PRISM ML Scanner — Model Integrity for the AI Supply Chain
Block Backdoored ML Artifacts Before They Reach Production. PRISM ML Scanner detonates every model in an isolated sandbox — catching the evasive backdoors that static, signature-based scanners miss.
Why it matters
Models from public hubs, partner-provided checkpoints, and even internally trained artifacts moving between environments carry latent supply-chain risk. Generic software scanners do not understand ML formats.
No ML Artifact Scanning
Most enterprises deploy imported models, fine-tuned checkpoints, and third-party weights without scanning. The first signal of a compromised artifact is typically a production incident.
Generic Scanners Miss ML Formats
Conventional software composition analysis tooling scans for known CVEs in software dependencies. Pickle payloads, malicious hooks in weights, and ML loader injections are opaque to that class of scanner.
Runtime Firewalls Are Too Late
LLM-firewall tools moderate prompts at runtime. They cannot detect a backdoor already baked into the model — the compromise occurred before the firewall saw the first prompt.
Manual Model Review
Security teams visually inspect model files or run ad-hoc Python scripts. This is not repeatable and cannot scale to organizations importing dozens of models or operating continuous training pipelines.
Static Scanners Are Bypassable
Signature- and pattern-based ML scanners are routinely evaded by models engineered to slip past static inspection — the most common open-source pickle scanner was itself found to carry bypass vulnerabilities. They also lack integration with hardening and runtime workflows, and produce findings without remediation pathways or compliance evidence. Most require significant custom engineering.
Our Approach
PRISM ML Scanner uses a 4-step AI model scanning methodology to block compromised artifacts at the deployment gate.
Inspect
Scans pickle, .pth and accompanying deployment code. Includes an ML-code review of the algorithm and loader logic; broader format coverage (safetensors, ONNX, TensorFlow/Keras, joblib) is on the roadmap.
Detect
Identifies backdoor payloads in deserialization paths, malicious hooks (exec, subprocess, network call-out, encoded binaries), and dependency injections in loader scripts. Then detonates the model in an isolated SISA sandbox and detects backdoors behaviourally — catching evasive payloads that bypass signature-based scanning.
Quarantine
Blocks compromised artifacts at the deployment gate. Quarantine workflow with the sandbox verdict and code-review findings produces full forensic context for the security team.
Evidence
Generates ML Scanner reports and gate decision logs pre-mapped to ISO 42001 supply-chain controls, PCI DSS 4.0.1 and EU AI Act Art. 15. Through PRISM Govern, the same evidence maps to the payment-sector regulators (SAMA, CBUAE, RBI, MAS).
Service Offerings
PRISM ML Scanner combines ML-code review with sandbox detonation to catch backdoored models — hub-sourced and in-house alike — before they ever load.
PRISM ML Scanner runs the model file in an isolated SISA sandbox and detects backdoors behaviourally, catching evasive payloads that static, signature-based scanners miss — paired with an ML-code review of the algorithm and loader logic. Both hub-sourced and in-house models pass through the same gate.
Scans pickle files (.pkl, .pickle), PyTorch checkpoints (.pth, .pt) and accompanying deployment code. Coverage is expanding on the roadmap to safetensors, ONNX, TensorFlow/Keras and joblib.
Identifies hidden backdoor payloads embedded in pickle deserialization paths, malicious code/hook injections (e.g., shell execution via exec, encoded binary payloads), and malicious dependency injections in deployment code.
Integrates into MLOps pipelines as a deployment gate, blocks the artifact if a backdoor is detected and creates quarantine workflow with the sandbox verdict for the security team.
Built on SISA's patent-pending AI model scanning solution and detection rules informed by forensic insights, the scanner reflects how real adversaries embed payloads.

BENEFITS
PRISM ML Scanner verifies the integrity of every model artifact — hub-sourced or in-house — before it reaches production, and generates audit-ready evidence.
Backdoored ML artifacts blocked before production
The pickle-file and serialized-model attack vector is closed at the deployment gate - not discovered during a forensic investigation after the incident
Full ML portfolio protected, not just LLMs
Classical ML models (fraud
scoring, credit decisioning, diagnostic classification) get the same artifact integrity gate as imported LLM checkpoints. Coverage extends to every model entering production.
Imported third-party models become trustable
Models from public hubs, partner-provided checkpoints, and acquisition-inherited weights pass through the same gate as internal artifacts. Trust is verified, not assumed.
Supply-chain risk eliminated at the artifact level
Every pickle file and accompanying loader script is scanned before deployment. Supply-chain compromise is detected before it reaches runtime.
Compliance evidence generated automatically
Reports, quarantine records, and gate decision logs are pre-mapped to ISO 42001, EU AI Act Art. 15, NIST AI RMF MAP/MANAGE, HITRUST AI-44, PCI DSS 4.0.1, and the payment-sector regulators (SAMA, CBUAE, RBI, MAS) via PRISM Govern.
Standalone or Integrated
Can be deployed independently as a release gate, or as a release gate within the full PRISM lifecycle. As the platform matures, a flagged model can be routed into PRISM Secure Fine-tuning for remediation, and its integrity fed into PRISM Discover’s ML BOM.
Why Organizations Choose PRISM ML Scanner from SISA
PRISM ML Scanner combines sandbox-based behavioural detection, ML-code review and pre-deployment gating to secure every model — hub-sourced or in-house — before it reaches production.
Pre-production assurance
Compromised models are caught at the deployment gate rather than during a post-incident forensic investigation.
Forensics-informed, real-world detection
Detection rules are built on how actual adversaries embed payloads, drawn from SISA's breach-investigation intelligence, not theoretical or checklist-based risks.
Automatic audit readiness
Every scan produces compliance evidence pre-mapped to 40+ AI GRC frameworks. These include PCI DSS 4.0.1 and the payment-sector regulators (SAMA, CBUAE, RBI, MAS).
Deployment flexibility
Adoption on the organization's terms — a standalone release gate today, expanding into the full PRISM platform as AI governance matures.
Behavioural detection static scanners can’t match
PRISM ML Scanner detonates each model in an isolated sandbox rather than relying on static signatures alone — so it catches evasive backdoors that slip past the common open-source scanners, which themselves carry known bypasses.
PCI QSA heritage embedded in the evidence
18+ years as a PCI Qualified Security Assessor means every scan report, quarantine record and gate log lands in an assessor’s standard workflow — audit evidence, not just a technical finding.
Built for the payment ecosystem
The same integrity gate protects the fraud-scoring and credit-decisioning models payment regulators care most about, with evidence mapped to PCI DSS 4.0.1, SAMA, CBUAE, RBI and MAS.

Block Backdoored AI Before It Ships.
Foresight. Perspective. Leadership


