AI Supply Chain Risk Management
What This Requires
Assess and manage risks in the AI supply chain including: foundation model dependencies, third-party APIs, training data provenance, and model hosting infrastructure. Require SBOMs or equivalent documentation.
Why It Matters
AI systems depend on complex supply chains (model vendors, cloud providers, data sources). A breach or failure upstream cascades to your systems. Proactive supply chain management reduces exposure to vendor incidents.
How To Implement
Map Dependencies
For each AI system, document: the foundation model (GPT-4, Claude, etc.), API provider, hosting (AWS/Azure/GCP), training data sources, and libraries (LangChain, Hugging Face). Create a dependency graph for critical systems.
Vendor Risk Tiers
Classify vendors by criticality (critical/high/medium/low). Critical vendors require: annual audits, incident notification SLA, disaster recovery plan review, exit strategy.
SBOM or Model Card
For custom models, generate an SBOM listing training data, libraries, and dependencies. For vendor models, request a Model Card or equivalent documentation. Store these centrally with the asset inventory.
Continuous Monitoring
Subscribe to vendor status pages. Monitor security advisories for dependencies (CVEs, model poisoning reports). Test failover to backup vendor quarterly.
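The Map Dependencies, Vendor Risk Tiers and SBOM steps above, worked through as an added example (not code from the original page): the system inventory, vendor names and record schema are constructed, and the BOM uses the CycloneDX 1.5 component types for models and data.

```python
from collections import defaultdict

# Constructed sample inventory (assumed schema): one record per AI system.
SYSTEMS = [
    {"name": "support-chatbot", "criticality": "critical",
     "model": "vendor-a:llm-v1", "api": "vendor-a", "hosting": "cloud-x",
     "data": ["ticket-archive-2023"], "libraries": ["langchain==0.1.0"]},
    {"name": "doc-summarizer", "criticality": "high",
     "model": "vendor-a:llm-v1", "api": "vendor-a", "hosting": "cloud-y",
     "data": ["public-corpus"], "libraries": ["transformers==4.40.0"]},
    {"name": "spam-classifier", "criticality": "medium",
     "model": "internal:spam-v3", "api": None, "hosting": "cloud-x",
     "data": ["mail-sample-2022"], "libraries": ["scikit-learn==1.4.0"]},
]
TIER_CONTROLS = {  # controls the page requires per vendor tier
    "critical": ["annual audit", "incident notification SLA", "DR plan review", "exit strategy"],
    "high": ["incident notification SLA", "exit strategy"],
    "medium": ["status page monitoring"], "low": []}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def upstream_map(systems):
    """Invert the inventory: upstream node -> set of systems that depend on it."""
    deps = defaultdict(set)
    for s in systems:
        for node in [s["model"], s["api"], s["hosting"], *s["data"], *s["libraries"]]:
            if node:  # api is None for self-hosted models
                deps[node].add(s["name"])
    return deps

def blast_radius(systems, node):
    """Systems hit if one upstream node (vendor, model, dataset, library) fails."""
    return sorted(upstream_map(systems).get(node, set()))

def vendor_tiers(systems):
    """A vendor inherits the highest criticality of any system that depends on it."""
    tiers = {}
    for s in systems:
        for vendor in (s["api"], s["hosting"]):
            if vendor and RANK[s["criticality"]] > RANK.get(tiers.get(vendor), -1):
                tiers[vendor] = s["criticality"]
    return tiers

def ai_bom(system):
    """Minimal CycloneDX-style BOM: model, training data and libraries as components."""
    comps = [{"type": "machine-learning-model", "name": system["model"]}]
    comps += [{"type": "data", "name": d} for d in system["data"]]
    comps += [{"type": "library", "name": lib.split("==")[0],
               "version": lib.split("==")[1]} for lib in system["libraries"]]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": comps,
            "metadata": {"component": {"type": "application", "name": system["name"]}}}
```

Running `blast_radius(SYSTEMS, "vendor-a")` shows which systems an upstream incident at that vendor would cascade to, and `TIER_CONTROLS[vendor_tiers(SYSTEMS)[vendor]]` lists the contractual controls that tier needs.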
Evidence & Audit
- Supply chain dependency maps for critical AI systems
- Vendor classification by risk tier
- SBOMs or Model Cards for all custom and key vendor models
- Vendor contract terms requiring incident notification and audit rights
- Monitoring logs showing vendor status checks