AI supply chain risk arises when external models or datasets are tampered with, have undisclosed characteristics, or cannot be traced to trusted origins. End-to-end provenance and audit trails address these risks by enabling verification of integrity and origin at every stage of the supply chain.
Why A is Correct: According to ISACA AAIR supply chain risk management guidance, verifiable provenance and audit trails are the most important supply chain protection mechanism. Provenance documentation traces the origin, handling, and transformation history of every externally sourced AI artifact—enabling the organization to verify that models and datasets have not been tampered with, that data sources are legitimate, and that the supply chain has not been compromised. Without provenance, organizations cannot distinguish trustworthy from compromised artifacts.
Why B is Wrong: Indemnity clauses assign financial liability after harm occurs. They provide legal recourse but do not prevent supply chain attacks or help the organization verify artifact integrity before deployment.
Why C is Wrong: Training method documentation provides useful technical context but does not verify that the artifacts actually delivered match what was documented. Documentation can be falsified or simply drift out of date; a cryptographic digest or signature bound to the delivered artifact can be recomputed and checked by the receiving organization, so a mismatch between the documented and the delivered artifact is detected rather than taken on trust. Note the limit of the check: it proves the artifact is the one the vendor attested to, not that the vendor's own process was honest, which is why provenance must also record origin and handling, not just a hash.
Why D is Wrong: A vendor risk manager provides governance oversight and relationship management. While important for managing vendor relationships, a single contact point does not substitute for technical provenance verification of every artifact in the supply chain.
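The integrity check that options A and C turn on, as an added example (not from the ISACA material): a consumer verifies externally sourced AI artifacts (a model file and a training dataset) against a provenance manifest before accepting them. Everything here is constructed for illustration: the artifact bytes, the manifest layout, and the key. The manifest is authenticated with HMAC-SHA256 under a key assumed to be exchanged out of band, standing in for a vendor signature (a real pipeline would use an asymmetric signature such as Ed25519 or a Sigstore/cosign attestation so the vendor's private key never leaves the vendor). The example shows three outcomes a reviewer cares about: a clean delivery, a dataset altered after signing, and an attacker who rewrites the manifest to match the altered dataset but cannot re-authenticate it.

```python
"""Added example: verify delivered AI artifacts against a signed provenance manifest.

Constructed for illustration; not taken from any real vendor or standard.
The manifest MAC is a stand-in for an asymmetric vendor signature.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Content digest recorded in the manifest and recomputed by the consumer."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Vendor side: list each artifact's digest and authenticate the list.

    Canonical JSON (sorted keys) so vendor and consumer MAC identical bytes.
    """
    body = json.dumps(entries, sort_keys=True).encode()
    return {"artifacts": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Consumer side: is the manifest itself authentic? (constant-time compare)"""
    body = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_artifacts(manifest: dict, delivered: dict, key: bytes) -> dict:
    """Return a verdict per artifact name.

    ok                 digest matches the authenticated manifest
    tampered           delivered bytes differ from the attested digest
    missing            listed in the manifest but not delivered
    unlisted           delivered but not covered by the manifest (do not deploy)
    untrusted-manifest manifest failed authentication; nothing can be trusted
    """
    names = set(manifest["artifacts"]) | set(delivered)
    if not verify_manifest(manifest, key):
        return {name: "untrusted-manifest" for name in names}
    verdicts = {}
    for name, digest in manifest["artifacts"].items():
        if name not in delivered:
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_hex(delivered[name]), digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"
    for name in delivered:
        if name not in manifest["artifacts"]:
            verdicts[name] = "unlisted"
    return verdicts


# Constructed sample key and artifacts (the key is assumed to be shared out of band).
VENDOR_KEY = b"constructed-example-key-not-for-real-use"
GOOD_ARTIFACTS = {
    "classifier.onnx": b"\x08\x01\x12\x04onnx constructed model bytes",
    "train.csv": b"id,label\n1,spam\n2,ham\n",
}
MANIFEST = sign_manifest({n: sha256_hex(d) for n, d in GOOD_ARTIFACTS.items()}, VENDOR_KEY)


def demo():
    """Three deliveries: clean, dataset altered in transit, manifest forged to match."""
    clean = verify_artifacts(MANIFEST, GOOD_ARTIFACTS, VENDOR_KEY)

    # Attacker flips one label in the training data after the vendor signed it.
    altered = {**GOOD_ARTIFACTS, "train.csv": b"id,label\n1,ham\n2,ham\n"}
    poisoned = verify_artifacts(MANIFEST, altered, VENDOR_KEY)

    # Attacker also rewrites the manifest digest to match the altered file,
    # but cannot recompute the MAC without the vendor key.
    forged = {
        "artifacts": {**MANIFEST["artifacts"], "train.csv": sha256_hex(altered["train.csv"])},
        "mac": MANIFEST["mac"],
    }
    forged_result = verify_artifacts(forged, altered, VENDOR_KEY)
    return clean, poisoned, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "poisoned", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

The design point is that the consumer never trusts the manifest's digests until the manifest's own authentication passes, which is what defeats the third scenario; with only a hash list and no signature, an attacker who can alter the dataset can usually alter the hash list too. The "unlisted" verdict matters in practice as well: an extra file the vendor never attested to (a tokenizer, a preprocessing script) is exactly where an unreviewed component enters the pipeline.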