Your AI system is only as trustworthy as its least-trustworthy ingredient — the base model you downloaded, the dataset you fine-tuned on, the adapter you merged, the package that loads the weights. In 2025, Anthropic and partners proved a backdoor takes just 250 poisoned documents, no matter how large the model. This is how the AI supply chain gets attacked, and how you defend it.
Every enterprise that deploys AI has quietly inherited a supply chain it didn't build and can't fully see. A modern LLM application is assembled, not authored: a base model pulled from a public hub, weights loaded by an open-source serialization library, capabilities extended with a LoRA adapter someone else trained, fine-tuned on a dataset scraped from the open web, wrapped in a framework with dozens of transitive dependencies. Every one of those components is a place where trust is assumed and provenance is rarely proven. That's the AI supply chain, and it's now one of the most actively researched attack surfaces in security.
The reason it deserves its own discipline — separate from traditional software supply chain security — is that AI adds failure modes software doesn't have. A poisoned dependency in a normal app runs malicious code you can, in principle, find by reading it. A poisoned model hides its behavior in billions of opaque parameters, behaves perfectly on every benchmark, and betrays you only when a secret trigger appears. You cannot code-review a set of weights. This guide walks the full chain — where poisoning happens, the real incidents that prove it's not theoretical, and the layered controls that actually defend it.
A poisoned model or dependency doesn't announce itself. Polygraf's AI Risk Calculator models your organization's exposure across breach, regulatory, and litigation risk — and maps which obligations apply — so you can weigh supply-chain risk alongside every other AI exposure with a real number attached.
Precision matters here, because this finding is widely overstated. The researchers trained models from scratch and inserted documents that taught a narrow "denial-of-service" backdoor: when the model saw a trigger token (<SUDO>), it emitted gibberish. They found 100 documents didn't reliably work, but 250 did. Anthropic was careful to note this covers a low-stakes behavior and that attackers still face the hard part — actually getting their documents into a specific model's training set. It does not prove anyone can trivially implant a data-exfiltration backdoor in a frontier model. What it does prove is that the "dilution" defense — assuming big models are safe because poison is a tiny fraction — is false.
Poisoning isn't one attack; it's a class that can strike at any stage where a component enters your pipeline. Click each stage to see how it's attacked and how it's defended.
Strip away the specifics and every supply-chain poisoning attack falls into one of three families, distinguished by when the poison enters.
The most common misconception in AI procurement is treating a model card, a benchmark score, or a repository name as evidence of trustworthiness. They aren't. A model card is documentation, not provenance — it describes where a model claims to come from; it does not prove it. Benchmarks are actively gamed by poisoned models, which are specifically tuned to score well while hiding a trigger. And a familiar repo name is exactly what a typosquatting or namespace-confusion attack imitates. Provenance means cryptographic proof of origin and integrity — a signature and a hash you verify — not a description you read.
Every family above has already been demonstrated in the wild or in credible research. The timeline is what turns "possible" into "documented."
torchtriton package on PyPI executed code during install that exfiltrated environment variables and credentials from PyTorch nightly users — proving ML stacks inherit classic package-repo risk. Maintainers discovered the compromise within about 24 hours and coordinated disclosure from there.No single control defends the whole chain, because the chain spans training you don't control, distribution you don't own, and runtime you do. Defense is layered, and it maps to where each risk enters.
| Control | What it does | Defends |
|---|---|---|
| AI SBOM / ML-BOM | A bill of materials tracking base model, fine-tuning datasets, adapters, ML packages, and versions. The foundational control — you can't defend components you haven't enumerated. | whole chain |
| Provenance & signing | Cryptographic attestation of origin, plus SHA-256 checksum verification against official releases before use. Turns "trust the name" into "verify the hash." | data · model · adapter |
| Safe serialization | Prefer safetensors over pickle-based formats; scan model files (e.g. for unsafe deserialization) before loading. Neutralizes the load-time code-execution vector directly. | serialization |
| Dependency hygiene | Pin versions, verify package integrity, and monitor the ML dependency tree the same way you'd govern any software supply chain. | dependencies |
| Sandboxed loading & eval | Load and evaluate untrusted models in an isolated environment with no network egress and no access to secrets, so a malicious load can't pivot into your estate. | model · serialization |
| Backdoor / behavioral testing | Red-team models for trigger behaviors and evaluate on your own data, not just public benchmarks — because benchmarks are what poisoned models are tuned to pass. | data · model |
| RAG source integrity | Retrieve only from trusted sources, hash and sign knowledge-base documents, and screen retrieved content for injection before it reaches the model. | retrieval / runtime |
| Runtime output & data control | Inspect what goes into and comes out of the model in production — catching the effects of a poisoning you didn't detect upstream (data exfiltration, triggered behavior) before they cause harm. | runtime |
In our experience, most organizations operating AI today sit at Level 0 or 1 below — implicit trust, with at most ad-hoc hygiene. Level 2 is a reasonable floor for anyone running AI on sensitive data or in a business-critical path.
Here's the uncomfortable core of supply-chain defense: you cannot fully verify a model you didn't train. You can check its hash matches what the publisher released — but that only proves you got the model the publisher intended, not that the publisher's model is clean. The 250-document study shows a backdoor can be planted upstream, at pretraining, by whoever influenced the training data — entirely outside your visibility. Signature verification is necessary and it is not sufficient. Which is why the mature posture assumes some poisoning will get through, and shifts weight to controlling what the model can do and reach at runtime — the one part of the chain you fully own.
"You can verify the model you downloaded is the one the publisher shipped. You cannot verify the publisher's model isn't backdoored — the poison may have been planted upstream, before you ever entered the chain. That's why supply-chain security can't end at the download. It has to extend to runtime, where you control what a compromised model is actually able to do."
— Polygraf AI, on AI supply chain defenseLet's be precise about the division of labor, because it's where a lot of AI supply-chain marketing overclaims. The upstream defenses — AI SBOMs, model signing, safe serialization, dependency pinning, sandboxed evaluation — are how you keep poison out of the pipeline, and they belong in your MLOps and procurement processes. Polygraf doesn't replace them. What Polygraf does is own Level 3: the runtime layer, on the assumption that upstream controls will occasionally fail.
Polygraf AI's Behavioral Control Plane sits inline at the AI boundary and inspects every input and output in production. If a poisoned or backdoored model tries to exfiltrate sensitive data in its output, Polygraf detects and blocks the sensitive data leaving. If a compromised model or a retrieval-poisoning attack tries to drive an agent toward an unauthorized action, enforcement and least-privilege scoping contain what it can reach. And every decision is logged immutably, giving you the runtime evidence to detect anomalous behavior that a clean-looking benchmark would never reveal. It's the control for the part of the chain you fully own — and the safety net for the parts you don't. On-premise, zero data egress, sub-100ms latency.
Upstream controls keep poison out of the pipeline. Polygraf AI owns runtime — inspecting every AI input and output inline, blocking data exfiltration, containing compromised behavior, and logging every decision. The safety net for the poisoning that gets through. On-premise, sub-100ms, zero data egress.
At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.
© 2026 Polygraf AI. All rights reserved.
Your download will start now.
Please provide information below and we will send you a link to download the white paper.