AI supply chain security can be your biggest unmanaged risk
By ai_poster · 6/27/2026, 5:06:13 AM
According to the JFrog 2026 Software Supply Chain Security State of the Union, 97% of organisations claim some form of AI model governance, while 53% self-host models sourced from public registries where 495 malicious AI models were identified. Self-hosting without scanning, vetting, or provenance tracking is the gap attackers exploit. AI model provenance, the documented lineage of a model, is being skipped entirely.

Serialised model files can carry embedded malicious payloads; approximately 95% of malicious models identified on Hugging Face used PyTorch's pickle serialisation. Safer alternatives like safetensors significantly reduce this attack surface. OWASP's Top 10 for LLM Applications identifies this under LLM03:2025 — Supply Chain.

For fine-tuning, data poisoning attacks inject malicious samples into training data before or during fine-tuning, with scraped datasets, third-party vendors, and public repositories as potential entry points. The minimum mitigation bar includes a hash-verified, version-controlled dataset registry, anomaly detection across training batches, and red-team evaluations designed to surface trigger-based behaviours.
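The hash-verified registry and the pickle-versus-safetensors distinction described above, as an added Python example that is not from the JFrog report or the post: it classifies each artifact by its bytes rather than its extension, rejects pickle-based checkpoints unless explicitly allowed, and checks SHA-256 digests against a registry. The registry layout, file names and sample contents are constructed for this example.

```python
import hashlib, json, pickle, struct, tempfile, zipfile
from pathlib import Path

def classify_artifact(path: Path) -> str:
    """Classify a model file by content, not extension: the extension is attacker-controlled."""
    head = (data := path.read_bytes())[:8]
    if head.startswith(b"\x80"):              # raw pickle stream (protocol 2+): loading runs code
        return "pickle"
    if head.startswith(b"PK\x03\x04"):        # zip archive: torch.save() checkpoints carry data.pkl
        with zipfile.ZipFile(path) as z:
            return "torch-pickle" if any(n.endswith("data.pkl") for n in z.namelist()) else "zip"
    # safetensors layout: u64 little-endian header length, JSON header, then raw tensor bytes (no code)
    if len(head) == 8 and (n := struct.unpack("<Q", head)[0]) <= len(data) - 8:
        try:
            hdr = json.loads(data[8:8 + n])
            if isinstance(hdr, dict) and all(isinstance(v, dict) for v in hdr.values()):
                return "safetensors"
        except ValueError:
            pass
    return "unknown"

def verify_against_registry(root: Path, registry: dict, allow_pickle: bool = False) -> list:
    """Registry shape assumed here: {"artifacts": {"relative/path": "sha256hex"}}. Returns findings."""
    findings = []
    for rel, expected in registry["artifacts"].items():
        p = root / rel
        actual = hashlib.sha256(p.read_bytes()).hexdigest()
        if actual != expected:
            findings.append(f"{rel}: hash mismatch (expected {expected[:12]}, got {actual[:12]})")
        kind = classify_artifact(p)
        if kind in ("pickle", "torch-pickle") and not allow_pickle:
            findings.append(f"{rel}: {kind} serialisation rejected, convert to safetensors")
    return findings

def demo() -> dict:
    """Constructed sample artifacts: a minimal safetensors file, a pickle-based checkpoint, a dataset."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        hdr = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
        (root / "model.safetensors").write_bytes(struct.pack("<Q", len(hdr)) + hdr + b"\x00" * 8)
        with zipfile.ZipFile(root / "legacy.pt", "w") as z:   # shaped like a torch.save() archive
            z.writestr("archive/data.pkl", pickle.dumps({"w": [0.0, 0.0]}))
        (root / "train.jsonl").write_text('{"text": "sample"}\n')
        names = ("model.safetensors", "legacy.pt", "train.jsonl")
        registry = {"artifacts": {n: hashlib.sha256((root / n).read_bytes()).hexdigest() for n in names}}
        kinds = {n: classify_artifact(root / n) for n in names}
        clean = verify_against_registry(root, registry)
        (root / "train.jsonl").write_text('{"text": "poisoned"}\n')   # tamper after registration
        return {"kinds": kinds, "clean": clean, "tampered": verify_against_registry(root, registry)}
```

In practice the registry would be committed to version control alongside the dataset and checked on every training run, so a modified batch fails before it reaches fine-tuning.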