Key insight
A supply-chain attack targets something you already trust, not you directly, riding in through a door you willingly left open. AI models and their training data are two new links in that same chain: a model trained on data nobody personally verified is a supplier, and a subtly poisoned training set can shape behavior no code review would ever catch.
A supply chain, in the everyday sense, is every step and every supplier involved in getting a finished product into your hands. A supply-chain attack applies the exact same idea to security: instead of attacking you directly, an attacker targets one of the suppliers you already trust, and rides in through the door you willingly left open for them.
1 · The everyday idea of a supply chain
Every piece of outside code, every software library, every vendor tool, and every automatic update your own systems rely on is a link in a chain, and you generally trust every one of them without personally re-checking their work yourself. This is not carelessness; refusing to trust any outside code or vendor at all would make it practically impossible to build anything useful in a reasonable amount of time. The trust itself is completely ordinary and necessary. The risk lives in what happens if one trusted link is quietly compromised.
2 · Trusting a vendor versus verifying their code
Here is the distinction that matters most: trusting a vendor as a company, one you have every good reason to trust, is a completely different thing from verifying that one specific piece of code they shipped you today was not quietly tampered with somewhere between their computer and yours. Most teams do the first and skip the second, entirely reasonably, because doing the second for absolutely everything would be its own enormous, ongoing burden.
3 · A worked example: one tampered software update
A widely used software vendor is compromised, and an attacker quietly inserts malicious code into the vendor’s next routine update, before it is signed and shipped out. Every customer who trusts that vendor, which is nearly all of them, and who applies updates promptly, which is normally excellent practice, automatically installs the tampered version. None of those customers did anything wrong. The compromise happened one link upstream, at the vendor, and every customer downstream inherited it simply by trusting a supplier they had every reasonable ground to trust.
4 · Two new links: the model and its training data
Artificial intelligence brings two new links into this same chain that traditional software supply chains never had to consider. The model itself, trained by someone else on data you did not personally inspect, is now a supplier you are trusting, the same way you trust a software vendor. And the training data behind that model is a supplier’s supplier, one link further back, that almost nobody ever directly verifies at all. A subtly poisoned training set can quietly shape a model’s behavior in a way no line of ordinary code review would ever catch, because the resulting flaw lives in the model’s learned patterns, not in any reviewable line of source code.
5 · Defending the chain on purpose
- Verify, do not just trust. Check cryptographic signatures on updates and packages where practical, rather than installing purely on reputation.
- Track your dependencies. Know what libraries, tools, and models your systems actually rely on, so a reported compromise can be checked against your own list quickly.
- Ask about training data provenance. Where practical, understand what a model was trained on, and by whom, before depending on it for anything sensitive.
- Have a plan for a trusted supplier going bad. Assume it will eventually happen to at least one link, and know how you would find out and respond.
6 · A simple test you can run this week
1. List every outside library, tool, and AI model one important system depends on.
2. For each one, ask how you would find out if it were compromised.
3. If the honest answer is "we would not," that link is currently unmonitored.
4. Add a monitoring or verification step for your weakest link.
7 · Glossary — every short-form term, spelled out
- Supply-chain attack
- An attack that targets something you already trust and depend on, rather than targeting you directly.
- Dependency
- An outside piece of code, library, tool, or model your own system relies on to function.
- Training data
- The information used to teach an AI model its behavior, a supplier's supplier one link further back than the model itself.
A supply-chain attack targets a trusted supplier, not you directly, and rides in through a door you willingly left open.
Trusting a vendor as a company differs from verifying one specific delivery from them.
AI adds two new links: the model itself, and the training data behind it.
Verify where practical, track dependencies, and have a plan for a trusted link eventually going bad.
References
- NIST Special Publication 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices, National Institute of Standards and Technology. csrc.nist.gov
- This guide’s Supply-Chain Trust field guide — judging third-party code, packages, and models before trusting them.