SAIL 2.0

/

Code/ No Code - AI Asset Discovery

/

Unidentified Third-Party AI and Agentic Integrations

2.2

.

Unidentified Third-Party AI and Agentic Integrations

sail
2.2
Risk

Unidentified Third-Party AI and Agentic Integrations

Description

Existing integrations with external AI services, agent marketplaces, plugins, libraries, or data sources are not discovered or documented, meaning their associated risks are unassessed.

Example

An agent is found to be using an unmaintained third-party plugin from a public marketplace with known prompt-injection vulnerabilities.

Assets Affected

3rd-Party AI Integration

AI App

Pipeline Job

Agents Plugins

Agents Marketplaces

Mitigation
  • Perform thorough code and configuration reviews to identify all external dependencies
  • implement Software Composition Analysis (SCA) tools that recognize agentic components
  • review vendor contracts and service agreements
  • document all third-party resources.
Standards Mapping
  • ISO: A.10.3, A.4.2
  • OWASP agentic: ASI04
  • OWASP LLM: LLM03:2025
  • EU AI Act: Art. 25
  • DASF: Model 7.3
  • AIUC-1: E006