Agent Security Center integrates with AI platforms to monitor your AI agent assets and associated security risks. This topic describes how to connect various AI platforms to Agent Security Center.
Scope
- Account scope: This feature is in public preview and is available to all customers at no cost during the preview period.
- Connect to an AI platform: This feature supports AI development platforms such as Alibaba Cloud Model Studio, PAI, Dify, OpenClaw, and AgentKit.
- Collected asset types: Model Service, Dataset, and Application Configurations.
Connect AI Platforms
The Security Center agent supports the following platforms. The connection type and asset types that the agent collects vary by platform.
| Platform name | Connection details |
| Alibaba Cloud Model Studio | Create a RAM role in Alibaba Cloud Model Studio and grant it the AliyunServiceRoleForSasCspm service-linked role. Then sync assets. |
| PAI | After granting permissions in PAI, the system automatically syncs assets from all workspaces once per day. |
| Dify | Configure an IP whitelist. Enter the API endpoint, email address, and password. Supports both public network and VPC connections. |
| VolcEngine AgentKit | Connect VolcEngine assets using an AccessKey (AK). Grant required permissions such as |
| OpenClaw | Install the Security Center client. No separate integration is required. |
Connect to Alibaba Cloud Model Studio
Step one: Create and authorize a Model Studio user
- Go to the Alibaba Cloud Model Studio console.
- In the navigation bar, select your target workspace and then click Permission Management.
  Important: If you connect multiple workspaces, you must configure each one separately.
- On the Permission Management page, click Add User.
- Configure the user as described below and then click OK.
  - Type: RAM role.
  - RAM role: Select the service-linked role AliyunServiceRoleForSasCspm.
    Note: After you grant the authorization, Agent Security Center uses this role to sync Alibaba Cloud Model Studio resources from the selected workspace in your account.
  - Display name: Enter a descriptive name, such as agent_user.
Step two: Sync assets
- Go to the Security Center console > Agent Security Center > Agent Overview. In the upper-left corner of the page, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
- In the Connected Platforms section, click Asset synchronization in the upper-right corner.
- The system synchronizes the platform's AI Agent, Model Service, toolset, Dataset, and Application Configurations data, and performs threat detection at the same time.
  Note: Asset synchronization may take some time to complete.
Connect PAI (first time)
If you have already authorized PAI, the system automatically performs an asset synchronization daily. No further integration steps are required.
- Go to the Security Center console > Agent Security Center > Agent Overview. In the upper-left corner of the page, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
- In the Connected Platforms section, click PAI.
- In the PAI connection panel, click Activate Now. You are then redirected to the Platform for AI (PAI) authorization page.
- After you complete the authorization, return to Agent Security Center.
- On the Agent Overview page, go to the Connected Platforms section and click Asset synchronization in the upper-right corner.
  Important: By default, assets from all workspaces are synced.
Connect Dify
- Configure the IP whitelist: If Dify runs on a server that has access control policies, you must add the following IP addresses to the outbound whitelist. Use the public IP list if Dify is deployed on the public network. Use the private IP list if Dify is deployed on a private network.
  | Region | Public IP address | Private IP address |
  | China (Hangzhou) | 47.96.166.214 | 100.104.12.64/26 |
  | China (Shanghai) | 139.224.15.48, 101.132.180.26, 47.100.18.171, 47.100.0.176, 139.224.8.64, 101.132.70.106, 101.132.156.228, 106.15.36.12, 139.196.168.125, 47.101.178.223, and 47.101.220.176 | 100.104.43.0/26 |
  | China (Qingdao) | 47.104.111.68 | 100.104.87.192/26 |
  | China (Beijing) | 47.95.202.245 | 100.104.114.192/26 |
  | China (Zhangjiakou) | 39.99.229.195 | 100.104.187.64/26 |
  | China (Hohhot) | 39.104.147.68 | 100.104.36.0/26 |
  | China (Shenzhen) | 120.78.64.225 | 100.104.250.64/26 |
  | China (Guangzhou) | 8.134.118.184 | 100.104.111.0/26 |
  | China (Hong Kong) | 8.218.59.176 | 100.104.130.128/26 |
  | Japan (Tokyo) | 47.74.24.20 | 100.104.69.0/26 |
  | Singapore | 8.219.240.137 | 100.104.67.64/26 |
  | US (Silicon Valley) | 47.254.39.224 | 100.104.145.64/26 |
  | US (Virginia) | 47.252.4.238 | 100.104.36.0/26 |
  | Germany (Frankfurt) | 47.254.158.71 | 172.16.0.0/20 |
  | UK (London) | 8.208.14.12 | 172.16.0.0/20 |
  | Indonesia (Jakarta) | 149.129.238.99 | 100.104.193.128/26 |
- Go to the connection configuration page:
  - Go to the Security Center console > Agent Security Center > Agent Overview. In the upper-left corner of the page, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
  - In the Connected Platforms section, click Dify.
  - In the Dify connection panel, click the connection button.
    - For a first-time connection, click Integrate Now as prompted.
    - For subsequent connections, go to the Import Account area and click the Add Asset button.
- Enter connection information: In the connection dialog box, configure the following parameters.
  - Common parameters
    - Username: Enter a descriptive name. The name can be up to 128 characters long.
    - Access Method:
      - Public Access: Select this option if Dify is deployed on the public network and accessible over the Internet.
      - VPC: Select this option if Dify is deployed on a private network and is not accessible over the Internet.
        Important: VPC access is supported only if Dify is deployed on an Alibaba Cloud ECS instance.
    - Region: The region where your Dify server is deployed.
    - API Address: The URL used to log on to Dify. You can enter a public IP address (for example, http://192.xx.xx.xx:port), a domain name (for example, https://dify.test.cn), or a Server Load Balancer endpoint (for example, http://alb-04*****5a.cn-beijing.alb.aliyuncsslb.com).
    - Email: Enter the email address used to log on to the Dify platform.
    - Password: The logon password for the Dify platform.
      Note: Passwords are encrypted and stored for identity verification purposes only.
  - VPC:
    Note: You can find the VPC information in the Configuration Information section of the ECS instance details page.
    - VPC ID: The VPC ID bound to the ECS instance that hosts Dify.
    - Internal IP Address: The private IP address of the ECS instance that hosts Dify.
    - Port: The port used to access the Dify service.
- After you configure the connection, click Next to go to the Test Connection page.
- Click Test Connection. If the test is successful, click Asset synchronization.
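As an added example (not code from the Alibaba Cloud documentation), the following Python helper turns the Dify whitelist table above into a lookup keyed by region and Access Method, and checks whether a source address seen in Dify's logon records is one of the expected Security Center addresses for that region. The region and Access Method strings are assumed to be spelled as they appear in the table and the connection panel.

```python
import ipaddress

# Whitelist table above, transcribed as {region: ([public IPs], private range)}
SECURITY_CENTER_SOURCES = {
    "China (Hangzhou)": (["47.96.166.214"], "100.104.12.64/26"),
    "China (Shanghai)": (["139.224.15.48", "101.132.180.26", "47.100.18.171",
                          "47.100.0.176", "139.224.8.64", "101.132.70.106",
                          "101.132.156.228", "106.15.36.12", "139.196.168.125",
                          "47.101.178.223", "47.101.220.176"], "100.104.43.0/26"),
    "China (Qingdao)": (["47.104.111.68"], "100.104.87.192/26"),
    "China (Beijing)": (["47.95.202.245"], "100.104.114.192/26"),
    "China (Zhangjiakou)": (["39.99.229.195"], "100.104.187.64/26"),
    "China (Hohhot)": (["39.104.147.68"], "100.104.36.0/26"),
    "China (Shenzhen)": (["120.78.64.225"], "100.104.250.64/26"),
    "China (Guangzhou)": (["8.134.118.184"], "100.104.111.0/26"),
    "China (Hong Kong)": (["8.218.59.176"], "100.104.130.128/26"),
    "Japan (Tokyo)": (["47.74.24.20"], "100.104.69.0/26"),
    "Singapore": (["8.219.240.137"], "100.104.67.64/26"),
    "US (Silicon Valley)": (["47.254.39.224"], "100.104.145.64/26"),
    "US (Virginia)": (["47.252.4.238"], "100.104.36.0/26"),
    "Germany (Frankfurt)": (["47.254.158.71"], "172.16.0.0/20"),
    "UK (London)": (["8.208.14.12"], "172.16.0.0/20"),
    "Indonesia (Jakarta)": (["149.129.238.99"], "100.104.193.128/26"),
}


def whitelist_for(region, access_method):
    """Networks to allow for a region and the Access Method chosen in the panel.

    "Public Access" -> the region's public IPs (as /32 networks);
    "VPC" -> the region's private range (ECS-hosted deployments only).
    """
    if region not in SECURITY_CENTER_SOURCES:
        raise ValueError(f"unknown region: {region!r}")
    public_ips, private_range = SECURITY_CENTER_SOURCES[region]
    if access_method == "Public Access":
        return [ipaddress.ip_network(ip) for ip in public_ips]
    if access_method == "VPC":
        return [ipaddress.ip_network(private_range)]
    raise ValueError(f"unknown access method: {access_method!r}")


def is_expected_source(src_ip, region, access_method):
    """True if src_ip (e.g. from a Dify logon record) is a Security Center address.

    Logons with the connection account from any other address are not asset
    syncs and are worth reviewing.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in whitelist_for(region, access_method))
```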
Connect VolcEngine AgentKit
- In the Connected Platforms section, click AgentKit.
- In the AgentKit connection panel, click the connection button. You are then redirected to Multi-cloud Configuration Management.
  - For a first-time connection, click Configure as prompted.
  - For subsequent access, click the Configure Asset button in the Import Account section.
- On the tab, add authorization for Volcano Engine. For more information, see Connect VolcEngine assets using an AccessKey.
  - Permission Description: Select CSPM.
  - VolcEngine permission policies: IAMReadOnlyAccess, AgentKitReadOnlyAccess, IDReadOnlyAccess, ECSReadOnlyAccess, and ArkReadOnlyAccess.
Connect OpenClaw
- On the server where OpenClaw is deployed, install the Security Center client. For more information, see Install the client.
- After the client is installed, it automatically syncs your OpenClaw assets.
Manage Connected Platforms
- Manage workspaces or accounts:
  - Alibaba Cloud Model Studio: You can modify or remove workspaces by following these steps:
    Important: When you remove a workspace, the system immediately deletes all related assets and alerts. Proceed with caution.
    - You cannot modify or remove workspaces directly from the Security Center console. You must go to the Global Management menu (Singapore | US (Virginia) | Beijing | China (Hong Kong)). For more information, see Manage workspace permissions.
    - After you make changes in the Alibaba Cloud Model Studio console, you must manually run Sync Assets immediately.
  - PAI: You cannot modify or remove workspaces directly from the Security Center console.
    - Go to PAI > Workspaces. For more information, see Create and manage workspaces and Delete a workspace.
    - After you make changes in the PAI console, you must manually run Sync Assets.
  - Dify: You can modify or remove connected accounts directly from the Security Center console.
    - On the Agent Overview page, go to the Connected Platforms section and click Dify.
    - In the Dify connection panel, perform the following actions:
      - Delete: Click the delete icon next to the target account.
        Important: When you delete an account, the system immediately deletes all related assets and alerts. Proceed with caution.
      - Edit: Click the edit icon for the target account. Then, follow the connection configuration instructions to update the settings and test the connection.
  - AgentKit: You cannot modify or remove connected accounts directly from the Agent Security Center console. Go to the tab to manage them.
- Asset synchronization:
  - When to use: Manually trigger an asset synchronization when data changes on the connected platforms. For example, you may need to run a manual sync after you add a new PAI workspace, update application configurations, or change models.
    Note: The system performs an automatic synchronization once per day.
  - Procedure: On the Agent Overview page, go to the Connected Platforms section and click Asset synchronization in the upper-right corner.