u/Ill-Database4116

Just had a realization that we have a full supply chain security program for normal software but almost ignore AI supply chain security.

I started thinking about what our ai agents are actually pulling at runtime. What third party skills they depend on, what model extensions they import, what those things import downstream. Could not answer a single one of those questions. We have agents running in prod that can take real actions in our systems and we have never even produced a list of their dependencies.

It hit me that we have better visibility into a random npm package than we do into the supply chain of an agent that can execute tool calls against our own infrastructure. Anyone else realizing their ai supply chain is a complete blind spot or did we just miss something obvious.

Did the math on our container maintenance last quarter and it wasnt pretty. Patching base images, updating Dockerfiles, chasing CVEs that didnt apply to us, gathering compliance evidence for audit. We were burning about 30% of every sprint on image upkeep.

Not security work. Not feature work. Just keeping images current.

We moved our base images to a platform that handles patching and compliance attestation upstream. Not naming names cause this isnt a pitch. The point is we got ~30% back and nobody on the team misses the Dockerfile commit spam.

Has anyone tracked time they are losing to image maintenance?

Ive been auditing AI agent deployments and one pattern keeps showing up. Almost every team thinks they have safety covered because they shipped the obvious stuff. Almost every one breaks the same way when you test it.

The playbook is always the same. A prompt prefix telling the agent to be helpful and harmless, which folds the moment someone says ignore previous instructions. Anther is a keyword blacklist that base64 or unicode homoglyphs walk right through. Rate limiting that counts requests but blinds itself to a slow drip over eight hours. A generic content filter checking for toxicity while the agent accesses internal endpoints it was never supposed to touch.

What ive seen to hold up across the deployments that survived is semantic intent analysis instead of matching strings. Am talking business specific policies that understand your context, knowing what the agent should and shouldnt do and runtime behavioral analysis watching what the agent does step by step.

The thing that scares me about agents isn't the model saying something dumb. It's the tool calls. Once an agent has get_transaction_history in its tool list, it'll happily fire it with whatever account number sounds plausible from the conversation context. Doesn't matter if the user shouldn't have access to that account. The model just sees a function signature and fills in the blanks.

There's nothing that can reason that there is no reason why this user shoud access this at this time, unless you build one yourself. the frameworks give you tool definitions and leave the access control to you. Tool call validation is the load-bearing part of agent security and barely anyone's talking about it. Appreciate any thoughts on how to handle this

Sharing this in case any other small platform team is on the fence. We were on python:3.12 and node:20 like everyone, scanner spitting out 200+ CVEs per image, 95% in code we never call. Spent more time writing exception tickets than fixing real issues.

Migrated to a hardened minimal base in November. CVE count dropped to single digits. Audit went from explain these 47 highs to everything looks fine.

Wish we'd done it a year earlier. The npm/pip side is still scary (the Axios thing was a wakeup call) but at least the base layer isn't guesswork anymore.