Supply chain
This issue brief is part of the GeoTech Center’s “Atlantic Council Commission on Artificial Intelligence: US leadership in the age of AI” report, which offers an action-oriented roadmap for strengthening US domestic AI capacity, aligning with allies, and sustaining global leadership.
The coordination of chips, data, infrastructure, code, and human ingenuity produces AI systems. The AI supply chain consists of the physical and virtual resources required to develop and deploy AI models, including raw materials, specialized technology, and manufacturing capacity. Defining the scope of the AI supply chain is a pressing challenge for policymakers, as overly broad definitions risk diluting prioritization efforts and overly limited definitions fail to anticipate relevant risks. Certain critical components—such as advanced semiconductors, networking infrastructure, software and computing resources, data, and models—form the core of the AI supply chain, but each component retains external dependencies. This complex chain faces growing threats of disruption, coercion, and strategic dependency, which threaten the security, reliability, and availability of AI systems.
As AI and machine learning have transitioned from niche academic topics to strategic national interests, the AI supply chain has become both a focus of policy debates and a multifaceted geopolitical competition. Export control debates have fixated on the semiconductors used to develop and deploy AI models, while other deliberations focus on the copyright implications of training data and the security and sustainability of data center buildouts. Meanwhile, the Trump administration’s AI Action Plan calls for the expansion of US AI infrastructure and semiconductor manufacturing capability, as well as an acceleration of AI innovation through measures such as removal of regulations and development of datasets. Governance frameworks such as the European Union (EU) AI Act impose controls on AI applications, while voluntary commitments from AI labs have led to pre-release model evaluations by governments and nonprofits. The recent US National Cyber Strategy also identified securing the AI stack as a priority, recognizing the importance to US leadership of data, infrastructure, and models. Initiatives from the US Department of State such as Pax Silica, which frame allied coordination on semiconductor and critical mineral supply chains as crucial components of AI competitiveness, reflect the growing reality that securing the AI supply chain is inseparable from broader industrial and geopolitical strategy.
As the global consensus converges on the status of AI as a technology of critical national importance, strengthening and securing the nation’s AI supply chain in the face of nation-state and non-state threats will continue to be a pressing challenge. Disruptions affecting key US cybersecurity institutions compound these challenges. The dissolution of the Cyber Safety Review Board (CSRB), as well as the backlog and funding challenges affecting the US Cyber and Infrastructure Security Agency (CISA) and NIST’s National Vulnerability Database (NVD), have all reduced the US government’s capacity to address emerging and existing risks to the AI supply chain, even as the cyber capabilities of frontier AI models grow. Policymakers and companies will need to establish and verify the trustworthiness of the entire supply chain, rather than individual components. Concerns regarding espionage, sabotage, and the exfiltration or proliferation of advanced capabilities will continue to captivate policy and industry audiences. But without meaningful consensus on evaluation criteria for trusted AI infrastructure and supply chains, policy initiatives will languish in the implementation phase.
Flashpoints
Supply chain and manufacturing sovereignty
In response to the strategic vulnerability of US reliance on overseas manufacturing, successive US administrations and Congress have encouraged the establishment and expansion of domestic manufacturing facilities for advanced semiconductors. Concentration in the chip industry has resulted in a handful of companies, particularly Taiwan Semiconductor Manufacturing Company, holding outsize importance to the manufacturing of chips essential to the AI supply chain. Governments must ensure visibility into the potential strategic risks of concentration, dependence, and delegated control across the AI supply chain. International debates about digital sovereignty will overlap with AI-specific concerns about compute access, leading to proposed geographic restrictions on access to AI infrastructure and manufacturing capabilities. The escalating costs of AI development will drive competition and create strategic dependencies, forcing countries and enterprises to make difficult choices between leveraging the advantages and redundancies of global capabilities or maintaining domestic control and visibility.
Software and compute insecurity
Managing the software used to develop, test, and deploy AI models will be a critical challenge. Third-party packages and infrastructure, including open-source software, are an essential feature of most enterprise AI use cases, and establishing best practices for security and reliability will be a prerequisite for robust use. AI models increasingly possess advanced cybersecurity capabilities, including for vulnerability detection and exploitation, which will test the ability of organizations to respond at speed and scale to secure their software. Computing providers will need to manage ever-evolving hardware, including specialized chips, memory, and networking infrastructure. Providers must balance availability, resilience, and security considerations, particularly as they configure their global infrastructure footprint. Governments will need to weigh the benefits of incentivizing robust security practices with the risks of imposing prohibitive costs on enterprises.
Model openness
After the release of the Chinese DeepSeek-R1 model, debates burst into the public sphere about the practice of “open-sourcing” AI models, that is, making their weights public to allow convenient, self-hosted, and largely unrestricted use. US companies, including frontier labs, continue to strategically release open-source models in addition to their flagship proprietary models, and the Trump administration’s AI Action Plan included a provision emphasizing the strategic importance of US leadership in open models to become global standards. Organizations will continue to seek information on the sources, training data, and safeguards used in both open- and closed-source model development. The tension between demonstrating capabilities and limiting adversary misuse of models will continue, and companies and policymakers should continue to assess whether open-source models create meaningfully distinct risks and should be assessed differently than closed-source models.
Data access
The sheer amount of content used to train flagship AI models has resulted in both a litany of court cases over the limitations of copyright and alarms about a plateau in model quality without continued increases in access to quality training data. Governments, consumers, and enterprises have expressed concerns about advantages in data access that specific countries, including China, could derive from their centralized prioritizations of data gathering and permissive regulatory environments for data use. As AI adoption continues, these same stakeholders will continue to seek clarity about the data captured, accessed, and transformed by AI tools as well as verify the fidelity of data from both adversarial influence and injection. Ensuring data access while managing data protection needs will require both amplifying existing protections, such as encryption, and developing new techniques to prevent novel threats, such as model distillation and training data leakage. One size will not fit all, and policymakers should continue to evaluate which sensitive data components deserve enhanced scrutiny and protection, and which data elements should be fully utilized in model training and tuning.
Export controls have slowed, but not handicapped, China’s AI ambitions
As a dominant player in global AI markets, the United States has used export controls on advanced AI chips, semiconductor manufacturing tools, and related personnel support to shape international AI access. The effectiveness of these controls in limiting China’s AI capabilities depends on enforcement, the pace of Chinese domestic alternatives, and the willingness of allied jurisdictions to align on parallel restrictions. These measures have been reinforced by congressional proposals, such as the SAFE Chips Act and the Comprehensive Outbound Investment Security Act, to tighten controls on semiconductor exports and outbound investment to China. In early 2026, the US government approved licensed exports of Nvidia H200 AI chips to China under conditions intended to balance national security with commercial interests—a move that sparked substantial debate in Washington. At the same time, smuggling, enforcement challenges, and China’s push for domestic alternatives underscore persistent limitations in how comprehensively these controls can curb Chinese AI capabilities, as evidenced by the growth of Chinese companies such as DeepSeek, Alibaba, and Moonshot.
Findings and recommendations
Finding: Developing a standard definition and conception of the AI supply chain will lend coherence and connectivity to policy initiatives. Policy efforts to surge capacity and resources for emerging technology require defined scopes and clear prioritization. Before the US government can establish lines of effort and workstreams to effectively collaborate with allied and partner governments and industry partners, action is needed.
- Recommendation: Drive alignment around a definition of the AI supply chain. The government should delineate which components of the AI supply chain are in focus for each of the US government’s AI initiatives. Without this clarity, the interconnected nature of the AI supply chain will lead to redundant efforts and insufficient resources to meet overarching challenges.
Finding: Semiconductor manufacturing and critical mineral supply chains require sustained, long-term commitments. The concentration of advanced chip manufacturing in a small number of companies and geographies is a risk that initial policy actions are far from resolving. The supply chain challenge extends beyond the production of cutting-edge chips and must address advanced packaging, other semiconductors, advanced manufacturing equipment such as extreme ultraviolet (EUV) and deep ultraviolet lithography equipment, and critical mineral supplies. Policy attention has focused disproportionately on leading-edge graphics processing units (GPUs), while other categories of chips, such as field-programmable gate arrays (FPGAs), which face distinct competitive dynamics and vulnerabilities, have been largely overlooked. Without sustained efforts across the full manufacturing value chain, early investments risk being stranded.
- Recommendation: Align export control and industrial policy objectives. Export controls on advanced semiconductors and related technologies are critical to maintaining US advantages in computing, but they must be calibrated to effectively constrain adversary capabilities without undermining the commercial viability of US companies or alienating allied nations. Enforcement challenges and China’s investments in domestic alternatives demonstrate why export and import controls should be calibrated as one element of a broader industrial policy strategy. Export controls must also take into consideration the tertiary impact on capital available, especially among hyperscalers, to invest in domestic energy and other infrastructure.
- Recommendation: Sustain and expand incentives for domestic semiconductor manufacturing, assembly, testing, and packaging. Congress should extend incentives for advanced packaging, testing, and assembly operations. Advanced packaging is increasingly recognized as a bottleneck to domestic capabilities, and federal incentives should explicitly target the buildout of domestic capacity in this area.
- Recommendation: Address the distinct vulnerabilities of specialized semiconductors, including FPGAs. Current semiconductor policy has assumed that the vulnerabilities and strengths in leading-edge chip markets apply uniformly to specialized silicon. FPGAs, which are critical for defense systems, telecommunications, and AI inference, depend on lagging-edge manufacturing nodes in which China has built massive state-backed capacity. Incentives for allied assembly, testing, and packaging capacity should be part of supply chain diversification efforts for these segments, in which China already holds a significant downstream advantage.
Finding: The security of AI software and compute infrastructure requires both applying existing cybersecurity best practices and developing AI-specific mitigations. AI systems inherit the security challenges of the software and cloud ecosystems in which they are built and operated, but they also introduce novel risks that existing frameworks do not adequately address. Meanwhile, the institutional infrastructure for cybersecurity in the United States has been weakened at precisely the moment AI is raising the stakes. These institutions are the foundation on which any AI-specific security effort must be built. Creating new AI security mechanisms without repairing the underlying infrastructure will retread old obstacles and prevent rapid advancements.
- Recommendation: Restore and strengthen federal cybersecurity institutions for the AI era. Congress should permanently reauthorize the Cybersecurity Information Sharing Act of 2015, adequately fund the NVD, and ensure CISA has the workforce and authorities it needs to support AI supply chain security. The dissolution of the CSRB left the United States without a critical investigative mechanism for analyzing major cyber incidents; a successor capability should be established. Without these foundational institutions operating at full capacity, AI-specific security initiatives will lack the operational infrastructure they need to succeed.
- Recommendation: Map AI supply chain components to existing cybersecurity best practices and identify gaps. Developers, deployers, and policymakers should avoid reinventing the wheel. They should systemically map existing cybersecurity controls and best practices to components of the AI supply chain. Where existing best practices fall short for AI-specific risks, standards bodies such as NIST and AI-focused entities such as the Center for AI Standards and Innovation should develop guidelines for targeted mitigations. This approach of assigning general cybersecurity responsibilities to established bodies, while directing AI-specific analysis to focused organizations, avoids burdening AI safety-focused organizations with responsibility for the security of the entire software and data ecosystem while ensuring AI-specific gaps receive dedicated attention.
- Recommendation: Secure the open-source software ecosystem. Nearly every AI system, including commercial frontier models, depends on third-party open-source libraries and packages. For AI infrastructure components for which reliability and security are paramount, the US government should incentivize migration to memory-safe programming languages like Rust, which prevent developers from introducing a class of vulnerabilities into programs, and fund tooling that makes this transition practical. Targeted federal investment in independent security audits of critical open-source packages would improve ecosystem-wide resilience and could serve as a blueprint for the prioritization of neglected resources that are both increasingly critical to AI development and increasingly at risk due to the rapidly advancing cybersecurity capabilities of frontier models.
- Recommendation: Establish structured communication mechanisms between industry and government for AI supply chain threat intelligence. The US government should work with industry to develop standardized reporting frameworks, including common taxonomies for threat classification, vulnerability disclosure, and standard protocols. Government bodies should share actionable intelligence with industry where possible, deepening trust and collaboration between critical entities in the AI supply chain. Establishing and resourcing an AI Information Sharing and Analysis Center (AI-ISAC), modeled on existing ISACs as recommended in the Trump administration’s AI Action Plan, would be one pathway to the partnership and collaboration the government must establish with the private sector.
Finding: Model openness is emerging as an arena of strategic competition that demands a coherent US approach. Chinese open-source models provide users performance close to that of the leading proprietary models at a fraction of the cost and without restrictions on use that accompany many US open-source models. In 2025, the volume of downloads of models from Chinese providers on the platform Hugging Face surpassed that of US counterparts. According to leadership at Andreessen Horowitz, about 80 percent of the start-ups it sees leveraging open-source stacks are using Chinese models. US companies such as Airbnb, Pinterest, and Notion have all built open Chinese models into their AI offerings. The rapid global adoption of Chinese open-source AI models has implications that extend beyond the innovation landscape into the supply chain domain, creating dependencies on Chinese-origin technical ecosystems that could prove difficult to reverse. The United States must compete more effectively in the open-source space while developing frameworks to manage associated risks.
- Recommendation: Close the gap in open-source model disparities. US government and industry should come together to spur more robust open-source offerings from the US AI ecosystem. This includes providing adequate compute to academic and nonprofit developers of open-source models, supporting the development of open-source consortia to pool resources, reducing regulatory and legal hurdles to the open publication of model parameters and training data, and facilitating diffusion of open models. The US federal government should also carry out evaluations of Chinese open-source models, as articulated in the AI Action Plan.
- Recommendation: Develop risk assessment frameworks for open-source AI models. Open-source models can be modified in ways that closed models cannot, enabling new vectors for experimentation and for risk. Companies and policymakers should assess whether open-source models create meaningfully distinct supply chain risks and should be treated differently than closed-source models. Risk frameworks for both open- and closed-source models should account for the full lifecycle of model use, including fine-tuning, deployment, and ongoing maintenance, rather than focusing narrowly on the moment of model release.
- Recommendation: Treat model ecosystem influence as a supply chain question. Policymakers should integrate model openness into broader supply chain and industrial policy thinking. The question of which nation’s models are embedded in global AI applications carries strategic weight analogous to which nation’s telecommunications equipment is embedded in global and domestic networks. Broader conversations about supply chain security should reflect this reality, and federal procurement guidance should address model-origin considerations for AI systems used in sensitive government applications.
Finding: Fragmented approaches to data governance have left the United States without a coherent framework for securing and ensuring the integrity of the entire set of data in the AI supply chain. Policymakers have repeatedly shifted focus from one data component to the next, from training data to model weights to inference outputs, without building a comprehensive framework for securing the full spectrum of data in the AI supply chain. This pattern produces policy that is reactive, incomplete, and vulnerable to the emergence of new threat vectors that fall outside the scope of which component happens to be in focus. Overconfidence about which data element will most drive AI development can lead policymakers to skip past important questions, wrongly treating them as resolved. A more systematic approach is needed.
- Recommendation: Develop tailored data governance approaches that balance access and protection. The United States should pursue data governance approaches that enable access to high-quality data for AI R&D while providing meaningful protections against novel threats to the integrity, availability, and confidentiality of essential systems, such as through model distillation, training data extraction, and inference attacks. This includes investing in privacy-enhancing technologies, establishing clear frameworks for access to federal datasets, and engaging with industry on standards for model robustness to adversarial attacks. The United States should also explore the feasibility of establishing a platform for exchanging data between government and commercial sources for the purpose of AI development.
- Recommendation: Address the competitive implications of asymmetric data access. The advantages in data access that countries like China derive from centralized data gathering and permissive regulatory environments represent a structural challenge that the United States cannot and should not replicate. Instead, the government should pursue policy strategies that leverage the strengths of the US model, including the depth of the private-sector data ecosystem, the quality of federally curated datasets, and the trust that robust privacy protections engender in international partners, while ensuring that regulatory uncertainty does not unnecessarily constrain US competitiveness.
About the authors
Sara Ann Brackett is an associate director at the Atlantic Council’s Cyber Statecraft Initiative.