The model supply chain is the set of external and internal components that shape an LLM application, including data sources, plugins, embeddings, APIs, and third-party services. Security teams must govern it as a trust surface because compromise can alter behaviour without changing the core model.
Expanded Definition
The model supply chain is broader than a model file or hosted endpoint. It includes the data pipelines, retrieval layers, plugins, tool connectors, embedding stores, APIs, and third-party services that influence what an LLM application can see and do. In NHI security, that means every upstream dependency can become part of the trust boundary, especially where service accounts, tokens, and automation credentials are used to bind those components together.
Definitions vary across vendors because some teams treat the model supply chain as an ML engineering concern, while others include only runtime integrations. For security governance, the practical view is more precise: if a dependency can change model behaviour, inject instructions, exfiltrate data, or alter outputs, it belongs in scope. That aligns with the risk framing used in the OWASP Non-Human Identity Top 10, where exposed credentials and weak trust assumptions are treated as material attack paths.
The most common misapplication is treating the model itself as the only asset, which occurs when teams ignore upstream plugins, vector stores, and SaaS connectors that actually control what the agent can access.
Examples and Use Cases
Implementing model supply chain controls rigorously often introduces more review overhead and dependency mapping, requiring organisations to weigh faster model delivery against stronger integrity and provenance checks.
- A customer-support agent uses a retrieval layer that pulls policy documents from a vector database; if that store is poisoned, the agent can produce confident but incorrect guidance.
- A coding assistant connects to a GitHub app and package registry; if the app token is overprivileged, a malicious dependency update can expand access beyond the intended repository scope.
- An internal copilot calls a third-party summarisation API; if the API key is embedded in a CI pipeline, compromise of the pipeline can expose both the key and downstream data.
- A procurement workflow agent integrates with Slack and Jira; if a plugin trusts unverified prompts from those channels, instructions can be smuggled into the execution path.
- NHIMG case studies such as the LiteLLM PyPI package breach and the Reviewdog GitHub Action supply chain attack show how package and workflow trust can become an NHI exposure path before the model is even reached.
Why It Matters in NHI Security
Model supply chains are a high-value attack surface because they concentrate secrets, automation rights, and trust decisions across multiple systems. If one connector, plugin, or upstream package is compromised, an attacker may not need to break the model at all; they can simply influence the inputs, permissions, or retrieval context that shape the agent's behaviour. That is why supply chain governance belongs alongside credential hygiene, not after it.
NHIMG's coverage of the State of Secrets in AppSec research from GitGuardian and CyberArk found that the average time to remediate a leaked secret is 27 days, which is long enough for a compromised model dependency to remain exploitable in production. NHIMG's 52 NHI Breaches Report also shows that the documented cases repeatedly involve secret exposure and overtrusted integrations, which is why supply chain review must include service identities, not just code provenance.
Organisations typically encounter the operational impact only after an agent starts leaking data, invoking the wrong tool, or producing altered outputs following a dependency compromise, at which point addressing model supply chain control becomes unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and trust failures in NHI-connected components. |
| OWASP Agentic AI Top 10 | A2 | Agentic systems are vulnerable when tools, plugins, or context sources are untrusted. |
| NIST CSF 2.0 | PR.DS | Protects data and software supply chains that can affect system integrity. |
Validate every external tool and retrieval source before granting agent execution authority.
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org