Supply Chain draft
Control over software supply chain, dependencies, and third-party components
L0 Unaware
No visibility into software dependencies or third-party components; no SBOM exists and supply chain risks are unquantified
Criteria
SUPPLY-L0-C1The organisation has no Software Bill of Materials (SBOM) and cannot enumerate its third-party dependenciesSUPPLY-L0-C2Dependencies are pulled directly from public registries at build time with no pinning, verification, or caching
Indicators
- Developers install packages from public registries without reviewing licenses, maintainers, or known vulnerabilities
- No process exists to evaluate the trustworthiness of new dependencies before adoption
Upgrade path
Implement basic dependency tracking by generating SBOMs for all production applications. Introduce dependency pinning and begin scanning for known vulnerabilities in third-party packages.
Risk if stagnant
Without supply chain visibility, the organisation is exposed to dependency confusion attacks, compromised upstream packages, and undisclosed vulnerabilities. A single poisoned dependency can compromise the entire production environment.
L1 Dependent
Basic dependency tracking exists but relies entirely on provider-managed tools with no independent verification or policy enforcement
Criteria
SUPPLY-L1-C1Dependencies are tracked through a provider-managed tool (e.g., GitHub Dependabot, Snyk) but the organisation has no independent SBOM generationSUPPLY-L1-C2Vulnerability alerts are received from the provider but there is no defined SLA for remediation or escalationSUPPLY-L1-C3AI For each SaaS tool with embedded AI features, the organisation has recorded which underlying model and which model provider powers that featureEvidence guidance
Request the AI feature inventory. For each AI-enabled SaaS tool in use, the inventory should name the model family and version where the vendor discloses it (e.g. GPT-4o behind a given Copilot capability, Claude 3.5 Sonnet behind a given assistant) and the legal entity operating the inference endpoint (OpenAI, Anthropic, the SaaS vendor's own model team, an Azure OpenAI deployment). An entry that lists only the SaaS vendor and a marketing name for the AI feature does not satisfy this criterion. Where the vendor refuses to disclose the model or provider, record that refusal explicitly so the gap is visible rather than hidden.
Indicators
- Automated dependency alerts are enabled but frequently ignored or unactioned
- The organisation cannot produce a complete SBOM independently of its tooling provider
- An AI feature inventory names the model and the model-providing entity for each AI-enabled SaaS tool, with explicit notes where the vendor will not disclose
Regulatory mappings
| Regulation | Articles | Risk | Note |
|---|---|---|---|
AI-ACT | art-25 | medium | Art 25 places obligations along the AI value chain, which only function if the deployer can identify the upstream provider behind a SaaS AI feature. An inventory that stops at the SaaS vendor name leaves the AI Act value-chain surface unmapped. |
NIS2 | art-21 | medium | Art 21(2)(d) supply-chain risk management treats the AI sub-processor chain as part of the supplier inventory. A SaaS tool whose embedded AI is powered by an undisclosed third party is a supplier dependency the organisation cannot risk-manage. |
Upgrade path
Establish contractual requirements for supply chain transparency with all software vendors. Define remediation SLAs for critical and high-severity vulnerabilities. Begin generating provider-independent SBOMs as part of the CI/CD pipeline.
Risk if stagnant
Reliance on a single tool for supply chain visibility creates a false sense of security. If the tool misses a vulnerability or the provider discontinues the service, the organisation has no fallback. Unactioned alerts accumulate into a growing attack surface. Where AI features are in use without a recorded model identity, the supplier chain is materially longer than the contract suggests, and the organisation cannot answer a regulator asking which model processed which data.
L2 Contractual
Supply chain requirements are formalised through contracts with vendors and internal policies for dependency management
Criteria
SUPPLY-L2-C1Contracts with software vendors require SBOM delivery in a standard format (SPDX or CycloneDX) and timely disclosure of known vulnerabilitiesSUPPLY-L2-C2Internal policy defines approved dependency sources, licence compatibility requirements, and vulnerability remediation SLAsSUPPLY-L2-C3AI For SaaS tools with embedded AI features, contracts require advance written notice before the underlying model, model version, or model-providing entity is changed, with a defined notice period and the organisation's right to evaluate the changeEvidence guidance
Review the AI-specific clauses in each SaaS contract. The clause should name a minimum notice period (typically 30 to 90 days) before any model swap, version upgrade, or change of the underlying model provider takes effect for the tenant. Acceptable evidence includes a contractual right to a written change notice describing what changes (model family, version, provider), a defined evaluation window during which the organisation can assess impact, and a documented escalation path. A general 'service may be updated from time to time' clause does not satisfy this criterion. Where the SaaS vendor refuses such terms, document the refusal and the residual risk rather than treating silence as agreement.
SUPPLY-L2-C4AI Where a SaaS vendor offers fine-tuning or customer-specific model adaptation, the contract requires disclosure of the training-data sources and licensing terms of the base model used as the starting pointEvidence guidance
Applies only to SaaS tools where the customer's data is used to fine-tune or otherwise adapt a model (vendor-managed fine-tunes, customer-specific embeddings backed by a vendor model, retrieval-augmented configurations that produce a customer model artefact). For each such tool, the contract or vendor documentation should describe the base model's training-data provenance at a useful level of detail (publicly disclosed corpora, vendor-curated datasets, third-party licensed data) and the licensing terms attached to outputs derived from that base. A clause that names only the customer's own fine-tune contribution and is silent on the base model's training data does not satisfy this criterion. Tools that do not offer fine-tuning are out of scope for this criterion and should be marked not applicable.
Indicators
- SBOMs are received from vendors as part of software procurement and reviewed before deployment
- A dependency policy document exists and is enforced through CI/CD pipeline gates
- AI clauses in SaaS contracts include a model-change notice period with a defined evaluation window for the tenant
- For SaaS tools offering fine-tuning, the contract or vendor documentation describes the base model's training-data sources and the licensing terms attached to derived outputs
Regulatory mappings
| Regulation | Articles | Risk | Note |
|---|---|---|---|
AI-ACT | art-10, art-25 | medium | Art 10 governs the data used to train and adapt AI systems; the deployer cannot assess that data without the provider disclosing the base model's training corpus. Art 25 places obligations along the AI value chain that depend on contractual visibility into model changes; a notice-on-swap clause is the deployer's mechanism to keep its value-chain map current. |
NIS2 | art-21 | medium | Art 21(2)(d) treats supplier changes as supply-chain risk management events. A model swap by an AI sub-processor is a supplier change in everything but name; a contractual notice obligation is the minimum control consistent with NIS2 supply-chain risk-management measures. |
DORA | art-28 | medium | DORA Art 28(2) requires financial entities to assess ICT third-party risk including planned material changes to the service. A model swap underneath a SaaS tool is exactly such a material change, and contractual notice is the precondition for the financial entity to perform that assessment in time. |
Upgrade path
Deploy a private package registry that mirrors approved dependencies. Implement automated SBOM generation and vulnerability scanning integrated into every build pipeline. Begin verifying package signatures and provenance attestations.
Risk if stagnant
Contractual requirements improve transparency but rely on vendor honesty and compliance. Without independent verification, the organisation cannot detect supply chain compromises that vendors themselves may not be aware of. A silent model swap by an AI sub-processor changes the behaviour, jurisdiction, and training surface of the service overnight without the tenant being notified, and a fine-tune built on an opaque base model carries forward whatever licensing risk the base model's training data introduces.
L3 Controlled
Full SBOM generation with automated vulnerability scanning, private package registries, and verified dependency provenance
Criteria
SUPPLY-L3-C1All builds produce machine-readable SBOMs automatically, and a private package registry serves as the sole source for all production dependenciesSUPPLY-L3-C2Dependency signatures and provenance attestations (e.g., SLSA, Sigstore) are verified before any package enters the private registrySUPPLY-L3-C3AI For each AI model in production use, a current model card or equivalent provenance record documents the model's identity, version, training-data categories, intended use, known limitations, and the upstream provider's evaluation resultsEvidence guidance
Request the model card library. For each model behind an in-production AI feature (vendor-hosted SaaS model, self-hosted model, fine-tune of a base model), the record should cover: model identity and version, the legal entity producing the model, training-data categories at the level the provider discloses (e.g. publicly disclosed corpora, licensed datasets, vendor-curated data), declared intended use and out-of-scope use, known limitations and bias evaluations, and version history with the date of the most recent change. Acceptable formats include the original Hugging Face model card, the provider's published model documentation (OpenAI system card, Anthropic model card, Microsoft Responsible AI transparency note), or an internally maintained record where the provider does not publish one. A marketing page describing the AI feature does not satisfy this criterion. Records older than the current model version in production are out of date and should be flagged as such.
Indicators
- No production build can pull dependencies directly from public registries; all packages flow through the private registry
- Provenance verification failures automatically block package ingestion with alerts to the security team
- A model-card library is maintained, with one current record per model in production use; records lagging the production version are flagged for refresh
Regulatory mappings
| Regulation | Articles | Risk | Note |
|---|---|---|---|
AI-ACT | art-13, art-25 | low | Art 13 instructions for use and Art 25 value-chain responsibilities both assume the deployer holds documentation of the model in operation. Maintaining a current model-card library converts those obligations from paperwork commitments into an artefact a deployer or auditor can read. |
NIS2 | art-21 | low | Art 21(2)(d) supply-chain risk management is satisfied for the AI tier when the deployer holds verifiable provenance for each model in production, comparable to SBOM evidence for conventional dependencies. |
DORA | art-28 | low | DORA Art 28(2)(b) ICT concentration-risk assessment for critical third-party services depends on the financial entity holding documentation of the underlying components. For services that embed AI in critical workflows, a current model card per model is the AI-tier equivalent of the SBOM evidence DORA expects for software components. |
Upgrade path
Establish a dedicated supply chain security team that audits critical dependencies at the source-code level. Contribute to or fork essential open-source projects to ensure long-term availability and trustworthiness.
Risk if stagnant
Automated scanning and private registries significantly reduce supply chain risk, but the organisation still depends on upstream maintainers for critical open-source components. A key maintainer abandoning a project or introducing a backdoor remains a residual risk. For the AI tier, model cards depend on what the upstream provider chooses to disclose; opaque training data and undisclosed evaluation results remain residual risks even where the documentation surface is current.
L4 Autonomous
Fully audited sovereign supply chain with source-level review of critical dependencies, maintained forks of essential components, and end-to-end provenance guarantees
Criteria
SUPPLY-L4-C1Critical dependencies are audited at the source-code level, and the organisation maintains forks or mirrors of essential open-source componentsSUPPLY-L4-C2End-to-end supply chain provenance is cryptographically verifiable from source code to production deployment, meeting SLSA Level 3 or higher
Indicators
- The organisation actively contributes to or maintains forks of its most critical open-source dependencies
- Every production artefact includes a cryptographically signed provenance chain traceable to reviewed source code
Risk if stagnant
Maintaining sovereign supply chain controls is resource-intensive. Source-code audits and maintained forks require dedicated staff and ongoing investment. Without sustained commitment, audit coverage degrades and forked dependencies drift from upstream.