SAIL 2.0

/

Build - AI Security Posture Management

/

Unvetted Use of Open-Source and Third-Party AI and Agentic Components

3.8

.

Unvetted Use of Open-Source and Third-Party AI and Agentic Components

sail
3.8
Risk

Unvetted Use of Open-Source and Third-Party AI and Agentic Components

Description

Incorporation of external libraries, pre-trained models, MCP servers, plugins, or marketplace agents without sufficient security, privacy, or compliance review, leading to inherited vulnerabilities or legal risk.

Example

Using a community MCP server that exposes filesystem access without scoping, or pulling a pre-trained model from a public repo that contains a backdoor.

Assets Affected

Model Files

Framework

3rd-Party AI Integration

Dataset / RAG

MCP Server

Agents Plugins

Agents Marketplaces

Mitigation
  • Vet all third-party and open-source components before use
  • maintain a Bill of Materials (SBOM) including agentic components
  • regularly monitor for vulnerabilities
  • review licensing and compliance
  • document all dependencies and their provenance.
Standards Mapping
  • ISO: A.10.3, A.6.2.3
  • OWASP agentic: ASI04
  • OWASP LLM: LLM03:2025
  • EU AI Act: Art. 25
  • DASF: Model 7.3, Agents-MCP Server 13.21
  • AIUC-1: E006, E010