Google Cloud open-sourced its Kubernetes tool for managing shadow AI.
Referred to as k8s-aibom, the controller surfaces a bill of materials (BOM) exposing AI operations in a user’s cloud estate. Deployed as a single, unprivileged action in the k8s-aibom-system namespace, k8s-aibom monitors AI inference, training, agents, and evaluations. It also scopes out retrieval-augmented generation (RAG), an AI framework that improves large language model (LLM) accuracy via an external knowledge base.
This is achieved by utilizing Cluster APIs and container platforms to automatically scan running AI environments. The output is a CycloneDX Machine Learning Bills of Materials (AI/ML-BOMs), a standard designed to ensure AI transparency through critical information about models, datasets, and their dependencies.
The resulting AI-BOM CRD (custom resource definition) comes per workload and is namespace-scoped.
Aiding AI auditors #
Glen Messenger, group product manager for Google Cloud, said the tool aided auditors in tackling shadow AI – unauthorized instances of artificial intelligence within an enterprise’s network – by removing the bloat of security measures and developer friction.
“Commercial AI security platforms extend the picture with cloud-native posture management, but typically through external scanning shaped around vendor-specific data models. Few, if any, of these tools help compliance reviewers, security operations (SecOps) teams, and platform engineers understand what is running right now, what is it connected to, and how can we verify those assertions,” Messenger said.
“Auditors remain deeply skeptical of standard observability telemetry because logs and metrics can be modified, dropped, and tampered with by compromised nodes or elevated administrators. k8s-aibom establishes an audit-grade evidence trail built on strict least-privilege isolation and data immutability,” he added.
According to Google, the controller removes resource bloat by doing away with sidecards and modifications to existing developer pod specifications. It also claimed to eschew kernel-level applications such as eBPF (Extended Berkeley Packet Filter), which injects code directly into the Linux kernel of the host machine running the Kubernetes nodes, and "DaemonSet” agents which run on every cluster node with root-level access to the underlying virtual machine (VM) host.
Essentially, k8s-aibom treats the Kubernetes cluster state in a read-only manner, altering nothing in the process. Google said the tool fits into GitOps workflows to allow site-reliability engineers (SREs) to scout for alterations and trigger precise change-detection alerts before AI models ‘slide’ out of alignment.
The service, which is compliant with the EU AI Act, NIST AI Risk Management Framework (AI RMF), and ISO/IEC 42001, also uses a structured taxonomy - declared, inferred, unresolved. Messenger said this allows compliance reviewers to “instantly separate explicit engineering intent from machine inference, establishing an unassailable chain of trust during audits,” according to Messenger.