Risk Ledger Explains The Hidden Risks Inside Modern AI Supply Chains

[00:00:00] If you are listening and you're responsible for security or IT, you will know the reality of most of your list comes at a fascinating moment in cyber security. That gap is exactly what our increasingly pushing with its new business browser. So instead of bolting security on the ground is becoming far messier. It builds it directly into the browser itself. This means you can control, access, monitor, scrambling after the massive cyber attack that reduce shadow IT.

[00:00:29] And its parent company, Instructor. And during finals week, students suddenly lost access to their coursework, exam, headaches or complex onboarding. You get things like browser-based, shiny hunters, prevention, SaaS access control and zero tools browsing. But delivered in a way that your team can actually use it. So if you've been trying to simplify your stack while improving visibility, And I think this incident has really not had one of the biggest debates in cyber security right now.

[00:00:59] Governments want organisations to stop funding cyber criminals. But when hospitals, universities, infrastructure providers, entire supply chains face operational collapse, many leaders still make decisions based on immediate survival rather than long-term policy objectives. And that leads perfectly into today's conversation.

[00:01:21] Because as organisations race to adopt AI, plug into cloud ecosystems and connect increasingly complex digital supply chains, every new vendor, every API and every integration creates another potential point of failure. And here's the thing. Attackers know this. And increasingly, they're now starting to target smaller suppliers and overlook third parties

[00:01:47] to use it as a way of leapfrogging and gaining access to the much larger organisation, the real target. So today, I want to explore why supply chain security has become one of the most significant national security gaps that is facing governments and enterprises worldwide. And also understand how AI is accelerating systemic risk across interconnected ecosystems.

[00:02:11] And what organisations need to know now before disruption itself becomes the business model. And joining me today on this is returning guest, Hayden Brooks, CEO and founder of Risk Ledger. Really looking forward to getting him back on the podcast today. But enough from me. Let me introduce you to him once again right now. So a massive warm welcome back to the show. For anyone that missed our last conversation,

[00:02:41] can you remind everyone listening with a little about who you are and what you do? Of course. Nice to speak to you again, Neil. So my name's Hayden Brooks. I'm the CEO and founder of a company called Risk Ledger. We're a supply chain security company that helps clients understand and mitigate security incidents within their supply chain. And so much has changed since we last spoke. I think it was in 2024, especially the conversation around AI and cyber security, which has accelerated dramatically. But from your perspective at Risk Ledger,

[00:03:10] how has that risk profile of the modern supply chain, how has that changed over the last, what, 12 to 18 months? Yeah, massively. And I say in a number of kind of different ways. So first and foremost, I think the whole security industry is grappling with what AI is doing to the threat landscape in general. So whether that's people introducing AI tools internally and what that is doing to the way we have to govern our security internally to make sure that it stays resilient to attacks,

[00:03:36] or whether that's threat actors starting to use AI-enabled tools themselves to launch attacks against companies. And probably the biggest bit of news recently was using LLMs to find new vulnerabilities in software, and the pace at which you can find those vulnerabilities rapidly increasing, which is leading to many more vulnerabilities being found and potentially exploited a lot quicker. But the other aspect that I've been kind of thinking quite deeply about is a lot of technology companies are quite rightly going all in on AI.

[00:04:04] And in doing so, they're integrating their technologies into the larger AI model companies like Anthropic and OpenAI. And in doing so, creating a bit of a concentration risk where an incident at one of these larger companies could potentially cause a lot of technology to stop working, depending on how they have built it. So yeah, a lot of change and a lot of discussion around kind of what that change will mean for security teams around the world,

[00:04:29] and what they can be doing to try and understand and reduce the risks that AI has brought to them. Before you join me again on the show today, I was reading how you described supply chain security in particular as one of the biggest national security gaps facing governments today. So I've got to ask, it feels like we've been talking about this for so long. Why are supply chains still such an exposed tax service, despite years of warnings and increasingly public breaches?

[00:04:58] And then we've got global conflict at the moment. Why has it remained such a big gap? I think it's just such a big problem to deal with. So we've had kind of 30, 40 years of globalization. Supply chains have grown massively, both in terms of size and complexity. And I think the model that regulators and governments always followed were, if we can ensure the security and the resilience of entities that are important to our national security, like water companies, like energy companies, then we're doing our job.

[00:05:29] But recently they're starting to realize that a lot of these companies are supported by very complex ecosystems of suppliers, and that's just a huge blind spot at the minute. So instead of looking after a critical national infrastructure company, you end up having to look after the CNI company and all of the critical suppliers that support it. So it basically takes that already difficult problem and then just blows it up by a thousand in terms of the complexity and scale. And yeah, and then like to date, a lot of that is focused around policy and regulation.

[00:05:58] So it's basically trying to put in place the rules that critical national infrastructure companies have to follow to maintain and ensure their security and resilience. But it's very hard then to force that regulation down into the supply chain because they are not regulated entities. So I think the model that governments and regulators have been able to follow hasn't necessarily caused supply chains to improve when it comes to their own security posture or resilience.

[00:06:23] And I think one of the most worrying trends is attackers are now targeting smaller suppliers in the hope that they will then be able to gain access to larger organizations or critical infrastructure. So why are smaller vendors so attractive to adversaries? And what blind spots do enterprises still have in this area? I'm sure you see a lot here too, right? Yeah, so I think the most of the attacks we see in the supply chain historically have been quite random. So it's essentially where you have random attacks happening and then some sort of threat actor realizes

[00:06:52] that they have broken into a supplier and that that supplier is important for another company. And then oftentimes they'll actually sell that hack or that access on to somebody else to do what they want to do to impact that end target. I think with the recent kind of shift in geopolitics, a lot more wars happening. We are seeing more and more targeted attacks now. And that's where nation states in particular are targeting kind of supply chains to critical infrastructure

[00:07:18] to cause damage and try and gain leverage or control over other nation states. And when it comes to kind of choosing what suppliers to attack, oftentimes we talk about them finding kind of the weakest link. So it's essentially that they are looking for companies where their security is not necessarily as mature as others. And naturally, as you start moving down towards the more smaller suppliers, a lot of these smaller suppliers in the last 10, 20 years have become very tech enabled, but don't necessarily

[00:07:48] have the resources or the internal manpower expertise to be able to secure the tech that they now rely upon. And so we tend to find that the larger a company is, the more kind of security expertise and budget they will have to improve their resilience. But the smaller companies are kind of being left a little bit behind because they don't necessarily have the expertise or the ability to put in place good security controls.

[00:08:13] And with AI ecosystems also becoming deeply interconnected now, especially with shared data, APIs, we've got cloud providers, third-party models, all linked together. Do you think we're unintentionally creating a level of systemic risk that many organizations still don't fully understand? We saw it many years ago with the APIs, et cetera. It's like that on another level now, right? Definitely. And I would say it also comes down to just the way AI is being implemented.

[00:08:43] So oftentimes now you'll have engineers just going to kind of plug AI tools within an existing tech stack. So as a large enterprise, I might be using many different tools. And it's very hard for me to understand as those tools are evolving over time, which ones are starting to integrate AI capabilities within them. And so it's a lot easier for me to say, well, from this point on, all of the new suppliers that we look at need to have these controls in place around the AI that they use. But it's a lot harder for me to be able to monitor that historically and make sure that

[00:09:12] the other tech tools that I might have bought a year, two years, five years ago are also abiding by the same controls. And yet we're seeing kind of that risk absolutely grow. And that concentration risk, we are seeing kind of those two or three large kind of model providers being the main tools that are used by tech stacks to essentially provide that AI capability. And depending on the way that they've integrated, for example, OpenAI or Anthropic into the platform,

[00:09:40] it might be that an incident at OpenAI or Anthropic will cause that tool to no longer work. So suddenly one attack at one company might take offline a number of tools that are being used by an enterprise or public sector body. And when a breach or an outage happens through a third party, I think accountability often becomes very unclear very quickly, almost turning to the Spider-Man meme with lots of people pointing at each other. But do current accountability models still work in a world where organizations

[00:10:08] depend on hundreds or in some cases, even thousands of suppliers? I think the accountability model itself isn't necessarily the problem. I think it's the ability to actually enforce that accountability model. So it's the lack of visibility or transparency into the supplier ecosystem underneath you. We've had kind of contracts in place with suppliers ever since we've had suppliers. And those contracts typically do outline kind of accountability and liabilities in a way that

[00:10:35] does work. But then it's making sure that you understand who the suppliers are that you're working with, who the suppliers are that support them, where attacks may happen, where attacks do happen, and then being able to pinpoint actually what the knock-on effects of those attacks are. So I don't think it's necessarily a problem with the actual accountability model itself, but the way we use that accountability model without necessarily the data or the transparency across the supply chain to be able to enforce it well.

[00:11:01] And when looking across the industry, I think collaboration, information sharing, these things are always often presented as the ideal solution. But many businesses still understandably hesitate to share threat intelligence so openly. So what cultural or maybe commercial barriers are stopping the industry from working together more effectively? Yeah, this is definitely a shift I've seen in the last kind of five to six years. So if we go back

[00:11:28] kind of, let's say, five, 10 years ago, it was very rare for companies to share anything with each other. I think they saw security as a kind of a competitive moat in a way. The more secure I am, the more incidents that my competitors are having, the better I can outperform them and beat them within the market. And we've definitely seen that shift. So I think security teams today are very acutely aware that security isn't a zero sum game and that the more they share with each other,

[00:11:56] the more they will receive back and the better everybody's security becomes. And because of that, we've seen information sharing groups, community groups spin up where security teams are much more open about sharing this information with each other to benefit everybody within that community or that group. And that's been a trend that I think will continue for the foreseeable future. And I think the key thing here is that the groups themselves are learning to do it in a way that

[00:12:22] still has some sort of control in place. So it's not very much I'm sharing everything openly. It might be that a group of security teams get together and actually share information anonymously with each other. And there are ways that you can do it to basically get the best of both worlds where you're minimizing that risk of sharing anything that's competitive or that may end up harming you. But you're able to share that in a way that still brings you the benefit of receiving information that can help bolster your own defenses as well. And that's definitely been probably,

[00:12:51] I'd say, one of the biggest changes we've seen over the last 10 years within security. And we often hear leaders talk about resilience. It's almost become a buzzword in some circles. But what does real resilience actually look like in practice, especially when it comes to supply chain security and protecting critical national infrastructure that is increasingly under attack? Yes, I think resilience is all about basically being able to maintain your business and keep

[00:13:19] pushing the business forward, even under times of huge stress or catastrophic incidents. And it's less about kind of preventing these incidents and more about assuming that these incidents will happen. How do we make sure that the market infrastructure is able to keep kind of moving and working? And yeah, resilience is all about basically kind of three or four different things. It's all about

[00:13:43] identifying where we think risk is, being able to then do things to lower that risk. But I think where we've been weak in the supply chain is the second and third part, which is when something does go wrong, identifying what's gone wrong, where it's gone wrong, who else is going to be impacted by it, and then doing things to minimize that impact. So I think in supply chain, historically, we've assumed, okay, well, the best we can do is actually understand where the risk is, and then try and do things to lower it. But we've been hit by breaches kind of every week for the last kind of 20 years.

[00:14:13] And what we have failed to do is understand, okay, is there a capability we can bring in, which enables us to understand what the incident is, where it's happened, what the actual impact is going to be on us, and that allows us to basically reduce that understanding time, and be able to put in place things that mean we can lower the impact on us and lower the impact on the business we work for. A big thank you to Donodo for helping me make more than 60 monthly interviews possible across

[00:14:42] the Tech Talks network. And as businesses move from Gen AI to Agentic AI, trusted data becomes everything. Everything from Gen AI to Agentic AI, Donodo is helping organizations build intelligent, secure, and scalable AI solutions with data access, governance, and explainable results. So build AI that you can trust, and do it with Donodo. And you can learn more by simply visiting

[00:15:12] donodo.com. And it does feel rather a pivotal moment at the moment. We're plugging more and more things into AI. We've got the AI agents, and there's hundreds, even thousands of them going out there that are also plugged into things and going out there and sharing information, etc. If you look at how this will continue to evolve, do you have any concerns about the direction of AI-driven supply chains or what needs to happen now to stop some of those small contractors or overlooked vendors becoming the

[00:15:41] starting point for a much larger geopolitical or even economic crisis? I don't want to be too alarmist or dramatic there, but you do have to take this stuff responsibly, don't you? Yeah, so I think it's now, if you haven't invested within some sort of supply chain security or third party risk management capability, now would be the time to do it. Businesses are evolving very, very quickly. And as they're evolving, they're bringing in new tools day by day. And in doing so,

[00:16:09] this kind of drive to innovate and make sure you're at the forefront of this new wave of AI technologies is introducing a lot of risk into businesses that they need to be able to understand. I always say it's fine taking risks as long as you understand the risk and that you understand when something does go wrong, you know what to do essentially to minimize that impact. Yeah, that trend I think is going to continue. In terms of what security teams and companies can do,

[00:16:34] it's essentially revisiting what that supply chain security process looks like and making sure that you are doing it as well as you can. So understanding who your suppliers are, what they do for your business, keeping that data up to date, and then understanding what controls you can put in place to minimize the impacts of attacks across these suppliers on your own entity. And for yourselves, Riskledge, I know you've been busy. I seem to remember reading a few weeks ago, you've announced a new location in Maryland. Is that right? What's been happening there?

[00:17:05] So yeah, business is doing really well and growing really nicely in the UK. We're doing particularly well across UK government and critical national infrastructure, starting to do really well as well across financial services and insurance. And then, yeah, we have decided to launch into the US. So we have come on to the soft landing program in the state of Maryland. And the state of Maryland is

[00:17:30] also a hub for cyber. Obviously, you've got the NSA there. You've got a lot of kind of cyber talents and capability that's come out of US government. And it's kind of a hub for cybersecurity across the US. So we've got our first couple of staff members over there. We're growing quite rapidly. So if anybody's interested in hearing more about that or applying for roles, please do reach out. But yeah, exciting times. Indeed. I think it's also got the biggest data center in the world over that way as well,

[00:17:58] if I remember rightly. But for anyone listening that are interested in working for you or just want to find out more information about anything we talked about today, or even keeping up to speed with some of the inevitable big announcements that will be coming out throughout the year, where would you like me to point everyone listening? They can take a look at our website, recession.com. Alternatively, you can find me on LinkedIn. Always happy to chat to people who are interested in cybersecurity more generally, or specifically supply chain. So yeah, either or really.

[00:18:28] Awesome. Well, I will add links to everything there. For want, I've loved catching up with you, especially learning more about why supply chain security has come one of the most significant national security gaps facing governments worldwide. Probably why you're such a hit with them at the moment as well in protecting some of these gaps. But more than anything, thank you for catching up. It was great talking to you. I urge everyone listening to go find out more information. And hopefully, we will speak again. And we won't leave it 18 months until we speak again. Lovely to speak to you.

[00:18:58] Thanks again. Cheers, buddy. Cheers. I think there's often a temptation in cybersecurity conversations to focus entirely on prevention. But the reality here is that modern organizations are now operating inside deeply interconnected ecosystems where resilience, visibility, and recovery all matter equally as much as protection. Especially as AI accelerates dependency on shared platforms, shared infrastructure,

[00:19:26] and shared suppliers. And that Canvas ransomware incident that I mentioned at the very beginning in the intro, I think is a reminder that cybersecurity is no longer just a technical issue that sits quietly inside IT departments. A single breach now has the potential to disrupt education, healthcare, transportation, financial services, and the critical infrastructure that we take for granted at a national or even global scale. And when those instances of the

[00:19:56] happen, the pressure organizations face in real time look very different from those idealistic policies that governments create on paper. And I think Hayden also highlighted something many businesses still underestimate. Attackers rarely need to compromise the largest organization directly anymore. Sometimes the fastest route into that major enterprise, government agency, or critical

[00:20:21] infrastructure provider is often just through a smaller supplier that nobody was paying attention to. So if today's conversation sparked a few questions about your own supply chain visibility, resilient strategy, or third-party risk exposure, I recommend checking out Risk Ledger and connecting with Hayden online. And as always, if you enjoyed today's episode, please share it with a colleague or a

[00:20:46] friend that might be working in this area. Because I think these conversations are becoming increasingly important for every industry. And with that, thank you for listening as always, and I'll speak with you all again very soon. Bye for now.