Checkmarx Delivers Complete AI Asset Visibility and Governance for the Software Supply Chain, Closing the Shadow AI Gap
Deterministic Detection Gives Enterprises Visibility, Policy Control, and AI-BOM Audit-Ready Documentation for Models, Agents, and MCP Servers Running in Production
PARAMUS, N.J., June 23, 2026 (GLOBE NEWSWIRE) -- Checkmarx, the leader in agentic application security, today announced the general availability of Checkmarx AI Inventory, a new capability within Checkmarx One. Part of the platform's AI Supply Chain Security solution, AI Inventory gives enterprises continuous visibility into the AI components running in their applications, including models, agents, MCP servers, AI libraries, and SDKs. From that inventory it generates an AI-BOM (AI Bill of Materials), providing policy controls and audit-ready documentation for every AI component it discovers.
The Threat of Shadow AI
The launch comes as AI enters production faster than organizations can govern it. MIT's Project NANDA found that employees in over 90% of companies regularly use personal AI tools for work, and Checkmarx research shows the same gap inside the development pipeline: 70% of teams expect AI components in production by the end of 2026, yet 43% have no formal governance over which components developers can use.
When auditors, customers, or regulators ask what AI models are running and where they came from, most teams can't answer. Traditional SBOMs (Software Bill of Materials) were built to track software packages, not the models, agents, and MCP servers that increasingly shape how applications behave.
"Security teams are being asked to account for AI they often can't even see," said Ori Bendet, VP of Product Management at Checkmarx. "The first step in governing AI isn't writing a policy; it's knowing what's actually running in your code. Checkmarx AI Inventory gives teams a concrete inventory of the AI components in use, traceable to the exact line of source code. That's what makes governance real and audit evidence defensible."
How AI Inventory Works
Checkmarx AI Inventory is part of the AI Supply Chain Security solution available with Checkmarx One. It complements a suite of industry-leading hybrid scanning engines for Code Security, Runtime Security, and Software Supply Chain Security to provide a comprehensive application security solution. AI Inventory detects AI components through deterministic analysis, so every finding traces back to a specific file and line number rather than a confidence score, the kind of evidence that holds up in an audit. From a single platform, teams can:
- Inventory every AI component – models, agents, MCP servers, AI libraries, and SDKs are catalogued across every repository, current on every commit.
- Enforce policy at commit, blocking unapproved models, agents, and MCP servers in pull requests and CI/CD pipelines before they ship.
- Generate AI-BOM audit-ready documentation, exportable on demand in CycloneDX 1.7.
Because AI-BOMs are versioned per release and traceable to source, the documentation maps directly to requirements emerging under the EU AI Act (Articles 11, 13, and Annex IV), the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU Cyber Resilience Act – so when an assessment arrives, the evidence is already structured to answer it.
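To make the "How AI Inventory Works" section concrete, here is an added, self-contained example (not Checkmarx code) of the two ideas it describes: deterministic detection in which every finding carries an exact file and line, and an AI-BOM in which each component records that evidence and an approval status a commit-time gate can act on. The SDK signature table, the sample source files, the approved-component list and the `policy:approved` property name are all constructed for the example; the CycloneDX field layout (`bomFormat`, `specVersion`, `components`, `evidence.occurrences` with `location` and `line`) is the author's reading of the CycloneDX schema, and `specVersion` "1.7" is the version named on this page.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed signature table (illustrative, not a product catalogue):
# import-line pattern -> library name recorded in the AI-BOM.
SDK_SIGNATURES = {
    re.compile(r"^\s*(?:from|import)\s+openai\b"): "openai",
    re.compile(r"^\s*(?:from|import)\s+anthropic\b"): "anthropic",
    re.compile(r"^\s*(?:from|import)\s+mcp\b"): "mcp",
}
# Model identifiers passed as string literals, e.g. model="gpt-4o" (constructed pattern).
MODEL_LITERAL = re.compile(r"""model\s*=\s*["']([A-Za-z0-9._:/-]+)["']""")

# Constructed sample repository: two files, one of which uses unapproved components.
SAMPLE_FILES = {
    "app/chat.py": (
        "import os\n"
        "from openai import OpenAI\n"
        "\n"
        "client = OpenAI()\n"
        'resp = client.chat.completions.create(model="gpt-4o", messages=[])\n'
    ),
    "tools/agent.py": (
        "import anthropic\n"
        "from mcp import ClientSession\n"
        "client = anthropic.Anthropic()\n"
        "msg = client.messages.create(model='example-model-v1', max_tokens=10, messages=[])\n"
    ),
}
# Constructed allow-list standing in for an organisation's approved-component policy.
APPROVED = {"openai", "gpt-4o"}


@dataclass
class Finding:
    kind: str   # CycloneDX component type: "library" or "machine-learning-model"
    name: str
    path: str
    line: int


def scan_source(path: str, text: str) -> list[Finding]:
    """Deterministic line-by-line match: every finding carries its file and line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, name in SDK_SIGNATURES.items():
            if pattern.search(line):
                findings.append(Finding("library", name, path, lineno))
        match = MODEL_LITERAL.search(line)
        if match:
            findings.append(Finding("machine-learning-model", match.group(1), path, lineno))
    return findings


def build_ai_bom(findings: list[Finding], approved: set[str]) -> dict:
    """Group findings into CycloneDX-style components, one occurrence per file:line.

    The "policy:approved" property name is invented for this example.
    """
    components: dict[tuple[str, str], dict] = {}
    for f in findings:
        comp = components.setdefault((f.kind, f.name), {
            "type": f.kind,
            "name": f.name,
            "evidence": {"occurrences": []},
            "properties": [
                {"name": "policy:approved", "value": "true" if f.name in approved else "false"},
            ],
        })
        comp["evidence"]["occurrences"].append({"location": f.path, "line": f.line})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.7",   # version named on the page
        "version": 1,
        "components": list(components.values()),
    }


def policy_violations(bom: dict) -> list[tuple[str, str, int]]:
    """What a commit-time gate would block: (name, file, line) for every
    occurrence of a component that is not on the approved list."""
    violations = []
    for comp in bom["components"]:
        approved = any(p["name"] == "policy:approved" and p["value"] == "true"
                       for p in comp["properties"])
        if not approved:
            for occ in comp["evidence"]["occurrences"]:
                violations.append((comp["name"], occ["location"], occ["line"]))
    return violations


def inventory(files: dict[str, str] = SAMPLE_FILES, approved: set[str] = APPROVED) -> dict:
    """Scan every file and return the AI-BOM document for the whole repository."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    return build_ai_bom(findings, approved)


if __name__ == "__main__":
    bom = inventory()
    print(json.dumps(bom, indent=2))
    for name, path, line in policy_violations(bom):
        print(f"BLOCK: unapproved AI component {name!r} at {path}:{line}")
```

Run it directly and it prints the AI-BOM followed by the three occurrences in `tools/agent.py` that the constructed policy would block. The design point is that the evidence and the gate are the same data: because each component lists concrete `location`/`line` occurrences rather than a score, the same document answers an auditor's "what is running and where" and drives a CI check with no second pass over the code.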
Market Validation
Major enterprises across financial services, technology, logistics, and retail participated in the early adopter program, with several already running AI Inventory in production. Early adopters reported that it gave them complete visibility into which applications embed AI components and what those components are. This served to surface previously untracked models, validate systems of record, and flag unauthorized or suspicious models for review.
These investments in AI and supply chain security have also earned market recognition. Checkmarx was named a Leader in the inaugural 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security [1] and cited as a Representative Vendor in a recent Gartner Innovation Insight for AIBOMs report [2].
Availability
Checkmarx AI Inventory is available now as part of the AI Supply Chain Security module for Checkmarx One. For more information or to book a demo, visit the website.
[1] Gartner, Magic Quadrant for Software Supply Chain Security, Aaron Lord, Johnny Walters, Jason Gross, 17 June 2026.
[2] Gartner, Innovation Insight: AI Bills of Materials (AIBOMs) Strengthen AI Governance, Manjunath Bhat, Angela Zhao, Aaron Lord, 27 May 2026.
Gartner Disclaimer
Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.
Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.
About Checkmarx
Checkmarx is the leader in agentic application security, delivering enterprise-grade protection while lowering engineering costs and accelerating development velocity. The Checkmarx One platform scans trillions of lines of code each year for companies, cutting vulnerability density by more than half. Its autonomous security agents detect and counter AI-driven threats across the SDLC, providing prevention-first protection for legacy, modern, and AI-generated code at enterprise scale. Follow Checkmarx on LinkedIn, YouTube, and X.
For more information, contact:
PR@checkmarx.com
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.