Impact of AI Integration on Software Supply Chain Security and Provenance
The integration of AI writing code into the software supply chain shifts the focus of security from inspecting artifacts to governing the agents and tools involved in the build process. This requires extending lineage tracing to include AI models and autonomous agents, demanding new methods for validating provenance and prioritizing risk based on real exploitability.
Software supply chain security was hard enough. Then AI joined the build pipeline.
For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody chose on purpose?
SolarWinds, Log4Shell, and XZ Utils all taught the same lesson: the risk lives less in the code a
*** END OF TRANSMISSION ***