QuilrAI
Solutions / Open Source AI

Open Source AI ships with no guardrails. Your enterprise needs them.

Llama on dev laptops, vLLM clusters with no auth, community MCPs wired straight to production, model weights from unknown sources. QuilrAI discovers all of it, scans it, rates the risk, and enforces policy — one base_url change.

Discovers shadow AIZero model changes<50ms added latency
The Problem

Four surfaces. Zero governance.

Shadow AI on Dev Machines

Ollama · LM Studio · Jan · GPT4All

Llama 3 runs on 100 developer laptops. IT sees zero requests. No DLP event. No SIEM alert. Completely invisible.

Self-Hosted Model Servers

vLLM · HuggingFace TGI · Triton

OpenAI-compatible API, no auth by default. Any internal service can query the model. No rate limit, no logging, no content policy.

Community MCPs & Agents

GitHub · npm · PyPI · 1,000+ servers

Developers install MCP servers from the internet and wire them straight to production. No security audit. No CVE process. Tool scope is self-declared.

Model Supply Chain

HuggingFace · LoRA · GGUF quantizations

Weights from unknown sources. Backdoored models activate on trigger phrases. Fine-tunes trained on internal data leak IP through outputs.

The Pipeline

npm audit for AI tools.

Every model weight, MCP server, and agent framework goes through 5 stages before it touches your infrastructure.

  1. 01

    Discover

    Find every open source AI asset in your org

    • Ollama on port 11434 across the network
    • pip / npm installed MCP servers
    • HuggingFace cached models
    • Running vLLM / TGI endpoints
  2. 02

    Scan

    Check every tool before it runs

    • Pickle / safetensors weight integrity
    • Backdoor trigger detection in fine-tunes
    • MCP static analysis — network, env, filesystem access
    • Transitive dependency CVE scan
  3. 03

    Risk Rate

    Score across 5 dimensions

    • Provenance — known author, signed release
    • Permission breadth — how much does it claim?
    • Community trust — CVE history, last maintained
    • Data sensitivity — can it touch PII or source code?
  4. 04

    Extract Permissions

    Declared vs actual, close the gap

    • Declared scope vs runtime scope compared
    • Least-privilege set auto-generated
    • Over-permission flags surfaced for review
    • Diff alerts when tool updates change scope
  5. 05

    Allow / Block / Quarantine

    Enforce policy, protect the pipeline

    • Block by model hash — only approved weights run
    • Block by registry — no unapproved npm / PyPI MCPs
    • Quarantine new tools pending review
    • Auto-block Critical risk score tools org-wide
quilrai / oss-scanner / result
"tool":"github-mcp@0.3.1"
"source":"npm (unverified publisher)"
"risk_score":"HIGH (74/100)"
"permissions_declared":"["read:repo"]"
"permissions_actual":"["read:repo","write:repo","read:org","network:*"]"
"over_permissioned":"true — 3 undeclared scopes"
"enforced_scope":"["read:repo"] ← QuilrAI least-privilege"
"action":"QUARANTINED — pending review"

A community MCP that declared read-only access and used write — caught, scoped down, and quarantined before review.

Experience Center

See it in action.

Three real scenarios: shadow AI brought under governance, a telemetry leak stopped mid-flight, and an over-permissioned community MCP scoped down.

Ollama found on 12 dev machines

Shadow AI Discovered

  • System

    [AI-SPM] Network scan complete. Found 12 Ollama instances (port 11434). Models: Llama-3.1-8B, Mistral-7B, CodeLlama-13B. Zero corporate governance applied.

  • QuilrAI Guardian

    QuilrAI: Routing all 12 endpoints through gateway. Required change per developer: base_url http://localhost:11434 → https://gateway.quilrai.co/ollama

  • QuilrAI Guardian

    governed

    GOVERNED: Content policy active. PII redaction on. Audit log streaming to SIEM. Developers see no workflow change.

vLLM leaks PII via monitoring callback

Telemetry Exfiltration

  • User

    Summarise the Acme Corp customer record — primary contact, email, phone.

  • Self-Hosted Model

    Acme Corp, Jane Smith, jane.smith@acme.com, (555) 867-5309. Contract: $2.4M/yr. Renewal: March 2026.

  • System

    [NETWORK] vLLM attempting POST of full prompt+response to metrics.openllm-analytics.io:443

  • QuilrAI Guardian

    blocked

    BLOCKED: PII exfiltration prevented. External callback blocked. Response contained email, phone, financial data. Telemetry redirected to internal audit log.

Community package claimed read, used write

Over-Permissioned MCP

  • System

    [OSS SCAN] github-mcp@0.3.1 — declared permissions: ["read:repo"]. Actual runtime: ["read:repo", "write:repo", "read:org", "network:*"]

  • QuilrAI Guardian

    Risk score: HIGH (74/100). Over-permissioned: 3 undeclared scopes. Least-privilege set enforced: ["read:repo"] only.

  • QuilrAI Guardian

    blocked

    QUARANTINED: Tool held pending security review. All write:repo and network:* calls blocked at MCP Gateway.

What this looks like in Guardian setup

Allow model weight downloads?Approve

perm: Source: HuggingFace, Ollama (signed) · reason: approved registries only, hash-verified

Allow inference on PII data?Approve

perm: redaction: auto-strip before inference · reason: PII never reaches model weights

Allow outbound network calls?Deny

perm: blocked — no external API egress · reason: self-hosted models must not phone home

Ollama / vLLM endpoints governed
100%
Ollama / vLLM endpoints governed
Added latency per request
<50ms
Added latency per request
Model weight changes needed
Zero
Model weight changes needed
Audit trail, even local inference
Full
Audit trail, even local inference

Govern your open source AI today.

One base_url change. Every Ollama, vLLM, and MCP server in your org, fully governed.