Skip to content

Google puts runtime AI bills of materials inside GKE clusters

Original: Securing the AI supply chain on GKE: Introducing k8s-aibom for automated AI BOMs View original →

Read in other languages: 한국어日本語
AI Jul 14, 2026 By Insights AI 2 min read 1 views Source

The harder AI governance problem is no longer just documenting a model before deployment. It is proving what is actually running inside a cluster after teams start shipping vLLM, Triton, Ollama, LangChain, AutoGen, vector stores, RAG services, and evaluation jobs at speed. Google Cloud’s July 14 release of k8s-aibom moves that inventory problem into the Kubernetes runtime.

k8s-aibom is an open-source, unprivileged controller for GKE and conformant Kubernetes clusters. Instead of asking developers to change pod specs or insert sidecars, it watches cluster resources such as KServe objects, Deployments, StatefulSets, DaemonSets, and Jobs. It then inspects images, command lines, and environment signals to identify AI serving stacks, autonomous agent frameworks, vector databases, RAG components, distributed training jobs, and evaluation harnesses.

The output is a standards-based Machine Learning Bill of Materials using CycloneDX 1.6. That matters because many existing AI BOM workflows are tied to build-time artifact scanning. Build-time evidence tells a security team what was intended to ship; runtime evidence helps answer the more operational question of what is executing now and what it is connected to.

Google’s design is intentionally low-friction. The controller runs as a single Deployment and avoids privileged DaemonSets, eBPF modules, sidecar injection, and CI/CD changes. For organizations dealing with shadow AI, that choice is not cosmetic. If a security control slows every experiment, teams route around it; if it observes live workloads with minimal integration work, it has a better chance of becoming default infrastructure.

The controller also labels discoveries by confidence. “Declared” assets come from explicit workload configuration, “inferred” assets are detected from patterns, and “unresolved” assets flag cases where AI presence is visible but model parameters or versions are not deterministic. That separation gives auditors and SecOps teams a cleaner chain of evidence than a flat inventory table.

The release points to a broader direction for AI security: the compliance layer is moving closer to runtime state. Google maps the tool to EU AI Act logging and transparency needs, NIST AI RMF functions, and ISO/IEC 42001 asset tracking. The larger message is practical: AI supply-chain security now has to cover live model-serving and agent infrastructure, not just source repositories and container registries.

Share: Long

Related Articles