Risk
Incomplete Asset Inventory
Description
Not all AI and agentic assets are identified and cataloged leading to security blind spots.
Example
An undocumented agent running on a developer endpoint with merge authority and connected MCP servers exists in production, unknown to security teams.
Assets Affected
All assets
Mitigation
- Conduct regular, comprehensive AI and agentic asset discovery audits
- implement automated discovery tools that identify agents, MCP servers, and agent identities
- maintain a centralized asset registry.
Standards Mapping
- ISO: A.4.2, A.4.4
- OWASP agentic: ASI10
- EU AI Act: Art. 11
- DASF: Governance 4.1, Governance 4.2
- AIUC-1: E004, E015