AI in the supply chain
22 September 2025
Artificial intelligence (AI) is increasingly being integrated into supply chain operations, from procurement and forecasting to logistics and vendor management.[1][2] To function effectively, AI models are often trained on vast datasets, which may include personal information. Global supply chain leaders such as Amazon, Nestlé and Unilever[2] are already experimenting with AI in their internal business processes, although large-scale deployment is still limited.[3]
While the operational efficiencies gained from AI are clear, the associated risks are equally stark. Regulators have warned that supply chain partners may represent the ‘weakest link in data protection’,[4] stressing that organisations must ‘pass on their obligations… in any contract with third parties’.[5] Smaller suppliers are increasingly becoming prime targets for threat actors, serving as an entry point into larger organisations.[6] Recent incidents have demonstrated that a breach at a vendor or AI provider, even one not central to an organisation’s supply chain, can quickly escalate to expose sensitive customer or employee data on a much larger scale.[7]
This concern is underscored by ASIC’s Cyber Pulse Survey 2023, which found that 44% of small organisations do not conduct risk assessments on their third-party vendors.[8] For larger corporates that rely heavily on third-party vendors, this creates a double vulnerability: they face direct cyber threats and may also be exposed through supply chain partners that fail to meet even baseline risk management practices.[9] In an environment where threat actors deliberately target the weakest link, vulnerabilities in a third-party vendor’s controls can become an entry point for breaches that ultimately compromise the data of much larger organisations.[10]
Legal obligations and accountability
Australian privacy laws make it clear that an organisation cannot outsource its privacy obligations. Under the Privacy Act 1988 (Cth) (Privacy Act) entities remain responsible for protecting personal information, even if that information is held or handled by a supplier.
In practice, if an Australian company engages an AI analytics provider and shares personal information with it, the company is still deemed to ‘hold’ that information where it retains possession or control over that information and must take reasonable steps to protect the information from misuse, interference and loss. Therefore, a company may be in breach of Australian Privacy Principles even where the unauthorised access or disclosure of information is due to the third-party supplier’s failure.
The Office of the Australian Information Commissioner (OAIC) has reinforced this position, stating after a series of multi-party breaches that outsourcing data processing ‘does not negate an organisation’s privacy and notification obligations’.[11] If personal information is compromised, the original organisation is still required to notify affected individuals and the OAIC under the Notifiable Data Breaches scheme, regardless of where the incident occurred.[12]
These obligations extend beyond Australia’s borders. AI vendors are frequently located overseas, meaning Australian companies often disclose data internationally. Under APP 8, before disclosing personal information offshore, organisations must take reasonable steps to ensure the recipient will handle the information consistently with the APPs. Limited exceptions apply where informed consent is obtained from the individual or where the data is disclosed to a recipient in a jurisdiction with substantially similar privacy protections.[13]
Practical steps for organisations
Given the heightened risks associated with the use of AI, organisations should prioritise governance around AI in the supply chain. Practical measures include:
- Enhanced due diligence. Ask suppliers whether they (and potentially other third parties in their extended supply chain) use AI in providing their services, where data is stored, how it is handled, and whether personal information is retained or used to train AI models. Conduct privacy impact assessments before engaging high-risk AI vendors. Continue to monitor vendors on an ongoing basis to identify material changes.
- AI-specific clauses. Require suppliers to disclose AI use, prohibit the use of personal information for training without consent, and require prompt notification of data breaches. Contracts should also provide audit rights, address retention and destruction of data, and allow termination for unauthorised AI use.
- Cross-border safeguards. Confirm where AI vendors store and how they handle personal information. If disclosure offshore is involved, ensure contracts require compliance with the APPs or that the vendor is bound by substantially similar privacy standards.
- Data minimisation. Share only the personal information necessary for the service and prefer anonymised or de-identified data where possible. Sensitive information should not be entered into public AI tools.
- Ongoing monitoring. Build AI vendor oversight into risk management frameworks. Require periodic security reports, review certifications and test incident response plans involving key suppliers.
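The data minimisation step above is the one that can be enforced in code at the point where records leave the organisation. The following is an added example, not code from the article or from any vendor it mentions: a filter that keeps only the fields a hypothetical logistics vendor needs, replaces the customer identifier with a keyed pseudonym (the HMAC key stays with the organisation, so the vendor cannot reverse it but the organisation can re-link results), unconditionally drops sensitive fields, and redacts contact details that staff may have typed into free-text fields. All field names, the allowlist and the sample record are constructed for illustration.

```python
"""Data-minimisation filter applied to a record before it is shared with an AI vendor.

Added example (not from the original article). Assumes the organisation holds an
HMAC key that the vendor never receives. Field names and the sample record are
constructed for illustration.
"""
import hashlib
import hmac
import re

# Fields a hypothetical logistics/forecasting vendor genuinely needs (constructed).
LOGISTICS_ALLOWLIST = frozenset(
    {"order_id", "sku", "quantity", "order_date", "region", "delivery_notes"}
)

# Direct identifiers that are replaced with a keyed pseudonym rather than dropped,
# so the vendor can still group orders by customer without learning who they are.
PSEUDONYMISE = frozenset({"customer_id"})

# Sensitive information that never leaves the organisation, whatever the allowlist says.
ALWAYS_DROP = frozenset({"date_of_birth", "tfn", "health_notes"})

# Free-text fields are the usual place where contact details leak; structured
# fields (dates, SKUs) are not scrubbed so that the phone pattern cannot eat dates.
FREE_TEXT = frozenset({"delivery_notes"})

_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")

# Constructed secret for the example; in practice this comes from a key store.
EXAMPLE_KEY = b"org-internal-pseudonym-key-2025"

# Constructed sample record as it might sit in an internal order system.
SAMPLE_RECORD = {
    "order_id": "ORD-1001",
    "customer_id": "CUST-42",
    "customer_name": "Jane Citizen",
    "email": "jane@example.com",
    "date_of_birth": "1980-02-03",
    "sku": "WIDGET-7",
    "quantity": 3,
    "order_date": "2025-09-01",
    "region": "NSW",
    "delivery_notes": "Call jane@example.com or 0412 345 678 before delivery",
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, non-reversible pseudonym; stable for the same input under the same key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_free_text(text: str) -> str:
    """Redact e-mail addresses and phone numbers from a free-text field."""
    text = _EMAIL_RE.sub("[email redacted]", text)
    return _PHONE_RE.sub("[phone redacted]", text)


def minimise(record: dict, allowlist: frozenset, key: bytes):
    """Return (outbound_record, dropped_fields) for a record bound for a vendor."""
    outbound = {}
    dropped = []
    for field, value in record.items():
        if field in ALWAYS_DROP:
            dropped.append(field)
        elif field in PSEUDONYMISE:
            outbound[field] = pseudonymise(str(value), key)
        elif field not in allowlist:
            dropped.append(field)
        elif field in FREE_TEXT and isinstance(value, str):
            outbound[field] = scrub_free_text(value)
        else:
            outbound[field] = value
    return outbound, sorted(dropped)


def contains_only_permitted_fields(outbound: dict, allowlist: frozenset) -> bool:
    """Final gate before transmission: nothing outside allowlist or pseudonym set."""
    return set(outbound) <= (allowlist | PSEUDONYMISE) and not (set(outbound) & ALWAYS_DROP)


if __name__ == "__main__":
    out, dropped = minimise(SAMPLE_RECORD, LOGISTICS_ALLOWLIST, EXAMPLE_KEY)
    print("outbound:", out)
    print("dropped:", dropped)
    print("gate passed:", contains_only_permitted_fields(out, LOGISTICS_ALLOWLIST))
```

The allowlist is per vendor and per service, which keeps the filter aligned with the contractual purpose limitation: adding a field to what the vendor receives becomes a deliberate, reviewable change rather than a default. The pseudonym key is the only thing that lets results be re-linked to real customers, so it belongs in the organisation's key store and never in the data sent offshore.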
Conclusion
As businesses increasingly adopt AI across their supply chains, privacy obligations do not diminish; they intensify. Smaller vendors and overseas AI providers can quickly become the entry point for major breaches. Australian regulators have made it clear that organisations remain accountable for how their suppliers handle data, meaning that boards can no longer ignore third-party and AI-specific risks. By identifying AI in the supply chain as a potential weak link and strengthening contractual governance and due diligence practices accordingly, organisations can better protect personal information.
[1] Oracle, ‘Benefits of AI in Supply Chain’ (Web Page, Oracle, 11 January 2024)
[2] Cem Dilmegani and Sıla Ermut, ‘Top 13 Supply Chain AI Use Cases with Examples in 2025’ (Web Page, AIMultiple, 12 June 2025)
[3] The Hackett Group, ‘Supply Chain AI Adoption Rising Amid Economic Pressures’ (Media Release, 4 April 2025)
[4] The Guardian, ‘Third-Party Providers a Customer Data Weak Spot, Australian Privacy Commissioner Says’ (6 May 2024)
[5] Ibid.
[6] Nick Martindale, ‘The Risks of Supply Chain Cyberattacks on Your Organisation’ (Information Age, 3 February 2025)
[7] Cyber Management Alliance, ‘Snowflake, Ticketmaster & Santander Breaches: A Live Timeline’ (Cybersecurity Blog, 5 June 2024)
[8] Australian Securities and Investments Commission, ‘Report 776: Spotlight on Cyber – Findings and Insights from the Cyber Pulse Survey 2023’ (13 November 2023) 6
[9] Aon, ‘AI-Driven Cyber Attacks and Supply Chain Vulnerabilities Escalate Risk Landscape in Australia’ (Web Page, Aon, 31 July 2025)
[10] evo, ‘Supply Chain Attacks: Infiltrating Organizations Through the Backdoor’ (Blog Post, 28 August 2024)
[11] Office of the Australian Information Commissioner, ‘Guide to Securing Personal Information’ (5 June 2018)
[12] Ibid.
[13] Privacy Act 1988 (Cth) s 16C.