AI Supply Chain
ai-supply-chain · Frontier safety
The end-to-end pipeline of inputs, intermediate artefacts, and downstream applications by which an AI system is built and deployed — typically decomposed as training data → compute → model weights → fine-tuning → deployment → downstream applications.
Definition & scope
The AI supply-chain framing treats AI development as an industrial value chain in which each upstream stage constrains what the downstream stage can do, and each stage raises distinct governance questions. Training data raises copyright, consent, and bias questions (NYT v. OpenAI, GEMA v. OpenAI, Andersen v. Stability AI). Compute raises export-control and concentration questions (US BIS rules on advanced GPUs to China, the CHIPS Act, the 2024 EU Chips Act). Model weights raise open-vs-closed governance questions (Meta Llama, Mistral, DeepSeek vs. closed frontier labs). Fine-tuning raises capability-elicitation questions (Qi et al. 2023 'Fine-tuning Aligned LLMs Compromises Safety'). Deployment raises monitoring and incident-reporting questions. Downstream applications raise sectoral-liability questions (medical-device AI, automated decision-making in employment). Governance treatment is fragmented across the chain. EU AI Act Recital 60 + Art. 25 introduces explicit value-chain obligations: the GPAI provider and the downstream deployer have different obligations, and contracts must allocate them. US EO 14110 §4.2 targeted the compute stage (Defense Production Act reporting for foundation-model training above the threshold). NIST AI RMF GenAI Profile (NIST AI 600-1, 2024) names 'Value Chain and Component Integration' as one of twelve GenAI risk categories. ASEAN AI Guide §3 treats the supply chain as a 'shared responsibility' across actors. The supply-chain framing is increasingly the unit of governance analysis because chokepoints (compute access, training-data legality, weight distribution) determine where policy levers have purchase.
Stage Decomposition and the Chokepoint Logic
The supply-chain framing decomposes AI production into sequential stages — training data → compute → model weights → fine-tuning → deployment → downstream applications — where each upstream stage materially constrains the downstream one. Its analytical payoff is the identification of chokepoints: stages concentrated or detectable enough to host policy levers. Compute is the canonical case: Sastry et al. argue it is uniquely governable because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain" 1. Lehdonvirta, Wú and Hawkins sharpen this geographically, mapping a "Compute North" hosting training-relevant capacity against a "Compute South" 2, so a single chokepoint distributes governance capacity unevenly across states. The corollary, flagged in this concept's notes, is that conflating a stage-level lever (GPU export controls) with an end-to-end claim is a recurring analytical error, because purchase varies sharply by stage.
Compute Thresholds and Data Legality as Stage-Specific Levers
Two stages illustrate how levers are engineered against stage-specific properties. At the compute stage, training-FLOP thresholds proxy for capability: Heim and Koessler find "training compute currently is the most suitable metric to identify GPAI models" while cautioning thresholds should trigger scrutiny rather than fix risk 3. The proxy is fragile — Pistillo and Villalobos document "enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities," opening legal loopholes 4. At the data stage, the lever is legality: Radeisen argues Art. 3 CDSM Directive's research TDM exception "does not grant rightsholders any control" and can be a training safe harbor 5, while Havlikova shows the opt-out is brittle in practice — "While the TDM exceptions may seem workable in theory, implementing them in practice presents" obstacles (robots.txt, machine-readability, memorisation).
Governance Allocation Across the Chain
Because obligations attach to different actors at different stages, the central design problem is allocation. The EU AI Act (Regulation (EU) 2024/1689) addresses this directly: Art. 25 ("Responsibilities Along the AI Value Chain") and Recital 88 introduce value-chain obligations under which value-chain parties must supply the downstream provider, by written agreement, the information and technical access needed for compliance — allocating duties by contract. US EO 14110 §4.2 targeted only the compute stage, invoking Defense Production Act reporting for training above a threshold, while NIST AI 600-1 (Jul 2024) names "Value Chain and Component Integration" among twelve GenAI risk categories, and ASEAN's AI Guide §3 frames the chain as "shared responsibility." Novelli et al. show why allocation is hard: generative-AI liability, GDPR, copyright and cybersecurity rules apply unevenly across the chain, leaving gaps 6. Definitional instability compounds this — Fernández-Llorca et al. trace how "AI system, general purpose AI system, foundation model, and generative AI" shifted across Act drafts 7.
Debates and Open Questions
With empirical consensus still emerging, several questions remain open. First, whether compute-based governance is durable or merely the most legible lever for now: Sastry et al. 1 treat compute as governable, yet Pistillo and Villalobos 4 show thresholds are circumventable, leaving the data and weights stages comparatively ungoverned. Second, fragmentation: Weymouth argues states assert "strategic digital sovereignty...through selective alliances," splintering infrastructure into techno-blocs 8, while Kollar and Stokols show sovereign-compute drives reorganise land, energy and regulation 9 — implying chokepoint levers may fracture rather than coordinate global governance. Third, data-stage tensions persist: Ruschemeier notes models that "memorize and leak pieces of training data" cannot be anonymous under GDPR 10, and Kretschmer et al. call the UK opt-in/opt-out framing a "missed opportunity" 11. The AI-SBOM regime (CISA/G7, 2026) signals the weights and component stage is the next frontier (CISA 2026).
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| EU AI Act | EU | in force |
| NIST AI RMF Generative AI Profile | US | in force |
| ASEAN Guide on AI Governance and Ethics | ASEAN | in force |
Appears in topic articles
Editorial note
When citing 'AI supply chain' in policy contexts, name the stage of interest (data / compute / weights / deployment) because governance levers are stage-specific. Confusing stage-level interventions (e.g. export controls on GPUs) with end-to-end claims is one of the most common policy-analysis errors in this domain. Currency (2026-06-21): Definition still accurate, but AI-SBOM governance materially advanced since iter-443: CISA and G7 published Software Bill of Materials for AI Minimum Elements on 2026-05-13 (seven clusters), standardizing the AI-SBOM regime the evidenceBase only cites via SPDX 3.0 / OWASP CycloneDX, and the in-the-wild compromise remains rare caveat is now dated given scaled 2025-26 attacks (nullifAI pickle-backdoored models, a fake-OpenAI Hugging Face model at 244K downloads, the Mar-2026 LiteLLM PyPI 500K-credential compromise, 341 malicious ClawHub agent-skills).
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 78 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- Geopolitical ecologies of cloud capitalism: Territorial restructuring and the making of national computing power in the U.S. and China Peer-reviewed✦ AIUS and Chinese drives for sovereign AI/cloud dominance depend on reorganizing land, energy and regulatory systems to sustain large-scale national computing power.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- Copyright and AI in the UK: Opting-In or Opting-Out? Peer-reviewed✦ AIContends the UK opt-in/opt-out framing is a 'missed opportunity'; a broadened research exception plus market-entry transparency and creator remuneration would better serve both innovation and rightsholders.
- Technical Challenges of Rightsholders' Opt-out From Gen AI Training after Robert Kneschke v. LAION Peer-reviewed✦ AIExamines post-LAION practical obstacles to the EU TDM opt-out (robots.txt, machine-readability, memorisation): 'While the TDM exceptions may seem workable in theory, implementing them in practice presents a variety of practical…
- Digital Disintegration: Techno-Blocs and Strategic Sovereignty in the AI Era Peer-reviewed✦ AIArgues states increasingly assert 'strategic digital sovereignty...through selective alliances with firms and other governments,' fragmenting global AI infrastructure into techno-blocs rather than multilateral order.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Computing Power and the Governance of Artificial Intelligence Preprint✦ AIArgues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation Preprint✦ AIFinds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
+ 66 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Sastry, Heim, Belfield, Anderljung, Brundage, et al. (2024) Computing Power and the Governance of Artificial Intelligence, arXiv. arXiv:2402.08797 — Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain". ↩
- Lehdonvirta, Wú & Hawkins (2024) Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe, AIES Proceedings. 10.1609/aies.v7i1.31683 — Census of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance. ↩
- Heim & Koessler (2024) Training Compute Thresholds: Features and Functions in AI Regulation, arXiv. arXiv:2405.10799 — Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone. ↩
- Matteo Pistillo, Pablo Villalobos (2025) Defending Compute Thresholds Against Legal Loopholes, arXiv (cs.CY). arXiv:2502.00003 — Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds. ↩
- Arne Radeisen (2026) Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem, GRUR International. 10.1093/grurint/ikag002 — Argues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data. ↩
- Novelli, Casolari, Hacker, Spedicato & Floridi (2024) Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity, Computer Law & Security Review. 10.1016/j.clsr.2024.106066 — Examines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Stephen Weymouth (2025) Digital Disintegration: Techno-Blocs and Strategic Sovereignty in the AI Era, International Organization. 10.1017/S0020818325101070 — Argues states increasingly assert 'strategic digital sovereignty...through selective alliances with firms and other governments,' fragmenting global AI infrastructure into techno-blocs rather than multilateral order. ↩
- Justin Kollar, Andrew Stokols (2026) Geopolitical ecologies of cloud capitalism: Territorial restructuring and the making of national computing power in the U.S. and China, Environment and Planning A: Economy and Space. 10.1177/0308518X251369704 — US and Chinese drives for sovereign AI/cloud dominance depend on reorganizing land, energy and regulatory systems to sustain large-scale national computing power. ↩
- Hannah Ruschemeier (2025) Generative AI and data protection, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.2 — Examines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous. ↩
- Martin Kretschmer, Bartolomeo Meletti, Lionel Bently, Gabriele Cifrodelli, Magali Eben, Kristofer Erickson, Aline Iramina, Zihao Li, Luke McDonagh, Emma Perot, Luis Porangaba, Amy Thomas (2025) Copyright and AI in the UK: Opting-In or Opting-Out?, GRUR International. 10.1093/grurint/ikaf093 — Contends the UK opt-in/opt-out framing is a 'missed opportunity'; a broadened research exception plus market-entry transparency and creator remuneration would better serve both innovation and rightsholders. ↩
- NIST AI 600-1 (Jul 2024), 'AI Risk Management Framework: Generative AI Profile' — names 'Value Chain and Component Integration' as a primary risk category.
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/ai-supply-chain — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The AI supply chain as an exploitable attack surface is empirically demonstrated, not merely theorized: web-scale training-data poisoning is shown to be practical and cheap (Carlini et al. 2023 could have poisoned 0.01% of LAION-400M/COYO-700M for ~$60 via split-view and frontrunning attacks), pre-training poisons can persist through SFT/DPO alignment (Zhang et al. 2024 found 3 of 4 attack objectives persist after post-training, with denial-of-service persisting at a 0.001% poisoning rate, tested across 600M-7B models), and a near-constant document budget (~250 docs) backdoors models from 600M to 13B parameters regardless of dataset size (Anthropic/UK AISI/Alan Turing Institute 2025); downstream model-distribution tampering also has a working proof-of-concept (PoisonGPT, a ROME-edited GPT-J typosquatted on Hugging Face, Mithril Security 2023). Caveat: all of these are controlled red-team / proof-of-concept studies; documented in-the-wild compromise of a production frontier model via these vectors remains rare.
Sources: Carlini et al. 2023 (Poisoning Web-Scale Training Datasets is Practical, arXiv:2302.10149; IEEE S&P 2024); Zhang et al. 2024 (Persistent Pre-Training Poisoning of LLMs, arXiv:2410.13722); Anthropic / UK AI Security Institute / Alan Turing Institute 2025 (A small number of samples can poison LLMs of any size); Mithril Security 2023 (PoisonGPT, blog.mithrilsecurity.io)
There is no impact evaluation showing that any AI-supply-chain governance instrument measurably reduces supply-chain harm: provenance/documentation regimes (model cards, Mitchell et al. 2019; AI bills of materials / AI-SBOM via Linux Foundation SPDX 3.0 and OWASP CycloneDX ML-BOM) are standardized and advocated for transparency but unvalidated against outcomes, and the closest mature analogue — software SBOMs — shows documented incompleteness and tool/format inconsistency in vulnerability detection (O'Donoghue et al. 2024 found high variability in reported vulnerabilities attributable solely to SBOM generator and format) plus persistent practitioner concern that SBOMs function as a compliance checkbox or 'alleged compliance' rather than a demonstrated security improvement (SBOM systematic reviews and landscape studies, 2024-2025). The evidence that governance of the AI supply chain works is thin and largely extrapolated from software-supply-chain experience.
Sources: Mitchell et al. 2019 (Model Cards for Model Reporting, FAccT, arXiv:1810.03993); Linux Foundation 2024 (Implementing AI Bill of Materials with SPDX 3.0); O'Donoghue, Boles, Izurieta & Reinhold 2024 (Impacts of SBOM Generation on Vulnerability Detection, SCORED Workshop, ACM 10.1145/3689944.3696164)