{"id":108380,"date":"2026-04-19T10:38:28","date_gmt":"2026-04-19T08:38:28","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=108380"},"modified":"2026-04-19T10:39:10","modified_gmt":"2026-04-19T08:39:10","slug":"securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/","title":{"rendered":"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don&#8217;t Know What\u00a0It&#8217;s\u00a0Doing\u00a0"},"content":{"rendered":"<p>You passed your security audit. SAST came back clean. SCA found no critical vulnerabilities. Secrets scanning turned up nothing. Your release moved forward with confidence.&nbsp;<\/p>\n\n\n\n<p>Then, weeks later, leadership asks: &#8220;Are we using AI in any of our applications?&#8221;&nbsp;<\/p>\n\n\n\n<p>Honestly? No one knows.&nbsp;<\/p>\n\n\n\n<p>Somewhere in your codebase, invisible to every tool you have, an application is calling a hosted LLM service. An agent framework arrived through a dependency. Prompts are loading from runtime configuration. Embeddings are being sent to a vector store.&nbsp;<\/p>\n\n\n\n<p>None of it shows up in your SBOM. None of it is on anyone&#8217;s radar.&nbsp;<\/p>\n\n\n\n<p>This&nbsp;isn&#8217;t&nbsp;a failure of your security team.&nbsp;It&#8217;s&nbsp;a structural gap.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">\n<strong>The Supply Chain is Changing (Again)<\/strong>&nbsp;<\/h2>\n\n\n\n<p>For years, traditional AppSec protected a predictable set of things: application code, open-source packages, secrets, containers, and infrastructure. 
SAST, SCA, vulnerability management, all built for that world.\u00a0<\/p>\n\n\n\n<p>Then AI became a production dependency.&nbsp;<\/p>\n\n\n\n<p>More than&nbsp;<a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2025-08-26-gartner-predicts-40-percent-of-enterprise-apps-will-feature-task-specific-ai-agents-by-2026-up-from-less-than-5-percent-in-2025\" target=\"_blank\" rel=\"noreferrer noopener\">75% of enterprises are already embedding LLMs, AI SDKs, and AI services directly into their applications<\/a>. But the security and governance programs designed to manage software&nbsp;haven&#8217;t&nbsp;caught up.&nbsp;<\/p>\n\n\n\n<p><strong>Modern applications now depend on:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hosted AI services (LLM APIs)\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AI frameworks and SDKs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Agent code and MCP servers\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prompts and datasets\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Embeddings and vector stores\u00a0<\/li>\n<\/ul>\n\n\n\n<p><strong>These&nbsp;don&#8217;t&nbsp;behave like traditional dependencies:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A model can be safe in testing and unsafe under real-world prompts\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A prompt can quietly change system behavior without changing application logic\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An MCP tool can expand execution capability beyond what developers intended\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A service provider can change data retention terms without a code change\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Traditional AppSec tools&nbsp;don&#8217;t&nbsp;detect these risks because they&nbsp;weren&#8217;t&nbsp;designed to. 
They&nbsp;can&#8217;t&nbsp;assess model poisoning, unverified weights, unsafe adapters, malicious MCP servers, or licensing violations.&nbsp;&nbsp;<\/p>\n\n\n\n<p>None of these are hypothetical.\u00a0They&#8217;re\u00a0showing up in real pipelines, real codebases, and real compliance conversations, often without anyone realizing it.\u00a0<\/p>\n\n\n\n<p>At the same time, regulatory&nbsp;pressure is real. The EU AI Act, ISO 42001, and&nbsp;other&nbsp;frameworks&nbsp;are&nbsp;creating&nbsp;real accountability for AI governance.&nbsp;Yet, most organizations lack even a basic AI asset inventory, let alone the ability to&nbsp;demonstrate&nbsp;compliance.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">\n<strong>The Hidden Threats in Your AI Dependencies<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Below are 10 prominent AI supply chain risks&nbsp;validated&nbsp;by&nbsp;<a href=\"https:\/\/genai.owasp.org\/llmrisk\/llm032025-supply-chain\/\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP LLM03:2025<\/a>&nbsp;(the industry standard) and our own&nbsp;Checkmarx&nbsp;Zero research team.&nbsp;<\/p>\n\n\n\n<p>These risks reflect where visibility gaps&nbsp;typically become security gaps in this new supply chain structure:&nbsp;<\/p>\n\n\n\n<p><strong>Group A: Trust &amp; Provenance<\/strong>&nbsp;Poisoned models, fake models, abandoned models, vulnerable AI packages\u2014risks tied to where models actually come from and whether you can trust them.&nbsp;<\/p>\n\n\n\n<p><strong>Group B: Modification &amp; Fine-Tuning<\/strong>&nbsp;Malicious adapters, model merge exploits\u2014risks introduced when models are altered without visibility.&nbsp;<\/p>\n\n\n\n<p><strong>Group C: Deployment Risks<\/strong>&nbsp;Mobile and edge model attacks where compromised models are embedded outside standard update mechanisms.&nbsp;<\/p>\n\n\n\n<p><strong>Group D: MCP Supply Chain<\/strong>&nbsp;Tool poisoning, compromised dependencies, shadow MCP servers, 
unauthorized integrations that expand what AI can&nbsp;actually do.&nbsp;<\/p>\n\n\n\n<p><strong>Group E: Governance &amp; Exposure<\/strong>&nbsp;Licensing violations, unclear terms-of-service, privacy policy drift that quietly changes how your data is used.&nbsp;<\/p>\n\n\n\n<p>Each reflects a different failure mode: compromised artifacts, unmanaged modifications, invisible deployments, unauthorized connections, and untracked obligations.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\n<strong>Where Does Your Organization Actually Stand?<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Most security teams assume&nbsp;they&#8217;re&nbsp;at least partially aware of their AI exposure. In practice, the answer is usually Stage 1: Unknown.&nbsp;There&#8217;s&nbsp;no inventory, no policy enforcement,&nbsp;and&nbsp;no audit trail,&nbsp;just scattered usage across repos and environments.&nbsp;<\/p>\n\n\n\n<p>Getting from Unknown to Governed&nbsp;isn&#8217;t&nbsp;a single leap.&nbsp;It&#8217;s&nbsp;a defined progression: from discovery, to control, to compliance-ready reporting. 
Understanding where you sit today is the prerequisite to knowing what to do next.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">\n<strong>Visibility First, Then Everything Else<\/strong>&nbsp;<\/h2>\n\n\n\n<p>What connects&nbsp;all&nbsp;these risks is something simple: if you&nbsp;don&#8217;t&nbsp;know an AI&nbsp;component&nbsp;exists in your software, you&nbsp;can&#8217;t&nbsp;assess it, govern it, or protect against what it might do.&nbsp;<\/p>\n\n\n\n<p>This requires building what&nbsp;didn&#8217;t&nbsp;exist before: an AI-BOM, an inventory that captures what AI is running in your applications and what that implies for risk and compliance.&nbsp;<\/p>\n\n\n\n<p>Building it takes four capabilities:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>\n<strong>Discover<\/strong>\u00a0AI assets across code and configuration\u00a0<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>\n<strong>Assess<\/strong>\u00a0AI-specific risks (not just CVEs)\u00a0<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>\n<strong>Control<\/strong>\u00a0through policy enforcement and approved registries\u00a0<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>\n<strong>Report<\/strong>\u00a0compliance-ready documentation\u00a0<\/li>\n<\/ol>\n\n\n\n<p>AI is already embedded in your stack, whether you know it or not. The goal&nbsp;isn&#8217;t&nbsp;to slow adoption;&nbsp;it&#8217;s&nbsp;to bring the same AppSec discipline to AI dependencies that teams already apply to everything else they ship.&nbsp;<\/p>\n\n\n\n<p>That starts with visibility.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Want to go deeper?&nbsp;&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve&nbsp;put together a full breakdown of the threat&nbsp;landscape&nbsp;with&nbsp;all 10 risk categories, real-world examples, and the controls mapped to each. 
But more than that: the guide walks through a practical AI Supply Chain Maturity Model so you can identify where your organization stands today, a side-by-side comparison of traditional SBOMs vs. AI-BOMs, and a two-floor security architecture that tells you what to preserve from your existing AppSec program and what to add on top of it.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/checkmarx.com\/resources\/10-ai-supply-chain-risks-hiding-in-your-codebase\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read it now<\/a>&nbsp;&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>You passed your security audit. SAST came back clean. SCA found no critical vulnerabilities. Secrets scanning turned up nothing. Your release moved forward with confidence.&nbsp; Then, weeks later, leadership asks: &#8220;Are we using AI in any of our applications?&#8221;&nbsp; Honestly? No one knows.&nbsp; Somewhere in your codebase, invisible to every tool you have, an application [&hellip;]<\/p>\n","protected":false},"author":141,"featured_media":108381,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1284,85,84,844],"tags":[1510,1272,361,385],"class_list":["post-108380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-llm-tools-in-application-security","category-application-security-trends","category-blog","category-supply-chain-security","tag-adlc","tag-agentic-ai","tag-software-supply-chain","tag-supply-chain-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don&#039;t Know What\u00a0It&#039;s\u00a0Doing\u00a0<\/title>\n<meta name=\"description\" content=\"Learn how modern AppSec falls short, explore key AI risks, and discover how to build visibility, 
governance, and compliance with an AI-BOM approach\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don&#039;t Know What\u00a0It&#039;s\u00a0Doing\u00a0\" \/>\n<meta property=\"og:description\" content=\"Learn how modern AppSec falls short, explore key AI risks, and discover how to build visibility, governance, and compliance with an AI-BOM approach\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-19T08:38:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-19T08:39:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1502\" \/>\n\t<meta property=\"og:image:height\" content=\"791\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Emma Datny\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" 
content=\"Emma Datny\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\"},\"author\":{\"name\":\"Emma Datny\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc\"},\"headline\":\"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don&#8217;t Know What\u00a0It&#8217;s\u00a0Doing\u00a0\",\"datePublished\":\"2026-04-19T08:38:28+00:00\",\"dateModified\":\"2026-04-19T08:39:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\"},\"wordCount\":949,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp\",\"keywords\":[\"ADLC\",\"Agentic AI\",\"Software Supply Chain\",\"SSCS\"],\"articleSection\":[\"AI &amp; LLM Tools in Application Security\",\"Application Security Trends &amp; Insights\",\"Blog\",\"Supply Chain 
Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\",\"url\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\",\"name\":\"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don't Know What\u00a0It's\u00a0Doing\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp\",\"datePublished\":\"2026-04-19T08:38:28+00:00\",\"dateModified\":\"2026-04-19T08:39:10+00:00\",\"description\":\"Learn how modern AppSec falls short, explore key AI risks, and discover how to build visibility, governance, and compliance with an AI-BOM 
approach\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp\",\"width\":1502,\"height\":791},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"
https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc\",\"name\":\"Emma Datny\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg\",\"caption\":\"Emma Datny\"},\"sameAs\":[\"https:\/\/checkmarx.com\/\"],\"url\":\"https:\/\/checkmarx.com\/author\/emma_datny\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don't Know What\u00a0It's\u00a0Doing\u00a0","description":"Learn how modern AppSec falls short, explore key AI risks, and discover how to build visibility, governance, and compliance with an AI-BOM approach","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/","og_locale":"en_US","og_type":"article","og_title":"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don't Know What\u00a0It's\u00a0Doing\u00a0","og_description":"Learn how modern AppSec falls short, explore key AI risks, and discover how to build visibility, governance, and compliance with an AI-BOM 
approach","og_url":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2026-04-19T08:38:28+00:00","article_modified_time":"2026-04-19T08:39:10+00:00","og_image":[{"width":1502,"height":791,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp","type":"image\/webp"}],"author":"Emma Datny","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Emma Datny","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/"},"author":{"name":"Emma Datny","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc"},"headline":"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don&#8217;t Know 
What\u00a0It&#8217;s\u00a0Doing\u00a0","datePublished":"2026-04-19T08:38:28+00:00","dateModified":"2026-04-19T08:39:10+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/"},"wordCount":949,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp","keywords":["ADLC","Agentic AI","Software Supply Chain","SSCS"],"articleSection":["AI &amp; LLM Tools in Application Security","Application Security Trends &amp; Insights","Blog","Supply Chain Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/","url":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/","name":"Securing Your AI Supply Chain:\u00a0Your AI Is Running, But You Don't Know What\u00a0It's\u00a0Doing\u00a0","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp","datePublished":"2026-04-19T08:38:28+00:00","dateModified":"2026-04-19T08:39:10+00:00","description":"Learn how modern AppSec falls 
short, explore key AI risks, and discover how to build visibility, governance, and compliance with an AI-BOM approach","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/securing-your-ai-supply-chain-your-ai-is-running-but-you-dont-know-what-its-doing\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-19-112542.webp","width":1502,"height":791},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}
,{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/f2f13af2bbd7334f86e05c26025b82cc","name":"Emma Datny","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Emma-Datny-150x150.jpg","caption":"Emma Datny"},"sameAs":["https:\/\/checkmarx.com\/"],"url":"https:\/\/checkmarx.com\/author\/emma_datny\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/141"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=108380"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108380\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/108381"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=108380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=108380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=108380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}