Public technical memo · Version 1.0 · 7 May 2026

Combinational Activation

A public technical memo on emergent triggers across software and AI supply chains.

When trusted components become unsafe together. The risk is not always the individual artifact. Sometimes the risk is the live composition that becomes executable at the boundary.

Full PDF: gpt-oss.fi/whitepaper.pdf

Executive summary

Software and AI supply chains are no longer simple chains of packages. They are runtime systems made of packages, model artifacts, build scripts, CI/CD workflows, agents, plugins, credentials, prompts, policies, environment variables and external APIs.

A single component can look acceptable in isolation while becoming unsafe when another component, context or runtime authority completes the chain.

Combinational Activation is a proposed threat-analysis model for this gap. It describes cases where two or more individually benign-looking components produce a harmful composite behavior only when they interact in a specific environment or sequence.

The practical recommendation is not to replace SBOM, SCA, signing or secure development frameworks. The recommendation is to add a cross-component runtime control layer: observe component behavior, correlate shared state, evaluate authority at the execution boundary, gate consequential side effects and preserve an audit trace.

Definition

Combinational Activation is a condition where separate components, artifacts or services contain behavior that is not clearly harmful in isolation, but becomes unsafe when combined through shared state, runtime authority, temporal ordering or orchestration.

Component

A package, model artifact, serialized model file, extension, CI configuration, prompt template, agent skill, MCP server, API connector, shell command wrapper, policy rule or deployment script.

Trigger

A file path, environment variable, model loader behavior, GitHub Actions workflow, token, commit metadata, network event, prompt-state transition, tool invocation or timing relationship.

Minimal conditions

ConditionMeaningWhy it matters
C1: independent plausibilityEach component can appear routine or explainable on its own.Single-artifact review may miss the actual risk.
C2: coupling mediumComponents communicate through files, variables, credentials, config, API state, memory, prompts or timing.The trigger lives in the gap between artifacts.
C3: context-dependent activationThe harmful path requires a specific runtime context or sequence.Static scanning can under-detect environment-dependent behavior.
C4: side-effect boundaryThe composite behavior reaches build, deploy, execute, send, modify, exfiltrate or delete.Risk becomes real at the boundary where action binds.
C5: audit ambiguityThe incident may look like normal behavior from multiple trusted tools.Forensics need cross-component evidence, not isolated logs only.

Detection model

Detecting combinational activation requires correlation. The target is not only a malicious string, hash or package name. The target is an unsafe relationship between state, authority and side effect.

  • File writes into shared temporary, cache, workspace, plugin, model or CI directories that are later read by another process.
  • Environment-variable mutation or secret discovery followed by network, build, deploy or shell activity.
  • Package install, model load, plugin activation or project open events that generate executable configuration.
  • Tool chains that move from fetch/read to write/execute/send without a human or policy gate.
  • Agent state transitions where a natural-language instruction becomes a side-effecting action.
  • Cross-boundary routing where data moves from local/private context into cloud or external API execution.

Control model

Public-safe control loop:

  1. Observe components and runtime behavior.
  2. Correlate cross-component state and timing.
  3. Evaluate authority at the execution boundary.
  4. Gate consequential side effects with ALLOW / VERIFY / STOP / ESCALATE.
  5. Preserve an audit trace of the boundary decision.
Boundary question: is this live composition still admissible now, before consequence binds?

Control states

ALLOW

The chain is observable, authorized and within expected policy.

VERIFY

The action may be legitimate, but authority or context must be re-established now.

STOP

The chain is not admissible at the current boundary.

ESCALATE

The action needs human review, a safer tool path or isolated execution lane.

Relation to existing frameworks

Combinational Activation should be treated as a connective model layered on top of existing guidance, not a replacement for it.

  • CISA/NIST supply-chain guidance: risk identification, mitigation and resilience.
  • NIST SSDF: secure development practices across the software lifecycle.
  • MITRE supply-chain attack framework: attack patterns across acquisition and lifecycle phases.
  • NCSC secure AI development: secure AI lifecycle and supply-chain monitoring.
  • SLSA / OpenSSF: provenance, build integrity and artifact trust.
  • OWASP AI/agentic guidance: supply-chain vulnerabilities, excessive agency, tool misuse and unexpected code execution.

Non-goals

  • Not a replacement for SBOM, SCA, vulnerability management, signing, sandboxing or secure development.
  • Not a claim that every multi-stage incident is Combinational Activation.
  • Not a claim that static scanning is useless; rather, static scanning is incomplete without correlation and boundary control.
  • Not a product proof claim. This is a public technical memo defining a defensive model and research direction.

Compact raw public memo block

The risk is not always the component. Sometimes the risk is the combination that becomes executable at the boundary.

Combinational Activation describes a condition where individually acceptable software or AI components become unsafe only when they interact through shared state, runtime authority, timing, or orchestration.

The defensive problem is not only detecting a malicious package or model artifact. The defensive problem is detecting the moment when packages, model loaders, CI workflows, agent tools, credentials, prompt state, and external APIs compose into an action path.

Public-safe control model: observe runtime behavior, correlate cross-component state, evaluate authority at the execution boundary, gate consequential side effects, and preserve an audit trace.

References

  1. CISA and NIST. Defending Against Software Supply Chain Attacks. 2021.
  2. NIST. SP 800-218, Secure Software Development Framework (SSDF) Version 1.1. 2022.
  3. MITRE. Supply Chain Attack Framework and Attack Patterns. 2014.
  4. NCSC. Guidelines for secure AI system development. 2023.
  5. OpenSSF. Supply-chain Levels for Software Artifacts specification and project material.
  6. OWASP. A03:2025 Software Supply Chain Failures. 2025.
  7. OWASP GenAI Security Project. Top 10 for Agentic Applications. 2025.
  8. Sood, A. K. and Zeadally, S. Malicious AI Models Undermine Software Supply-Chain Security. Communications of the ACM. 2025.
  9. Hugging Face. Pickle Scanning and model security guidance.