Loading…
Loading…
The chain of third-party providers, models, datasets, APIs, and infrastructure components that an AI system depends on to function. A typical AI product sits on layers of foundation models, fine-tuning services, embedding providers, data pipelines, and cloud infrastructure — each governed by different terms of service, carrying different security and privacy risks, and subject to unilateral changes by their providers. Supply chain risk in AI includes model update surprises, provider shutdowns, API deprecation, data source contamination, and cascading compliance failures when an upstream component changes its privacy practices.
Why this matters for your team
Map your AI supply chain the same way you'd maintain a software bill of materials. You need to know what you depend on, what each provider's data handling terms are, and how you'd respond if any component changed or became unavailable. This map is also required for EU AI Act technical documentation.
An AI startup's customer-facing product depends on: OpenAI's API (foundation model), a vector database hosted by a European provider, a fine-tuning service from a US startup, and cloud infrastructure on AWS. A change to any one of these can affect the product's behavior, data handling, or compliance posture.