3rd Party Risk Management,
Artificial Intelligence & Machine Learning,
Governance & Risk Management
Rising Trend of Third-Party Breaches Affects AI Suppliers
The recent breach affecting Korean Air, which compromised sensitive data belonging to thousands of employees, was initially dismissed as a commonplace data breach. However, investigations revealed that the incident stemmed from a supply chain attack on a catering vendor responsible for inflight services. This vendor utilized Oracle E-Business Suite, which contained a critical vulnerability known as CVE-2025-61882, identified in October 2025. Attackers had exploited this flaw to access and exfiltrate data.
This breach did not arise from failures within Korean Air’s internal IT systems but rather from a trusted upstream supplier, highlighting the critical vulnerabilities posed by third-party dependencies in large organizations, particularly those reliant on technologies such as AI.
Transitioning from Software to Intelligence Dependencies
Traditionally, companies managed their technology supply chains by mapping vendor dependencies and enforcing contractual controls. Historically, when breaches occurred, the effects were confined to relatively fixed vendor relationships. However, the emergence of AI introduces a dynamic environment characterized by external foundational models, numerous APIs, and continuous data exchanges. This framework complicates the security landscape, as these dependencies influence how decisions are made and operationalized.
The breach at Korean Air serves as an example of the cascading risks that arise when reliance on operational integrations overshadows risk visibility. When the feeding system experienced failure, the repercussions spanned downstream, reflecting how vulnerabilities introduced by AI can rapidly escalate across an organization.
Challenges in Containing AI Supply Chain Risks
AI supply chains present unique challenges distinctly different from traditional software pipelines. They operate continuously, making it difficult to track data flows and assess potential vulnerabilities. More concerning is the common practice of embedding AI features within SaaS platforms with minimal architectural oversight, leading to a lack of visibility that many organizations face regarding the origins and applications of AI models they employ.
The current state of AI model governance can be likened to the “Wild West,” due to the absence of established frameworks for tracking dependencies and lineage. Without a comprehensive understanding of how models interact and evolve, organizations leave themselves vulnerable to speculation regarding their operational integrity.
Gartner’s Insights on AI Strategy Deficits
According to Gartner, only 23% of organizations have developed a formal AI strategy. This absence signifies an early stage of maturity in AI governance, as AI adoption continues to outpace the establishment of necessary oversight mechanisms. Many enterprises embark on AI initiatives incrementally and invisibly, opting for tailored pilot projects and seamless integrations into existing systems without a comprehensive architectural framework to treat AI as an accountability supply chain.
The pervasive nature of AI leads to a fragmented responsibility for associated risks, diffusing accountability across IT, security, data teams, and business stakeholders. The lessons from the Korean Air incident underscore the potential systemic impacts of failing to govern AI supply chains effectively—an oversight that can yield significant operational vulnerabilities.
The Imperative for Resilience
The vulnerabilities intrinsic to data pipelines pose the most substantial risk within an AI supply chain. AI systems rely on diverse data sources for training and learning, yet many organizations still treat this data as a static asset. These data pipelines, which connect various internal and external systems, introduce risks related to security, privacy, and trust, ultimately affecting decision outcomes and undermining confidence in automated processes.
Given that AI intersects with infrastructure, data management, and applications, CIOs must ascertain the state of their organization’s supply chain resilience. The Korean Air incident serves as a critical reminder that risk can emerge from unexpected sources, thereby challenging existing perceptions of where vulnerabilities lie. As AI’s role in business expands, so too does the necessity for robust governance structures to ensure both preparedness and accountability.
