ai-supply-chain
Safeguard articles tagged "ai-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
18 articles
CoSAI Releases Model Signing and Incident Response Frameworks
The Coalition for Secure AI published two operational frameworks in November 2025: Signing ML Artifacts and AI Incident Response. We unpack what each contains and how to adopt them.
Agent Goal Hijacking: Redirecting Autonomous AI Objectives
Attackers are hijacking autonomous AI agents by planting instructions in content they read—no exploit needed. Here's how it works, real 2025 incidents, and defenses.
SPDX 3.0 AI Profile: Building an AIBOM in Practice
SPDX 3.0 was published in March 2025 with a dedicated AI profile and a Dataset profile. We walk through how to produce a defensible AIBOM in SPDX format alongside or in place of CycloneDX.
How Snyk AI-BOM generates a CycloneDX v1.6-compliant ML-BOM
How Snyk's aibom CLI uses static analysis to detect models, agents, and MCP servers, then maps them into a CycloneDX v1.6-compliant ML-BOM structure.
What an AI Model Risk Registry Should Actually Track
Most AI model inventories are name-and-owner spreadsheets. Here's the provenance, licensing, CVE, and revalidation fields a real AI model risk registry needs to track.
DeepSeek ClickHouse Exposure: When the AI Vendor Forgets the Database
In January 2025 Wiz Research found a wide-open ClickHouse instance belonging to AI startup DeepSeek, leaking chat history, API keys, and internal log streams. We unpack the AI-supply-chain implications.