Checkmarx launches AI Inventory for code governance


Checkmarx has launched Checkmarx AI Inventory inside its Checkmarx One platform to give companies visibility into the AI components used in their applications.

The launch targets a governance problem many organisations face as AI tools move into software production without clear internal controls. The product identifies models, agents, MCP servers, AI libraries and software development kits in codebases, then generates an AI Bill of Materials for the components it finds.

The inventory is designed to show which AI elements are present in an application and where they appear in source code. Each finding is tied to a specific file and line number by deterministic analysis rather than probability-based detection.

Companies are under growing pressure to account for AI use in software systems as regulators, customers and auditors demand clearer information on models and other AI tools embedded in products and internal applications. Conventional software bills of materials were created to track software packages, not the newer AI layers that can influence application behaviour.

Research cited by Checkmarx points to a broader rise in so-called shadow AI. A study by MIT's Project NANDA found that employees in more than 90% of companies regularly use personal AI tools for work, while Checkmarx's own research found that 70% of teams expect AI components in production by the end of 2026 and 43% have no formal governance over which components developers can use.

Governance focus

Checkmarx said AI Inventory sits within its AI Supply Chain Security offering on Checkmarx One. From the same platform, users can catalogue AI components across repositories, apply policy controls at commit stage, and export AI Bill of Materials documentation in CycloneDX 1.7 format.

The records are versioned by release and traceable to source code. Checkmarx said this structure aligns with documentation demands emerging from frameworks and rules including the EU AI Act, the NIST AI Risk Management Framework, ISO/IEC 42001 and the EU Cyber Resilience Act.

That locations the product in a market the place software program safety distributors try to increase provide chain oversight from standard open-source dependencies to AI fashions and agent-based programs. The shift displays concern that improvement groups could undertake exterior AI instruments quicker than compliance, safety and procurement groups can overview them.

According to Checkmarx, major enterprises in financial services, technology, logistics and retail took part in an early adopter programme, and several are already using the product in production environments.

These early users found previously untracked models, checked existing systems of record and identified unauthorised or suspicious models for review, according to the company. It did not name the participating organisations.

Ori Bendet, Vice President of Product Management at Checkmarx, said the central issue for security teams is a lack of visibility before policy enforcement can begin. "Security teams are being asked to account for AI they often cannot even see," he said.

He added that source-level traceability is key to making governance practical. "The first step in governing AI is not writing a policy; it is knowing what's actually running in your code. Checkmarx AI Inventory gives teams a concrete inventory of the AI components in use, traceable to the exact line of source code. That is what makes governance real and audit evidence defensible," Bendet said.

Broader market

The launch comes as software buyers increasingly ask security vendors for evidence not only of vulnerabilities in code, but also of the provenance and control of AI elements integrated into applications. AI models, agents and connected services are becoming part of software supply chains in the same way third-party libraries have been for years, but with different oversight challenges.

One issue is that AI systems can be embedded through application programming interfaces, packaged libraries or dedicated agent frameworks, making them harder to track with tools built for conventional software dependencies. Another is that governance teams may want to ban some models or providers while allowing others, which requires a clear inventory before policies can be enforced.

Checkmarx said its product can block unapproved models, agents and MCP servers in pull requests and continuous integration and delivery pipelines before code is released. That suggests it is aiming not only at discovery, but also at integrating AI oversight into existing software development controls.
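To make the file-and-line inventory, AI BOM export and commit-stage policy gate described above concrete, here is an added illustration that is not Checkmarx's code: a minimal deterministic scanner over constructed sample sources that emits a CycloneDX-shaped AI BOM (components carrying `evidence.occurrences` with `location` and `line`) and a check that flags models outside an approved list. The sample file contents, the regex patterns and the approved-model list are assumptions made for the example.

```python
import json
import re

# Constructed sample source files (not real project code), keyed by path.
SAMPLE_FILES = {
    "app/chat.py": [
        "import openai",
        "client = openai.OpenAI()",
        'resp = client.chat.completions.create(model="gpt-4o", messages=[])',
    ],
    "app/agent.py": [
        "from langchain_openai import ChatOpenAI",
        'llm = ChatOpenAI(model="gpt-3.5-turbo")',
    ],
}

# Deterministic patterns: (CycloneDX component type, regex capturing the component name).
PATTERNS = [
    ("library", re.compile(r"^\s*(?:import|from)\s+(openai|langchain\w*)\b")),
    ("machine-learning-model", re.compile(r'model\s*=\s*["\']([^"\']+)["\']')),
]


def scan(files):
    """Return (name, cdx_type, path, line) for every pattern hit; each finding is tied to a file and line."""
    findings = []
    for path, lines in files.items():
        for lineno, text in enumerate(lines, start=1):
            for cdx_type, rx in PATTERNS:
                m = rx.search(text)
                if m:
                    findings.append((m.group(1), cdx_type, path, lineno))
    return findings


def build_aibom(findings, spec_version="1.7"):
    """Fold findings into a CycloneDX-shaped BOM: one component per name, all source occurrences kept."""
    comps = {}
    for name, cdx_type, path, lineno in findings:
        c = comps.setdefault(name, {"type": cdx_type, "name": name, "evidence": {"occurrences": []}})
        c["evidence"]["occurrences"].append({"location": path, "line": lineno})
    return {"bomFormat": "CycloneDX", "specVersion": spec_version, "components": list(comps.values())}


def policy_violations(bom, approved_models):
    """Model names in the BOM that are not on the approved list; a non-empty result would fail the gate."""
    return sorted(c["name"] for c in bom["components"]
                  if c["type"] == "machine-learning-model" and c["name"] not in approved_models)


if __name__ == "__main__":
    bom = build_aibom(scan(SAMPLE_FILES))
    print(json.dumps(bom, indent=2))
    print("blocked models:", policy_violations(bom, {"gpt-4o"}))
```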

The company also pointed to its standing in the software supply chain security market, saying it had been recognised by Gartner in recent research. These references are part of a broader effort by security vendors to show they can manage both conventional code risk and the newer governance demands created by AI in production.

AI Inventory is available as part of the AI Supply Chain Security module in Checkmarx One.