R-CS-08 | Cybersecurity & Adversarial | DAMAGE 4.0 / Critical

Supply Chain Compromise (Model, Plugin, Tool)

A compromised third-party component is inherited by every agent that invokes it. Supply chain controls validate components at deployment, not at runtime invocation.

The Risk

Agents dynamically discover and select tools, plugins, and models at runtime. An agent may query a tool registry, find a matching tool, and invoke it. The agent does not verify the tool's provenance or security. If a tool in the registry is compromised or malicious, every agent that invokes it is compromised.

Supply chain risk in agentic systems is multiplicative: a single compromised tool can affect thousands of agents, all processing millions of transactions. Traditional supply chain risk management (vendor assessment, contract review) assumes static relationships. Agentic supply chains are dynamic: new vendors are discovered at runtime, relationships are temporary, and oversight is impossible at scale.

How It Materializes

A financial services consortium operates a shared tool registry where vendors publish tools that agents can discover and use. The registry includes fraud detection tools, identity verification tools, sanction screening tools, and compliance checking tools.

A malicious vendor (or a vendor whose system is compromised) publishes a tool labeled "Advanced-Sanction-Screening-V2" to the registry. The tool's description claims it performs enhanced sanction screening using the latest UN and EU sanctions lists.

Banks' agents discover the tool in the registry and begin invoking it for sanction screening. Hundreds of banks' agents invoke the malicious tool for millions of transactions over the next month. The malicious tool, rather than properly screening transactions, is designed to return approval for any transaction to an attacker-designated list of beneficiaries (sanctions evasion) and log all transaction details to the attacker's server (intelligence gathering).

Over 30 days, the attacker's tool processes 5 million transactions, approving 10,000 sanctions evasions and collecting transaction data on 5 million transactions. The compromise is discovered when a regulator notices unusual sanction approval rates from multiple banks simultaneously. Multiple banks face OFAC penalties for processing sanctions-evasion transactions and customer data exposure penalties.

DAMAGE Score Breakdown

Dimension | Score | Rationale
D - Detectability | 3 | Tool compromise is difficult to detect because tools are invoked as trusted services. Requires monitoring of tool behavior or external notification of compromise.
A - Autonomy Sensitivity | 5 | High when agents autonomously discover and invoke tools without human verification.
M - Multiplicative Potential | 5 | A single compromised tool affects all agents invoking it. At scale, affects millions of transactions.
A - Attack Surface | 4 | Tool registry, tool development infrastructure, and tool supply chain are all attack surfaces.
G - Governance Gap | 4 | Institutions may not have TPRM processes for tools discovered in registries. TPRM assumes known vendors.
E - Enterprise Impact | 5 | A compromised tool can execute arbitrary malicious behavior on behalf of agents. Material compliance, financial, and reputational impact.
Composite DAMAGE Score | 4.0 | Critical. Requires immediate architectural controls. Cannot be accepted.

Agent Impact Profile

How severity changes across the agent architecture spectrum.

Agent Type | Impact | How This Risk Manifests
Digital Assistant | Low | Human selects tools manually. Compromised tools are not automatically used.
Digital Apprentice | Medium | Agents discover tools but require human approval before first use.
Autonomous Agent | Critical | Agents autonomously discover and invoke tools. Compromised tools are invoked immediately.
Delegating Agent | Critical | Primary function is dynamic tool invocation. Compromised tools directly affect all delegations.
Agent Crew / Pipeline | Critical | Crew agents discover and invoke tools. Compromise affects the entire crew.
Agent Mesh / Swarm | Critical | Mesh agents dynamically invoke tools. Compromise affects mesh-wide behavior.

Regulatory Framework Mapping

Framework | Coverage | Citation | What It Addresses | What It Misses
NIST AI RMF 1.0 | Partial | GOVERN 6.2 (Supply Chain Risk) | Supply chain risk management. | Dynamic tool discovery and supply chain risk.
OCC Guidance (TPRM) | Partial | SR 13-19 | Third-party risk management. | Runtime tool discovery and dynamic third-party relationships.
NIST CSF 2.0 | Partial | ID.SC-1, ID.SC-2 | Supply chain risk management. | Agentic supply chain and tool discovery.
NIST SSDF | Partial | PO 3.2 (Secure Development) | Software security practices. | Verification and validation of third-party tools at runtime.
NTIA SBOM | Partial | Software Bill of Materials | Transparency of software components. | Dynamic tool discovery and component tracking.

Why This Matters in Regulated Industries

Regulations explicitly require third-party risk management. Regulators assess whether institutions have processes to vet third parties, monitor their security, and manage risks. Supply chain compromises are a major regulatory focus.

If agents autonomously invoke third-party tools without TPRM oversight, the institution is operating outside its governance framework. A regulator will view this as inadequate third-party risk management, regardless of whether the tool was actually compromised.

Controls & Mitigations

Design-Time Controls

  • Require all tools in registries to be vetted through the TPRM process before they become available for agent discovery. Only approved vendors' tools can be published.
  • Implement cryptographic signing and verification of tools. Tools must be digitally signed by the vendor, and agents verify the signature before invoking.
  • Use Component 2 (Cryptographic Identity) to establish vendor identity. Only tools from verified vendors are trusted.
  • Maintain an approved tool list. Agents can only discover and invoke tools on the approved list, which prevents discovery of compromised or malicious tools.
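The four design-time controls above compose into a single pre-invocation gate. The following is an added example written for this page, not code from the framework or any vendor. It assumes constructed manifest field names, a constructed registry URL and vendor key, and uses HMAC-SHA256 with a per-vendor key as a stand-in for the vendor's digital signature so that it runs on the Python standard library alone; a real deployment would verify an asymmetric signature (for example Ed25519) against the vendor's public key obtained through the identity component, with the same check order.

```python
"""Added example: a pre-invocation gate enforcing approved vendor, approved
tool with a pinned artifact digest, a valid vendor signature over the manifest,
and an official registry source. HMAC is an assumption standing in for the
vendor's asymmetric signature; all names, URLs and keys are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

OFFICIAL_REGISTRY = "https://registry.example.test/tools/"  # constructed


def canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def vendor_sign(manifest: dict, vendor_key: bytes) -> str:
    """Vendor side: the signature published alongside the manifest (HMAC stand-in)."""
    return hmac.new(vendor_key, canonical(manifest), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate(manifest, signature, source_url, approved, vendor_keys) -> Decision:
    """Agent side: every check must pass before the tool may be invoked."""
    # 1. Only the official registry location is acceptable.
    if not source_url.startswith(OFFICIAL_REGISTRY):
        return Decision(False, "unexpected source location")
    vendor, name = manifest.get("vendor"), manifest.get("name")
    # 2. The vendor must have been vetted through TPRM.
    if vendor not in approved:
        return Decision(False, f"vendor not on approved list: {vendor}")
    # 3. The specific tool must be on the approved list for that vendor.
    pinned = approved[vendor].get(name)
    if pinned is None:
        return Decision(False, f"tool not on approved list: {name}")
    # 4. The artifact digest must match the digest pinned at approval time.
    if not hmac.compare_digest(manifest.get("artifact_sha256", ""), pinned):
        return Decision(False, "artifact digest does not match pinned digest")
    # 5. The manifest must carry a valid signature from the vendor's registered key.
    key = vendor_keys.get(vendor)
    if key is None:
        return Decision(False, "no identity key registered for vendor")
    if not hmac.compare_digest(vendor_sign(manifest, key), signature):
        return Decision(False, "signature invalid")
    return Decision(True, "ok")


# --- constructed sample data ---------------------------------------------
VENDOR_KEYS = {"verified-vendor-a": b"constructed-vendor-key-not-a-real-secret"}
ARTIFACT = b"def screen(txn): ...  # constructed placeholder for tool code"
GOOD_MANIFEST = {
    "vendor": "verified-vendor-a",
    "name": "sanction-screening",
    "version": "1.4.0",
    "artifact_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
}
APPROVED = {"verified-vendor-a": {"sanction-screening": GOOD_MANIFEST["artifact_sha256"]}}
GOOD_SIG = vendor_sign(GOOD_MANIFEST, VENDOR_KEYS["verified-vendor-a"])
GOOD_URL = OFFICIAL_REGISTRY + "sanction-screening"


def demo_scenarios() -> dict:
    """Run the gate over five registry entries and return each decision."""
    lookalike = {"vendor": "unknown-vendor", "name": "Advanced-Sanction-Screening-V2",
                 "version": "2.0", "artifact_sha256": hashlib.sha256(b"x").hexdigest()}
    tampered = dict(GOOD_MANIFEST, artifact_sha256=hashlib.sha256(b"modified").hexdigest())
    return {
        "approved": gate(GOOD_MANIFEST, GOOD_SIG, GOOD_URL, APPROVED, VENDOR_KEYS),
        "unvetted_lookalike": gate(lookalike, "0" * 64, OFFICIAL_REGISTRY + lookalike["name"],
                                   APPROVED, VENDOR_KEYS),
        "tampered_artifact": gate(tampered, GOOD_SIG, GOOD_URL, APPROVED, VENDOR_KEYS),
        "forged_signature": gate(GOOD_MANIFEST, "0" * 64, GOOD_URL, APPROVED, VENDOR_KEYS),
        "mirror_source": gate(GOOD_MANIFEST, GOOD_SIG,
                              "https://mirror.example.test/sanction-screening", APPROVED, VENDOR_KEYS),
    }


if __name__ == "__main__":
    for label, d in demo_scenarios().items():
        print(f"{label:20s} allowed={d.allowed!s:5s} {d.reason}")
```

The order of checks matters: the cheap allowlist and source checks run before any cryptographic work, so an unvetted lookalike such as the "Advanced-Sanction-Screening-V2" entry in the scenario is rejected on the vendor check alone, while a tampered artifact from an otherwise approved vendor is caught by the pinned digest even if the attacker could obtain a vendor signature.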

Runtime Controls

  • Implement tool behavior monitoring. Monitor tool outputs and identify anomalies (unusual approval rates, unusual data access, unexpected error patterns).
  • Monitor tool source location. Tools should be invoked only from official registry locations. If a tool is invoked from an unexpected source, flag it for investigation.
  • Implement rate limiting on new tool adoption. If agents suddenly switch to a new tool, or a new tool appears in the registry, escalate for review before allowing agent adoption.
  • Use Component 3 (JIT Authorization Broker) to validate tool invocations. The broker can verify that the tool is on the approved list and authorized before allowing the invocation.

Detection & Response

  • Conduct regular security assessments of tools in registries. Verify tool code, check for known vulnerabilities, and assess vendor security practices.
  • Monitor for suspicious tool behavior. Track tool outputs and identify statistical anomalies (approval rates drifting from baseline, unusual data logging).
  • Implement incident response for compromised tools. If a tool is found to be malicious or compromised, immediately disable all agent access and investigate the affected transactions.
  • Maintain a supply chain security dashboard. Continuously monitor the health of tools and vendors in registries. Alert on new vendors, tool updates, or security issues.

Address This Risk in Your Institution

Supply Chain Compromise requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.