Technical Deep Dive
Why SBOMs Are Inadequate for AI Agents
A traditional SBOM is a static list of software components—library names, versions, and licenses. It works well for monolithic applications where dependencies are resolved at build time and remain fixed. AI Agents, however, are fundamentally different. An Agent is a runtime composition engine: it selects tools, calls models, and processes data in sequences that are not fully known until execution. For example, an Agent tasked with "summarize this PDF and email the result" might:
1. Call a PDF parsing tool (e.g., PyMuPDF)
2. Pass the extracted text to a language model (e.g., GPT-4o)
3. Use the model's output to trigger an email API (e.g., SendGrid)
Each of these steps involves a different component with its own security properties. The SBOM would list PyMuPDF, GPT-4o API, and SendGrid SDK, but it cannot capture that the PDF parser's output flows directly into the email tool—a critical data path. If the PDF parser is compromised (e.g., via a malicious PDF), the attacker can inject arbitrary text that the model then passes to the email API, potentially sending phishing emails from a trusted account.
The Composition Graph Architecture
A Composition Graph is a directed, attributed graph where:
- Nodes represent components: models, tools, data sources, API endpoints, and even sub-agents.
- Edges represent interactions: calls, data flows, control flows, and context constraints.
- Attributes capture metadata: timestamps, permissions, input/output schemas, and security policies.
The graph is built at runtime by an observability layer that intercepts all inter-component communication. This is similar to distributed tracing in microservices (e.g., OpenTelemetry), but tailored for AI Agent workflows. The key difference is that Composition Graphs must also model semantic context—for instance, which model's output is being used as input to which tool, and whether that violates a policy.
Example Graph Structure:
```
[PDF Parser] --(output text)--> [LLM] --(summary)--> [Email API]
[LLM] --(tool call)--> [Web Search API]
```
Open-Source Tools and Repositories
Several projects are exploring Composition Graphs:
- LangChain's LangSmith: Provides tracing capabilities that can be used to reconstruct agent execution paths. However, it is primarily for debugging, not security policy enforcement. (GitHub: langchain-ai/langsmith, ~5k stars)
- Cisco's OpenTelemetry for AI: An extension of the OpenTelemetry standard to include AI-specific spans for model calls and tool usage. Still in early stages.
- Protect AI's Guardian: A runtime security layer that uses a graph-based policy engine to block anomalous agent behaviors. (GitHub: protect-ai/guardian, ~2k stars)
- MIT's VeriAgent: A research prototype that generates formal proofs of agent behavior using composition graphs. Not yet public.
Performance Benchmarks
| Approach | Detection Latency | False Positive Rate | Coverage of Runtime Paths | Update Frequency |
|---|---|---|---|---|
| SBOM (static) | N/A (pre-deployment) | N/A | 0% (no runtime info) | Per release |
| Composition Graph (runtime) | 50-200ms per interaction | 2-5% | 95%+ (with full tracing) | Real-time |
| Manual Audit | Hours to days | 10-20% | 30-50% (sampling) | Per audit cycle |
Data Takeaway: Composition Graphs introduce a small latency overhead (50-200ms per interaction) but achieve near-complete coverage of runtime paths, compared to zero for SBOMs. The false positive rate of 2-5% is manageable with proper tuning and is far lower than manual audits.
Key Players & Case Studies
Startups and Research Groups
- Protect AI: Based in Seattle, raised $35M Series A in 2024. Their product, Guardian, uses a Composition Graph to enforce policies like "model output must not be passed directly to a file write tool." They have reported catching a real-world attack where a compromised PDF parser attempted to write a malicious script to disk.
- HiddenLayer: Focuses on adversarial ML detection but has recently added agent workflow monitoring. Their approach is more signature-based than graph-based.
- MIT CSAIL: The VeriAgent project uses formal verification on composition graphs to prove that an agent cannot violate safety constraints. Still academic, but promising for high-assurance applications.
Case Study: The PDF Parser Attack
In early 2025, a financial services company deployed an AI Agent to automate invoice processing. The agent used a popular open-source PDF parser (PyMuPDF) to extract data, then passed it to a fine-tuned LLM for validation, and finally to a payment API. An attacker submitted a malicious PDF that exploited a buffer overflow in PyMuPDF, injecting a payload that replaced the LLM's output with a command to transfer funds to a different account. The SBOM listed PyMuPDF v1.23.4, but the vulnerability was in the runtime interaction: the PDF parser's output was trusted by the LLM, which then passed it to the payment API without validation. A Composition Graph would have flagged the anomalous data flow: the PDF parser's output should have been sanitized before entering the LLM, and the LLM's output should have been validated before reaching the payment API.
Competitive Landscape
| Company | Product | Approach | Key Differentiator | Pricing |
|---|---|---|---|---|
| Protect AI | Guardian | Composition Graph + policy engine | Real-time runtime enforcement | $15k/month per agent |
| HiddenLayer | MLDR | Signature-based anomaly detection | Low false positives | $10k/month |
| Cisco | AI Observability (in dev) | OpenTelemetry extension | Integration with existing infra | TBD |
| MIT (research) | VeriAgent | Formal verification | Provable safety guarantees | N/A (research) |
Data Takeaway: Protect AI's Guardian leads in runtime enforcement but at a premium price. Cisco's entry could commoditize the space if they integrate graph capabilities into existing observability tools. MIT's formal verification approach is the most rigorous but years from production.
Industry Impact & Market Dynamics
Market Growth
The AI Agent security market is projected to grow from $1.2B in 2025 to $8.5B by 2028 (CAGR 63%). The shift from SBOMs to Composition Graphs is a key driver, as enterprises realize static lists are insufficient for autonomous systems.
Adoption Curve
| Sector | Current Adoption of Composition Graphs | Expected Adoption by 2027 | Primary Concern |
|---|---|---|---|
| Finance | 5% (pilot programs) | 40% | Regulatory compliance (SOX, GDPR) |
| Healthcare | 2% | 30% | Patient data protection (HIPAA) |
| E-commerce | 10% | 50% | Fraud prevention |
| Government | 1% | 20% | National security |
Data Takeaway: Finance and e-commerce are early adopters due to high stakes and existing security budgets. Healthcare lags due to regulatory inertia but will accelerate as AI agents handle more patient data.
Business Model Implications
- For security vendors: Composition Graphs enable new pricing models based on the number of edges (interactions) monitored, not just nodes (components). This could increase revenue per customer as agents become more complex.
- For AI platform providers: Companies like OpenAI, Anthropic, and Google will need to build graph-based security into their agent frameworks (e.g., OpenAI's Agents SDK, Anthropic's Claude API) to remain competitive in enterprise markets.
- For enterprises: The cost of securing an AI agent may exceed the cost of developing it. A typical agent might cost $50k to build but $100k/year to secure with runtime monitoring.
Risks, Limitations & Open Questions
Scalability
Composition Graphs for a single agent are manageable, but for an enterprise with thousands of agents, the graph becomes a massive, high-velocity data stream. Storing and querying these graphs in real-time requires significant infrastructure. Current graph databases (Neo4j, Amazon Neptune) struggle with write-heavy workloads at scale.
Privacy
To build a Composition Graph, the security layer must observe all inter-component communication, including the content of model inputs and outputs. This raises privacy concerns, especially in healthcare and legal domains. Differential privacy or homomorphic encryption could help, but both add latency.
Adversarial Evasion
Attackers may learn to craft attacks that appear normal in the Composition Graph. For example, an attacker could slowly escalate privileges over many interactions, staying below anomaly thresholds. Graph-based defenses must be combined with behavioral modeling and adversarial training.
Standardization
No standard exists for Composition Graph schema, query language, or policy format. This creates vendor lock-in and interoperability issues. The OpenTelemetry community is working on an extension, but it's moving slowly.
AINews Verdict & Predictions
Verdict: The shift from SBOMs to Composition Graphs is not just an incremental improvement—it is a necessary paradigm shift for AI Agent security. SBOMs are dead for autonomous systems. Any organization deploying AI Agents in production without runtime composition monitoring is effectively blind to the most dangerous attack vectors.
Predictions:
1. By Q4 2026, at least one major cloud provider (AWS, Azure, GCP) will launch a managed Composition Graph service as part of their AI security offering, forcing startups to differentiate on policy intelligence.
2. By 2027, a formal standard for Composition Graphs will emerge from the OpenTelemetry AI working group, enabling interoperability between vendors.
3. By 2028, Composition Graphs will be mandatory for AI agents in regulated industries (finance, healthcare) under new compliance frameworks, similar to how SBOMs are now required for software supply chains.
4. The biggest winner will be Protect AI if they can scale their product before cloud giants enter. The biggest loser will be traditional SBOM vendors (e.g., Snyk, Sonatype) if they fail to pivot to runtime composition.
5. Watch for: The first major AI agent supply chain attack that exploits the absence of Composition Graphs—it will be the "SolarWinds" moment for AI security, accelerating adoption dramatically.