The collection of models, tools, plugins, prompts, memory stores, and middleware that an AI agent depends on to operate. Weaknesses in this chain can introduce hidden instructions, poisoned context, or exposed secrets, so security teams need inventory, trust validation, and isolation controls across the entire path.
Expanded Definition
An agentic supply chain is the full dependency path that gives an AI agent its authority and context: models, prompts, tools, plugins, memory stores, middleware, and the NHI credentials behind each connection. In practice, it is the agent equivalent of a software supply chain, but with far more dynamic trust boundaries.
Definitions vary across vendors, and no single standard governs this yet, so security teams should treat the term as an operational construct rather than a fixed product category. The most useful way to define it is by trust impact: if a dependency can change the agent’s output, actions, or reach, it belongs in the supply chain. That framing aligns with the risk patterns described in the OWASP Agentic AI Top 10 and the governance lens used by the NIST AI Risk Management Framework.
Unlike traditional application supply chains, agentic supply chains can mutate at runtime when an agent loads new tools, retrieves fresh context, or follows instructions embedded in external content. The most common misapplication is to secure the base model while ignoring tool plugins, retrieval sources, and memory stores, which occurs when teams assume the agent’s real risk stops at the model endpoint.
Examples and Use Cases
Implementing agentic supply chain controls rigorously often introduces integration friction, requiring organisations to weigh autonomous workflow speed against tighter trust validation and isolation.
- A customer support agent uses a ticketing plugin, a vector database, and a CRM connector. If the connector is over-permissioned, a poisoned prompt can turn routine retrieval into data exfiltration.
- A coding agent pulls dependencies from package registries and internal prompt libraries. The Shai Hulud npm malware campaign shows how upstream compromise can carry hidden instructions or secret-harvesting logic into downstream workflows.
- An internal analyst agent reads documents from shared drives and memory stores. A single tainted source can inject false context that changes decisions, even if the underlying model is trustworthy.
- A DevOps agent uses CI tools and deployment middleware to open pull requests. If its NHI credentials are not isolated, the agent can inherit broad repository access and expand blast radius across environments.
- Security teams may benchmark these paths against the OWASP Non-Human Identity (NHI) Top 10 to identify where secrets, workload identity, and agent tool access overlap.
NHIMG research on the AI LLM hijack breach and the MITRE ATLAS adversarial AI threat matrix both reinforce the same lesson: the dependency path is often the attack path, not just the model itself.
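The controls the scenarios above call for (an inventory of every dependency, trust validation of what the agent loads, and per-link credential isolation) can be reduced to a small tool-execution gate. The following is an added example, not code from the original page or any vendor; the inventory schema, vault paths, scopes, and plugin bodies are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    """One link in the agent's supply chain (constructed schema)."""
    name: str
    kind: str             # "tool", "connector", "memory", "prompt", ...
    sha256: str           # pinned digest of the artifact the agent loads
    credential: str       # NHI secret reference dedicated to this link
    scopes: frozenset     # least-privilege actions this link may perform

def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()

# Constructed stand-ins for a CRM plugin body and a retrieval-store config.
CRM_PLUGIN = b"def lookup(ticket_id): return crm.get(ticket_id)"
VECTOR_CFG = b"collection=support-kb read_only=true"

INVENTORY = {
    "crm_connector": Dependency("crm_connector", "connector", digest(CRM_PLUGIN),
                                "vault://support-agent/crm-ro", frozenset({"crm:read_ticket"})),
    "kb_retrieval": Dependency("kb_retrieval", "memory", digest(VECTOR_CFG),
                               "vault://support-agent/kb-ro", frozenset({"kb:search"})),
}

def authorize(tool: str, action: str, artifact: bytes) -> tuple[bool, str]:
    """Gate one tool invocation: inventoried, unmodified, and in scope."""
    dep = INVENTORY.get(tool)
    if dep is None:
        return False, "not in inventory"        # tool loaded at runtime, never validated
    if digest(artifact) != dep.sha256:
        return False, "digest mismatch"         # upstream artifact changed since review
    if action not in dep.scopes:
        return False, f"{action} exceeds scope of {dep.credential}"
    return True, "ok"

def shared_credentials(inventory: dict) -> set[str]:
    """Isolation check: an NHI credential reused by two links widens blast radius."""
    seen, shared = set(), set()
    for dep in inventory.values():
        if dep.credential in seen:
            shared.add(dep.credential)
        seen.add(dep.credential)
    return shared

if __name__ == "__main__":
    print(authorize("crm_connector", "crm:read_ticket", CRM_PLUGIN))        # routine retrieval
    print(authorize("crm_connector", "crm:export_all", CRM_PLUGIN))         # request from poisoned context
    print(authorize("crm_connector", "crm:read_ticket", CRM_PLUGIN + b"#")) # tampered upstream plugin
    print(shared_credentials(INVENTORY))
```

A request that exceeds a connector's declared scope is refused regardless of which prompt or retrieved document asked for it, which is the property that keeps an over-permissioned connector from turning retrieval into exfiltration.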
Why It Matters in NHI Security
Agentic supply chain risk matters because each dependency can carry its own identity, permissions, and failure mode. When those dependencies are fragmented, security teams lose visibility into where secrets live, which tools are trusted, and how far an agent can move once compromised. In NHI security, that is not a theoretical concern. It is a control gap.
NHIMG research from The State of Secrets in AppSec reports that organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control. That fragmentation becomes especially dangerous when an agent can retrieve secrets from multiple stores, reuse stale context, or inherit access through middleware. The risk is amplified by concerns captured in the OWASP Agentic Applications Top 10, where hidden instructions and unsafe tool use are recurring failure modes.
Practitioners should also align with the CSA AI Agent Disclosure Accountability Gap whitepaper and Anthropic's report on the first AI-orchestrated cyber espionage campaign to understand how agent autonomy changes threat modeling. Organisations typically encounter the operational consequences only after a tool misuse, secret leak, or poisoned retrieval event forces them to trace the entire chain, at which point agentic supply chain controls become operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Covers tool use, prompt injection, and agent dependency risks in agentic apps. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses secret handling and NHI exposure across agent workflows. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification of services, identities, and access paths. |
Inventory every agent dependency and restrict tool execution to validated, least-privilege paths.