Sonatype Brings Supply Chain Security Tools to Open Source AI

Sonatype is applying its expertise in software supply chain security to AI and machine learning models with new capabilities that enable organizations and MSSPs to manage and secure them in much the same way they already do open source software.

The Fulton, Maryland-based company’s new AI Software Composition Analysis (SCA) solution delivers such features as proactive AI threat detection to block malicious AI models from an enterprise’s development environment, governance for storing and managing models in DevOps workflows, automated AI policy management, and AI observability and compliance.

The AI SCA comes at a time of rapid enterprise adoption of AI and agentic AI and growth in the use of open source AI. According to Mitchell Johnson, Sonatype’s chief product development officer, more than 300,000 open source AI and machine learning models appeared in customer supply chains over the past year.

Open source AI comes with benefits and risks, Johnson told MSSP Alert.

“The promise is clear: Open source AI enables faster innovation and reduces barriers to advanced capabilities,” he said. “However, without the right controls, it also creates hidden costs. Teams frequently adopt redundant or conflicting AI models, leading to inefficiencies, higher cloud costs, and integration headaches.”

Like Open Source Software, But More Complex

The security and governance risks mirror those in traditional open source software, but with AI comes another layer of complexity, with Mitchell adding that “organizations that don’t get ahead of this now will be stuck with spiraling costs and unmanageable technical debt.”

The use of open source AI is growing along with the adoption of AI in general. Open source AI comes with many of the benefits that traditional open source software brings, including lower costs, collaboration, faster innovation, and transparency and accountability. That said, there are also similar concerns, from security and compatibility to variations in quality and potential for misuse.

Organizations like the Open Source Initiative are trying to bring some structure to the idea of open source AI. In October 2024, the industry organization introduced its initial definition, which addresses the kinds of data being used in open source AI environments and requires those building open AI technology to share the data, the model’s parameters, and the source code used to train and run the systems.

Adoption is Gaining Momentum

According to global consultancy McKinsey and Co., a survey of technology leaders and senior developers it did with the Mozilla Foundation and Patrick J. McGovern Foundation found that more than half of respondents were using open source AI technologies in some part of the AI stack, often with proprietary tools from the likes of OpenAI, Google, and Anthropic.

Those organizations that place a high priority on AI use are more likely to embrace open source technologies.

“Interest in open source AI is growing as the performance of more open foundation models closes the gap to proprietary AI platforms,” McKinsey wrote in a column, pointing to such open models as Meta’s Llama and Google’s Gemma and newer models like DeepSeek-R1 and Alibaba’s Qwen 2.5-Max.

MSSPs in the Mix

In a statement, Brian Fox, co-founder and CTO at Sonatype, said “it has never been easier for organizations to integrate open source AI models into software, but with open source AI consumption comes the same risk facing users of traditional open source. It is imperative that we, as an industry, secure their use now in order to prevent unmanageable security workloads in the future.”

Sonatype’s Mitchell said that in this emerging environment, MSSPs – which already are seeing their market grow with the rise in the number and complexity of cyberthreats – will play an important role for many of the same reasons.

With Sonatype’s new AI SCA, “MSSPs can now offer a best-in-class solution that not only prevents security risks but also streamlines AI model selection, reducing redundancy and cutting wasted spend,” he said, noting that Sonatype’s partner program includes not only MSSPs but also DevOps and security providers. “Their customers gain real-time visibility into AI usage, automated policy enforcement, and proactive threat detection, helping them maintain security while keeping AI adoption efficient and cost-effective.”
