Boards that treat artificial intelligence mainly as a route to quicker processes and sharper margins may be missing the more material issue: AI is becoming another layer of supply chain exposure. Steve Durbin, chief executive of the Information Security Forum, argues that the real challenge is not simply how AI is used inside the business, but how deeply it is woven into critical systems, external suppliers, data flows and third-party services.
That risk is often less visible t...
Durbin’s warning echoes a broader governance problem now emerging across corporate boards. Axios recently reported that many Fortune 100 boards still lack even basic AI oversight structures, such as directors with relevant expertise, dedicated advisory committees or ethics panels. At the same time, specialist governance firms are promoting board-level assessment tools designed to measure how well organisations understand AI risk, an indication that oversight is becoming a market in its own right.
The parallel with supply chain security is clear. Businesses already understand that supplier relationships can create fragility, and that a vulnerability in one partner’s environment can be inherited by the customer. AI ecosystems now carry a similar profile. A single workflow may depend on cloud infrastructure, model providers, application interfaces, subcontractors and layered software suppliers. If one component changes unexpectedly, fails or is compromised, the effects can spread quickly through the wider system.
That creates practical governance blind spots. A legal review may focus on contract language but overlook model updates. Security teams may monitor infrastructure while missing prompts and outputs. Risk functions may assess internal use of AI without fully examining how suppliers are applying it on the company’s behalf. According to Durbin, these fragmented checks can leave boards unable to answer basic questions about data use, accountability or business continuity.
The concern is no longer theoretical. Organisations increasingly need to explain who controls the data that AI touches, how decisions influenced by AI are made, and what happens if a provider alters a model without notice, restricts access, or changes its terms. As AI becomes embedded in decision-making and third-party operations, companies that cannot produce those answers may find themselves exposed to regulatory, operational and reputational pressure.
Durbin says the response should be to govern AI using the same discipline applied to critical suppliers and regulated processes. That means mapping the full dependency chain, including indirect use through vendors and partners; assigning clear ownership for each use case; and applying a stronger control framework where the business impact is higher. It also means tightening information controls before deployment, so staff know exactly which data can be shared with external AI systems and under what conditions.
Resilience is another missing element. Too often, AI projects are judged on efficiency alone, when organisations should also be asking what happens if a provider changes its model, falls out of compliance or becomes unavailable. Alternative suppliers, manual workarounds and exit plans may be essential if AI is to remain dependable in operational settings.
The broader message is that AI governance cannot sit apart from supply chain governance. For boards, the danger is not only that AI will be adopted too slowly, but that it will be absorbed too casually, with dependencies building faster than oversight. In Durbin’s view, the safer course is to bring AI inside the same control environment used for other critical business links, before invisible reliance turns into a systemic weakness.
Source: Noah Wire Services



