AI Tool and Plugin Supply Chain Risk Assessment
Assess and manage supply chain risk from third-party tools, plugins, and extensions used by AI agents, including AI-generated code committed to production repositories, applying software supply chain security controls at the AI extension layer.
Objective
Prevent compromised or malicious third-party tools and plugins from becoming a vector for agent manipulation or data exfiltration, and ensure AI-generated code commits are treated as untrusted supply chain inputs until validated.
Maturity Levels
Initial
Third-party AI tools and plugins are installed without security assessment. AI-generated code is committed to production repositories without differentiated review.
Developing
Some tools are vetted informally before installation, but there is no standard assessment process. AI-generated code may be flagged in commit messages but is not subject to differentiated controls.
Defined
A formal AI tool and plugin supply chain risk assessment is required before any new tool or plugin is authorized for agent use. The assessment covers provenance, maintainership, data access scope, update policy, and incident history. AI-generated code commits are subject to mandatory human review before merge.
Managed
An authorized tool and plugin inventory is maintained. Agents are restricted to tools on the authorized list. Unauthorized tool use triggers an alert. AI-generated code is tagged at commit time and routed through a differentiated review pipeline.
Optimizing
Continuous monitoring detects when authorized tools release material updates that require reassessment. Supply chain risk for AI tools is integrated into the enterprise vendor risk management program. AI-generated code review results are tracked and used to calibrate review requirements.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Authorized AI tool and plugin inventory with assessment records for each approved tool.
- Tool assessment template and completed assessments for all tools currently used by production agents.
- Policy and enforcement evidence for AI-generated code commit tagging and differentiated review.
- Monitoring records showing agent tool calls are restricted to the authorized inventory.
Implementation Notes
The supply chain surface for AI agents
AI agents typically call external tools in two ways: (1) API integrations where the tool is called at runtime, and (2) plugins or extensions installed into the agent framework or IDE that expand what the agent can do. Both represent supply chain risk. A compromised tool provider can inject malicious behavior into agent actions without any change to the agent's own code.
AI-generated code is a newer supply chain risk. When developers use AI coding assistants to generate code that is then committed to production repositories, the AI model's training data (which may include malicious examples), reasoning errors, or adversarial prompt injection in the development environment can introduce vulnerabilities. This code should be treated as untrusted supply chain input.
Tool and plugin assessment checklist
Provenance and maintainership
- Is the publisher known and verifiable? Is there a clear organizational owner?
- Is the plugin actively maintained? When was the last update?
- Is the source code auditable (open source) or opaque?
Data access and exfiltration risk
- What data does the tool receive? Can it see inputs that include regulated or sensitive data?
- Does the tool make outbound network calls? To where?
- Is data retained by the tool provider? Under what terms?
Update and versioning policy
- Does the tool auto-update? If so, can an update introduce new capabilities or data access without reassessment?
- Is there a mechanism to pin specific versions?
Incident history
- Has the tool been involved in a security incident?
- Does the provider publish a security advisory feed?
AI-generated code controls
- Commit tagging: Require developers to tag commits that contain AI-generated code. This can be enforced via a commit hook.
- Differentiated review: AI-generated code should require at least one human reviewer who has actively read and tested the code, rather than approving based on the developer's description.
- Dependency scrutiny: AI models frequently suggest importing libraries. Require that AI-suggested dependencies are assessed against the standard dependency vetting process before adoption.
- Secret scanning: Apply secret scanning tools to AI-generated code before commit; AI models occasionally reproduce credential patterns from training data.
Example Implementation
AI Tool Inventory and Assessment Register (excerpt)
| Tool | Version | Publisher | Data access | Outbound calls | Auto-update | Assessment date | Status |
|---|---|---|---|---|---|---|---|
| Tavily Search API | v2.1 | Tavily Inc | Query text only; no user PII | tavily.com (HTTPS) | No (pinned) | 2026-04-10 | Approved |
| GitHub MCP Server | v0.8.2 | Anthropic | Repo content, commit history | api.github.com | No (pinned) | 2026-04-10 | Approved |
| Internal CRM Connector | v1.4 | Internal | CRM records, PII | Internal network only | Internal CI | 2026-05-01 | Approved — PII handling reviewed by DPO |
| LangSmith Tracing | v0.1.57 | LangChain | Agent traces, potentially includes PII | api.smith.langchain.com | Yes | 2026-04-15 | Conditional — traces scrubbed before export; no PII in traces |
| SuperPlugin X | latest | Unknown publisher | Unspecified | Multiple external | Yes | 2026-03-20 | Rejected — publisher unverifiable; auto-update; broad data access |
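The Managed-level control (agents restricted to the authorized inventory, with unauthorized use raising an alert) can be checked mechanically against the register. The Python below is an added example, not code from the original page or from any vendor's tooling: the tool identifiers, the JSON-lines tool-call log format and the log records are constructed assumptions, and the register entries mirror the table above.

```python
import json
from dataclasses import dataclass
from typing import Optional
# Constructed authorized-tool register mirroring the inventory table above;
# versions are the assessed, pinned versions and "latest" is never a valid pin.
AUTHORIZED_TOOLS = {
    "tavily_search": {"version": "2.1", "status": "Approved"},
    "github_mcp": {"version": "0.8.2", "status": "Approved"},
    "langsmith_tracing": {"version": "0.1.57", "status": "Conditional"},
    "superplugin_x": {"version": "latest", "status": "Rejected"},
}

@dataclass
class Alert:
    agent: str
    tool: str
    reason: str

def check_tool_call(call: dict) -> Optional[str]:
    """Return an alert reason for one tool call, or None when it is authorized."""
    entry = AUTHORIZED_TOOLS.get(call["tool"])
    if entry is None:
        return "tool not in authorized inventory"
    if entry["status"] == "Rejected":
        return "tool was assessed and rejected"
    if entry["version"] == "latest":
        return "inventory entry is not version-pinned"
    if call.get("version") != entry["version"]:
        return f"version {call.get('version')} differs from assessed {entry['version']}"
    return None  # Approved or Conditional, at the pinned version

def audit_tool_calls(log_lines: list) -> list:
    """Run each JSON-lines tool-call record through the allowlist check."""
    alerts = []
    for line in log_lines:
        call = json.loads(line)
        reason = check_tool_call(call)
        if reason is not None:
            alerts.append(Alert(call["agent"], call["tool"], reason))
    return alerts
# Constructed agent tool-call log, one JSON record per line.
SAMPLE_LOG = [
    '{"agent": "support-bot", "tool": "github_mcp", "version": "0.8.2"}',
    '{"agent": "support-bot", "tool": "tavily_search", "version": "2.2"}',
    '{"agent": "research-bot", "tool": "superplugin_x", "version": "latest"}',
    '{"agent": "research-bot", "tool": "shell_exec", "version": "1.0"}',
    '{"agent": "support-bot", "tool": "langsmith_tracing", "version": "0.1.57"}',
]
```

Running `audit_tool_calls(SAMPLE_LOG)` yields three alerts (version drift, rejected tool, unknown tool); the conditional LangSmith call passes because it is at the assessed version.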
AI-generated code policy (excerpt):
Commits containing AI-generated code must include [ai-generated] in the commit message. The CI pipeline flags these commits for mandatory secondary reviewer assignment. The secondary reviewer must confirm they independently reviewed and tested the code (not just approved based on the PR description).
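A CI-side check for this policy, as an added example that is not part of the original page: it treats the [ai-generated] tag as the trigger and blocks merge unless a reviewer other than the author attests to having independently tested the code. The Commit and Review records, the placeholder shas and the attestation flag are constructed assumptions about how a review system would expose this data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Tag the policy requires in the commit message; matched case-insensitively.
AI_TAG = re.compile(r"\[ai-generated\]", re.IGNORECASE)

@dataclass
class Review:
    reviewer: str
    independently_tested: bool  # reviewer attests they read and ran the code

@dataclass
class Commit:
    sha: str
    author: str
    message: str
    reviews: List[Review] = field(default_factory=list)

def is_ai_generated(commit: Commit) -> bool:
    """True when the commit message carries the [ai-generated] tag."""
    return AI_TAG.search(commit.message) is not None

def merge_decision(commit: Commit) -> Tuple[bool, str]:
    """Differentiated review rule: an AI-generated commit needs a reviewer
    other than the author who attests to having independently tested it."""
    if not is_ai_generated(commit):
        return True, "standard review path"
    qualifying = [r for r in commit.reviews
                  if r.reviewer != commit.author and r.independently_tested]
    if not qualifying:
        return False, "ai-generated commit has no independent reviewer who tested it"
    return True, f"independent test attestation by {qualifying[0].reviewer}"

def evaluate(commits: List[Commit]) -> Dict[str, Tuple[bool, str]]:
    """Map each commit sha to its (mergeable, reason) decision."""
    return {c.sha: merge_decision(c) for c in commits}

# Constructed commits with placeholder shas and review records.
SAMPLE_COMMITS = [
    Commit("a1b2c3", "alice", "Fix null check in parser [ai-generated]",
           [Review("bob", True)]),                            # independent, tested
    Commit("d4e5f6", "alice", "[AI-Generated] add retry helper",
           [Review("alice", True), Review("carol", False)]),  # self / untested
    Commit("0a9b8c", "bob", "Update README"),                 # not AI-generated
]

if __name__ == "__main__":
    for sha, (ok, why) in evaluate(SAMPLE_COMMITS).items():
        print(f"{sha}: {'MERGE' if ok else 'BLOCK'} ({why})")
```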
