A signed model is an AI model or weights package whose integrity and provenance are protected with cryptographic signatures. In autonomous systems, signing proves the runtime artefact has not been altered or replaced before the agent executes it.
Expanded Definition
A signed model is more than a file that happens to include a signature. In NHI and agentic AI environments, it is a model artefact whose integrity, provenance, and expected publisher can be verified before deployment or execution. That usually covers model weights, packaged checkpoints, metadata, and sometimes related manifests or attestations. The practical goal is to ensure the runtime artefact is the one that was approved, not a tampered replacement or an unvetted update. This aligns with broader software supply chain practices described in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially integrity, provenance, and controlled software acquisition.
Definitions vary across vendors on whether “signed model” means the model weights alone, the full artifact bundle, or a provenance statement plus signature. In NHI governance, the safest interpretation is the one that can be verified at enforcement time by the agent runtime, CI/CD pipeline, or model registry. The most common misapplication is treating a signature on a repository release page as sufficient, which occurs when the deployed weights or container image are not independently verified at load time.
Examples and Use Cases
Implementing signed models rigorously often introduces release friction, requiring organisations to balance faster deployment of agent capabilities against stronger controls on what code and weights are allowed to run.
- A model registry only promotes checkpoints into production after signature verification and hash matching, preventing silent replacement of a trained model.
- An autonomous agent loads a signed model at startup and refuses to execute if the signature cannot be validated against the expected publisher key.
- A CI/CD pipeline signs both the model package and its manifest, so downstream systems can confirm provenance even if the storage layer is compromised.
- Security teams compare the signed model approach with broader identity and secret controls described in the Ultimate Guide to NHIs, because model integrity failures often co-occur with weak service account governance.
- Teams using model federation or external distribution channels require signature checks at ingestion, aligning the verification step with NIST SP 800-53 Rev 5 Security and Privacy Controls rather than trusting transport alone.
Why It Matters in NHI Security
Signed models matter because an autonomous system can become a high-trust execution path the moment a model is loaded. If an attacker swaps a model, injects malicious weights, or alters a supposedly approved artifact, the agent may inherit manipulated behavior without any visible change to the application layer. That creates a supply-chain style control problem for NHI governance: the model itself becomes part of the attack surface, not just the API keys or service accounts that invoke it. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, and that same visibility gap often extends to model provenance and artifact handling.
Practitioners should connect signed-model controls to change management, registry trust, and runtime enforcement, not just to a build step. This is especially important when agents can call tools, act on behalf of users, or make decisions based on model outputs. Organisations typically encounter the operational cost of unsigned or unverified models only after a compromised artifact has already been promoted, at which point signed model validation becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-04 | Agentic systems need trusted model artifacts before execution. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Protects integrity of non-human execution assets and their supply chain. |
| NIST CSF 2.0 | PR.DS-6 | Integrity mechanisms are required to detect unauthorized data and artifact changes. |
| NIST Zero Trust (SP 800-207) | SC | Zero Trust requires continuous verification of resources before access. |
| NIST AI RMF | AI risk management includes provenance and integrity of model artifacts. |
Verify model signatures before agent startup and block unsigned artifacts from tool-using runtimes.