AI supply-chain and infrastructure vulnerabilities
Vulnerabilities in AI frameworks, dependencies, hardware, or reused third-party/foundation models propagate risk to the deployed system.
- Risk family: Third party & supply chain
- MIT domain: 2. Privacy & Security
- MIT subdomain: 2.2 AI system security vulnerabilities and attacks
- AI type: GPAI, Classical_ML, Agentic
- Scope: Both
- Source standard: MIT AI Risk Repository v4
Provenance
Framework crosswalk
Every framework item mapped to this risk. Items marked partial overlap only in part.
- ISO/IEC 23894 Annex A, A.11
- ISO/IEC 42001 Annex A, A.10.3
- ISO/IEC 42001 Annex A, A.4.4
- CoP S&S Ch., Commitment 6
Expanded into this risk's technique-level sub-risks:
- AISubtech-9.3.1 Malicious Package / Tool Injection
- AISubtech-9.3.2 Dependency Name Squatting (Tools / Servers)
- AISubtech-9.3.3 Dependency Replacement / Rug Pull
- NISTAML.05 Supply Chain Attacks
- NISTAML.051 Model Poisoning (supply chain)
- GENAI.12 Value Chain and Component Integration
- GENAI.9 Information Security
- LLM03:2025 Supply Chain
- ASI04 Agentic Supply Chain Vulnerabilities
Sub-risks (8)
Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.
- A compromised model, dataset, library, or hardware component enters the system through the supply chain.
- A backdoored or poisoned model is published to a public registry to be adopted by victims.
- Adversaries register packages or resources matching names the model commonly hallucinates, so its recommendations deliver malicious artifacts.
- Malicious models or files are disguised to appear legitimate and trusted.
- A malicious model file is deliberately corrupted so security scanners cannot inspect it.
- Malicious agent tools are published for adoption, carrying hidden harmful behavior.
- A genuinely useful AI component gains adoption, then a later update turns malicious.
- Adversaries inflate the apparent trustworthiness of malicious AI components to drive adoption.
Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.