R28 — AI Supply Chain Compromise
Compromised foundation models, malicious model hubs, dependency confusion in ML pipelines. Detection + prevention; high residual because trust must be transitive.
What is AI Supply Chain Compromise?
R28 covers compromised foundation models, malicious model hubs, and dependency confusion in ML pipelines. It is modelled on both the detection and prevention sides, with a high residual because trust in an AI supply chain must be transitive: every upstream model, dataset, and dependency has to be trusted in turn. CISO Game tracks this as R28 in the live risk register, severity 8 (Major), category AI.
How does CISO Game model AI Supply Chain Compromise?
Exposure for R28 runs from 0 to 100 and is recomputed live as you buy, cancel, or reassign products.
Real-world parallel
AI supply chain compromise — poisoned model weights from public registries (Hugging Face), compromised training datasets, hostile fine-tunes published as benign — is the AI-specific variant of R06. The defenses (model-card review, weight integrity verification, sandboxed evaluation) are still being productized.
How do security teams mitigate AI Supply Chain Compromise?
The dominant subscore levers for this risk are:
- Prevention subscore — weight 30%
- Detection subscore — weight 15%
- Response subscore — weight 15%
- Recovery subscore — weight 10%
Residual offset: +20 exposure points are structural — no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.
Gated: only active when AI focus is enabled in Setup.
Which investments mitigate AI Supply Chain Compromise?
Products in CISO Game that reduce exposure to R28:
- SCA (dependency scanning) · AppSec
- AI Firewall (LLM I/O guardrails) · AI Security
- AI Governance & ISO 42001 program · AI Security
- Model SBOM + Provenance · AI Security
- SBOM-as-Procurement-Gate (CRA / EO 14028 / SLSA) · Governance
- AI System Inventory & Classification · AI Security
- Third-Party Model Procurement DD Program · AI Security
Which related risks should you also watch?
Risks with similar dominant subscores or shared category — addressing one often helps the others:
- R30 EU AI Act High-Risk Non-Conformity · AI · severity 9
- R48 Third-Party Model Procurement DD Gap · AI · severity 7
- R26 Hallucination → Misinformation Liability · AI · severity 6
- R04 Web Application Attack · External · severity 8
Why does AI Supply Chain Compromise matter to a CISO?
AI risk is the newest category in the register. AI Supply Chain Compromise requires controls that are still maturing — model cards, AI red-teaming, AI-SPM, prompt-injection detection. CISO Game's AI focus toggle activates these.
How can you test your mitigation strategy?
Click Play CISO Game free to see R28 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.
Stress-test AI Supply Chain Compromise in the AI startup scenario.