Risk
Unauthorised / Prohibited Component Usage
Description
Experiment or build involves the use of unauthorized or prohibited components including models, datasets, and libraries while permitting sandboxed experimentation under allowlists
Example
Team imports an unvetted model from a public marketplace into a production agent's project scope, introducing execution risk.
Assets Affected
AI Model
Model Files
Framework
Dataset / RAG
3rd-Party AI Integration
MCP Server
Agents Plugins
Agents Marketplaces
AI Policy
Mitigation
- Generate AI SBOM/BOM at experiment start and on every change
- enforce allow/deny-lists across model registries, MCP servers, plugins, and marketplaces
- CI/CD gating for SCA and license scanning.
Standards Mapping
- ISO: A.10.3, A.10.2
- OWASP agentic: ASI04
- OWASP LLM: LLM03:2025
- EU AI Act: Art. 10, Art. 25
- DASF: Model 7.3, Algorithms 5.4
- AIUC-1: E006, E010