
Software supply chain security was difficult enough. Then AI joined the build pipeline.
For five years, “software supply chain security” meant one question: What’s in your code? What open source packages, what versions, what transitive dependencies three layers deep that no one intentionally chose?
SolarWinds, Log4Shell and XZ Utils Everyone has learned the same lesson: risk lies less in the code a team writes than in everything it produces. Shai Hulud, The self-propagating malicious packaging campaign that spread across developer toolchains this year taught the next lesson: Knowing what’s in your code is still necessary, but it’s no longer enough.
In the roughly 20 months since the launch of the Model Context Protocol, AI tools, models and the infrastructure surrounding them have become integral parts of the way software is built, deployed and executed. Code is written by agents. Packets are collected by autonomous tools that decide whether they are needed. Prompts have become a real input to the build, meaning they are a real way to compromise it. When most security programs were developed, none of this was foreseen.
Table of Contents
Where the risk actually moved
It’s tempting to treat AI-generated code as just another code, run it through the same scanners and call it covered. This gives a false indication of where the risk has moved.
The provenance question that has always defined supply chain security – where does it come from and can I trust it – now applies to the model, the agent and the tools, not just the artifact. An AI coding assistant suggests a dependency and a developer accepts it without the package ever exceeding a human’s threat model. An autonomous agent reaches for one tool through MCP to complete a task, and that tool reaches for another. A prompt created by an attacker and placed somewhere the model can read controls what is written or read.
Validating AI-generated code before handoff is a major challenge. The harder problem is controlling the agents that do the writing and the tools that call them.
What a program looks like when AI is in use
The teams we work with have no shortage of insights. They drown in it. Adding “Also scan the AI output” to an already overloaded queue makes the alert stack larger, not the program stronger. Two things change when AI is actually used.
First, lineage must extend to everything entering the pipeline, including models and agents. One approach is to extend lineage to the pipeline itself – tracking activity, lineage, and configuration changes from initial commit to runtime, and applying the same rigor to models and agents as any other dependency.
Second, prioritization must be based on actual exploitability and not quantity. The difference between a vulnerability list and a working exploit chain is relating the results to the runtime context and what is actually achievable. This difference matters more, not less, when an agent can generate a thousand lines of plausible code before lunch.
This is the gap that Gartner formalized in June when it published the first Magic Quadrant for Software Supply Chain Security – the market’s recognition that a problem that teams without a budget line have defended is now something worth systematically evaluating.
On July 22nd, OX researchers will host a webinar – How AI is transforming supply chain security as we know it – to review new research with security leaders who are doing this work from the inside out. We discuss how AI integration has changed the attack surface, insights from the first systematic look at MCP servers in the wild, and what a supply chain security program actually looks like when AI is integrated into the scope rather than added as an afterthought.
Register here. Bring tough questions.

Did you find this article interesting? This article is a contribution from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we publish.
https://thehackernews.com/2026/07/what-changes-when-your-software-supply.html
