TKOResearch
OWASP LLM Top 10 guide

LLM03:2025

Supply Chain

Supply chain risk covers compromised or unreviewed models, datasets, plugins, packages, MCP servers, prompts, templates, infrastructure, and vendors used by the AI application.

Step 01: Input → Step 02: Model → Step 03: Tool / Data → Step 04: Impact

What it is

The AI system depends on components whose provenance, permissions, behavior, or update path is not controlled well enough for the application's risk level.

Why it matters

AI supply chain issues can introduce unsafe model behavior, hidden data paths, compromised tooling, unreviewed connectors, and vendor dependencies that cannot be reviewed or rolled back on the enterprise's terms.

Failure path

How it usually fails.

A useful review breaks this chain before the system reaches production data, tools, or customer-facing decisions.

Path 01

Compromise a dependency, model artifact, connector, dataset, package, or prompt template.

Path 02

Wait for the application to ingest or execute that component inside trusted workflows.

Path 03

Abuse inherited trust to change outputs, access data, or trigger downstream actions.

Defenses

Controls worth checking.

The strongest controls are enforced outside the model and can be retested after a prompt, model, or workflow change.

Control 01

Inventory AI components

Track model providers, model versions, datasets, embedding models, MCP servers, plugins, packages, prompts, and runtime services.

Control 02

Verify provenance and updates

Pin exact versions, verify signatures or content hashes against a record you keep with the application (not one fetched from the same source as the artifact), review release channels, and stage upgrades in a test environment before production rollout.

Control 03

Limit inherited authority

Do not let a third-party model, connector, or plugin inherit broad data or tool access by default; grant each component an explicit, minimal scope and treat any request beyond it as a review finding, not a runtime decision.
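Controls 01 to 03 are one procedure: record what you depend on, pin and verify it, and bound what it may touch. The following is an added example, not code from the TKOResearch page or from OWASP. It keeps a small component inventory with pinned versions, recorded SHA-256 digests, an owner and a scope allowlist, and runs the checks a build or deploy step would run against it. Every component name, version, scope and artifact in it is constructed for illustration.

```python
"""Added example for the three controls above (not code from the TKOResearch
page). It keeps a small component inventory with pinned versions, expected
SHA-256 digests, an owner and a scope allowlist, and runs the checks a build
or deploy step would run against it. Every component name, version, scope
and artifact here is constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str           # model, dataset, embedding, mcp_server, plugin, package, prompt
    version: str        # must be an exact pin, never a range or a floating tag
    sha256: str         # digest recorded at review time, kept with the app, not fetched
    scopes: frozenset   # data/tool scopes the component is allowed to use
    owner: str = ""     # team accountable for updates and rollback


# Floating tags and range operators mean the component can change underneath you.
UNPINNED = re.compile(r"^(latest|main|master|\*)$|^[\^~<>=]")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pinned(version: str) -> bool:
    """True only for an exact version string."""
    return bool(version) and UNPINNED.search(version) is None


def verify_artifact(component: Component, artifact: bytes) -> bool:
    """Compare the shipped bytes against the digest recorded in the inventory."""
    return hmac.compare_digest(sha256_hex(artifact), component.sha256)


def excess_scopes(component: Component, requested) -> set:
    """Scopes a component asks for at runtime that its allowlist does not grant."""
    return set(requested) - set(component.scopes)


def review(manifest, artifacts, requests) -> list:
    """Return every finding that should block a rollout, sorted for stable diffs.

    artifacts: name -> bytes actually present in the build
    requests:  name -> scopes the component asks for at load time
    """
    findings = []
    for c in manifest:
        if not c.owner:
            findings.append(f"{c.name}: no owner recorded")
        if not is_pinned(c.version):
            findings.append(f"{c.name}: unpinned version {c.version!r}")
        data = artifacts.get(c.name)
        if data is None:
            findings.append(f"{c.name}: artifact missing from build")
        elif not verify_artifact(c, data):
            findings.append(f"{c.name}: digest mismatch")
        extra = excess_scopes(c, requests.get(c.name, ()))
        if extra:
            findings.append(f"{c.name}: requests scopes outside allowlist: {sorted(extra)}")
    return sorted(findings)


# Constructed stand-ins for real artifacts (weights, dataset, MCP bundle).
MODEL_BYTES = b"constructed model weights v1.4.2"
DATASET_BYTES = b"constructed eval dataset snapshot"
TOOL_BYTES = b"constructed mcp server bundle 0.9.1"

MANIFEST = [
    Component("summarizer-model", "model", "1.4.2", sha256_hex(MODEL_BYTES),
              frozenset({"read:tickets"}), owner="ml-platform"),
    Component("eval-dataset", "dataset", "latest", sha256_hex(DATASET_BYTES),
              frozenset(), owner="ml-platform"),
    Component("crm-mcp", "mcp_server", "0.9.1", sha256_hex(TOOL_BYTES),
              frozenset({"read:crm"})),          # no owner recorded
]

# What the build actually contains: the MCP bundle was altered after review.
ARTIFACTS = {
    "summarizer-model": MODEL_BYTES,
    "eval-dataset": DATASET_BYTES,
    "crm-mcp": TOOL_BYTES + b"\x00",
}

# What the components ask for at load time: the MCP server wants write access.
REQUESTS = {"crm-mcp": ["read:crm", "write:crm"]}

if __name__ == "__main__":
    for finding in review(MANIFEST, ARTIFACTS, REQUESTS):
        print(finding)
```

Run as-is it reports the altered MCP bundle, the missing owner, the extra `write:crm` scope and the floating `latest` dataset tag. The digests live in the manifest next to the application rather than in a file pulled from the same registry as the artifact, so an attacker who can replace the artifact cannot also replace the value it is checked against; running `review` again after any model, prompt or connector change is what makes the control retestable.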

Signals to review

  • Unpinned model, package, or connector versions in production.
  • MCP tools or plugins added without owner, scope, and rollback path.
  • Model or embedding changes without regression results.

Questions for your team

  • What model and connector versions are currently trusted?
  • Who approves prompt, plugin, MCP, model, or dataset changes?
  • Can a dependency update silently expand data or tool access?