Open Source AI ships with no guardrails. Your enterprise needs them.
Llama on dev laptops, vLLM clusters with no auth, community MCPs wired straight to production, model weights from unknown sources. QuilrAI discovers all of it, scans it, rates the risk, and enforces policy — one base_url change.
Four surfaces. Zero governance.
Shadow AI on Dev Machines
Ollama · LM Studio · Jan · GPT4All
Llama 3 runs on 100 developer laptops. IT sees zero requests. No DLP event. No SIEM alert. Completely invisible.
Self-Hosted Model Servers
vLLM · HuggingFace TGI · Triton
OpenAI-compatible API, no auth by default. Any internal service can query the model. No rate limit, no logging, no content policy.
Community MCPs & Agents
GitHub · npm · PyPI · 1,000+ servers
Developers install MCP servers from the internet and wire them straight to production. No security audit. No CVE process. Tool scope is self-declared.
Model Supply Chain
HuggingFace · LoRA · GGUF quantizations
Weights from unknown sources. Backdoored models activate on trigger phrases. Fine-tunes trained on internal data leak IP through outputs.
npm audit for AI tools.
Every model weight, MCP server, and agent framework goes through 5 stages before it touches your infrastructure.
- 01
Discover
Find every open source AI asset in your org
- Ollama on port 11434 across the network
- pip / npm installed MCP servers
- HuggingFace cached models
- Running vLLM / TGI endpoints
- 02
Scan
Check every tool before it runs
- Pickle / safetensors weight integrity
- Backdoor trigger detection in fine-tunes
- MCP static analysis — network, env, filesystem access
- Transitive dependency CVE scan
- 03
Risk Rate
Score across 5 dimensions
- Provenance — known author, signed release
- Permission breadth — how much does it claim?
- Community trust — CVE history, last maintained
- Data sensitivity — can it touch PII or source code?
- 04
Extract Permissions
Declared vs actual, close the gap
- Declared scope vs runtime scope compared
- Least-privilege set auto-generated
- Over-permission flags surfaced for review
- Diff alerts when tool updates change scope
- 05
Allow / Block / Quarantine
Enforce policy, protect the pipeline
- Block by model hash — only approved weights run
- Block by registry — no unapproved npm / PyPI MCPs
- Quarantine new tools pending review
- Auto-block Critical risk score tools org-wide
A community MCP that declared read-only access and used write — caught, scoped down, and quarantined before review.
See it in action.
Three real scenarios: shadow AI brought under governance, a telemetry leak stopped mid-flight, and an over-permissioned community MCP scoped down.
Shadow AI Discovered
System
[AI-SPM] Network scan complete. Found 12 Ollama instances (port 11434). Models: Llama-3.1-8B, Mistral-7B, CodeLlama-13B. Zero corporate governance applied.
QuilrAI Guardian
QuilrAI: Routing all 12 endpoints through gateway. Required change per developer: base_url http://localhost:11434 → https://gateway.quilrai.co/ollama
QuilrAI Guardian
governedGOVERNED: Content policy active. PII redaction on. Audit log streaming to SIEM. Developers see no workflow change.
Telemetry Exfiltration
User
Summarise the Acme Corp customer record — primary contact, email, phone.
Self-Hosted Model
Acme Corp, Jane Smith, jane.smith@acme.com, (555) 867-5309. Contract: $2.4M/yr. Renewal: March 2026.
System
[NETWORK] vLLM attempting POST of full prompt+response to metrics.openllm-analytics.io:443
QuilrAI Guardian
blockedBLOCKED: PII exfiltration prevented. External callback blocked. Response contained email, phone, financial data. Telemetry redirected to internal audit log.
Over-Permissioned MCP
System
[OSS SCAN] github-mcp@0.3.1 — declared permissions: ["read:repo"]. Actual runtime: ["read:repo", "write:repo", "read:org", "network:*"]
QuilrAI Guardian
Risk score: HIGH (74/100). Over-permissioned: 3 undeclared scopes. Least-privilege set enforced: ["read:repo"] only.
QuilrAI Guardian
blockedQUARANTINED: Tool held pending security review. All write:repo and network:* calls blocked at MCP Gateway.
What this looks like in Guardian setup
perm: Source: HuggingFace, Ollama (signed) · reason: approved registries only, hash-verified
perm: redaction: auto-strip before inference · reason: PII never reaches model weights
perm: blocked — no external API egress · reason: self-hosted models must not phone home
- Ollama / vLLM endpoints governed
- 100%
- Ollama / vLLM endpoints governed
- Added latency per request
- <50ms
- Added latency per request
- Model weight changes needed
- Zero
- Model weight changes needed
- Audit trail, even local inference
- Full
- Audit trail, even local inference
Govern your open source AI today.
One base_url change. Every Ollama, vLLM, and MCP server in your org, fully governed.