AI Supply Chain Risk
What is AI Supply Chain Risk?
AI Supply Chain Risk: The set of threats arising from the third-party datasets, base models, libraries, plug-ins, and infrastructure that organisations combine to build and deploy AI systems.
Modern AI is rarely built from scratch. Teams pull base models from Hugging Face, fetch datasets from public crawls, install Python and Node packages, integrate with vector databases, and consume hosted-model APIs. Each link is a supply-chain risk: poisoned or backdoored model weights, malicious pickle files, typosquatted PyPI packages, prompt-injection payloads embedded in datasets, dependency confusion, compromised plug-ins, and unsafe inference infrastructure. The OWASP LLM Top 10 explicitly calls out supply-chain vulnerabilities, while NIST AI 100-2 and the EU AI Act push for traceability. Controls include AIBOMs, signed model artefacts (Sigstore for models, Model Signing Spec), provenance tracking, sandboxed loading of weights, dependency pinning, and continuous monitoring of upstream registries.
● Examples
- 01: A Hugging Face model uploaded with a malicious pickle payload that executes code when loaded.
- 02: A vector database client library typosquatted on PyPI that exfiltrates API keys during install.
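As an added defensive example (not code from the original page), here is one concrete form of the "sandboxed loading of weights" control mentioned above, applied to example 01: inspect a pickle-based checkpoint's opcode stream with Python's pickletools and refuse to load it if it references any global outside an allowlist, before any unpickling happens. The allowlist, the two sample pickles and the use of `math.sqrt` as a stand-in for an unexpected global are constructed for illustration.

```python
import io
import math
import pickle
import pickletools
from collections import OrderedDict

# Illustrative allowlist for a plain PyTorch state_dict (constructed for this
# example; derive a real one from the classes your loader legitimately needs).
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[str]:
    """List every module.name the stream would import, without unpickling it."""
    found, recent, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        pushed = None                               # string this opcode pushes, if any
        if op.name in STRING_OPS:
            pushed = arg
        elif op.name in ("GLOBAL", "INST"):         # protocol <= 3: "module name" inline
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":             # protocol 4+: operands come from the stack
            found.append(f"{recent[-2]}.{recent[-1]}")
        elif op.name == "MEMOIZE":                  # memo entries resolve later GETs
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)
        if pushed is not None:
            recent.append(pushed)
        last = pushed
    return found

def unsafe_globals(data: bytes) -> list[str]:
    """Globals outside the allowlist; a non-empty result means: do not load."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]

def sample_benign() -> bytes:
    """Constructed stand-in for a clean state_dict (a real one holds tensors)."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)

def sample_suspicious(protocol: int = 4) -> bytes:
    """Constructed sample that drags in a global a weights file never needs."""
    return pickle.dumps({"layer.weight": [0.1], "hook": math.sqrt}, protocol=protocol)
```

Running `unsafe_globals` on a downloaded `.bin`/`.pkl` before `torch.load` turns "the loader imports whatever the file names" into an explicit allow decision; safetensors or signed artefacts remove the question entirely.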
● Frequently asked questions
What is AI Supply Chain Risk?
The set of threats arising from the third-party datasets, base models, libraries, plug-ins, and infrastructure that organisations combine to build and deploy AI systems. It belongs to the AI & ML Security category of cybersecurity.
What does AI Supply Chain Risk mean?
The set of threats arising from the third-party datasets, base models, libraries, plug-ins, and infrastructure that organisations combine to build and deploy AI systems.
How does AI Supply Chain Risk work?
Modern AI is rarely built from scratch. Teams pull base models from Hugging Face, fetch datasets from public crawls, install Python and Node packages, integrate with vector databases, and consume hosted-model APIs. Each link is a supply-chain risk: poisoned or backdoored model weights, malicious pickle files, typosquatted PyPI packages, prompt-injection payloads embedded in datasets, dependency confusion, compromised plug-ins, and unsafe inference infrastructure. The OWASP LLM Top 10 explicitly calls out supply-chain vulnerabilities, while NIST AI 100-2 and the EU AI Act push for traceability. Controls include AIBOMs, signed model artefacts (Sigstore for models, Model Signing Spec), provenance tracking, sandboxed loading of weights, dependency pinning, and continuous monitoring of upstream registries.
How do you defend against AI Supply Chain Risk?
Defences for AI Supply Chain Risk combine technical controls and operational practices: an AIBOM that inventories every dataset, base model, library and plug-in; signed model artefacts (Sigstore for models, Model Signing Spec) with provenance tracking; sandboxed loading of weights; dependency pinning; and continuous monitoring of upstream registries, as listed in the full definition above.
What are other names for AI Supply Chain Risk?
Common alternative names include: AI/ML supply-chain risk, Model supply chain.
● Related terms
- ai-security № 025: AI Bill of Materials (AIBOM)
A machine-readable inventory of every component that goes into an AI system — datasets, base models, fine-tuning data, libraries, prompts, and evaluation artifacts — used for security, compliance, and accountability.
- attacks № 1116: Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- ai-security № 281: Data Poisoning
An attack on a machine-learning system in which adversaries inject, alter, or relabel training data so the resulting model behaves incorrectly or contains hidden backdoors.
- ai-security № 081: Backdoor Attack (ML)
A training-time attack that implants a hidden behaviour in a model so it acts normally on clean inputs but produces an attacker-chosen output whenever a secret trigger appears.
- ai-security № 691: MLSecOps
The discipline of integrating security and risk controls across the entire machine-learning lifecycle, from data sourcing through training, deployment, monitoring, and retirement.
- ai-security № 1026: Shadow AI
The use of AI tools, models, or services by employees without the knowledge or approval of an organisation's security, privacy, or governance functions.
● See also
- № 528 Indirect Prompt Injection
- № 703 Model Extraction
- № 777 OWASP LLM Top 10
- № 028 AI Hallucination
- № 1123 Synthetic Media
- № 898 RAG Security
- № 729 Nightshade Attack
- № 391 EU AI Act