What Supply Chain Risk Means for AI

When a tool you trust incorporates an AI component you don't know about, it may be sharing your data with an AI provider whose terms you've never reviewed. This is supply chain risk applied to AI.

Here's a concrete example: you use a project management tool. You've reviewed its privacy policy. You're comfortable with how it handles your data. Recently, the tool added an AI feature that generates summaries of project status. This feature is enabled by default. Your task descriptions, notes, comments — everything you've written in the tool — is now being sent to a cloud AI provider (let's say OpenAI, or Claude, or another large language model provider). The project management tool's privacy policy might mention this in a dense paragraph buried in an update you received but didn't read carefully. The AI provider's terms apply to your data now, but you never made an explicit choice to share with them.

This applies to writing assistants in word processors. Your documents are being sent to an AI provider. It applies to summaries in email clients. It applies to AI features in browser extensions. Each represents data you control that's flowing to a vendor you may not have evaluated.