Gartner® Research
5 Steps to Secure Your AI Supply Chain
Learn how security leaders can protect AI applications by securing third-party models, datasets, agentic workflows, and runtime dependencies across the AI supply chain.
Generative AI has introduced an entirely new software supply chain.
Organizations are increasingly relying on foundation models, public repositories, vector databases, AI agents, and Model Context Protocol (MCP) servers, all of which introduce new security risks that traditional software supply chain practices weren't designed to address.
In this Gartner® research, discover a practical framework for securing AI assets throughout their lifecycle, from development through autonomous execution, and reducing exposure to emerging AI supply chain threats.
In this Gartner® research, you'll learn how to:
- Strengthen AI supply chain security by extending existing software supply chain practices
- Improve visibility into AI models, datasets, and third-party dependencies
- Build and operationalize AI Bills of Materials (AIBOMs)
- Reduce risk from compromised models, poisoned datasets, and malicious runtime dependencies
- Establish governance across the full AI lifecycle, from development through production
Download the report to explore the Gartner evaluation of the software supply chain security market and learn why Sonatype was recognized as a Leader.
Key Insights
By 2029, 660% of enterprise AI breaches will result from compromised third-party dataset or model providers, rather than software vulnerabilities.
Key insights
According to a 2025 research by Hiddenlayer, 97% of respondents use models from public repositories, up 12% from the previous year. However, only 42% of organizations currently perform comprehensive cybersecurity risks assessments of the model behind custom built.
Download the Research Report
Source: Gartner, 5 Steps to Secure Your AI Supply Chain, Angela Zhao, Deepti Gopal, Esraa ElTahawy, Rahul Balakrishnan, 24 March 2026.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact.
Do business with a leader