AI Supply Chain Security: Quantum Risks & Model Provenance
Summary
AI systems face a growing trust problem. Researcher Robert Campbell argues that reliance on pre-trained models and third-party data turns AI into a supply chain security problem. His study, "AI Supply Chain Security: MBOM-PQC Provenance, PQC Attestation, and a Maturity Model for Quantum-Resistant Assurance," warns that current AI governance frameworks do not fully verify model lineage or dataset integrity. The gap matters more as post-quantum cryptography reshapes digital security.

Modern AI systems are assembled from many components, so an adversary has multiple points of attack before a model reaches its users. Training-time compromise is a major risk: a poisoned dataset or tampered model weights can subtly alter behavior without any visible change to the artifact. Because AI artifacts are harder to inspect than traditional software, cryptographic verification and detailed provenance records become essential rather than optional.

Existing security frameworks are useful, but they do not require AI-specific lineage records or post-quantum-safe signing. This is a serious gap for AI systems in defense, healthcare, and critical infrastructure, which will remain in operation for years. The study introduces the notion of "harvest-now, forge-later" for AI signatures: adversaries could collect classically signed model artifacts today and, once quantum computers can break the classical signature algorithms, forge signatures on modified versions, eroding trust in the entire chain. The conclusion is that ensuring the integrity and trustworthiness of AI systems requires rethinking their security end to end.
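The paragraphs above describe, but do not show, what a signed provenance record for a model looks like and why the signature algorithm matters for the "harvest-now, forge-later" threat. The block below is an added example and is not code from the paper or a definition of its MBOM-PQC format: it builds a minimal, hypothetical manifest (field names are this example's own) that records SHA-256 digests of the weights and training datasets, signs the manifest with a hash-based one-time signature (Lamport OTS over SHA-256, chosen because it depends only on a hash function and runs with the Python standard library; it is a stand-in for standardized schemes such as ML-DSA or SLH-DSA, not a deployment recommendation), and then checks a release by verifying the signature and recomputing the digests of what was actually received. The weights and dataset bytes are constructed placeholders.

```python
"""Added example: hash-based signing and verification of a model provenance
manifest. Not the paper's code; the manifest layout is hypothetical."""
import hashlib
import json
import os

H = hashlib.sha256
N = 32  # SHA-256 digest length in bytes; a Lamport key has 8*N preimage pairs


def lamport_keygen(rng=os.urandom):
    """Lamport one-time key pair: 256 pairs of random preimages (sk) and their
    SHA-256 images (pk). Security rests on the hash only, not on RSA/ECC."""
    sk = [(rng(N), rng(N)) for _ in range(8 * N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg):
    d = H(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


def lamport_sign(sk, msg):
    """Reveal, per digest bit, the preimage matching that bit's pk half.
    A Lamport key MUST sign only one message; a second signature leaks both halves."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != 8 * N:
        return False
    return all(H(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _digest_bits(msg))))


def artifact_digest(data):
    return H(data).hexdigest()


def build_manifest(model_name, weights, datasets, base_model=None):
    """Hypothetical provenance record: what was trained from what, by digest."""
    return {
        "model": model_name,
        "base_model": base_model,
        "weights_sha256": artifact_digest(weights),
        "datasets": [{"name": n, "sha256": artifact_digest(b)} for n, b in datasets],
        "signature_scheme": "lamport-ots-sha256",
    }


def canonical(manifest):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(sk, manifest):
    return lamport_sign(sk, canonical(manifest))


def verify_release(pk, manifest, sig, weights, datasets):
    """Check the manifest signature first, then that the received artifacts
    really have the digests the signed manifest claims."""
    if not lamport_verify(pk, canonical(manifest), sig):
        return False, "bad signature"
    if artifact_digest(weights) != manifest["weights_sha256"]:
        return False, "weights mismatch"
    received = {n: artifact_digest(b) for n, b in datasets}
    for entry in manifest["datasets"]:
        if received.get(entry["name"]) != entry["sha256"]:
            return False, "dataset mismatch: " + entry["name"]
    return True, "ok"


# Constructed stand-ins for a weights file and a training set (not real artifacts).
WEIGHTS = bytes(range(256)) * 4
TRAIN = b"id,label\n1,cat\n2,dog\n"
DATASETS = [("train-v1", TRAIN)]


def demo():
    """Sign one release, then replay the verifier against four scenarios."""
    sk, pk = lamport_keygen()
    manifest = build_manifest("demo-classifier", WEIGHTS, DATASETS,
                              base_model="hypothetical-base-7b")
    sig = sign_manifest(sk, manifest)
    tampered_weights = WEIGHTS + b"\x00"          # weights swapped after signing
    poisoned = [("train-v1", TRAIN + b"3,cat\n")]  # extra poisoned rows
    # Attacker rewrites the manifest to match tampered weights but reuses the old signature.
    forged_manifest = dict(manifest, weights_sha256=artifact_digest(tampered_weights))
    return {
        "genuine": verify_release(pk, manifest, sig, WEIGHTS, DATASETS),
        "tampered_weights": verify_release(pk, manifest, sig, tampered_weights, DATASETS),
        "poisoned_dataset": verify_release(pk, manifest, sig, WEIGHTS, poisoned),
        "forged_manifest": verify_release(pk, forged_manifest, sig, tampered_weights, DATASETS),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The ordering in `verify_release` is the practical point: the verifier trusts nothing it received until the signature over the manifest checks out, and only then compares the manifest's digests against the bytes on disk, so a tampered weights file, a poisoned dataset, and a rewritten manifest with a replayed signature all fail for distinct, reportable reasons. A forged manifest here fails because the one-time signature reveals preimages for the original digest's bits only; with a classical RSA or ECDSA signature in the same role, a future quantum attacker holding the harvested artifact could instead mint a fresh valid signature, which is the failure mode the paper's "harvest-now, forge-later" term describes. Lamport keys are large and strictly single-use, which is why production systems would use a standardized stateless scheme (SLH-DSA, FIPS 205) or lattice scheme (ML-DSA, FIPS 204) in its place.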
This is an AI-generated audio summary. Always check the original source for complete reporting.