Artificial intelligence (AI) is increasingly embedded in critical systems across government, industry, and society. Most AI systems depend on a complex ecosystem of datasets, models, software libraries, and infrastructure sourced from multiple external actors. While this machine learning (ML) and AI supply chain enables rapid innovation through the reuse of existing components, it also introduces new and often underappreciated security risks. Vulnerabilities in widely used upstream components can propagate across many downstream systems, creating systemic exposure that is difficult to detect and contain.
The fifth report of the Pharos Series, authored by Max Smeets, Anna Sophie den Ouden, and James Shires, examines how security risks emerge within the machine learning and AI supply chain and what can be done to mitigate them. It makes three central arguments: many of the most significant AI security risks arise before deployment; scale and reuse amplify systemic risk; and effective mitigation depends on managing, not eliminating, interdependence.
To support this analysis, the report breaks the machine learning and AI supply chain into three levels: the data level, the model level, and the deployment level. Across these levels, malicious actors exploit trust, complexity, and limited visibility. They may involve poisoning training data, substituting malicious components, embedding hidden behaviours in models, or manipulating system inputs after deployment.
For policymakers, these dynamics have important implications. AI security cannot be addressed solely through regulation focused on model behaviour and outputs, or through post-deployment oversight alone. It also requires attention to upstream dependencies, development practices, and the broader ecosystem in which AI systems are built and maintained. This includes issues such as data governance, software supply-chain security, standards for documentation and provenance, the resilience of shared infrastructure, and mechanisms that improve visibility, verification, and accountability across different stages of AI development and deployment.
“Securing the AI supply chain depends on three core principles: visibility, control, and accountability.”
The report concludes that securing AI systems requires a shift in perspective – from viewing them as standalone technical artefacts to understanding them as part of a distributed and evolving supply chain. Managing risk in this environment will require coordinated action across technical, organisational, and policy domains. The objective is not to eliminate risk entirely, but to make risks more visible, constrain their impact, and strengthen resilience throughout the broader ecosystem.
Read the full report below.
This report is a part of the Pharos Series, a series shedding light on cybersecurity and emerging technology challenges. The series aims to offer clear expert insights helping policymakers, researchers, and practitioners navigate evolving threats.