What does the AI software supply chain risk entail?

AI software supply chain risk involves managing risks across the entire ecosystem that builds, trains, validates, and deploys AI systems, across multiple dimensions: people, processes, technology, data, and models. This broad view matters because threats can emerge at many points: data provenance and quality affect accuracy and privacy; data labeling and governance impact reliability and bias; model development, versioning, and deployment can introduce drift or tampering; software dependencies and build pipelines may harbor vulnerabilities or licensing conflicts; governance, change control, and incident response determine how quickly and safely issues are detected and remediated; and human factors such as insider threats or misconfigurations can expose the system. A holistic approach that covers all five areas is necessary to robustly manage risk, not just focusing on licensing, hardware latency, or training in isolation.