A searchable directory of AI assets built so teams can find, compare, and reuse them. It usually stores descriptive metadata, intended use, and access information. A catalog improves discovery, but by itself it does not prove that an asset is approved, current, or accountable for production use.
Expanded Definition
An AI model catalog is more than a list of models. In NHI and AI governance, it acts as a controlled inventory of model assets, typically including ownership, version, provenance, intended use, deployment status, access path, and risk notes. Used well, it helps teams discover reusable models without creating shadow AI or duplicating effort. Used poorly, it becomes a loose directory that signals availability but not approval.
The term is still evolving across vendors and platforms, so organisations should distinguish between discovery metadata and governance state. A catalog may point to a model card, policy entry, or deployment record, but it does not by itself establish whether a model is approved for production, whether its training data is acceptable, or whether access is properly restricted. That distinction matters because model reuse often creates hidden dependency chains across teams and environments. For governance alignment, the catalog should support traceability, not merely searchability, and it should map cleanly to controls described in the NIST Cybersecurity Framework 2.0. The most common misapplication is treating a catalog entry as an approval record, which occurs when teams assume listed assets are production-ready without validating ownership or control status.
Examples and Use Cases
Implementing an AI model catalog rigorously often introduces governance overhead, requiring organisations to weigh faster reuse against stricter review, version control, and access management.
- A platform team catalogs internal foundation models with tags for owner, supported workloads, and approved regions so application teams can choose a safe default.
- A security team links catalog entries to model lineage, access policy, and validation evidence so a model can be traced from training source to deployment decision.
- A procurement or vendor-risk group records external models alongside contractual limits, data handling notes, and expiration dates so unauthorised reuse is less likely.
- A product team uses the catalog to compare two fine-tuned models, then checks whether either is restricted from customer-facing workflows before deployment.
- An engineering group references a catalog entry during incident response to identify which applications depend on a compromised or deprecated model.
For deeper context on how AI-related assets become exposed through operational shortcuts, see the DeepSeek breach; for inventory and governance alignment, see the NIST Cybersecurity Framework 2.0. A mature catalog also helps teams separate a reusable model from a model that is merely accessible, which is a common source of confusion in AI operations.
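The distinction the definition above draws between discovery metadata and governance state, and the incident-response use case of finding every application that depends on a compromised or deprecated model, can both be made concrete in code. The following is an added example, not tooling from NHI Mgmt Group or any vendor: the entry schema, the `production_gate` check, the `impacted_applications` lookup, and the sample catalog, teams and application names are all constructed for illustration.

```python
"""Added example: a minimal model-catalog entry schema with a production gate
and a reverse-dependency lookup. All names, fields and sample entries are
constructed for illustration; none refer to real models, teams or products."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class GovernanceState(Enum):
    LISTED = "listed"            # discoverable in the catalog, nothing more
    UNDER_REVIEW = "under_review"
    APPROVED = "approved"        # has passed the organisation's review
    DEPRECATED = "deprecated"
    REVOKED = "revoked"


@dataclass(frozen=True)
class CatalogEntry:
    model_id: str
    version: str
    intended_use: str
    state: GovernanceState
    owner: Optional[str] = None          # accountable team or identity
    provenance: Optional[str] = None     # training source / upstream model
    approved_regions: frozenset = frozenset()
    restricted_workflows: frozenset = frozenset()
    depends_on: frozenset = frozenset()  # model_ids this model is built from


def production_gate(entry: CatalogEntry, region: str, workflow: str) -> list:
    """Return the reasons a catalog entry may NOT be used in production.
    An empty list means the entry clears every check. Being listed in the
    catalog is never sufficient on its own."""
    reasons = []
    if entry.state is not GovernanceState.APPROVED:
        reasons.append(f"governance state is {entry.state.value}, not approved")
    if not entry.owner:
        reasons.append("no accountable owner recorded")
    if not entry.provenance:
        reasons.append("no provenance recorded")
    if region not in entry.approved_regions:
        reasons.append(f"region {region} is not approved")
    if workflow in entry.restricted_workflows:
        reasons.append(f"workflow {workflow} is restricted for this model")
    return reasons


def impacted_applications(catalog: dict, applications: dict, model_id: str) -> set:
    """Given a compromised or deprecated model, find every application that
    depends on it directly or through a model derived from it (e.g. a
    fine-tune). `applications` maps app name -> set of model_ids it uses."""
    affected = {model_id}
    frontier = [model_id]
    while frontier:            # walk the reverse dependency graph
        current = frontier.pop()
        for other in catalog.values():
            if current in other.depends_on and other.model_id not in affected:
                affected.add(other.model_id)
                frontier.append(other.model_id)
    return {app for app, used in applications.items() if used & affected}


# Constructed sample catalog (hypothetical models and teams)
CATALOG = {
    "base-llm": CatalogEntry(
        "base-llm", "3.0", "general text generation", GovernanceState.APPROVED,
        owner="platform-team", provenance="internal pretraining corpus v3",
        approved_regions=frozenset({"eu-west"}),
    ),
    "support-summariser": CatalogEntry(
        "support-summariser", "1.2", "summarise support tickets",
        GovernanceState.APPROVED, owner="support-eng",
        provenance="fine-tuned from base-llm 3.0 on ticket archive",
        approved_regions=frozenset({"eu-west"}),
        restricted_workflows=frozenset({"customer-facing"}),
        depends_on=frozenset({"base-llm"}),
    ),
    # Listed by a vendor-risk group but never reviewed: visible, not approved.
    "vendor-ranker": CatalogEntry(
        "vendor-ranker", "0.9", "search re-ranking", GovernanceState.LISTED,
        approved_regions=frozenset({"eu-west", "us-east"}),
    ),
}

# Constructed application-to-model usage records
APPLICATIONS = {
    "ticket-triage": {"support-summariser"},
    "site-search": {"base-llm", "vendor-ranker"},
    "hr-bot": {"vendor-ranker"},
}

if __name__ == "__main__":
    for mid, entry in CATALOG.items():
        print(mid, production_gate(entry, "eu-west", "customer-facing") or "OK")
    print(sorted(impacted_applications(CATALOG, APPLICATIONS, "base-llm")))
```

The gate deliberately returns every failing check rather than the first one, so a reviewer sees at once that a listed-but-unowned vendor model is missing both an owner and provenance, not just an approval. The dependency walk follows `depends_on` edges in reverse, so a compromised base model surfaces the fine-tuned model built from it and the application using that fine-tune, which is the hidden dependency chain the definition warns about.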
Why It Matters in NHI Security
AI model catalogs matter because model assets increasingly sit at the junction of identity, secrets, and tool access. If a catalog omits owner identity, deployment scope, or access restrictions, teams can redeploy sensitive models into new environments without understanding what data, credentials, or integrations they bring along. That creates the same kind of control failure seen in other NHI problems: inventory exists, but accountability does not. This is especially important when models interact with secrets, APIs, or agent workflows, where a catalog entry can become the first place an attacker looks for reuse paths or weak governance.
NHIMG research on The State of Secrets in AppSec shows that 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, which makes model provenance and access records operationally relevant. A catalog also becomes more important when organisations try to compare approved models against exposed or unreviewed assets of the kind highlighted in the DeepSeek breach. Organisations typically encounter model sprawl, unclear ownership, or unsafe reuse only after an incident, audit finding, or production failure, at which point reconciling the catalog becomes unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | AI model catalogs are asset inventories that support identification and governance of AI resources. |
| NIST AI RMF | Map, Measure, Manage functions | The AI RMF addresses mapping, measuring, and managing AI risks across the model lifecycle. |
| OWASP Agentic AI Top 10 | | Agentic AI guidance depends on knowing which models and tools are approved for use. |
Inventory model assets, owners, and dependencies so governance can track what exists and where it is used.
Related resources from NHI Mgmt Group
- What does AI model abuse reveal about the current NHI threat surface?
- What is the difference between controlling an AI model and controlling an AI agent?
- How should organisations handle privileged access when workloads and AI systems are part of the model?
- What is the difference between an AI model answering IAM questions and a RAG-enabled IAM agent?