Identifying the Supply Chain of AI for Trustworthiness and Risk Management in Critical Applications

TL;DR

This paper surveys AI supply chain risks in critical applications, introduces a taxonomy for categorizing AI entities, and aims to improve systematic risk assessment and management for stakeholders.

Contribution

It provides a novel taxonomy for AI supply chain entities to facilitate risk assessment in critical applications.

Findings

Survey of current AI risk assessment practices

Introduction of a taxonomy for AI supply chain entities

Bridging AI governance and risk management gaps

Abstract

Risks associated with the use of AI, ranging from algorithmic bias to model hallucinations, have received much attention and extensive research across the AI community, from researchers to end-users. However, a gap exists in the systematic assessment of supply chain risks associated with the complex web of data sources, pre-trained models, agents, services, and other systems that contribute to the output of modern AI systems. This gap is particularly problematic when AI systems are used in critical applications, such as the food supply, healthcare, utilities, law, insurance, and transport. We survey the current state of AI risk assessment and management, with a focus on the supply chain of AI and risks relating to the behavior and outputs of the AI system. We then present a proposed taxonomy specifically for categorizing AI supply chain entities. This taxonomy helps stakeholders, especially those without extensive AI expertise, to "consider the right questions" and systematically inventory dependencies across their organization's AI systems. Our contribution bridges a gap between the current state of AI governance and the urgent need for actionable risk assessment and management of AI use in critical applications.