Many actors are involved in the supply chain processes needed to produce an integrated circuit. Any one of these individuals or groups could make illicit copies of semiconductor IP during their work. In addition, chips could be intentionally compromised during the design process, before they are even manufactured. If placed into the design with sufficient skill, these built-in vulnerabilities would be extremely difficult to detect during testing. Moreover, they could lay dormant, only to be triggered months or years later to disrupt or exfiltrate data from a system containing the compromised chip. This paper primarily reviews the risks posed by design tampering, looks at threat actors and their possible activities, threat models for these activities, and possible mitigations. It assesses the impacts of security composability theory on risk management and practical design, and tries to identify the greatest threat. Our proposal is to contrast Trojan insertion risks at the two ends of the spectrum in early design phase: first at the highest abstraction level, the RTL description, and second at the layout level, in GDSII. A key question for the future is how to develop security architectures that are Trojan tolerant, meaning that other layers of protective controls exist to protect the overall system from malfunctioning at a level commensurate with the risk tolerance of the system. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.