Data and AI Supply Chain Security: AIBOM, Fingerprinting, and Discovery
The AI supply chain — from training data to deployed models to running agents — presents a complex and often opaque attack surface. Unlike traditional software supply chains, AI systems involve models, datasets, embeddings, prompts, and agents that are difficult to inventory and track. This guide covers the tools and frameworks for securing the AI supply chain.
The AI Supply Chain Problem
Traditional supply chain security focuses on software dependencies. AI supply chains add multiple layers:
- Training data: Where did the data come from? Is it trustworthy?
- Model artifacts: What model is actually running? Has it been tampered with?
- Fine-tuning data: What additional data was used to specialize the model?
- Agent configurations: What tools and permissions do deployed agents have?
- MCP integrations: What external systems are agents connected to?
- Prompts: What system prompts and guardrails are in place?
AI Bill of Materials (AIBOM)
OWASP AIBOM
OWASP AIBOM defines a standard for AI Bill of Materials — the AI equivalent of Software Bill of Materials (SBOM):
- Model provenance: Track where models come from and how they were trained
- Data lineage: Document training data sources and processing steps
- Dependency mapping: Identify all components in the AI pipeline
- Version tracking: Track model versions, fine-tuning runs, and configuration changes
A comprehensive AIBOM enables:
- Vulnerability impact analysis when a model or dataset is compromised
- Compliance evidence for regulations requiring AI transparency
- Incident response when supply chain attacks are discovered
- License and usage rights tracking for training data
Trusera AI-BOM
Trusera ai-bom extends the AIBOM concept with discovery capabilities:
- Automated discovery: Find every AI agent, model, and API in your infrastructure
- Inventory management: Maintain a living inventory of all AI assets
- Risk assessment: Evaluate the security posture of discovered AI assets
- Continuous monitoring: Alert when new AI assets are deployed
Dataset Fingerprinting
datasig (Trail of Bits)
datasig provides dataset fingerprinting for AIBOM:
- Content hashing: Generate unique fingerprints for training datasets
- Integrity verification: Verify that datasets have not been tampered with
- Provenance tracking: Link models to the specific datasets used in training
- Comparison: Detect when datasets have been modified or augmented
# Generate a fingerprint for a datasetdatasig fingerprint --input training_data/ --output fingerprint.json
# Verify dataset integritydatasig verify --input training_data/ --fingerprint fingerprint.jsonDataset fingerprinting is critical for:
- Poisoning detection: Verify that training data has not been tampered with
- Reproducibility: Ensure experiments can be reproduced with identical data
- Compliance: Demonstrate data lineage for regulatory requirements
- Incident response: Quickly determine if compromised data was used in training
AI Supply Chain Attack Vectors
Model Supply Chain
| Attack | Description | Mitigation |
|---|---|---|
| Model tampering | Modified model files with backdoors | modelscan, picklescan, AIBOM |
| Dependency confusion | Malicious model registry packages | Verified registries, AIBOM |
| Pre-trained model poisoning | Backdoored models shared publicly | Fingerprinting, model scanning |
| Fine-tuning data injection | Malicious data in fine-tuning sets | Data validation, fingerprinting |
Data Supply Chain
| Attack | Description | Mitigation |
|---|---|---|
| Data poisoning | Malicious data in training sets | Anomaly detection, datasig |
| Data exfiltration | Sensitive data in model outputs | Output filtering, guardrails |
| Dataset theft | Unauthorized copying of proprietary datasets | Access controls, watermarking |
| Label flipping | Incorrect labels in supervised learning | Validation, quality checks |
Agent Supply Chain
| Attack | Description | Mitigation |
|---|---|---|
| Tool poisoning | Malicious MCP tool definitions | MCP scanning, validation |
| Agent impersonation | Unauthorized agents posing as legitimate | Agent identity (ANS) |
| Configuration tampering | Modified agent permissions or prompts | Integrity checks, versioning |
| Credential theft | Agent API keys stolen | OneCLI, credential vaults |
Building a Secure AI Supply Chain
Phase 1: Inventory
1. Run Trusera ai-bom to discover all AI assets2. Generate AIBOMs for all models using OWASP AIBOM3. Fingerprint all training datasets with datasig4. Document all MCP integrations and agent configurationsPhase 2: Validation
1. Scan all model artifacts with modelscan and picklescan2. Verify dataset fingerprints against known-good baselines3. Audit MCP server configurations with MCP-Scan4. Review agent permissions against least privilegePhase 3: Continuous Monitoring
1. Monitor AIBOM changes in CI/CD pipeline2. Re-fingerprint datasets on every training run3. Scan new MCP integrations before deployment4. Alert on unauthorized AI asset deploymentsKey Takeaways
- AI supply chains are more complex and opaque than traditional software supply chains
- AIBOM (OWASP) provides the standard for documenting AI system components
- Dataset fingerprinting (datasig) enables integrity verification and provenance tracking
- Discovery tools (Trusera ai-bom) help organizations find shadow AI deployments
- Supply chain security should cover models, data, agents, and integrations — not just code dependencies
- Combining AIBOM documentation with scanning tools and continuous monitoring provides comprehensive supply chain security