Blog
Supply Chain Security for On-Premises AI Models
How to verify model integrity, build AI-specific software bills of materials, and prevent tampered weights from reaching your on-premises inference infrastructure.
Why AI Model Supply Chains Are a Distinct Threat Surface
Traditional software supply chain security focuses on source code, build pipelines, and package registries. AI model supply chains introduce an entirely different category of risk. A model file is not human-readable code — it is a serialized computational graph with millions or billions of learned parameters. You cannot diff a model weight file the way you diff a pull request. A single bit-flip in a weight tensor can subtly alter model behavior without any visible change to its metadata or checksums computed before the modification.
This opacity creates opportunities for attacks that have no analogue in conventional software. An adversary who gains access to your model registry can replace a production model with a poisoned variant that behaves normally on standard benchmarks but produces subtly biased or incorrect outputs on specific input patterns. A compromised training pipeline can inject backdoors during fine-tuning that persist through quantization and deployment. Even well-intentioned model downloads from public repositories carry risk if the hosting infrastructure lacks integrity verification.
On-premises deployments face these risks acutely because they often involve downloading open-source foundation models from external sources and then fine-tuning them on proprietary data. Every step in this chain — download, verification, storage, fine-tuning, quantization, deployment — is a potential point of compromise that requires explicit security controls.
Building an AI-Specific Software Bill of Materials
A Software Bill of Materials (SBOM) for traditional applications lists dependencies, versions, and known vulnerabilities. An AI Bill of Materials (AI-BOM) must capture a fundamentally richer set of provenance information because the "ingredients" of a model extend far beyond code dependencies.
A comprehensive AI-BOM should include the base model identity — the exact version and source of the foundation model, including its original training data composition if disclosed. It should record every fine-tuning run with the dataset identifier, hyperparameters, training duration, and the identity of the engineer or pipeline that executed it. Quantization and optimization steps (GPTQ, AWQ, GGUF conversion) must be logged with the exact tool versions and parameters used, since different quantization approaches can alter model behavior in measurable ways.
The AI-BOM should also capture evaluation results at each stage — accuracy metrics, safety benchmarks, and behavioral tests that establish a baseline for the model's expected outputs. When a deployed model's behavior drifts from these baselines, the AI-BOM provides the provenance chain needed to identify which step introduced the change.
Tooling for AI-BOM generation is maturing. The CycloneDX specification now includes machine learning model support, and the ML Supply Chain Levels for Software Artifacts (ML-SLSA) framework extends Google's SLSA framework to cover model-specific build integrity. Integrating these into your CI/CD pipeline is the most practical first step toward model supply chain security.
Cryptographic Signing and Verification of Model Artifacts
Every model artifact that enters your on-premises infrastructure should be cryptographically signed at its point of origin and verified before it is loaded for inference. This is the single most effective control against model tampering.
The signing workflow mirrors established code-signing practices. When a training or fine-tuning pipeline produces a model, it computes a cryptographic hash (SHA-256 at minimum) of the complete model artifact — including weights, configuration, tokenizer files, and metadata. This hash is then signed using a private key held in your on-premises key management system (HashiCorp Vault, AWS CloudHSM in on-prem mode, or a hardware security module). The signature and the signing certificate are stored alongside the model in your registry.
Sigstore's cosign tooling, originally built for container image signing, has been adapted for model artifact signing and provides a practical implementation path. It supports keyless signing using workload identity, which eliminates the operational burden of managing long-lived signing keys for automated pipelines.
Verification must happen at two critical points: when a model is pulled from your registry into a serving environment, and when the serving framework loads it into memory. The first check prevents a compromised registry from serving tampered artifacts. The second check prevents on-disk tampering between pull and load. Configure your inference framework to reject any model whose signature verification fails, with no manual override available in production environments.
Securing the Model Download and Ingestion Pipeline
Most on-premises AI deployments begin with downloading a foundation model from an external source — Hugging Face Hub, a vendor's model repository, or a partner organization. This initial download is the point of highest supply chain risk because you are importing an executable artifact from outside your trust boundary.
Establish a quarantine zone — a network-isolated environment where downloaded models are held before they enter your production infrastructure. In this zone, run automated verification steps: check the model's published checksums against the downloaded artifact, scan for known malicious patterns in serialized model formats (the picklescan tool detects code execution payloads in Python pickle-serialized models), and run your standard evaluation suite to establish behavioral baselines.
Never allow direct downloads from external sources into production environments. Instead, implement a model proxy that mirrors approved models into your internal registry after they pass quarantine checks. This is analogous to how organizations use Artifactory or Nexus to proxy package registries — your model proxy serves the same function for AI artifacts.
For models received from partners or vendors, require that they provide signed artifacts and publish their AI-BOMs. Include model provenance requirements in your vendor contracts the same way you include data processing agreements. If a vendor cannot provide cryptographic proof of their model's integrity, that is a procurement-level red flag, not a technical inconvenience.
Runtime Integrity Monitoring
Supply chain security does not end at deployment. Models running in production must be continuously monitored for behavioral anomalies that could indicate post-deployment tampering or a supply chain compromise that evaded pre-deployment checks.
Implement behavioral fingerprinting by running a fixed set of canonical inputs through each model at regular intervals and comparing the outputs against known-good baselines from your AI-BOM. Any statistically significant deviation in outputs — even if the model file's checksum has not changed — warrants investigation. This catches attacks that operate at the inference framework level rather than the model file level.
Monitor the file integrity of model artifacts on disk using tools like AIDE or OSSEC, configured to alert on any modification to model weight files, configuration files, or tokenizer vocabularies. In containerized deployments, use read-only file systems for model storage and verify container image digests before each deployment.
Establish incident response procedures specific to model supply chain compromise. These differ from traditional incident response because the remediation is not simply "patch and redeploy." A compromised model may have produced incorrect outputs for an unknown period before detection, which means you need to identify all decisions or actions taken based on that model's outputs and assess their impact. Your AI-BOM and inference logging provide the data needed for this assessment.
Organizational Practices That Strengthen Model Supply Chains
Technical controls are necessary but insufficient. The organizational practices around model procurement, storage, and deployment determine whether your technical controls are consistently applied or routinely bypassed.
Maintain an approved model registry — a curated list of models that have passed your security review process, with clear ownership assignments for each model family. When a team wants to use a new model, they submit it through a review process that evaluates the model's provenance, the trustworthiness of its source, and the completeness of its documentation. This prevents the proliferation of unvetted models across your infrastructure.
Train your ML engineers on supply chain risks specific to AI. Most engineers are aware of software dependency risks but do not think about model files as attack vectors. Practical training exercises — such as demonstrating a backdoor injection in a fine-tuned model — build the security intuition needed for day-to-day decisions about model sourcing and handling.
Finally, integrate model supply chain security into your existing risk management framework. Models that make high-stakes decisions (credit scoring, medical triage, safety systems) require stricter provenance controls than models used for low-risk internal tooling. A tiered approach ensures that security controls are proportional to the potential impact of a compromise, keeping the system practical and sustainable for your teams.