DoW Anthropic Dispute Spotlights AI Supply Chain Risk

The decision by the U.S. Department of War to label Anthropic a supply chain risk has sparked a wider debate across the sector about how organizations should approach artificial intelligence deployment, what they can manage, and the best practices needed to minimize security risks.

When AI is deeply embedded in workflows, its absence is clear

As evidenced by the Trump Administration’s long back-and-forth with Anthropic and the management of expectations following the supply chain risk designation, Anthropic’s AI model Claude must have been deeply embedded in many tasks and processes across U.S. departments. 

Even now, members of the administration and their allies are calling for ways to compel AI developers to work with the government, clearly showing how valuable these models have become for high-level operations.

Why IT leaders and their channel partners need to think about AI infrastructure

For IT and security leaders, the episode highlights just how embedded AI systems are across enterprise infrastructure and why there needs to be a fundamental change in how risk is evaluated. 

Unlike traditional tools, AI systems require access to sensitive internal data, operational workflows, and third-party APIs, opening potential attack surfaces that could be exploited.

MSPs and other channel partners need to keep this in mind for their own operations as they increasingly leverage AI for automation and efficiency. They also need to be prepared for customers to ask questions related to risk evaluation, supply chain visibility, and general awareness of when and where AI is deployed in their organizations.

AI deployment plans remain a top supply chain and security risk

According to the security firm Cobalt, 68 percent of chief security officers view the deployment of generative AI and third-party software as a supply chain risk. 

A recent study by ConnectWise also found that AI software supply chain attacks were accelerating in both speed and scale, making it imperative for enterprises to ensure their systems are secure.  

“Supply chain risks are one of the commonly-exploited security vulnerabilities, so it makes sense that AI supply chains — more intricate and opaque than traditional software supply chains — face even greater risks,” said Anton Chuvakin, security advisor at Google Cloud.

Lack of transparency and clear ownership also pose risks to organizations

However, it is often unclear who is responsible for the security and management of these systems, as AI models are spread across multiple vendors and jurisdictions. 

Additionally, some organizations lack formal policies governing AI use, leaving employees to rely on public models without guardrails.

This can leave organizations with limited visibility into how AI systems are developed and maintained, and expose them to the risk that employees may not understand the potential consequences of certain use cases. 

The Royal United Services Institute has warned that this lack of transparency could dramatically increase the scope of a potential attack, given the number of systems that may be connected to a single AI model.

Treat AI as high-risk software 

Because of this, organizations are being advised to treat AI vendors as critical supply chain partners and apply the same due diligence they would use for a cloud provider or other essential software vendor. Risk assessments, contractual data protections, and access controls should all be considered well before any AI system is deployed.

Once deployed, organizations should also have tools in place to monitor and log AI interactions. This is becoming increasingly important as AI agents and agent-to-agent communication emerge in enterprise environments. 

If entire workflows can be managed by autonomous agents, organizations need clear step-by-step records of every interaction so they can identify exactly where a process failed and how to correct it.

Why the Department of War is just one example of things to come

The clash with the Pentagon may be unusual because of its political context, but it highlights a broader shift in how AI is used. 

What began as a tool used by individuals to improve productivity is increasingly becoming an all-encompassing service that touches almost every part of a business. 

Security leaders should therefore view AI tools as complex supply chains in their own right and give them the same level of scrutiny and oversight.