AI Agent Supply Chain Verification (as of 12 Jul 2026)
Grading note. A dated snapshot — accurate as of 12 Jul 2026, frozen here as a permanent archive entry. Graded by the 3-lens panel (Skeptic/Beginner/Timekeeper) + sensei on 2026-07-15. Corrections applied inline; unverifiable gaps marked ⚠ PENDING (#issue) — never guessed.
Background: what is the “AI supply chain”?
An AI system’s supply chain is every component that feeds into it before and during runtime: base model weights, fine-tuned adapters, training datasets, ML frameworks, container images, plugins, prompts-as-code, and the RAG documents injected at query time. Any of these can be tampered with, poisoned, or substituted. The practices below address each layer in turn.
How to read the labels
- ✅ independently-corroborated — 2+ independent publishers
- 📄 vendor-documented — official docs only (authoritative, single source)
- ⚠️ WARNING — a default that can cost money, break the machine, or remove a safety net
- 🕒 verify live — fast-moving (versions/prices/quotas); check the current value
Practice: Verify SHA-256 checksums of downloaded model weights before loading them
Do: After downloading any model file (.bin, .gguf, .pt, .safetensors, etc.), compute the SHA-256 hash of the file and compare it against the hash published by the model author before you load it into memory. Most platforms (Hugging Face hf_hub_download(), for example) perform this check automatically when a server-side checksum is available, but verify that your tooling actually does this rather than assuming it.
# Linux / macOS
sha256sum model.safetensors
# Windows PowerShell
Get-FileHash model.safetensors -Algorithm SHA256
Compare the output to the hash published by the model author on their repository page or release notes.
Why: A model file can be silently altered in transit or at rest — either by a network attacker, a compromised mirror, or a malicious upload to a public hub. Loading a tampered model can execute arbitrary code on your machine (especially with pickle-based formats) or embed hidden behaviors into inference outputs. A checksum catches any modification, no matter how small.
Caveat / contested: A checksum only proves the file matches the reference hash. If the reference hash itself was published by a bad actor, or if the publication channel was compromised, the check still passes. Checksums therefore need to be combined with trust in the source (signed commits, reputation, organizational policy). They are necessary but not sufficient on their own.
⚠️ WARNING: Never skip this step when pulling model weights from a public registry you don’t control. Loading an unverified pickle-format model file can give an attacker a shell on your machine.
Sources: aisecurityandsafety.org — AI Supply Chain Security Guide (29 Mar 2026) · labs.cloudsecurityalliance.org — Eight-Nation AI/ML Supply Chain Guidance (CSA analysis) (17 Mar 2026)
Confidence: independently-corroborated
Practice: Prefer safetensors over pickle-based model files for any model you did not build yourself
Do: When downloading or distributing model weights, choose the .safetensors file over .bin / .pt (PyTorch pickle) files whenever both are available. If you must consume a pickle file from an untrusted source, treat it as hostile code: run it only inside an isolated sandbox (Docker container, firejail, or a dedicated VM with no network access and no access to sensitive filesystem paths). If you do not have a sandbox available, do not load the file.
Why: PyTorch’s default serialization format is Python’s pickle, which executes arbitrary Python code during deserialization. A malicious actor can append a reverse-shell payload to a pickle file that runs the moment you call torch.load(). The safetensors format stores only raw tensor data and JSON metadata — there is no executable code path, so loading it cannot run attacker-controlled code.
Caveat / contested: Safetensors is not yet the default everywhere. Many Hugging Face repositories still contain pickle-based model files and many older tutorials default to .bin. Adoption is growing but incomplete. Hugging Face runs a pickle import scanner that flags suspicious imports, but they explicitly disclaim it as “not 100% foolproof” and note it does not prevent downloads. 🕒 verify live — check current scanner coverage before relying on it.
⚠️ WARNING: Calling torch.load("some_model.bin") on a file from an unknown source is equivalent to running an arbitrary Python script handed to you by a stranger.
Sources: huggingface.co/docs/hub/security-pickle (Hugging Face, content references current scanner features) · dev.to/lukehinds — Understanding SafeTensors (Oct 2024, edited Mar 2025) · jfrog.com — Data Scientists Targeted by Malicious HF Models (JFrog Research, 2024)
Confidence: independently-corroborated (Hugging Face official docs + JFrog independent research + independent tutorial author)
Practice: Treat RAG-injected documents and tool outputs as untrusted input — not as trusted instructions
Do: When building a Retrieval-Augmented Generation (RAG) pipeline or an agent that reads external data (web pages, uploaded files, database rows, API responses), treat every retrieved chunk as potentially hostile user input. Apply the same validation and sandboxing you would apply to a web form submission: sanitize before use, do not let retrieved text override system-level constraints, and label external content so the model knows its source tier.
Why: An attacker who can write to any document in your retrieval corpus can inject instructions that the LLM will follow as if they came from you. OWASP’s 2025 LLM Top 10 calls this “indirect prompt injection” and ranks it #1. In a supply chain context the attack surface is any external data source your AI reads: a customer-uploaded PDF, a web page fetched by a browsing tool, a row in a shared database. You do not need to compromise the model itself — you only need to compromise one upstream data source.
Caveat / contested: There is currently no reliable purely technical fix. Input/output filtering, RAG triad evaluation (context relevance, groundedness, answer relevance), and prompt-level segregation all reduce risk but none eliminates it. The OWASP LLM01 page notes that neither RAG nor fine-tuning fully mitigates prompt injection and that defense-in-depth is the only realistic posture.
Sources: genai.owasp.org — LLM01:2025 Prompt Injection (OWASP Gen AI Security Project, 2025) · labs.cloudsecurityalliance.org — Eight-Nation AI/ML Supply Chain Guidance (CSA / NSA, Mar 2026)
Confidence: independently-corroborated
Practice: Sign AI model artifacts with Sigstore/cosign (or equivalent) and verify signatures before deployment
Do: When publishing or consuming AI model container images or model artifact bundles, sign them using cosign (part of the Sigstore project) and verify the signature before deploying to any environment. For keyless signing (recommended for CI/CD pipelines), use OIDC identity tokens from your build platform so there are no long-lived private keys to steal. Store signatures in the same OCI registry as the image, or use the Sigstore Bundle format for blob artifacts.
Why: A checksum tells you the file was not modified. A cryptographic signature additionally tells you who published it and that they intended to publish that exact file. If an attacker compromises your image registry and replaces a model container image, a checksum check against a registry-provided hash will still pass (the attacker updated the hash too). A signature from your build pipeline’s OIDC identity is much harder to forge.
Caveat / contested: Sigstore’s keyless signing relies on Fulcio (the certificate authority) and Rekor (the transparency log) as trusted infrastructure. Organizations that cannot use public Sigstore infrastructure can run their own instances or integrate with existing enterprise PKIs — the OpenSSF Model Signing Specification (OMS) is explicitly PKI-agnostic and supports self-signed certificates and bare keys. Operationally, this adds pipeline complexity; teams should test verification gates in staging before enforcing them in production.
⚠️ WARNING: The current active migration risk is cosign v2 → v3. Cosign v3 uses a different bundle format that cannot be verified by v2 tooling — if you mix versions, cosign verify exits with status 0 (success) but skips all verification of the artifact. Pin your cosign version and align it across all signing and verification environments. 🕒 verify live — check current Sigstore/cosign v3 compatibility before upgrading.
Sources: openssf.org — Introduction to the OpenSSF Model Signing (OMS) Specification (OpenSSF, 25 Jun 2025) · openssf.org — Scaling Up Supply Chain Security: Implementing Sigstore (OpenSSF, Feb 2024) · docs.sigstore.dev — Signing Other Types (Sigstore docs)
Confidence: independently-corroborated (OpenSSF blog posts are different publications from Sigstore upstream docs; two distinct publishers)
Practice: Apply SLSA Build provenance to AI training and packaging pipelines
Do: Instrument your AI model build pipeline (training runs, fine-tuning jobs, model packaging steps) to emit SLSA provenance attestations. At minimum, target SLSA Build L1 (unsigned provenance documenting inputs and build platform) in development and L2 (signed provenance from a hosted CI system) for any model promoted to staging or production. Attach the provenance to the model artifact so downstream consumers can verify what went into the model.
Why: SLSA provenance is a machine-readable document that answers: “What source code / data was used? What build system ran? When? By whom?” Without it, you cannot prove that the model you deployed was built from the training code and data you intended — an insider or compromised CI system could substitute different weights silently. SLSA was originally designed for software packages, but the same build-time tamper-detection logic applies to model artifacts and Docker images containing models.
Caveat / contested: SLSA v1.2 (released November 2025 — 🕒 verify live for the current spec) added a Source track but still does not define ML-specific guidance for training pipelines. Applying SLSA to model training requires adaptation — treating training dataset inputs as “source” and the model weights as the “artifact.” This is an area of active development.
Sources: slsa.dev/spec/v1.2/ (SLSA / OpenSSF, v1.2 — current as of Nov 2025) · wiz.io/academy/application-security/slsa-framework (Wiz, updated Jun 2026) · cloudsmith.com — 2026 Guide to Software Supply Chain Security (Cloudsmith, 1 Apr 2026)
Confidence: independently-corroborated (SLSA official spec + two independent commercial publishers)
Practice: Create and maintain an AI Bill of Materials (AI-BOM) for every model you deploy
Do: Before deploying any AI model or agent, produce a structured inventory — an AI-BOM — that records at minimum: the base model name and version, its source and license, the fine-tuning datasets used (with provenance and hashes), the ML framework and version, and any plugins or tools the agent can invoke. Store this alongside the model artifact in version control. Update it whenever any component changes.
Why: An AI system is composed of many upstream parts, just like a software application has library dependencies. An AI-BOM gives you the same visibility for AI components that a traditional Software Bill of Materials (SBOM) gives for code dependencies. When a vulnerability or backdoor is found in a base model or training dataset, the AI-BOM tells you immediately which of your deployed systems are affected and what to update.
Caveat / contested: AI-BOM standards are still maturing. SPDX 3.0.1 defines AI and Dataset profiles; CISA published draft “minimum elements” guidance in 2025. There is currently no single universally adopted schema. The EU AI Act (general-purpose AI provisions, effective August 2025 for new placements; existing models placed before 2 August 2025 have until 2 August 2027) requires transparency documentation that overlaps with AI-BOM concepts but uses different terminology — component inventory maps to Article 11 / Annex IV, not Article 53. Cross-reference against whichever regulatory standard applies to your deployment. 🕒 verify live — CISA minimum elements and SPDX AI profile specs are both actively updated.
Sources: wiz.io/academy/ai-security/ai-bom-ai-bill-of-materials (Wiz, 19 Mar 2026) · labs.cloudsecurityalliance.org — Eight-Nation AI/ML Supply Chain Guidance (CSA / NSA eight-nation guidance, 17 Mar 2026) · aisecurityandsafety.org — AI Supply Chain Security Guide (29 Mar 2026)
Confidence: independently-corroborated (Wiz + CSA/NSA multi-government guidance + independent guide — three independent publishers)
Practice: Audit model cards before deploying any third-party model
Do: Before deploying a model from a public hub (Hugging Face, model zoo, vendor API), read its model card and check for: (1) a clear statement of intended use and out-of-scope uses, (2) the training data source and any known biases or failure modes, (3) safety evaluation results, (4) the license (especially whether commercial use is permitted), and (5) a named maintainer or organization. Reject or isolate models with missing or vague model cards the same way you would reject an open-source library with no documentation and an unknown author.
Why: A model card is the AI equivalent of a product datasheet and safety data sheet combined. Without it you do not know what the model was trained on, what it is optimized for, or what risks it carries. Deploying a model with undisclosed training data or absent safety evaluations exposes your users and your organization to unpredictable harms and potential licensing violations.
Caveat / contested: Model cards are self-reported by the model author; they are not independently verified unless the model has been through formal third-party audit. A systematic analysis of Hugging Face model cards found wide variation in completeness. Treat a model card as a minimum due-diligence signal, not a guarantee. Red Hat’s AI system card concept extends this to deployment-level documentation and is a useful additional reference for higher-assurance contexts.
Sources: redhat.com — Security beyond the model: Introducing AI system cards (Red Hat, 3 Sep 2025) · aisecurityandsafety.org — AI Supply Chain Security Guide (29 Mar 2026)
Confidence: independently-corroborated
Practice: Grant AI agents the minimum tool permissions needed for each task (principle of least privilege)
Do: When configuring an AI agent’s available tools, start with an empty allowlist and add only the specific operations the agent needs for its defined task. A summarization agent needs read access to documents — not write access, not shell access. Separate read-only “retrieval” agents from write-capable “action” agents architecturally. Log every tool call with the invoking agent’s identity, the target resource, and the timestamp.
Why: AI agents with broad tool access are high-value targets for prompt injection and jailbreaking attacks. If an attacker can manipulate an agent via a poisoned document, they inherit whatever permissions the agent has. An agent with shell access and unrestricted filesystem permissions is a ready-made remote code execution vector. Narrowing permissions limits the blast radius of any successful manipulation.
Caveat / contested: Least-privilege tooling can be harder to implement in practice than in principle because many agent frameworks provision broad permissions by default for ease of use. The OWASP AI Agent Security Cheat Sheet provides concrete patterns (read-only vs. write permission scoping, allowlisted shell patterns), but may lag behind fast-moving agentic frameworks. 🕒 verify live — check your specific agent framework’s permission model against current OWASP guidance.
⚠️ WARNING: Giving an AI agent unrestricted shell execution (bash, subprocess, exec) is equivalent to giving an untrusted user sudo access. Most agent frameworks offer this as a convenience default.
Sources: cheatsheetseries.owasp.org — AI Agent Security Cheat Sheet (OWASP, actively maintained) · augmentcode.com — Multi-Agent AI Security (Augment Code, 28 Mar 2026, updated 18 Jun 2026)
Confidence: independently-corroborated
Practice: Do not let AI agents blindly trust outputs from peer agents — enforce inter-agent trust boundaries
Do: In multi-agent architectures, treat messages from peer agents with the same skepticism you apply to messages from external users. Start by validating inter-agent requests against a strict JSON schema (not just prompt-based checks). Assign each agent a trust tier (e.g., untrusted / internal / privileged) and enforce it architecturally, not just in the system prompt. For higher-assurance environments, use cryptographic workload identity (e.g., SPIFFE/SPIRE) to authenticate agent-to-agent calls. Maintain immutable inter-agent audit logs.
Why: When multiple AI agents communicate, a single compromised or prompt-injected agent can pass malicious instructions to every other agent it talks to. Research has found that intermediate trusted agents can reformat malicious instructions to strip detection markers and make them more effective downstream, meaning injection attacks can become harder to detect as they propagate. Standard single-agent guardrails do not stop this: you need architectural enforcement at the message bus level.
Caveat / contested: This is an emerging area. No single standard for multi-agent trust protocols has been adopted across frameworks as of mid-2026. Implementation patterns vary significantly between agent frameworks. JSON schema validation and structured logging are the practical baseline; SPIFFE/SPIRE is enterprise infrastructure appropriate for larger deployments.
Sources: augmentcode.com — Multi-Agent AI Security: Enterprise Risks, Compliance, and Mitigation (Augment Code, 28 Mar 2026, updated 18 Jun 2026) · cheatsheetseries.owasp.org — AI Agent Security Cheat Sheet (OWASP, actively maintained)
Confidence: independently-corroborated
Held pending fixes
- CISA SBOM for AI minimum elements page: HTTP 403 during research run — could not fetch directly. The eight-nation CSA/NSA guidance and the Wiz AI-BOM page both reference CISA’s work, so the substance is corroborated, but the direct CISA URL is not cited. ⚠ #pending-cisa-sbom
- SLSA v1.2 levels URL: confirmed live at
slsa.dev/spec/v1.2/levels(Timekeeper FIX-5); the prior v1.1 URL is now retired.
CHANGELOG
- Timekeeper KILL-4: Cosign WARNING updated from v1→v2 migration risk to v2→v3. Added explicit clarification that
cosign verifyexits with status 0 (success) but skips verification when bundle formats are mismatched. - Timekeeper FIX-5: SLSA v1.2 URL corrected to
slsa.dev/spec/v1.2/levels; v1.2 release date corrected to November 2025 (was ambiguously “mid-2026”). - Timekeeper FIX-7: EU AI Act caveat updated — existing models placed before 2 August 2025 have until 2 August 2027; Article reference corrected from 53 to Article 11/Annex IV.
- Skeptic FIX: OWASP LLM01 text unquoted — was presented as a verbatim quote; now a paraphrase.
- Skeptic FIX: “44.9% of HF repos contain pickle” stat removed from Safetensors practice — not found in any of the three cited sources.
- Beginner KILL-GN-1: Pickle sandboxing advice now names concrete tools (Docker,
firejail) and adds: “If you do not have a sandbox available, do not load this file.” - Beginner KILL-GN-2: Cosign WARNING clarified — “silently fails” rewritten to explain that the exit code is 0 (apparent success) but the artifact is not checked.
- Beginner FIX-GN-6: SHA-256 checksum practice now shows
sha256sum(Linux/macOS) andGet-FileHash(Windows PowerShell) commands. - Beginner FIX-GN-2: Inter-agent trust practice restructured — JSON schema validation leads; SPIFFE/SPIRE moved to advanced/enterprise option.
- General: EU AI Act Article reference corrected to Article 11/Annex IV for component inventory (Article 53 covers GPAI documentation).
- Link-check repair:
slsa.dev/spec/v1.2/levelsreturned 404 — URL corrected toslsa.dev/spec/v1.2/(200), which contains the levels content.