AI Supply Chain Security:
Protecting LLMs and Agents
From Model Poisoning

Your AI system is only as trustworthy as its least-trustworthy ingredient — the base model you downloaded, the dataset you fine-tuned on, the adapter you merged, the package that loads the weights. In 2025, Anthropic and partners proved a backdoor takes just 250 poisoned documents, no matter how large the model. This is how the AI supply chain gets attacked, and how you defend it.

250
malicious documents can backdoor an LLM — a near-constant number regardless of model size
~100
models on Hugging Face were found by JFrog carrying code able to execute arbitrary commands
LLM03
+ LLM04
two of OWASP's Top 10 LLM risks are supply chain and data/model poisoning
0.01%
of a web-scraped corpus — poisonable for about $60 — was enough to compromise popular datasets

Every enterprise that deploys AI has quietly inherited a supply chain it didn't build and can't fully see. A modern LLM application is assembled, not authored: a base model pulled from a public hub, weights loaded by an open-source serialization library, capabilities extended with a LoRA adapter someone else trained, fine-tuned on a dataset scraped from the open web, wrapped in a framework with dozens of transitive dependencies. Every one of those components is a place where trust is assumed and provenance is rarely proven. That's the AI supply chain, and it's now one of the most actively researched attack surfaces in security.

The reason it deserves its own discipline — separate from traditional software supply chain security — is that AI adds failure modes software doesn't have. A poisoned dependency in a normal app runs malicious code you can, in principle, find by reading it. A poisoned model hides its behavior in billions of opaque parameters, behaves perfectly on every benchmark, and betrays you only when a secret trigger appears. You cannot code-review a set of weights. This guide walks the full chain — where poisoning happens, the real incidents that prove it's not theoretical, and the layered controls that actually defend it.

Free Tool · Polygraf AI Risk Calculator

Quantify the exposure your AI supply chain carries

A poisoned model or dependency doesn't announce itself. Polygraf's AI Risk Calculator models your organization's exposure across breach, regulatory, and litigation risk — and maps which obligations apply — so you can weigh supply-chain risk alongside every other AI exposure with a real number attached.

  • Quantified exposure across every major risk category
  • A tailored read on which regulatory regimes govern your AI
  • Gaps surfaced across provenance, verification, and runtime control
  • Modeled reduction from adding inline inspection and enforcement
Run the free AI Risk Assessment →
Sample result
Total Potential Exposure
$49.8M
Data breach
Regulatory
Litigation
Reputational
250DOCUMENTS
In October 2025, Anthropic, the UK AI Security Institute, and the Alan Turing Institute published the largest poisoning study to date. The headline result overturned a long-held assumption: the number of malicious documents needed to plant a backdoor is near-constant — around 250 — regardless of model size. A 13-billion-parameter model trained on 20× more data than a 600M model was backdoored by the same small, fixed count. Poisoning isn't a percentage game an attacker has to win against your dataset's scale. It's an absolute number, and it's small.
What the Study Did and Didn't Show

Precision matters here, because this finding is widely overstated. The researchers trained models from scratch and inserted documents that taught a narrow "denial-of-service" backdoor: when the model saw a trigger token (<SUDO>), it emitted gibberish. They found 100 documents didn't reliably work, but 250 did. Anthropic was careful to note this covers a low-stakes behavior and that attackers still face the hard part — actually getting their documents into a specific model's training set. It does not prove anyone can trivially implant a data-exfiltration backdoor in a frontier model. What it does prove is that the "dilution" defense — assuming big models are safe because poison is a tiny fraction — is false.

The Chain, Link by Link

Poisoning isn't one attack; it's a class that can strike at any stage where a component enters your pipeline. Click each stage to see how it's attacked and how it's defended.

Interactive · The AI supply chain attack surface

Six links, each a distinct attack surface

Tap a stage to see the attack vector and the control that defends it.
📚
Training Data
poisoning
🧠
Base Model
tampering
🔌
Adapters / Merges
backdoor
📦
Serialization
code exec
🧩
Dependencies
hijack
🔎
RAG Corpus
injection

The Three Families of Poisoning

Strip away the specifics and every supply-chain poisoning attack falls into one of three families, distinguished by when the poison enters.

📚 Data Poisoning
Corrupting the training or fine-tuning data so the model learns the attacker's desired behavior. Because provenance of web-scraped data is rarely verified, contributing poisoned samples to open datasets or seeding crafted web pages is genuinely practical.
ENTERS AT → training / fine-tuning time
e.g. 250 crafted documents planting a trigger backdoor
🧠 Model Poisoning
Directly modifying a trained model's weights to embed a backdoor or strip safety, then publishing it where victims will trust it. The model scores well on benchmarks — that's the point — and misbehaves only on targeted triggers.
ENTERS AT → model distribution time
e.g. PoisonGPT: a surgically modified open model
📦 Artifact / Code Poisoning
Hiding executable code in the model file itself or its loading path, so simply loading the weights runs attacker code on your machine. This is classic software supply-chain risk inherited by the ML stack.
ENTERS AT → load / deploy time
e.g. malicious pickle files, hijacked dependencies
🔎 Retrieval Poisoning (runtime)
Not a training attack at all: planting malicious content in a RAG knowledge base or a source the agent reads at inference, influencing outputs without ever touching the model. Increasingly common as RAG and agents proliferate.
ENTERS AT → inference / runtime
e.g. a poisoned document in the vector store
Why a Model Card Is Not Provenance

The most common misconception in AI procurement is treating a model card, a benchmark score, or a repository name as evidence of trustworthiness. They aren't. A model card is documentation, not provenance — it describes where a model claims to come from; it does not prove it. Benchmarks are actively gamed by poisoned models, which are specifically tuned to score well while hiding a trigger. And a familiar repo name is exactly what a typosquatting or namespace-confusion attack imitates. Provenance means cryptographic proof of origin and integrity — a signature and a hash you verify — not a description you read.

This Isn't Theoretical: The Incident Record

Every family above has already been demonstrated in the wild or in credible research. The timeline is what turns "possible" into "documented."

Aug 2017
BadNets formalizes the model backdoor
Researchers demonstrated that a model trained by a third party could carry a hidden backdoor that survives transfer learning — the foundational proof that outsourced model training is an attack surface.
Dec 2022
PyTorch dependency compromise (torchtriton)
A malicious torchtriton package on PyPI executed code during install that exfiltrated environment variables and credentials from PyTorch nightly users — proving ML stacks inherit classic package-repo risk. Maintainers discovered the compromise within about 24 hours and coordinated disclosure from there.
Feb 2023
"Poisoning Web-Scale Datasets Is Practical"
Carlini and coauthors showed poisoning a tiny fraction of a web-scraped dataset is achievable and affordable — you don't need to own the data, just to control a few of the pages it scrapes.
2023
PoisonGPT (Mithril Security)
Researchers surgically edited an open-source model to spread targeted misinformation, uploaded it under a plausible name, and showed it passed standard safety benchmarks — a live demonstration that a model hub can distribute a poisoned model that looks clean.
Early 2024
~100 malicious models found on Hugging Face
JFrog researchers identified roughly 100 models on Hugging Face carrying code capable of executing arbitrary commands on the loading machine — often via unsafe pickle serialization. Not a lab demo: live models on the world's largest hub.
Oct 2025
The 250-document study
Anthropic, UK AISI, and the Alan Turing Institute establish that backdoor poisoning requires a near-constant, small number of documents regardless of model scale — reframing how feasible training-time poisoning actually is.

The Defense: Provenance, Verification, Isolation, Runtime Control

No single control defends the whole chain, because the chain spans training you don't control, distribution you don't own, and runtime you do. Defense is layered, and it maps to where each risk enters.

ControlWhat it doesDefends
AI SBOM / ML-BOM A bill of materials tracking base model, fine-tuning datasets, adapters, ML packages, and versions. The foundational control — you can't defend components you haven't enumerated. whole chain
Provenance & signing Cryptographic attestation of origin, plus SHA-256 checksum verification against official releases before use. Turns "trust the name" into "verify the hash." data · model · adapter
Safe serialization Prefer safetensors over pickle-based formats; scan model files (e.g. for unsafe deserialization) before loading. Neutralizes the load-time code-execution vector directly. serialization
Dependency hygiene Pin versions, verify package integrity, and monitor the ML dependency tree the same way you'd govern any software supply chain. dependencies
Sandboxed loading & eval Load and evaluate untrusted models in an isolated environment with no network egress and no access to secrets, so a malicious load can't pivot into your estate. model · serialization
Backdoor / behavioral testing Red-team models for trigger behaviors and evaluate on your own data, not just public benchmarks — because benchmarks are what poisoned models are tuned to pass. data · model
RAG source integrity Retrieve only from trusted sources, hash and sign knowledge-base documents, and screen retrieved content for injection before it reaches the model. retrieval / runtime
Runtime output & data control Inspect what goes into and comes out of the model in production — catching the effects of a poisoning you didn't detect upstream (data exfiltration, triggered behavior) before they cause harm. runtime

Where does your program sit?

In our experience, most organizations operating AI today sit at Level 0 or 1 below — implicit trust, with at most ad-hoc hygiene. Level 2 is a reasonable floor for anyone running AI on sensitive data or in a business-critical path.

0
BLIND
Implicit trust
Models and datasets pulled from public hubs by name, loaded without verification. No inventory of what's in the pipeline. The default state — and the one the incident record targets.
1
AWARE
Basic hygiene
Safetensors over pickle, some checksum verification, dependencies pinned. Ad-hoc, not systematic — and no bill of materials tying it together.
2
MANAGED
Provenance & verification
An AI SBOM, enforced signature/checksum verification, sandboxed model evaluation, and behavioral testing before anything reaches production. The realistic target for regulated environments.
3
DEFENDED
Provenance + runtime control
Everything in Level 2, plus inline runtime inspection that catches the effects of any poisoning that slipped through — assuming upstream defenses will occasionally fail, and containing the blast radius when they do.
The Gap Even a Good Program Leaves

Here's the uncomfortable core of supply-chain defense: you cannot fully verify a model you didn't train. You can check its hash matches what the publisher released — but that only proves you got the model the publisher intended, not that the publisher's model is clean. The 250-document study shows a backdoor can be planted upstream, at pretraining, by whoever influenced the training data — entirely outside your visibility. Signature verification is necessary and it is not sufficient. Which is why the mature posture assumes some poisoning will get through, and shifts weight to controlling what the model can do and reach at runtime — the one part of the chain you fully own.

"You can verify the model you downloaded is the one the publisher shipped. You cannot verify the publisher's model isn't backdoored — the poison may have been planted upstream, before you ever entered the chain. That's why supply-chain security can't end at the download. It has to extend to runtime, where you control what a compromised model is actually able to do."

— Polygraf AI, on AI supply chain defense
Defense in depth — upstream controls filter, runtime control contains what gets through
Each layer catches what it can; the last layer assumes the others sometimes won't PROVENANCE SBOM · signatures · checksums — reject unverified components VERIFICATION safe formats · scanning · behavioral testing ISOLATION sandboxed load · no egress · least privilege RUNTIME CONTROL inspect I/O · contain effects Whatever poisoning survives every upstream layer meets a runtime control that limits what it can do.
Where Polygraf AI Fits: The Runtime Layer

Let's be precise about the division of labor, because it's where a lot of AI supply-chain marketing overclaims. The upstream defenses — AI SBOMs, model signing, safe serialization, dependency pinning, sandboxed evaluation — are how you keep poison out of the pipeline, and they belong in your MLOps and procurement processes. Polygraf doesn't replace them. What Polygraf does is own Level 3: the runtime layer, on the assumption that upstream controls will occasionally fail.

Polygraf AI's Behavioral Control Plane sits inline at the AI boundary and inspects every input and output in production. If a poisoned or backdoored model tries to exfiltrate sensitive data in its output, Polygraf detects and blocks the sensitive data leaving. If a compromised model or a retrieval-poisoning attack tries to drive an agent toward an unauthorized action, enforcement and least-privilege scoping contain what it can reach. And every decision is logged immutably, giving you the runtime evidence to detect anomalous behavior that a clean-looking benchmark would never reveal. It's the control for the part of the chain you fully own — and the safety net for the parts you don't. On-premise, zero data egress, sub-100ms latency.

Educational overview, not security or legal advice. This article is prepared by Polygraf AI for general information. Specific incident figures (e.g. the ~100 Hugging Face models identified by JFrog and the 250-document poisoning result) reflect the cited research and reporting as published; consult the primary sources for exact methodology and scope. Supply-chain defenses should be selected and validated against your own architecture, threat model, and regulatory obligations.
Polygraf AI

Defend the Part of the Chain You Own

Upstream controls keep poison out of the pipeline. Polygraf AI owns runtime — inspecting every AI input and output inline, blocking data exfiltration, containing compromised behavior, and logging every decision. The safety net for the poisoning that gets through. On-premise, sub-100ms, zero data egress.

Request a Demo →
Air-gap ready · OWASP-aligned · SOC 2 · HIPAA
Deploys in under an hour

NEWS & More

Insights & Updates from Polygraf.

Blog Posts

You can't manage AI risk you haven't measured. Polygraf's AI risk assessment framework helps security teams identify exposure, quantify likelihood, and manage all AI risks.

To learn more about Polygraf, please get in touch.

At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.

Products

thank you

Your download will start now.

Thank you!

Please provide information below and
we will send you a link to download the white paper.