Asset Management
The central registry of every AI asset in your organization — discovered, approved, and actively governed. Assets are the foundation of agent dependency tracking, blast radius analysis, and access control.
What is an asset?
An asset is any AI-related resource in your environment: an API endpoint, a model, a training data repository, a container image, a cloud service, or a service account with AI permissions. Assets are discovered automatically via discovery channels or created manually.
Asset Fields
Core identification
| Field | Description |
|---|---|
| id | Unique asset identifier |
| name | Asset name (e.g. openai-api-prod, customer-data-vector-db) |
| description | What this asset is and what it's used for |
| externalId | Fingerprint used for cross-channel deduplication |
| discoveryChannelId | Which channel first found this asset |
Classification
| Field | Description |
|---|---|
| assetCategory | Broad category: AI_SERVICE, AI_MODEL, DATA_STORAGE, ML_PIPELINE, SOURCE_CODE, CONTAINER, IDENTITY_ACCESS, USAGE_PATTERN |
| assetType | Specific type — 60+ types including ML_ENDPOINT, AI_BOT, MCP_SERVER_INSTANCE, AI_REPOSITORY, etc. |
| metadata | Platform-specific details: endpoint URL, repository owner, cloud region, container registry, etc. |
Status & risk
| Field | Description |
|---|---|
| status | Current lifecycle status (see below) |
| riskLevel | NONE, LOW, MEDIUM, HIGH, or CRITICAL — computed from findings |
| activeRiskCount | Number of open, unresolved findings against this asset |
Lifecycle timestamps
| Field | Description |
|---|---|
| firstSeenAt | When the asset was first discovered |
| lastSeenAt | Most recent confirmation the asset still exists |
| lastScannedAt | Most recent security scan |
Asset Status Lifecycle
| Status | Meaning | Transitions to |
|---|---|---|
| PENDING_APPROVAL | Discovered, awaiting review | APPROVED, BLOCKED |
| APPROVED | Reviewed and cleared for use | ACTIVE, PROMOTED, REMOVED, ARCHIVED |
| ACTIVE | Approved and in active use by governed agents | REMOVED, ARCHIVED |
| BLOCKED | Denied — no agent may access this asset | — |
| PROMOTED | Graduated to a fully governed entity | ARCHIVED |
| REMOVED | No longer detected in the environment | ARCHIVED |
| ARCHIVED | Retained for audit history only | — |
| UNKNOWN | Status could not be determined | Any |
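
The transition table above can be enforced as a check over status-change history, which surfaces changes such as a BLOCKED asset becoming ACTIVE. This is an added example, not Rivaro code: the `(asset_id, timestamp, status)` event tuples and the sample data are constructed, and "Any" for UNKNOWN is read as every status in the table.

```python
from collections import defaultdict

# Allowed transitions, copied from the lifecycle table above.
ALL = {"PENDING_APPROVAL", "APPROVED", "ACTIVE", "BLOCKED",
       "PROMOTED", "REMOVED", "ARCHIVED", "UNKNOWN"}
TRANSITIONS = {
    "PENDING_APPROVAL": {"APPROVED", "BLOCKED"},
    "APPROVED": {"ACTIVE", "PROMOTED", "REMOVED", "ARCHIVED"},
    "ACTIVE": {"REMOVED", "ARCHIVED"},
    "BLOCKED": set(),            # terminal
    "PROMOTED": {"ARCHIVED"},
    "REMOVED": {"ARCHIVED"},
    "ARCHIVED": set(),           # terminal
    "UNKNOWN": ALL,              # table says "Any"
}

# Constructed status-change events (hypothetical export format).
SAMPLE_EVENTS = [
    ("asset-1", "2024-03-01T09:00:00Z", "PENDING_APPROVAL"),
    ("asset-1", "2024-03-02T10:00:00Z", "APPROVED"),
    ("asset-1", "2024-03-05T08:00:00Z", "ACTIVE"),
    ("asset-2", "2024-03-01T09:00:00Z", "PENDING_APPROVAL"),
    ("asset-2", "2024-03-01T12:00:00Z", "BLOCKED"),
    ("asset-2", "2024-03-09T23:10:00Z", "ACTIVE"),   # blocked asset reactivated
    ("asset-3", "2024-03-01T09:00:00Z", "PENDING_APPROVAL"),
    ("asset-3", "2024-03-03T09:00:00Z", "ACTIVE"),   # approval step skipped
    ("asset-4", "2024-03-01T09:00:00Z", "UNKNOWN"),
    ("asset-4", "2024-03-04T09:00:00Z", "APPROVED"),
]

def audit_history(events):
    """Return (asset_id, old, new, timestamp) for each change the table forbids."""
    by_asset = defaultdict(list)
    for asset_id, ts, status in events:
        by_asset[asset_id].append((ts, status))
    violations = []
    for asset_id, changes in by_asset.items():
        changes.sort()  # same-format UTC timestamps sort chronologically
        for (_, old), (ts, new) in zip(changes, changes[1:]):
            if old == new:
                continue  # re-confirmation, not a transition
            # Unrecognised status names on either side also fail this check.
            if new not in TRANSITIONS.get(old, set()):
                violations.append((asset_id, old, new, ts))
    return sorted(violations)

if __name__ == "__main__":
    for v in audit_history(SAMPLE_EVENTS):
        print("illegal transition:", v)
```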
Approving and Denying Assets
From the dashboard
In Discovery > Assets, filter by status PENDING_APPROVAL. For each asset, view its risk score, findings, and discovery sources before deciding. Click Approve or Deny and optionally add review notes.
Via API
```
# Approve an asset
POST /api/admin/discovery/assets/{assetId}/approve
{
  "reviewNotes": "Confirmed legitimate OpenAI usage by the ML team"
}

# Deny an asset
POST /api/admin/discovery/assets/{assetId}/deny
{
  "reviewNotes": "Unauthorized API key — rotating credentials and blocking"
}
```
Promoting Assets
An approved asset can be promoted — converted into a fully governed entity with an AppContext, detection key, and active enforcement. This is how shadow infrastructure becomes official, monitored infrastructure without disruption.
Promotion target types:
| Type | What it becomes |
|---|---|
| AGENT | A registered agent identity — gets a trust score, ownership fields, and appears in agent governance |
| DATA_SOURCE | A governed data source with access policy enforcement |
| MODEL | An approved model in an AppContext's allowed model list |
| INTEGRATION | A governed third-party integration |
| SERVICE | An approved AI service endpoint with active enforcement |
Asset Relationships
Assets don't exist in isolation — they form a dependency graph with the agents that use them. Rivaro tracks which agents use which assets, how they use them, and how often. This powers:
- Blast radius analysis — if this asset is removed or blocked, which agents break?
- Access surface mapping — per agent, what categories of assets can it reach?
- Shadow dependency detection — agents using assets not declared in code
- Cost attribution — total spend per asset across all agents that use it
See Agent Management for the full dependency tracking reference.
Risk Scoring
Each asset has a riskLevel computed from its open findings. Risk levels are: NONE, LOW, MEDIUM, HIGH, CRITICAL. An asset with a CRITICAL finding (e.g. exposed credentials in its source code) will be riskLevel: CRITICAL until that finding is resolved or ignored.
The approval workflow surfaces the risk score prominently so reviewers can make informed decisions. High-risk assets should either be blocked or remediated before approval.
Stale Asset Detection
Assets that haven't been seen by any discovery channel for an extended period are flagged as stale. Stale assets that are still in APPROVED or ACTIVE status may represent decommissioned infrastructure that hasn't been cleaned up from Rivaro — or legitimate assets whose discovery channel isn't scanning frequently enough.
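
One way to separate the two causes named above, as an added example that is not Rivaro's own logic. Assumptions: a 30-day threshold (the page gives none), UTC ISO 8601 timestamps, constructed sample records, and a heuristic that treats a channel as still scanning if it confirmed any of its assets within the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # assumption: the page gives no threshold
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse(ts):
    """Parse a UTC timestamp such as 2024-06-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample records using field names from the Asset Fields tables.
SAMPLE_ASSETS = [
    {"id": "a1", "status": "ACTIVE", "discoveryChannelId": "ch-1", "lastSeenAt": "2024-05-30T04:00:00Z"},
    {"id": "a2", "status": "APPROVED", "discoveryChannelId": "ch-1", "lastSeenAt": "2024-03-01T04:00:00Z"},
    {"id": "a3", "status": "ACTIVE", "discoveryChannelId": "ch-2", "lastSeenAt": "2024-02-10T04:00:00Z"},
    {"id": "a4", "status": "ARCHIVED", "discoveryChannelId": "ch-2", "lastSeenAt": "2024-02-12T04:00:00Z"},
    {"id": "a5", "status": "BLOCKED", "discoveryChannelId": "ch-1", "lastSeenAt": "2024-01-01T04:00:00Z"},
]
NOW = parse("2024-06-01T00:00:00Z")

def triage_stale(assets, now):
    """Group stale APPROVED/ACTIVE asset ids by the more likely cause."""
    # Newest confirmation per channel, over all assets regardless of status.
    newest = defaultdict(lambda: EPOCH)
    for a in assets:
        ch = a["discoveryChannelId"]
        newest[ch] = max(newest[ch], parse(a["lastSeenAt"]))
    result = {"likely_decommissioned": [], "channel_not_scanning": []}
    for a in assets:
        if a["status"] not in ("APPROVED", "ACTIVE"):
            continue  # only statuses that still grant use matter here
        if now - parse(a["lastSeenAt"]) <= STALE_AFTER:
            continue  # seen recently, not stale
        # If the channel confirmed something else recently it is scanning,
        # so the missing asset is more likely gone from the environment.
        channel_alive = now - newest[a["discoveryChannelId"]] <= STALE_AFTER
        key = "likely_decommissioned" if channel_alive else "channel_not_scanning"
        result[key].append(a["id"])
    return result

if __name__ == "__main__":
    print(triage_stale(SAMPLE_ASSETS, NOW))
```

Because `discoveryChannelId` records only the channel that first found the asset, an asset later confirmed by other channels would need those channels included for this grouping to hold.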
Managing Assets
| Endpoint | Description |
|---|---|
| GET /api/admin/discovery/assets | List assets with filtering (status, category, risk level) |
| GET /api/admin/discovery/assets/{assetId} | Get full asset detail including findings |
| POST /api/admin/discovery/assets/{assetId}/approve | Approve an asset |
| POST /api/admin/discovery/assets/{assetId}/deny | Block an asset |
| POST /api/admin/discovery/assets/{assetId}/promote | Promote to a governed entity |
| GET /api/admin/discovery/assets/{assetId}/findings | Get all findings for an asset |
| POST /api/admin/discovery/assets | Manually add an asset (auto-approved) |
Next steps
- Discovery & Shadow AI — How assets are found and what channels are supported
- Agent Management — Agent dependency graphs and blast radius
- Remediation — Fix findings on assets before approving them