On a Reddit thread that drew thousands of upvotes in seventy-two hours, the framing was unusually clear. One sentence from the original post has stayed with me through every customer call since: 'Most AI agent ecosystems today heavily depend on open-source packages, GitHub Actions, CI/CD pipelines, cloud credentials, shared deployment tooling, agent orchestration frameworks. One compromised dependency can impact the entire chain.'
The LiteLLM compromise that surfaced in April 2026 was not, at heart, a story about a vulnerable library. It was a story about a control plane nobody had drawn on a diagram. The supply chain for an AI agent is wider than the supply chain for an HTTP service, because the agent depends not only on the library that wraps the model but on the model provider, the prompt repository, the tool registry, the credentials service, the orchestration runner, and — increasingly — the MCP server that fronts a piece of internal data. When one of those snaps, you find out which other ones were quietly entangled.
Why static lists do not catch this
The first reaction I see in customer conversations after a breach like LiteLLM is to ask: do we use it? Then: which teams use it? Then: which agents use it? The first question is easy. The second is harder. The third is, in most organizations I have walked through, unanswerable from a static asset list.
The reason is structural. AI agents move faster than the inventory tools designed for SaaS or container fleets. They are created by individual engineers, embedded into internal workflows, and connected to MCP servers or skill packs that change weekly. The CMDB does not see them. The CSPM tool sees the compute they run on but not the dependency graph above it. The procurement system never bought them. The only authoritative list of what is running is the one you build by inspecting the boundary they cross.
What "agent type" actually means
In Hikma's data model, every agent is one of four types, and the type determines the rest of the question.
- API agents — call hosted model providers and orchestrate tool calls programmatically. Dependency surface: the SDK, the orchestration framework (LiteLLM, LangChain, LangGraph, custom), the secrets store.
- Web-automation agents — drive a browser or a UI surface. Dependency surface: the headless runtime, the selector logic, the credentials it uses to log in.
- MCP agents — connect to one or more MCP servers exposing tools or data. Dependency surface: each MCP server, the transport (STDIO, HTTP, SSE), and the permission grant on the other end.
- Skill agents — install and run a packaged skill from a directory or repository. Dependency surface: the skill source, the version, the manifest, the runtime that executes it.
When LiteLLM was the question, the agents that mattered were the API agents that imported it, and the orchestration runners that wrapped it. When the next library is the question — and there will be a next library — the answer will be a different slice of the same inventory. You cannot run the query if you have not built the index.
Dependency audit, not vibe-based attestation
An attestation that a system is secure is not the same as a record of what it depends on. The post-breach question is always retrospective: was this in our path? The only way to answer in minutes instead of weeks is to have already captured the dependency graph for each agent before the breach landed.
This is the work most organizations defer until a CVE arrives. Then it becomes the work everybody does at the same time, badly, on a Sunday. The cost of doing it ahead of time is small. The cost of doing it retroactively is the executive call that night.
Where the audit log earns its keep
Inventory is half of the answer. The other half is what the agent actually did when it was running. The structured audit log — what we send to SIEM, what we sign, what we make exportable — is the place a security team replays the moments that matter. Did the agent call the affected endpoint between the compromise window and the patch? Which records did it touch? Which user did it impersonate to do it?
If the log can answer those questions in a search bar, you have spent your hour on remediation instead of forensics. If it cannot, the next breach will be more expensive than the last one in exactly the way the LiteLLM thread predicted.
What I would do this week if I ran a security team
Step 01
Produce a single list of every AI agent in production, tagged by type. If the list takes more than a day, the list is already the finding.
Step 02
For each agent, write down the three things it depends on that, if compromised, would compromise it. Most agents have more than three; start with three.
Step 03
For each dependency, identify who would notify you if it was breached, and whether that notification path lands in your inbox before the public Reddit thread.
Step 04
Decide which audit log is the source of truth for what each agent did last week. If it is more than one, that is the next project.
None of those four steps requires Hikma. They require a few hours and a willingness to write down what is true today. The reason to do them is not the next library. It is the audit conversation that follows the next library, and the question that will be asked in it: did you know?
The LiteLLM breach made one thing operational. The supply chain for an AI agent is wider than most security teams have drawn on a diagram. The inventory is the first control. Everything above it depends on it being honest.
Written by
Mauro Medda
Co-Founder & CTO, HikmaAI
