Compromise a dependency, model artifact, connector, dataset, package, or prompt template.
LLM03:2025 Supply Chain
Supply chain risk covers compromised or unreviewed models, datasets, plugins, packages, MCP servers, prompts, templates, infrastructure, and vendors used by the AI application.
Attack path diagram: Step 01 Input -> Step 02 Model -> Step 03 Tool / Data -> Step 04 Impact.
What it is
The AI system depends on components whose provenance, permissions, behavior, or update path is not controlled well enough for the application's risk level.
Why it matters
AI supply chain issues can introduce unsafe model behavior, hidden data paths, compromised tooling, unreviewed connectors, and vendor dependencies that block enterprise review.
Failure path
How it usually fails.
A useful review breaks this chain before the system reaches production data, tools, or customer-facing decisions.
- Wait for the application to ingest or execute the compromised component inside trusted workflows.
- Abuse inherited trust to change outputs, access data, or trigger downstream actions.
Defenses
Controls worth checking.
The strongest controls are enforced outside the model and can be retested after a prompt, model, or workflow change.
- Inventory AI components: Track model providers, model versions, datasets, embedding models, MCP servers, plugins, packages, prompts, and runtime services.
- Verify provenance and updates: Pin versions, check signatures or hashes where practical, review release channels, and separate test upgrades from production rollout.
- Limit inherited authority: Do not let a third-party model, connector, or plugin inherit broad data or tool access by default.
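As an added example (not code from the original page or from OWASP), the following Python script applies the controls above to a constructed component inventory: it flags floating versions, missing owner, scope and rollback metadata, and recorded-hash mismatches for local artifacts. The inventory schema and the `demo()` data are assumptions made for this illustration.

```python
import hashlib
import tempfile

FLOATING = {"latest", "main", "master", "*", ""}  # floating refs count as unpinned

def sha256_file(path):
    """Hash a local artifact (model weights, plugin bundle) in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_component(entry, artifact_hash=None):
    """Return review findings for one inventory entry; an empty list passes."""
    findings = []
    if (entry.get("version") or "") in FLOATING:
        findings.append("unpinned version")
    if not entry.get("owner"):
        findings.append("no owner")
    if not entry.get("scope"):
        findings.append("no declared scope")
    if entry.get("kind") in ("mcp", "plugin") and not entry.get("rollback"):
        findings.append("no rollback path")
    if not entry.get("sha256"):
        findings.append("no recorded hash")
    elif artifact_hash is not None and artifact_hash != entry["sha256"]:
        findings.append("hash mismatch")
    return findings

def review(inventory, artifact_paths):
    """Map component name to findings, hashing local artifacts where a path is known."""
    report = {}
    for entry in inventory:
        path = artifact_paths.get(entry["name"])
        digest = sha256_file(path) if path else None
        report[entry["name"]] = check_component(entry, digest)
    return report

def demo():
    """Constructed artifact and inventory (assumed data, not from any real deployment)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as f:
        f.write(b"constructed model weights")
        weights_path = f.name
    inventory = [
        {"name": "embedding-model", "kind": "model", "version": "2.1.0", "owner": "ml-platform",
         "scope": ["read:docs"], "rollback": "2.0.3", "sha256": sha256_file(weights_path)},
        {"name": "crm-mcp-server", "kind": "mcp", "version": "latest", "owner": "",
         "scope": ["read:crm", "write:crm"], "rollback": "", "sha256": ""},
    ]
    return review(inventory, {"embedding-model": weights_path})
```

Run in CI against the real inventory and fail the pipeline on any non-empty findings list so that an unpinned or unowned connector cannot reach production unnoticed.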
Signals to review
- Unpinned model, package, or connector versions in production.
- MCP tools or plugins added without owner, scope, and rollback path.
- Model or embedding changes without regression results.
Questions for your team
- What model and connector versions are currently trusted?
- Who approves prompt, plugin, MCP, model, or dataset changes?
- Can a dependency update silently expand data or tool access?
