The AI risk hiding inside your suppliers
The discovery took one developer, one evening, and a piece of free software.
In March this year, a developer known online as Fynn got curious about Composer 2, the new AI coding model from Cursor, one of the most popular development tools in the world. Cursor had launched it with confident language about "frontier-level coding intelligence", the implication being that Cursor had built it from scratch. Fynn routed the tool's traffic through a debug proxy, a standard piece of kit that shows you what an application is saying to its servers.
There, in plain text, was the name of the model actually doing the work: kimi-k2p5-rl-0317-s515-fast.
Kimi K2.5 is not a Cursor model. It belongs to Moonshot AI, a Beijing-based startup backed by Alibaba and Tencent. Cursor's flagship product, used inside thousands of companies, was running on a Chinese foundation model, and nobody had mentioned it. Cursor confirmed the finding within hours. Its co-founder conceded that staying quiet had been a mistake.
Note what it took to find out. Not a regulator, not a disclosure rule, not an audit. One curious person with a proxy server. Every business whose code passed through the tool simply didn't know.
If your company has signed up to AI-powered software this year, and by now that is most companies, the same question applies to you. Whose model, trained where, governed by which country's laws, is processing your data?
The thirty-to-one problem
One number explains why this question is coming to every business. DeepSeek, the Chinese lab that upended the AI market in January 2025, lists its fastest current model at roughly fourteen cents per million tokens. The leading American models cost around five dollars. That is a price gap of more than thirty to one, on models that independent testing places close together in capability. The US government's own evaluation lab concluded in May that DeepSeek's latest model sits about eight months behind the American frontier while costing a fraction as much to run.
Economics like that do not stay theoretical. Around two thirds of the new AI models released last year were built on Chinese foundations. In February, Chinese models overtook American ones in weekly traffic on OpenRouter, a marketplace that routes AI requests for thousands of applications. Software vendors face the same margin pressures as everyone else, and a model that performs nearly as well for a thirtieth of the cost is a business case, not a hypothetical.
So Chinese models are flowing into the plumbing of ordinary software: the bid-writing assistant your estimators use, the document summariser in your case management system, the chatbot on your patient portal. Sometimes disclosed. Often, as Cursor showed, not. And you cannot simply ask the model. DeepSeek's V3, asked what it was, called itself ChatGPT in five out of eight tests. Short of intercepting the traffic, a customer has no way of knowing.
What actually goes wrong
The risks are real, but they are not the ones in the scariest headlines, and they depend entirely on how the model is used.
Start with the hosted services, where your data travels to the vendor's servers. This is where the documented problems live. DeepSeek's own privacy policy states that user data is collected, processed and stored in the People's Republic of China, and used to train its models. In January 2025, researchers at the security firm Wiz found a DeepSeek database sitting open on the internet, no password, holding more than a million log entries including users' conversations in readable plaintext. They found it within minutes of looking. Three months later, South Korea's privacy regulator established that DeepSeek had been transferring the content of users' prompts to a ByteDance-affiliated company without consent.
Behind all of this sits Chinese law. The National Intelligence Law of 2017 obliges every Chinese organisation to "support, assist and cooperate with national intelligence efforts". Scholars debate how far that duty stretches. What nobody disputes is that a company served with such a demand has no independent court to appeal to, and is forbidden from telling you it happened.
For a UK business the conclusion has already been written into our own law. There is no UK adequacy decision for China, and the transfer risk assessment that data protection law demands is, in most practitioners' view, impossible to pass for a China-hosted AI service. Add confidentiality, legal privilege and trade-secret duties, and the position is blunt: client data, personal data, anything you would mind reading in someone else's hands, cannot defensibly go into a Chinese-hosted AI service. The UK has banned nothing. It has not needed to.
The other side matters just as much. The same model, downloaded and run on infrastructure you or a Western cloud provider controls, sends nothing to China at all. A model file is inert data; it cannot phone home. Microsoft and Amazon both host DeepSeek's models in their own datacentres on exactly this basis. What travels with the model is behaviour rather than data. The political censorship that Chinese regulation builds into these models stays in them wherever they run. That matters if you ask the model about suppliers, markets or geopolitics. It matters much less if it is refactoring your invoicing code.
As for the "sleeper agent" stories, models booby-trapped to misbehave on a hidden trigger: the research is real and unsettling, and it is worth being precise about where the trap actually lives. It is planted during training, baked into the model file itself, before the model is ever published. Anthropic showed in 2024 that such backdoors survive the safety training meant to remove them. A follow-up with the UK's AI Security Institute found that 250 poisoned documents slipped into training data can compromise a model of any size, without the lab that trained it ever knowing. And one researcher demonstrated the direct route: he took a legitimate Chinese coding model, trained a backdoor into it in half an hour on a single graphics card, and published the result. It looked identical to the original. There is no inspection, no scan, no audit that can find what has been trained into a model's weights. You are staring at billions of numbers.
That is what makes the open model libraries a supply chain question rather than a technical one. Hugging Face, the site where models are shared, hosts millions of them, most uploaded not by the original labs but by third parties who have fine-tuned someone else's work and republished it under a new name. Anyone can do this. So when a software supplier says their product is "powered by AI", the practical question is which file, from whom, and on what evidence of its history. For a chatbot that drafts marketing copy, an unprovenanced model is a quality risk. For anything security-adjacent, a tool that writes or tests code, or an agent given the keys to other systems, it is a different order of exposure entirely, because a model in those seats does not just answer questions. It acts.
The balancing fact, stated plainly: no such backdoor has ever been found in a real, shipped model. Anyone's. Every one documented so far was built by researchers to prove the point. It is a risk to design for, not a crisis in progress. But it is a risk you design for by knowing exactly which models your suppliers run and where they got them.
One more event from this year belongs in the picture. In June, the only forced withdrawal of a frontier AI model that has ever happened took place, and the United States did it. The Commerce Department ordered Anthropic to suspend worldwide access to its newest models days after launch, citing national security. Access returned two weeks later after negotiations. France's president remarked that Europe would not buy models that could be switched off overnight. The lesson is not that America is the villain. It is that switch-off risk attaches to every hosted model from every country, and the one deployment nobody can withdraw remotely is the model running on your own hardware.
An old discipline, a new layer
A supplier under cost pressure quietly changes what sits underneath the service you buy. The change is invisible from outside. The risk lands on you.
Construction firms have managed this in their subcontractor chains for decades. Finance has a regulatory apparatus for it. Healthcare procurement interrogates it in every framework agreement. It is supply chain due diligence, and AI has now added another layer to it. Knowing who your software vendors are is no longer enough. You need to know what they run underneath, and you need them contractually obliged to tell you when it changes. Cursor proved that nobody volunteers this information.
Four questions belong in every supplier assessment:
Which AI models, by name and version, power each feature, and will you notify us when that changes?
Where does the processing happen, and under which country's laws?
Is our data used to train anything, by you or anyone upstream?
If a government withdraws the model tomorrow, what happens to the service we depend on?
Most vendors will not have ready answers. That is not a reason to stop asking. It is the thing you needed to find out.
Where we can help
This is work Cool Waters Cyber does every day. Our managed supply chain due diligence service puts these questions to your suppliers, weighs the answers against evidence rather than marketing, and gives you a documented, defensible picture of where your data goes. The Cyber Swift supply chain portal then keeps that picture current, showing the assurance status of your whole supplier base in one place as vendors change what sits under the bonnet. They will.
The businesses that handle this well will not be the ones that banned the foreign models and moved on. They will be the ones that could answer calmly, with paperwork, when a client, regulator or insurer asked: do you know whose model is processing your data?
If the honest answer today is no, let's talk, or start with a look at how we secure supply chains.