Then you've already lost.
The BMC ideally needs to be on a physically isolated network, or at least on a separate one that has no route from the outside and none from the machine itself.
How do you track the chain of custody of your servers? Do you sample them at random to ensure they aren't compromised?
Bloomberg never backed away from their story about Chinese implants in Supermicro servers. Perhaps this is why?
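A host-side check for the network point raised above, added here as an example rather than anything from the comment or from Supermicro: it parses text in the shape of `ipmitool lan print` and `ip -4 route show` output (the samples below are constructed, not captured from real hardware) and reports whether the host's own routing table gives it a path to its BMC. The function names (`classify_bmc_reachability` and the others) are this example's own.

```python
import ipaddress

# Constructed sample in the shape of `ipmitool lan print 1` (abridged, not real hardware).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.200.5.17
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:ab:cd:ef
Default Gateway IP      : 10.200.5.1
"""

# Constructed host routing tables in the shape of `ip -4 route show`.
# Bad: the host has an interface on the BMC's own subnet.
HOST_ROUTES_SHARED_L2 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.200.5.0/24 dev eth1 proto kernel scope link src 10.200.5.40
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
# Weaker: only the default route covers the BMC; reachability depends on the upstream router.
HOST_ROUTES_DEFAULT_ONLY = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
# Good: no route at all covers the BMC address.
HOST_ROUTES_NONE = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def parse_bmc_network(lan_print: str) -> ipaddress.IPv4Interface:
    """Pull 'IP Address' and 'Subnet Mask' out of ipmitool-style 'Key : Value' lines."""
    fields = {}
    for line in lan_print.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # split on the first colon only (MAC line has more)
            fields[key.strip()] = value.strip()
    return ipaddress.IPv4Interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")


def parse_routes(ip_route_output: str):
    """Return [(IPv4Network, device)] from `ip -4 route show` style lines."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        net = (ipaddress.IPv4Network("0.0.0.0/0") if dst == "default"
               else ipaddress.IPv4Network(dst, strict=False))
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def classify_bmc_reachability(lan_print: str, ip_route_output: str):
    """Longest-prefix match of the BMC address against the host routes.

    Returns (kind, route, device) where kind is:
      'specific'     - a non-default route covers the BMC (host shares or routes to its net): fail
      'default-only' - only the default route covers it: verify upstream does not forward there
      'none'         - no route covers it: the host has no IP path to its BMC
    """
    bmc = parse_bmc_network(lan_print)
    best = None
    for net, dev in parse_routes(ip_route_output):
        if bmc.ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        return ("none", None, None)
    net, dev = best
    kind = "default-only" if net.prefixlen == 0 else "specific"
    return (kind, str(net), dev)


if __name__ == "__main__":
    for label, routes in (("shared L2", HOST_ROUTES_SHARED_L2),
                          ("default only", HOST_ROUTES_DEFAULT_ONLY),
                          ("no route", HOST_ROUTES_NONE)):
        print(label, "->", classify_bmc_reachability(SAMPLE_LAN_PRINT, routes))
```

On a real machine you would feed it the live output of `ipmitool lan print 1` and `ip -4 route show`. Note that this only covers the IP path; the in-band system interface the OS uses to talk to the BMC (the same one `ipmitool` itself uses locally) is a separate channel and is not checked here.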