
AI/ML supply-chain security: securing your model stack

AI security · 8-min read · updated June 2026

Your model stack is a supply chain: weights, datasets, runtimes and ML libraries all come from somewhere, and each of them can carry risk. Securing AI isn't only about prompts; it is also about what you load, where it came from, and whether the file you load can run code.

The four risk areas

Provenance

  • Know where models & datasets came from
  • Verify signatures/checksums before use
  • Pin the versions (and digests) you trust

Unsafe deserialization

  • Some formats run code on load (pickle-based checkpoints do)
  • Prefer safe serialization formats (for example safetensors)
  • Never load untrusted model files

ML library CVEs

  • PyTorch, TensorFlow, Transformers, vLLM…
  • Match versions to known CVEs
  • Patch on a cadence

Registries & pipelines

  • Trust your model/registry sources
  • Guard training data against poisoning
  • Least-privilege CI/CD for ML

A practical sequence

1. Inventory the stack

List models, datasets, runtimes and ML dependencies with exact versions (and, for artefacts, their digests), so every later step works from the same record.

2. Match to known vulnerabilities

Scan dependencies/SBOM against CVE data; flag vulnerable ML libraries and the version each issue is fixed in.

3. Lock down loading & provenance

Only load trusted, verified artefacts; avoid code-executing formats. A checksum or signature proves you have the file you pinned, not that the file is safe to load, so do both checks.

4. Monitor & re-scan

New CVEs land against ML libraries constantly; re-scan the inventory on a schedule and whenever a version or artefact changes.
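The four steps above carried through in one standard-library Python script. This is an added example, not IsItPatched's scanner or any library's code; the file paths, digests, the "installed" version and the advisory entry are constructed sample input (the advisory is a placeholder with no real CVE behind it), and the safetensors and torch-zip layouts are recognised by content so that a renamed file cannot slip through.

```python
"""Added example (not IsItPatched's scanner nor any library's code): the four steps
above run against a constructed model stack, standard library only. Paths, digests,
'installed' versions and the advisory entry are sample input; the advisory is a placeholder."""
import hashlib, json, os, re, struct, tempfile, zipfile
from collections import namedtuple
from importlib import metadata

SAFE_FORMATS = {"safetensors"}  # JSON header + raw tensor bytes: nothing executes on load
Finding = namedtuple("Finding", "item status detail")

def detect_format(path: str) -> str:
    """Classify by content, not extension (the file name is attacker-controlled)."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head[:2] == b"PK":  # zip container, the layout torch.save writes; the pickle sits inside
        try:
            with zipfile.ZipFile(path) as z:
                return "torch-zip-pickle" if any(n.endswith("data.pkl") for n in z.namelist()) else "zip"
        except zipfile.BadZipFile:
            return "unknown"
    if len(head) == 8:  # safetensors: little-endian u64 header length, then a JSON header
        n = struct.unpack("<Q", head)[0]
        if 0 < n < 100_000_000:
            with open(path, "rb") as f:
                f.seek(8)
                try:
                    if isinstance(json.loads(f.read(n)), dict):
                        return "safetensors"
                except ValueError:
                    pass
    return "unknown"  # raw pickles and anything else land here and are refused by the allowlist

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # fine for demo files; stream in chunks for multi-GB weights

def check_artefacts(manifest: dict) -> list:
    """Steps 1 and 3: every pinned artefact must exist, be a safe format and match its pinned digest."""
    out = []
    for name, pin in manifest.items():
        if not os.path.exists(pin["path"]):
            out.append(Finding(name, "missing", pin["path"]))
            continue
        fmt = detect_format(pin["path"])
        if fmt not in SAFE_FORMATS:  # a correct digest does not make a pickle safe, so refuse first
            out.append(Finding(name, "unsafe-format", fmt))
            continue
        digest = sha256_file(pin["path"])
        out.append(Finding(name, "ok" if digest == pin["sha256"] else "digest-mismatch", digest))
    return out

def vtuple(v: str) -> tuple:
    """Simplified key: numeric release segment only ('2.0.3+cu121' -> (2, 0, 3)); real scanners do full PEP 440."""
    parts = []
    for seg in v.split("+")[0].split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))

def match_advisories(advisories: list, installed: "dict | None" = None) -> list:
    """Step 2: compare installed versions (importlib.metadata, or a supplied inventory) to each fixed version."""
    out = []
    for adv in advisories:
        pkg = adv["package"]
        try:
            v = installed[pkg] if installed and pkg in installed else metadata.version(pkg)
        except metadata.PackageNotFoundError:
            continue  # not installed: nothing to match against
        status = "vulnerable" if vtuple(v) < vtuple(adv["fixed_in"]) else "ok"
        out.append(Finding(pkg, status, f"{v} vs fixed-in {adv['fixed_in']} ({adv['ref']})"))
    return out

def write_safetensors(path: str, name: str, values: list) -> str:
    """Write a minimal safetensors file by hand (no library needed) and return its sha256."""
    data = struct.pack(f"<{len(values)}f", *values)
    header = json.dumps({name: {"dtype": "F32", "shape": [len(values)], "data_offsets": [0, len(data)]}}).encode()
    with open(path, "wb") as f:
        f.write(struct.pack("<Q", len(header)) + header + data)
    return sha256_file(path)

def demo() -> dict:
    d = tempfile.mkdtemp()
    good = os.path.join(d, "encoder.safetensors")
    digest = write_safetensors(good, "w", [0.5, -1.0])
    legacy = os.path.join(d, "legacy.pt")  # constructed: zip around a pickle, as torch.save lays it out
    with zipfile.ZipFile(legacy, "w") as z:
        z.writestr("archive/data.pkl", b"\x80\x04N.")  # pickle of None; a real one carries arbitrary opcodes
    manifest = {
        "encoder": {"path": good, "sha256": digest},
        "legacy": {"path": legacy, "sha256": sha256_file(legacy)},  # pinned correctly, still a pickle
        "tampered": {"path": good, "sha256": "0" * 64},  # the pinned digest no longer matches
    }
    advisories = [{"package": "example-ml-lib", "fixed_in": "2.1.0", "ref": "placeholder, not a real CVE"}]
    installed = {"example-ml-lib": "2.0.3+cu121"}  # constructed inventory so the demo runs offline
    return {"artefacts": {f.item: f.status for f in check_artefacts(manifest)},
            "libraries": {f.item: f.status for f in match_advisories(advisories, installed)}}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports the correctly pinned safetensors file as ok, the pinned-but-pickle-based checkpoint as an unsafe format, the file whose digest drifted as a mismatch, and the constructed library version as below its fixed version. The allowlist is the important design choice: every format not positively identified as code-free is refused, rather than blocklisting the ones known to be dangerous.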

Two halves of one problem: this covers the software supply chain of AI. For the runtime behaviour of agents built on that stack, pair it with securing AI agents end-to-end.


Frequently asked questions

Is an AI/ML stack really a supply-chain problem?

Yes. Models, weights, datasets and ML libraries (PyTorch, TensorFlow, Transformers, vLLM and so on) are software and data with provenance and known vulnerabilities — the same supply-chain discipline applies.

What is the unsafe-deserialization risk?

Some model formats execute arbitrary code when loaded: Python pickle-based formats are the usual case, and a checkpoint is a pickle whatever its extension says. Loading an untrusted model file in such a format is remote code execution on the loading host. Prefer formats that cannot carry code (safetensors stores a JSON header and raw tensor bytes), load only trusted, verified artefacts, and where a pickle-based checkpoint is unavoidable load it through a restricted unpickler (PyTorch's torch.load(..., weights_only=True) is one) rather than a plain pickle.load. A matching checksum or signature tells you the file is the one you pinned, not that it is safe to load.
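What "runs code on load" means in practice, as an added example for both the Unsafe deserialization risk area above and this answer; it is not the page's, PyTorch's or any library's code. The MaliciousWeights class, its exec payload (which only sets an environment variable), the benign "checkpoint" and the allowlist in RestrictedUnpickler are all constructed for the demo; the opcode scan uses pickletools from the standard library, and the restricted unpickler is the allowlisting pattern the Python pickle documentation describes.

```python
"""Added example (not from the page, PyTorch or any library): a pickle-based
checkpoint that runs code on load, next to two defences: a static opcode scan
and an allowlisting unpickler (the pattern from the Python pickle docs).
The 'weights', the payload and the allowlist are constructed for the demo."""
import io
import os
import pickle
import pickletools

MARKER = "PICKLE_DEMO_EXECUTED"  # the payload sets this env var instead of doing anything harmful

class MaliciousWeights:
    """Stand-in for a tampered checkpoint object: __reduce__ tells pickle to call exec() during load."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))

def build_malicious_blob() -> bytes:
    return pickle.dumps({"state_dict": MaliciousWeights()}, protocol=4)

def build_benign_blob() -> bytes:
    """Pure data: what a checkpoint made of plain containers pickles to."""
    return pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]}, protocol=4)

def naive_load(blob: bytes):
    """What an unrestricted pickle.load (or torch.load without weights_only) does with an untrusted file."""
    return pickle.loads(blob)

# opcodes that resolve importable names or call something; pure-data pickles never need them
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "BUILD", "EXT1", "EXT2", "EXT4"}

def scan_pickle(blob: bytes) -> list:
    """Defence 1: walk the opcode stream with pickletools without executing it; return the risky opcodes."""
    hits = []
    for op, arg, pos in pickletools.genops(io.BytesIO(blob)):
        if op.name in CODE_OPCODES:
            hits.append((pos, op.name, arg))
    return hits

class RestrictedUnpickler(pickle.Unpickler):
    """Defence 2: resolve only an explicit allowlist of module.name pairs; refuse anything else before it runs."""
    # assumption for this demo; a real tensor checkpoint needs more names, which is what
    # torch.load(weights_only=True) allowlists on PyTorch's side
    ALLOWED = {("collections", "OrderedDict")}
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name} from an untrusted pickle")

def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def demo() -> dict:
    os.environ.pop(MARKER, None)
    bad, good = build_malicious_blob(), build_benign_blob()
    result = {
        "benign_scan_hits": len(scan_pickle(good)),
        "malicious_scan_hits": [name for _, name, _ in scan_pickle(bad)],
    }
    try:
        restricted_load(bad)
        result["restricted_refused"] = False
    except pickle.UnpicklingError:
        result["restricted_refused"] = True
    result["marker_after_restricted"] = os.environ.get(MARKER)  # None: the payload never ran
    naive_load(bad)  # no defences: exec() runs while the file is still being loaded
    result["marker_after_naive"] = os.environ.pop(MARKER, None)  # '1'
    return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scan is the cheap pre-check you can run in CI on any pickle-based artefact: a pure-data checkpoint yields no hits, while the tampered one shows STACK_GLOBAL followed by REDUCE (a name lookup and a call). The restricted unpickler is the runtime control; it refuses the file at the name lookup, so the payload never executes, whereas the naive load runs it before returning anything.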

Do ML libraries get CVEs?

Frequently. Treat your ML dependencies like any other: track versions, match them to known CVEs, and patch on a cadence — see reading an SBOM.

How do I track this in IsItPatched?

Scan your dependency manifest / SBOM to flag vulnerable ML components, and (soon) browse the AI & ML software vulnerabilities view. Start with the SBOM scanner.

This guide is vendor-neutral and informational, grounded in publicly available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.
