and the analysis reads only public metadata: it never downloads or executes the model weights. Background on the supply-chain threat model lives in the MCP tool poisoning write-up.

Are pickle-format model weights a security risk?

Yes. A pickle stream is a small program, not a data file: its opcodes can import any importable callable and invoke it with arguments of the author's choosing, so loading a pickle-format weight file (.bin, .pt, .pkl, .ckpt) runs whatever Python a tampered or malicious checkpoint contains, with the privileges of the process that loads it. Safetensors and GGUF are byte-safe alternatives: structured headers plus raw tensor bytes that a loader parses rather than executes. Penaxtra flags pickle-only repositories as critical, downgrades the severity when a safetensors alternative ships alongside, and surfaces the registry's own pickle-scanner verdict where the registry publishes one. If a pickle checkpoint is unavoidable, load it with a loader that restricts which globals the stream may import (for example torch.load(..., weights_only=True)) rather than a bare pickle.load, and treat a static scanner's clean verdict as evidence, not proof.
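As an added example that is not Penaxtra's code, serving both the Model Card Analyzer's pickle check above and this answer: a standard-library-only Python script that builds a poisoned pickle checkpoint and a clean one, lists the imports a stream would perform without loading it (the kind of verdict a registry pickle scanner publishes), refuses the poisoned stream with a restricted unpickler, and reads a minimal safetensors file to show that its loader only parses. The checkpoints, the `os.getpid` payload standing in for `os.system`, and the safetensors writer are constructed for the illustration; the real safetensors library adds further validation this minimal reader omits.

```python
"""Added example (not Penaxtra's code): what a pickle checkpoint does on load,
two ways to catch it, and why a safetensors file cannot do the same.
Standard library only; the 'weights' are constructed lists, not a real model."""
import io
import json
import os
import pickle
import pickletools
import struct


def make_poisoned_checkpoint():
    """Hand-assembled protocol-2 stream of the shape a malicious .pt/.pkl carries:
    PROTO 2, GLOBAL os.getpid, EMPTY_TUPLE, REDUCE, STOP -> calls os.getpid() on load.
    Swap the name for os.system and the tuple for a command and it is a real backdoor."""
    return b"\x80\x02" + b"cos\ngetpid\n" + b")" + b"R" + b"."


def make_clean_checkpoint():
    """A benign state dict: only container and float opcodes, no imports."""
    return pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4)


def scan_pickle(blob):
    """Static scan without loading: every module.name the stream would import.

    Tracks only the last two strings before STACK_GLOBAL, which is enough for
    streams written by CPython's pickler; a production scanner models the full stack."""
    imports, strings = [], []
    for op, arg, _ in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            imports.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("GLOBAL", "INST"):
            imports.append(arg.replace(" ", "."))
    return imports


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global except plain containers (the weights_only-style approach)."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def write_safetensors(tensors):
    """Minimal writer: u64 LE header length, JSON header, raw little-endian F32 bytes."""
    header, body = {}, bytearray()
    for name, values in tensors.items():
        raw = struct.pack(f"<{len(values)}f", *values)
        header[name] = {"dtype": "F32", "shape": [len(values)],
                        "data_offsets": [len(body), len(body) + len(raw)]}
        body += raw
    hjson = json.dumps(header).encode()
    return struct.pack("<Q", len(hjson)) + hjson + bytes(body)


def read_safetensors(blob, max_header=100_000_000):
    """Reading is parsing, never execution: bounds-check the header, slice the bytes."""
    (hlen,) = struct.unpack_from("<Q", blob, 0)
    if hlen > max_header or 8 + hlen > len(blob):
        raise ValueError("bad header length")
    header, body = json.loads(blob[8:8 + hlen]), blob[8 + hlen:]
    out = {}
    for name, meta in header.items():
        if name == "__metadata__":
            continue
        start, end = meta["data_offsets"]
        if not (0 <= start <= end <= len(body)) or (end - start) % 4:
            raise ValueError(f"bad offsets for {name}")
        out[name] = list(struct.unpack(f"<{(end - start) // 4}f", body[start:end]))
    return out


def demo():
    poisoned, clean = make_poisoned_checkpoint(), make_clean_checkpoint()
    r = {"scan_poisoned": scan_pickle(poisoned), "scan_clean": scan_pickle(clean)}
    # A plain loader does what the stream says: calls os.getpid() and hands back the result.
    r["plain_load_returned_pid"] = pickle.loads(poisoned) == os.getpid()
    try:
        restricted_load(poisoned)
        r["restricted_refused"] = False
    except pickle.UnpicklingError:
        r["restricted_refused"] = True
    r["restricted_clean"] = restricted_load(clean)
    r["safetensors"] = read_safetensors(write_safetensors({"layer.weight": [0.1, 0.2]}))
    return r


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is the mechanism behind loaders such as torch.load(weights_only=True): the allowlist must contain nothing callable with side effects, or the REDUCE opcode reaches it. The static scanner is the cheaper check and is what a registry can run on every upload, but it is a heuristic over opcodes, which is why the page treats a published scanner verdict as one input rather than the decision.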

Read the full FAQ →

Primary sources

Every framework cited links back to its publisher.

Auditors verify our control mapping against the same documents we read. Each item below points to the canonical publication.


Get the architecture deep-dive.

Threat model, rule-blob format, gateway deployment guide, and a sample scan report, in one PDF.

We send one architecture deep-dive email. No drip, no sales follow-up unless you ask.