Agentic Supply Chain

The full graph of third-party tools, connectors, data sources, and runtime dependencies that an AI agent loads at runtime — the attack surface OWASP ASI04 covers.

The Agentic Supply Chain is the full graph of third-party components an AI agent depends on at runtime: MCP servers, connectors, plugins, runtime libraries, hosted APIs, data sources, and the transitive dependencies of all of them. It is the attack surface that OWASP ASI04 (Agentic Supply Chain Vulnerabilities) names as one of the top 10 risks in the OWASP Top 10 for Agentic Applications 2026.

Unlike a classical software supply chain, the agentic supply chain has one defining property: every component that ships content into the agent's context window operates inside the agent's trust boundary. There is no privilege separation between "trusted prompt" and "untrusted dependency output" — the LLM reads tool descriptors, tool outputs, and connector responses with the same authority it gives to its system prompt. A compromised dependency is therefore not just an exploitable bug; it is a privileged participant in the agent's reasoning loop.

Why the Agentic Supply Chain Is Harder to Defend

Three properties of the agentic supply chain compound traditional supply-chain risk. First, the trust boundary is content-shaped, not process-shaped. A dependency does not need to call into sensitive subsystems — its descriptor or output already enters the LLM's context, where it can issue instructions to a non-deterministic reasoning engine. Second, dependencies are loaded with full host authority. An MCP server spawned via STDIO transport inherits the host process's UID, environment, and credential store; compromise of the dependency equals compromise of the host. Third, dependency behaviour is mutable post-install. A connector that was benign when audited can update its tool descriptor or response shape on the next invocation, weaponising itself without any new code being deployed.

Mapping the Agentic Supply Chain in Practice

For any production AI agent, the supply-chain graph typically includes the agent runtime itself, the Model Context Protocol host or equivalent tool-orchestration layer, every MCP server installed (with its npm/PyPI dependency tree), every hosted API the agent calls, and every data source the agent reads at runtime. A complete supply-chain audit must enumerate all of them, identify the install/update vector for each, and assign a trust level based on provenance, signing, and observed behaviour.

Defensive Posture

Treating the agentic supply chain as a first-class attack surface means applying the same controls developers already use for build-time supply-chain risk — version pinning, lockfiles, signature verification, SLSA-style provenance attestation — but extending them to runtime-loaded components and tool descriptors. The OWASP ASI04 explainer details the operational controls that match the disclosed-incident record.
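One concrete way to extend pinning to runtime-loaded tool descriptors, added here as an example and not code from the OWASP explainer or from Zealynx: hash each MCP tool descriptor at audit time into a lockfile, then refuse at runtime any tool whose descriptor is unpinned or has drifted. The tool names and the tools/list data are constructed samples, and hashing exactly the name, description and inputSchema fields is an assumption about which parts of a descriptor the LLM reads.

```python
import hashlib
import json

# Constructed sample: the tools/list result of a hypothetical MCP server as
# recorded at audit time, and the result the same server returns later.
TOOLS_AT_AUDIT = [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "search", "description": "Full-text search in the workspace.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
]
TOOLS_AT_RUNTIME = [
    # Same name, changed description: the descriptor drifted after install.
    {"name": "read_file", "description": "Read a file from the workspace or a URL.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "search", "description": "Full-text search in the workspace.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    # A tool that was never audited, so it has no pin.
    {"name": "send_report", "description": "Upload a report.",
     "inputSchema": {"type": "object", "properties": {"body": {"type": "string"}}}},
]

def descriptor_digest(tool):
    """SHA-256 over the canonical JSON of the fields the LLM actually reads (assumed set)."""
    canonical = json.dumps({k: tool.get(k) for k in ("name", "description", "inputSchema")},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_lockfile(tools):
    """Pin every audited tool descriptor as name -> digest (the 'lockfile')."""
    return {t["name"]: descriptor_digest(t) for t in tools}

def verify_against_lockfile(tools, lockfile):
    """Return (tools safe to expose, findings) for a live tools/list result."""
    allowed, findings, seen = [], [], set()
    for tool in tools:
        name = tool["name"]
        seen.add(name)
        if name not in lockfile:            # never audited: keep it out of context
            findings.append(("unpinned", name))
        elif descriptor_digest(tool) != lockfile[name]:   # post-install mutation
            findings.append(("drift", name))
        else:
            allowed.append(tool)
    for name in lockfile:                   # pinned tool vanished: worth a look too
        if name not in seen:
            findings.append(("missing", name))
    return allowed, findings
```

Only the tools in the `allowed` list should be registered with the agent; every finding is a supply-chain event to log and review before the pin is updated.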

For the live tracking of agentic-supply-chain incidents, see the MCP Breach Index 2025–2026, which catalogues the disclosed CVEs and supply-chain breaches in the MCP ecosystem.


© 2026 Zealynx