Slide 4 of 29
Part 1 · What Is It? · Slide 4
Slide 4 · Your Supply Chain
“I don't train models. I just call an API. This isn't my problem.”
It is. Here's the part almost everyone gets wrong.
The Trap

Teams assume supply chain risk only applies to people who build models. So if you just call OpenAI or Anthropic through a library, you feel safe. But look at what sits between your code and that API.

❌ What you think your stack is
Your code → the model API. Two parties. Clean.
✅ What it actually is
Your code → an SDK → a proxy/gateway library → its dependencies → a hosted model → that host's infrastructure. Many parties, mostly strangers.
Concrete Example

Lots of teams route every LLM call through an open-source proxy or gateway (to manage keys, costs, and fallbacks). That proxy is a third-party package you install and trust completely — it sees every prompt and every key. If it is compromised, your “I just call an API” architecture leaks everything. The gateway is your supply chain.
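
The "many parties, mostly strangers" point and the gateway example both come down to one question: how many packages actually sit between your code and the model API? The script below is an added example, not part of the original slide deck. It walks installed package metadata (the `Requires-Dist` entries that `importlib.metadata` exposes) to enumerate the full transitive dependency chain behind a gateway or SDK package, which is exactly the set of third parties that can see your prompts and keys. The package name `llm-gateway` and the constructed `SAMPLE_METADATA` table are hypothetical; point `dependency_chain` at a real installed package with the default resolver to map your own environment.

```python
"""Map the transitive dependency chain behind an AI SDK or LLM gateway.

Added example (not from the original slides). Walks PEP 566 Requires-Dist
metadata to list every package that sits between your code and the model
API. Package names in SAMPLE_METADATA are constructed for illustration.
"""
import re
from importlib import metadata

# Matches the project name at the start of a Requires-Dist string, e.g.
# "httpx>=0.23", "pydantic[email]~=2.0", "anyio (>=3.5)".
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Typing_Extensions' and 'typing-extensions'
    collapse to a single node in the graph."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(req: str):
    """Return the normalised dependency name, or None for optional extras."""
    # Requirements guarded by an "extra" marker are only installed when the
    # user asks for that extra, so they are not part of the default chain.
    if ";" in req and "extra" in req.split(";", 1)[1]:
        return None
    m = _NAME_RE.match(req)
    return canonical(m.group(1)) if m else None


def installed_requires(name: str):
    """Adapter over the live environment: Requires-Dist of an installed dist."""
    try:
        return metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return []


def dependency_chain(root: str, requires=installed_requires):
    """Breadth-first closure: every package reachable from `root`, with its
    depth (0 = the root itself).

    `requires` is a callable returning Requires-Dist strings for a package,
    so the walk runs against constructed metadata (tests, offline) or the
    live environment (default) without changing the algorithm.
    """
    root = canonical(root)
    depth = {root: 0}
    queue = [root]
    while queue:
        pkg = queue.pop(0)
        for req in requires(pkg):
            dep = parse_requirement(req)
            if dep and dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth


def parties_between(root: str, requires=installed_requires) -> int:
    """Number of third-party packages (root excluded) that your AI app
    trusts simply because the root imports them."""
    return len(dependency_chain(root, requires)) - 1


# Constructed metadata for a hypothetical gateway package, shaped like real
# Requires-Dist entries. Names are illustrative, not a real dependency tree.
SAMPLE_METADATA = {
    "llm-gateway": ["openai>=1.0", "httpx>=0.25", "pyyaml", "redis; extra == 'cache'"],
    "openai": ["httpx>=0.23", "pydantic>=2", "typing_extensions"],
    "httpx": ["httpcore", "certifi", "anyio (>=3.5)"],
    "httpcore": ["h11", "certifi"],
    "anyio": ["sniffio", "idna"],
    "pydantic": ["pydantic-core", "typing-extensions"],
}


def sample_requires(name: str):
    """Resolver over the constructed metadata above."""
    return SAMPLE_METADATA.get(name, [])


if __name__ == "__main__":
    chain = dependency_chain("llm-gateway", sample_requires)
    for pkg, d in sorted(chain.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{'  ' * d}{pkg}")
    n = parties_between("llm-gateway", sample_requires)
    print(f"{n} third parties between your code and the model API")
```

Run it against your own environment with `dependency_chain("<your gateway package>")`; the default resolver reads the installed metadata. Every name it prints is a package whose compromise puts it on the "sees every prompt and every key" path, which is the inventory you need before you can pin, verify, or monitor any of it.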

One Line to Remember

If you didn't write it and your AI app depends on it, it's in your supply chain — API-only or not.
