Seven steps to AI supply chain visibility — before a breach forces the issue

· Source: VentureBeat · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, medium

Summary

Enterprise AI adoption has outrun visibility: 62% of surveyed security practitioners cannot track LLM usage across their organizations, even as 40% of enterprise applications are expected to ship task-specific AI agents this year. That gap is showing up in attack data, with practitioners reporting rises in prompt injection (76%), vulnerable LLM code (66%) and jailbreaking (65%). IBM's 2025 Cost of a Data Breach report found that 13% of organizations had suffered a breach of an AI model or application, that 97% of those lacked proper AI access controls, and that incidents involving shadow AI added roughly $670,000 to breach costs. Traditional software SBOMs do not map cleanly onto AI models: runtime dependencies are dynamic, and the common artefact formats are themselves executable. A pickle-based checkpoint (still the default output of torch.save) can run arbitrary code the moment it is loaded, so the loading step, not just the weights, is part of the attack surface. SafeTensors, a pure-data format, removes that class of risk, but adoption remains slow. Standards such as CycloneDX 1.6 (ML-BOM) and SPDX 3.0 (AI profile) can express model provenance, yet few organizations treat their rollout as urgent, leaving AI supply chain exposure to grow.

Key takeaway

Directors of AI/ML and AI security engineers facing these risks should treat model visibility and governance as work for now, not as a post-incident project. Start with the seven steps for AI supply chain visibility, leading with a complete model inventory, a SafeTensors mandate for new deployments, and an ML-BOM pilot on models already in production. Doing this before a breach reduces exposure to compromised artefacts and to regulatory fines, and turns incident response into a lookup against known inventory rather than a reactive scramble once an event forces the issue.

Key insights

AI supply chain visibility is a security prerequisite, and neither current enterprise practice nor traditional software SBOMs account for model artefacts whose dependencies are dynamic and whose file formats can execute code on load.

Method

Work through seven steps in order: (1) build a model inventory of every model the organization pulls, fine-tunes or serves; (2) redirect shadow AI usage into sanctioned, monitored paths rather than only blocking it; (3) put a human approval workflow in front of new model introductions; (4) mandate SafeTensors for new deployments so that loading a checkpoint cannot execute code; (5) pilot ML-BOMs (CycloneDX 1.6 or SPDX 3.0) for models already in production; (6) verify every model pull rigorously before it reaches a loader; and (7) write AI governance obligations into vendor contracts.
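The following is an added example, written for this page and not code from the VentureBeat article or the AIssential summary. It ties steps (4) and (6) to the pickle point made in the Summary: a constructed pickle checkpoint runs code when loaded, a static opcode scan spots the dangerous import before any load, a safetensors artefact can be validated without executing anything, and a pull-time gate accepts an artefact only when it parses as safetensors and matches a pinned digest. Everything in it is constructed for the demonstration: the checkpoint, the tensors, the pinned digest and the PICKLE_DEMO_RAN environment marker. No model hub is contacted, and the payload only sets an environment variable where a real one would call os.system.

```python
# Added example (not from the VentureBeat article or the AIssential summary).
# Constructed data throughout: pickle checkpoint with a benign payload, a tiny
# safetensors file, a pinned digest and an environment-variable marker.
import hashlib
import json
import os
import pickle
import pickletools
import struct

MARKER = "PICKLE_DEMO_RAN"  # constructed marker so the payload's effect is observable


class PoisonedConfig:
    """Innocent-looking config object whose __reduce__ makes pickle call exec()
    during loading. A real payload would call os.system; this one sets an env var."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_pickle_model() -> bytes:
    """A 'weights file' in pickle format with the payload buried in metadata."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "config": PoisonedConfig()})


def pickle_imports(blob: bytes) -> list[str]:
    """Static scan: list every module.attr the pickle would import, without running
    it. GLOBAL carries 'module name' inline; STACK_GLOBAL (protocol 4+) takes the
    two most recent string opcodes off the stack."""
    imports, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            mod, name = arg.split(" ", 1)
            imports.append(f"{mod}.{name}")
        elif op.name == "STACK_GLOBAL":
            imports.append(f"{strings[-2]}.{strings[-1]}")
    return imports


def load_pickle_unsafely(blob: bytes) -> dict:
    """What pickle.load (and a default torch.load) effectively does: deserialize and hope."""
    return pickle.loads(blob)


def payload_ran() -> bool:
    return os.environ.get(MARKER) == "1"


# safetensors layout: 8-byte little-endian header length, JSON header, raw tensor bytes
def build_safetensors(tensors: dict[str, list[float]]) -> bytes:
    header, data, offset = {}, bytearray(), 0
    for name, values in tensors.items():
        raw = struct.pack(f"<{len(values)}f", *values)
        header[name] = {"dtype": "F32", "shape": [len(values)],
                        "data_offsets": [offset, offset + len(raw)]}
        data += raw
        offset += len(raw)
    header["__metadata__"] = {"format": "pt"}
    hjson = json.dumps(header).encode()
    return struct.pack("<Q", len(hjson)) + hjson + bytes(data)


def inspect_safetensors(blob: bytes) -> dict:
    """Parse and validate the header. json.loads only yields data, so nothing here
    can execute code. Raises ValueError on a malformed artefact."""
    if len(blob) < 8:
        raise ValueError("too short for a safetensors header")
    (hlen,) = struct.unpack("<Q", blob[:8])
    if hlen > 100_000_000 or 8 + hlen > len(blob):  # same cap the safetensors library uses
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + hlen])
    tensors = {k: v for k, v in header.items() if k != "__metadata__"}
    end = 0
    for name, spec in sorted(tensors.items(), key=lambda kv: kv[1]["data_offsets"][0]):
        start, stop = spec["data_offsets"]
        if start != end or stop < start:
            raise ValueError(f"{name}: data_offsets not contiguous")
        end = stop
    if end != len(blob) - 8 - hlen:
        raise ValueError("tensor data does not cover the payload exactly")
    return {"tensors": sorted(tensors), "metadata": header.get("__metadata__", {})}


def verify_pull(blob: bytes, pinned_sha256: str) -> dict:
    """Pull-time gate: the artefact must parse as safetensors AND match the digest
    recorded in the model inventory. A pickle artefact never reaches a loader."""
    digest = hashlib.sha256(blob).hexdigest()
    result = {"sha256": digest, "digest_ok": digest == pinned_sha256,
              "format_ok": False, "pickle_imports": []}
    try:
        inspect_safetensors(blob)
        result["format_ok"] = True
    except (ValueError, KeyError, TypeError):  # JSON/Unicode decode errors are ValueErrors
        try:
            result["pickle_imports"] = pickle_imports(blob)  # report what it would import
        except Exception:
            pass
    result["accepted"] = result["digest_ok"] and result["format_ok"]
    return result


if __name__ == "__main__":
    bad = build_pickle_model()
    print("pickle would import:", pickle_imports(bad))
    load_pickle_unsafely(bad)
    print("payload ran on load:", payload_ran())
    good = build_safetensors({"layer.weight": [0.5, -0.25], "layer.bias": [1.0]})
    pinned = hashlib.sha256(good).hexdigest()  # what the model inventory would pin
    print(inspect_safetensors(good)["tensors"])
    print(verify_pull(good, pinned)["accepted"], verify_pull(bad, pinned)["accepted"])
```

Run as a script, the static scan reports builtins.exec before anything is deserialized, pickle.loads then sets the marker, and verify_pull accepts the safetensors artefact only when both the format check and the pinned digest pass; a truncated or byte-flipped copy, or the pickle file, is rejected. The sha256 and tensor names that verify_pull and inspect_safetensors return are the kind of per-artefact fields a model inventory, and later an ML-BOM pilot, would record.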

Best for: AI Security Engineer, MLOps Engineer, Director of AI/ML

Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.