Agentic AI Security CMM — D8 Supply Chain & AI-BOM (Deep Dive)

Companion deep-dive to the CMM’s D8 domain, written under the recalibration method. The threat this domain answers is Supply Chain Compromise (T17) in OWASP Agentic AI Threats and Mitigations — tampered models, libraries, tools, or build environments entering the agent — whose mitigation playbook calls for signed agent cards, prompt templates, and model definitions backed by verifiable AI SBOMs, the same artifacts the levels below grade. The recalibration splits D8 along the model-consumer vs model-producer axis. Much of the current D8 (build-time ML-BOM generation for self-trained models, training-data provenance, weight protection, ML-VEX publishing) is producer-grade and over-scoped for the common enterprise, which is a model consumer. This is why the regulated-FI stress test landed D8 at L1: the domain measured producer controls the persona has no occasion to operate and gave no credit for the consumer controls it could switch on cheaply.

Single-source grounding

Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.

Threat coverage

D8 is the primary domain for ASI04 (Agentic Supply Chain Vulnerabilities), and it carries Class 1 (insider — AI-BOM provenance) and Class 4 (model-version — version provenance and pin-by-hash). AI-BOM with continuous reconciliation is the artifact-integrity half of the eval-harness control that absorbs Classes 1, 2, and 4. See the Threat Taxonomy Reconciliation matrix and the threat classes.

Control landscape (dated)

CapabilityWhat ships todayStatus (May 2026)Platform-native (MS / AWS / GCP)
AI-BOM / ML-BOM formatCycloneDX ML-BOM; SPDX 3.0 AI + Dataset profilesCycloneDX ML-BOM stable since v1.5; v1.7 current1; SPDX 3.0.1 current2no GA first-party hyperscaler ML-BOM generator; catalogs expose metadata only
Build provenance / SLSASLSA v1.0 (Build Track L1–L3 only — no L4)3; in-totoGA standardMS/GitHub: Artifact Attestations GA — SLSA Build L2 out of the box, L3 via reusable workflows4. AWS/GCP: CodeBuild / Cloud Build provenance
Artifact signingsigstore / cosignGA, production-grade5native verification on ACR / ECR / Artifact Registry
Dependency / SCA scanning + AI-dep remediationSnyk, Black Duck, WizGAMS/GitHub: GHAS + Dependabot GA; Dependabot alerts assignable to AI agents for auto-fix (Apr 2026)6. AWS Inspector; GCP Artifact Analysis
Slopsquatting defensehash-pinned lockfiles (npm ci-class); private-registry allowlistingGA techniqueall three CI systems enforce lockfiles; no major registry flags LLM-hallucinated names at publish time — an ecosystem gap7
Malicious-model scanningJFrog, ReversingLabs (Pickle / backdoor detection)GA (COTS)8not first-party-native; HF-side + COTS
MCP server / skill provenanceOfficial MCP Registry — namespace authpreview; no cryptographic name→binary signing in the spec9MS publish path; no single Azure service for MCP-specific protection
Runtime AI-BOM (reconciliation)Miggo DeepTracingnewly GA (≈2 months past launch)10vendor platform, not hyperscaler-native

Three corrections to the current D8 text. CycloneDX ML-BOM is stable since v1.5 and v1.7 is current, so state the capability (“a CycloneDX or SPDX-3.0 ML-BOM”), not a pinned version. SLSA Level 4 does not exist in SLSA v1.0 (the Build Track is L1–L3); the current L5+ “SLSA Level 4” criterion references deprecated numbering and belongs at research-stage, not merely “challenging.” Third, GitHub Artifact Attestations (GA; SLSA L2 free, L3 via reusable workflows) is the platform-native build-integrity path the current D8 omits.

The Microsoft ZT4AI Devices / supply-chain pillar (verify explicitly) supplies the Microsoft-native controls behind these rungs — Defender for Cloud AI model scanning in CI/CD and AI-SPM AI-BOM discovery — crosswalked to D8 in the 2026-Q2 ZT4AI review, which keeps MCP tool-integrity a documented gap.

The federal anchor for this domain, NIST SP 800-218A, requires provenance tracking and points at generic SBOM/SLSA but prescribes no AI-specific bill-of-materials format or field set — the 2026-Q2 standards review (claim 3) records this AI-BOM-artifact absence, which the CycloneDX ML-BOM / SPDX-3.0 formats above fill.

D8 is the strongest single area of the SAIF / CoSAI pair per CoSAI standards review: CoSAI WS1 (Software Supply Chain Security for AI Systems) ships Establish Risks and Controls for the AI Supply Chain (2025-06-25) and Signing ML Artifacts (2025-09-29, SLSA-based, building “tamper-proof ML metadata records”), and SAIF supplies Model and Data Inventory Management, Model and Data Integrity Management, and Secure-by-Default ML Tooling. That review also confirmed neither instrument mandates a named AI-BOM artifact with required fields — Signing ML Artifacts builds provenance metadata, not a BOM schema — so the AI-BOM grading below remains this domain’s net-new contribution.

Capability-decoupled levels

Stated as capabilities per rule 1; a control counts when it operates in production per rule 2. Producer-only items are tagged [P] — a model consumer skips them and records the reduced scope as an intentional trade-off.

  • L1 — Initial. No model, skill, or dependency provenance; no AI-BOM.
  • L2 — Developing. Model and library versions tracked; vendor model cards collected; an AI-component inventory exists (models, skills, MCP servers, framework deps, third-party AI APIs) with source / version / hash / maintainer / date.
  • L3 — Defined. An AI-BOM is generated at build/deploy in a standard format; dependency/SCA scanning runs in CI with lockfile enforcement (the slopsquatting control); acquired models are scanned for malicious serialization or a Safetensors-only load policy is enforced; skills and MCP servers pass registry-provenance plus a pre-install scan; the org’s own agent artifacts are signed.
  • L4 — Managed. Every acquired and produced artifact is signature-verified at load/deploy; build provenance reaches SLSA Build L2–L3 for the org’s agent artifacts; a runtime AI-BOM reconciles against the build/deploy AI-BOM (drift detection); cognitive-file integrity baselines cover identity / system-prompt files; AI-dependency disclosures are consumed and acted on within an SLA. [P] training-data provenance tracked; [P] ML-VEX published for own components.
  • L5 — Optimizing. A closed loop runs in production — provenance, AI-BOM, and posture reconcile, and every finding produces a controls update within a published SLA; runtime↔build AI-BOM reconciliation under a near-zero-drift policy; SLSA Build L3 for agent artifacts; deploy gating blocks unsigned/unverified artifacts. [P] ML-VEX feed published; [P] model weights protected (NIST SP 800-218A PS.1.3.R4). The acquired-artifact verification this domain grades is anchored federally by 218A PW.4.4.R1/R2 (verify integrity and provenance of acquired models and components before use) and PS.3.2 (track model provenance via SBOM/SLSA), confirmed by the 2026-Q2 standards review.
  • L5+ — Leading Edge. Cross-vendor AI-BOM federation (aspirational); [P] SLSA L4-class hermetic/reproducible builds — not specified for stochastic model artifacts in SLSA v1.0, so research-stage; cryptographic name→binary signing for MCP servers (does not exist today); named contribution to a CycloneDX / SPDX / OWASP-AIBOM / MCP-registry-signing working group.

The structural move: producer-grade items leave the consumer’s mandatory ladder, so a consumer reaches L4/L5 on verification-and-reconciliation of acquired artifacts alone. This mirrors D2 (per-task tokens to L5+) and D6 (attestation to L5, the common-case control to L3).

Right-sizing by deployment shape

Deployment shapeRealistic D8 targetWhy
Member-facing RAG bot / model consumer (the persona)L2 → L3Inventory + AI-BOM at deploy, dependency scanning with lockfiles, signature-verify and backdoor-scan acquired models. No producer-grade generation, provenance, or ML-VEX. Closed first-party model supply = low artifact-swap surface
Coding copilot — heaviest D8L4This shape is the slopsquatting / AI-generated-dependency frontier; lockfile enforcement, pre-install SCA on AI-suggested deps, MCP/IDE-extension provenance, and AI-assisted dependency remediation are first-order. Its dependency channel is irreducibly external, so the trifecta lever does not apply
MCP / skill provider serving othersL4 → selective L5Signing published artifacts is critical; namespace provenance now, cryptographic signing when it ships; federated disclosure
Model producer (self-trains / fine-tunes)L4 → L5 incl. [P]Full AI-BOM generation, training-data provenance, weight protection, ML-VEX, SLSA L3 — the original D8 spine, correct here and over-scoped everywhere else

A consumer pulling only first-party hosted models over a closed corpus has a narrow artifact-acquisition surface. Removing third-party model/skill/MCP acquisition removes most of the D8 attack surface architecturally, which makes a sound L3 defensible.

Cost model

LevelLicensingOperational laborRun-rate
L2~0~0.25 FTE: stand up the AI-component inventory
L3~0 for E5 + GitHub Enterprise (GHAS, Dependabot, lockfile CI, Artifact Attestations entitled); COTS malicious-model scanning is the one likely add-onCI lockfile/SCA rollout, AI-BOM generation wired into pipelines, scan triageSCA/scan consumption; AI-BOM storage (negligible)
L4~0 native (Artifact Attestations → SLSA L2/L3 free); runtime AI-BOM (Miggo-class) is the one net-new COTS linesignature-verify-at-load enforcement; runtime↔build reconciliation tuning; cognitive-file baseliningruntime-AI-BOM telemetry into the SIEM (agent-count-scaled)
L5mostly ~0 incremental on the GitHub path; federation / ML-VEX [P] off-stackclosed-loop SLA process, drift-policy upkeepcontinuous reconciliation + SIEM ingest

For an E5 + GitHub-Enterprise incumbent, licensing is near-zero through L3 and largely through L4; the spend is CI/pipeline engineering labor plus the single L4 runtime-AI-BOM COTS line. The expensive producer-grade [P] work is exactly what the consumer does not incur, which is why D8 scored L1 but is cheap to lift to L3.

Customer critiques folded in

  • “A model consumer should not be held to producer-grade AI-BOM.” Accepted and structural: producer items are tagged [P] and removed from the consumer’s mandatory ladder.
  • “Why did the persona score L1?” Because the current D8 measured producer controls and gave no credit for the consumer-appropriate controls the persona could switch on cheaply. The recalibration removes the producer ceiling and credits the consumer floor, so the persona moves L1 to L3 mostly via tooling already owned.
  • “L5 tracks just-GA’d products.” Runtime AI-BOM (Miggo, launched Mar 2026) stays a capability; its only current implementation being recent keeps the product dependency out of the mandatory rung.
  • “Cost was invisible.” Licensing is near-zero through L4 for the incumbent; the spend is CI/pipeline labor plus the single runtime-AI-BOM line.

Open questions

  • Runtime AI-BOM (Miggo) is press-release-fresh with no independent deployment evidence. That evidence is the variable that moves runtime reconciliation from L4-aspirational to L4-standard.
  • The MCP Registry gives namespace provenance only; no name→binary signing exists, so the MCP-provider L5+ rung references a capability that does not yet ship.
  • No GA hyperscaler-native ML-BOM generator exists; consumers rely on OSS or COTS.
  • SLSA v1.0 has no L4 and no model-specific track; reproducible builds for stochastic weights are unsolved.
  • No major registry flags LLM-hallucinated package names at publish time — an ecosystem gap; the buyer-side control is lockfile plus allowlist.
  • No FFIEC/GLBA/NCUA mapping yet for third-party-model risk; deferred to the crosswalk, where D8 is likely material (vendor/third-party risk is squarely an examiner topic).

Cross-domain dependency note

D8 is cross-cutting with no active cap. The relevant candidate is DR-C001 (D8 caps D6) in the dependency rules, a candidate rather than an active rule: a poisoned skill, MCP server, or model can corrupt the retrieval corpus, so a weak D8 will eventually cap D6. It is gated on a second documented cross-domain incident and not yet binding; the D8 deep-dive should not assume independence from D6.

Notes

Footnotes

  1. CycloneDX — v1.7 released, 2025. ML-BOM stable since v1.5; v1.6 the Ecma-standardization milestone; v1.7 current.

  2. SPDX 3.0.1 — AI profile, 2024–2026. AI + Dataset profiles.

  3. SLSA v1.0 — Security levels, 2023. Build Track L1–L3; no L4 in v1.0.

  4. GitHub — Using artifact attestations and reusable workflows to achieve SLSA v1 Build L3, 2024–2026. Artifact Attestations GA; SLSA L2 default, L3 via reusable workflows.

  5. Sigstore — Cosign 1.0 GA, 2021–2026. Production-grade signing; Rekor v2 GA 2025.

  6. GitHub changelog — Dependabot alerts assignable to AI agents for remediation, 2026.

  7. Spracklen et al. — package hallucination (“slopsquatting”) research, 2025. ~20% hallucinated-package rate; 43% recurring.

  8. JFrog — Detect malicious AI models, 2026. Pickle / backdoor detection.

  9. Model Context Protocol — official registry, 2026. Namespace-level provenance; no cryptographic name→binary signing.

  10. Miggo Security — runtime AI-BOM, agentic detection, MCP monitoring, 2026. DeepTracing launch (Mar 2026).