ARMO — Why AI Supply Chain Scanning Misses Half the Risk
AI relevance: AI workloads load critical components dynamically at runtime — model adapters, MCP server connections, and framework tools — none of which appear in CI/CD manifests, making pre-deployment scanning fundamentally incomplete for AI supply chain security.
Key Findings
- Yossi Ben Naim at ARMO (Kubescape) argues that most "AI security" scanning simply extends existing SCA or container scanners into AI workload namespaces — covering only one of three AI supply chain surfaces.
- The conditional-behavior gap: Malicious behavior in AI components can be triggered only when specific MCP parameters arrive, when a particular user identity invokes a tool, or after a certain runtime duration. Static analysis cannot distinguish conditional malice from conditional legitimate behavior.
- The irreducibility argument: Sufficiently sophisticated payloads pass every static check — the same open problem that has kept prompt injection ranked as the #1 risk in the OWASP LLM Top 10 across consecutive editions.
- Half the components that need assessment don't exist in any manifest until runtime: agents pull model adapters dynamically, frameworks load tools at first invocation, and MCP servers establish connections never declared in a Kubernetes manifest.
- The paper frames the problem as: "A scan run at CI/CD time is reading the floor plan; the building keeps adding rooms after move-in."
Why It Matters
Organizations deploying AI agents into production often rely on the same vulnerability scanning pipelines used for traditional applications. This analysis shows why that approach leaves a significant blind spot — the components agents actually use at runtime are different from what appears in deployment manifests, and dynamic loading patterns make static verification inherently incomplete.
What to Do
- Add runtime monitoring for AI workloads that tracks which model adapters, tools, and MCP servers are actually loaded during operation.
- Implement allowlists for which model sources, MCP registries, and tool endpoints agents can connect to at runtime.
- Combine pre-installation scanning with runtime behavioral detection — treat runtime loading events as security-relevant signals.
- Map your AI supply chain across three surfaces: packaged dependencies, dynamic runtime components, and external service connections.
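As an added example of the runtime check these recommendations describe (not code from ARMO or Kubescape), the script below takes constructed runtime loading events for the three surfaces, compares each against a constructed CI/CD manifest and per-surface allowlists, and emits a finding for every component that is undeclared or outside its allowlist; all registries, hosts and event fields are assumptions.

```python
import json
from urllib.parse import urlparse

# Surface 1: what the CI/CD manifest declared for this agent (constructed sample).
DECLARED = {
    "model_adapter": {"hf://acme/summarizer-lora"},
    "tool": {"search"},
    "mcp_server": set(),  # no MCP connections declared at all
}
# Allowlists for the other two surfaces (hypothetical registries and hosts).
ALLOWED_MODEL_PREFIXES = ("hf://acme/", "oci://registry.internal/models/")
ALLOWED_HOSTS = {"mcp.internal", "api.internal"}

# Constructed runtime loading events, one JSON object per line.
EVENTS = """\
{"ts":"2025-01-01T10:00:01Z","kind":"model_adapter","ref":"hf://acme/summarizer-lora"}
{"ts":"2025-01-01T10:00:02Z","kind":"model_adapter","ref":"hf://random-user/finetune-v3"}
{"ts":"2025-01-01T10:00:03Z","kind":"mcp_server","ref":"https://mcp.internal:8443/sse"}
{"ts":"2025-01-01T10:00:04Z","kind":"mcp_server","ref":"https://mcp.example.net/sse"}
{"ts":"2025-01-01T10:00:05Z","kind":"tool","ref":"search","endpoint":"https://api.internal/search"}
{"ts":"2025-01-01T10:00:06Z","kind":"tool","ref":"exec_shell","endpoint":"https://api.example.net/run"}
"""

def is_allowlisted(ev):
    """Apply the allowlist that belongs to the event's surface."""
    if ev["kind"] == "model_adapter":
        return ev["ref"].startswith(ALLOWED_MODEL_PREFIXES)
    url = ev["ref"] if ev["kind"] == "mcp_server" else ev.get("endpoint", "")
    return urlparse(url).hostname in ALLOWED_HOSTS

def assess(events_text, declared=DECLARED):
    """One finding per component that is undeclared and/or outside its allowlist."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        if ev["ref"] not in declared.get(ev["kind"], set()):
            reasons.append("undeclared")  # a scanner reading the manifest never saw it
        if not is_allowlisted(ev):
            reasons.append("not_allowlisted")
        if reasons:
            findings.append({"kind": ev["kind"], "ref": ev["ref"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in assess(EVENTS):
        print(f"{f['kind']:14} {f['ref']:42} {', '.join(f['reasons'])}")
```

On the sample events, the declared adapter and the declared tool produce nothing, the internal MCP server is flagged only as undeclared, and the foreign adapter, foreign MCP server and undeclared tool are flagged on both counts.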