What is AI Discovery?

AI discovery refers to the systematic process of scanning an organization’s entire technology infrastructure to find every artificial intelligence system that has been built, deployed, or is currently in use. This includes machine learning models, large language model applications, AI powered automations, agent systems, and any other form of AI, regardless of whether it was formally approved or deployed informally by individual teams.

The purpose of discovery is to create a complete and accurate inventory of AI across the organization. Without discovery, governance teams have no way of knowing the full scope of AI usage, which means risk assessments are incomplete, compliance records have gaps, and entire systems can operate without any oversight at all.

Why Discovery is the First step of AI Governance

Every governance activity depends on knowing what AI systems exist. Risk assessment, compliance tracking, bias testing, monitoring, and audit reporting all require a complete inventory to work from. If your inventory is missing systems, every downstream governance process inherits those gaps.

In most enterprises, the AI landscape is far larger than leadership realizes. Research consistently shows that organizations have three to five times more AI systems than their official records suggest. This gap exists because teams across the company build and deploy AI independently using cloud platforms, open source tools, and third party APIs, often without informing central governance or IT teams.

How the Discovery Process Works

Discovery operates through a structured, multi stage flow that takes raw data from connected platforms and transforms it into a governed AI inventory.

• Sources: The process begins by establishing connections to the platforms where AI systems are built and run. These include code repositories, cloud platforms, machine learning tools, LLM providers, agent frameworks, and enterprise systems. Each connection is read only, meaning the platform only observes and never makes changes to your existing systems.
• Artifacts: Once connected, the platform scans each source and collects individual AI components. These components are called artifacts. An artifact could be a Jupyter notebook containing model training code, a serialized model file, a live API endpoint serving predictions, an experiment logged in a model registry, or a record of API calls to an LLM provider.
• Classification: Each discovered artifact is then classified by type. The platform determines whether it is a traditional machine learning model, an LLM application, a multi agent system, a data pipeline with AI components, or another form of AI. It also assigns an initial risk level based on the type and context of the artifact.
• Reconciliation: Individual artifacts are often pieces of the same AI system spread across multiple platforms. For example, one AI system might have its training code in GitHub, its model stored in a registry on Databricks, and its serving endpoint running on AWS SageMaker. Reconciliation is the process of recognizing that these separate artifacts belong together and grouping them into a single, unified record.
• Assets: The final stage creates a governed asset record for each AI system. This record is stored in the AI CMDB (the platform’s central AI registry) and includes structured metadata about the system’s type, ownership, technical profile, risk level, and compliance status. This asset becomes the unit that all governance activities operate on going forward.

How Holistic AI Runs Discovery

In the Holistic AI Governance platform, discovery is handled by the IDENTIFY module. It connects to over 30 platforms using OAuth 2.0 authentication with read only permissions. No agents need to be installed on your infrastructure and no code changes are required in any of your existing systems.

Once connections are established, IDENTIFY runs the full discovery flow automatically and on a continuous basis. This means the AI inventory stays current as teams deploy new models, connect new APIs, or build new systems. New AI activity is detected and added to the inventory without anyone needing to manually register it.

The result is a living, always current view of your organization’s complete AI landscape, which becomes the foundation for all risk assessment, compliance, and monitoring activities in the PROTECT and ENFORCE modules.