AI development pipeline attacks expand CISOs’ software supply chain risk

“AI components — e.g., LLM, RAG — are embedded in the software supply chain, making them a new frontier for sophisticated attacks,” Garraghan told CSO. “As OWASP LLM 03:2025 points out, LLMs frequently integrate with external APIs and data sources, introducing significant risks through these dependencies.”

Simply encouraging secure coding practices, however, is not enough.

“CISOs must adopt a proactive security posture that includes continuous AI application testing, software bill of materials transparency, and automated threat detection across the AI development lifecycle,” Garraghan advised.