Organisations should combine provenance checks, artifact signing, graph inspection, and adversarial testing before models reach production. If a model is sourced externally or converted between formats, every transition should be treated as a new trust boundary. The aim is to prove what the model is, not just whether it performs acceptably on clean data.
Why This Matters for Security Teams
Model supply chain attacks are not just a data science quality problem. They are a trust problem that starts before inference ever happens. A compromised checkpoint, poisoned dependency, tampered conversion step, or malicious adapter can alter model behaviour while leaving ordinary validation tests looking normal. That is why provenance, signing, and inspection matter as much as accuracy metrics.
For security teams, the practical risk is that models often cross several trust boundaries before production: vendor source, internal repackaging, fine-tuning, export to a different format, and deployment into a runtime that has secrets or tool access. Current guidance suggests treating each transition as a fresh verification point, not as a continuation of prior trust. This aligns with the broader lessons in Ultimate Guide to NHIs — Key Challenges and Risks and the external threat patterns documented in OWASP Non-Human Identity Top 10.
In practice, many security teams only discover model tampering after a deployed system begins leaking data, calling unsafe tools, or behaving inconsistently under pressure, rather than at a deliberate approval gate.
How It Works in Practice
Reducing risk starts with building a chain of evidence for the model artifact itself. That means recording where the model came from, what training or fine-tuning inputs were used, which transformation tools touched it, and whether each artifact version was signed before promotion. Provenance should be checked at every hop, especially when a model is downloaded, converted, quantized, merged with adapters, or repackaged for a serving stack.
Security review also has to go beyond static file hashes. Graph inspection helps detect hidden or unexpected dependencies between the model, its wrappers, plugins, tokenizers, and downstream orchestration code. If an attacker can smuggle logic into a conversion pipeline or dependency chain, a clean signature on the final file may not be enough. For operational teams, the best practice is evolving toward runtime verification plus offline inspection rather than either one alone.
Useful controls include:
- Require signed artifacts and verify signatures before every promotion.
- Track model lineage across format changes, fine-tunes, and adapter merges.
- Scan dependencies, loaders, and conversion tools as part of the model package.
- Run adversarial tests to look for hidden behaviours, prompt injection sensitivity, and unsafe tool use.
- Quarantine externally sourced models until inspection and benchmark testing complete.
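The chain-of-evidence and graph-inspection controls above, as an added Python example that is not part of this guidance or of any vendor's tooling: each transformation hop (convert, quantize) is written as a signed record that pins the input digest, the tool, and the output digest, so a swapped file or an edited record fails verification; a second function walks a package dependency graph (loader, tokenizer, conversion tool, hooks) and returns every reachable component the review never approved. HMAC-SHA256 with a demo key stands in for a real artifact-signing system such as Sigstore, and the artifact bytes, tool names, and dependency graph are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import deque

# Hypothetical key for the demo; real pipelines use a KMS- or Sigstore-backed signer.
SIGNING_KEY = b"demo-signing-key"


def digest(data: bytes) -> str:
    """SHA-256 of an artifact's bytes: the identity every hop is pinned to."""
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    """Deterministic encoding so the signature covers exactly the recorded fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_hop(key: bytes, tool: str, parent_digest: str, output: bytes) -> dict:
    """Record one transformation: which tool consumed which input and produced which output.
    HMAC-SHA256 over the canonical record stands in for a real signature."""
    unsigned = {"tool": tool, "parent": parent_digest, "output": digest(output)}
    sig = hmac.new(key, _canonical(unsigned), "sha256").hexdigest()
    return {**unsigned, "sig": sig}


def verify_chain(key: bytes, root_digest: str, chain: list, final_artifact: bytes) -> list:
    """Check every hop from the vendor-published digest to the artifact being promoted.
    Returns a list of problems; an empty list means the chain is intact."""
    problems = []
    expected_parent = root_digest
    for i, hop in enumerate(chain):
        unsigned = {k: v for k, v in hop.items() if k != "sig"}
        good_sig = hmac.new(key, _canonical(unsigned), "sha256").hexdigest()
        if not hmac.compare_digest(good_sig, hop.get("sig", "")):
            problems.append(f"hop {i} ({hop.get('tool')}): bad signature")
        if hop.get("parent") != expected_parent:
            problems.append(f"hop {i} ({hop.get('tool')}): parent digest does not match previous output")
        expected_parent = hop.get("output")
    if digest(final_artifact) != expected_parent:
        problems.append("final artifact digest does not match last recorded output")
    return problems


def unexpected_dependencies(graph: dict, roots: list, approved: set) -> set:
    """Walk the package's dependency graph and return every reachable component
    that is not on the approved list (hidden hooks, unreviewed tools, and so on)."""
    seen, queue = set(), deque(roots)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen - approved


def demo() -> dict:
    # Constructed artifact bytes; real ones would be checkpoint or safetensors files.
    vendor_weights = b"vendor-checkpoint-v1"
    converted = b"converted-to-serving-format"
    quantized = b"quantized-int8"

    root = digest(vendor_weights)  # published by the vendor, obtained out of band
    chain = [
        sign_hop(SIGNING_KEY, "convert-tool", root, converted),
        sign_hop(SIGNING_KEY, "quantize-tool", digest(converted), quantized),
    ]
    clean = verify_chain(SIGNING_KEY, root, chain, quantized)

    # Tamper case 1: the quantized file is swapped after the chain was signed.
    swapped = verify_chain(SIGNING_KEY, root, chain, b"quantized-int8-with-backdoor")

    # Tamper case 2: the converter's record is edited to claim a different output.
    edited = [dict(chain[0]), dict(chain[1])]
    edited[0]["output"] = digest(b"something-else")
    forged = verify_chain(SIGNING_KEY, root, edited, quantized)

    # Constructed package graph: the conversion tool pulls in a hook nobody approved.
    graph = {
        "serving-loader": ["model.safetensors", "tokenizer", "convert-tool"],
        "convert-tool": ["post-install-hook"],
        "tokenizer": ["tokenizers-lib"],
    }
    approved = {"serving-loader", "model.safetensors", "tokenizer", "tokenizers-lib", "convert-tool"}
    return {
        "clean": clean,
        "swapped": swapped,
        "forged": forged,
        "unapproved": unexpected_dependencies(graph, ["serving-loader"], approved),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result if result else "ok")
```

Because the evidence lives in signed records kept outside the artifact rather than in file metadata, a conversion that strips metadata does not erase it; the verifier needs only the vendor's published digest and the record for each hop. Running the file prints `ok` for the clean chain, one problem for the swapped file, two for the edited record (a bad signature on the edited hop and a broken parent link on the next), and `{'post-install-hook'}` for the graph walk.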
NHIMG research on the DeepSeek breach shows how quickly exposure can cascade when trust assumptions are broken, and the same pattern appears in broader software compromise cases such as the Reviewdog GitHub Action supply chain attack. For threat context, the MITRE ATLAS adversarial AI threat matrix is useful when mapping attack paths that involve model tampering, poisoning, or downstream abuse. These controls tend to break down when teams treat third-party models as static binaries and skip inspection of conversion tools, adapters, and post-training wrappers; those layers often carry the real risk.
Common Variations and Edge Cases
Tighter model approval gates often increase delivery time and operational overhead, so organisations have to balance security assurance against release velocity. That tradeoff becomes sharper when models are updated frequently or when multiple teams reuse the same base model across different business units.
There is no universal standard for this yet, especially for open-weight models and internal fine-tunes. Current guidance suggests using stronger controls for models that can access secrets, make decisions, or call external tools, and lighter review for low-risk offline workloads. The highest-risk edge case is a model that looks harmless in isolation but becomes dangerous once connected to retrieval systems, agents, or privileged APIs.
Two practical failure modes deserve attention. First, a model that passes accuracy tests can still be compromised if the malicious payload only triggers on rare prompts or in a specific context. Second, converting between frameworks can strip metadata, so a clean artifact may no longer carry the evidence needed to prove its origin. That is why security teams increasingly pair model attestations with runtime policy checks and workload-level trust, not just pre-deployment review. The emerging view in 52 NHI Breaches Analysis is that identity and supply chain failures often converge at the point where an AI system is allowed to act. In environments with rapid experimentation, unmanaged open-source imports, or frequent model conversion, these controls lose effectiveness unless they are automated end to end.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | L3 | Covers supply chain and tool abuse risks in AI systems. |
| CSA MAESTRO | S3 | Addresses AI supply chain assurance and artifact integrity. |
| NIST AI RMF | Core functions (Govern, Map, Measure, Manage) | Supports governance for trustworthy AI lifecycle risk management. |
Verify model provenance, signing, and dependencies before any model reaches production.
Related resources from NHI Mgmt Group
- How can organisations reduce the risk of webhook-driven SaaS supply chain attacks?
- How should teams reduce risk from malicious npm package installs?
- How should security teams reduce the risk of secret theft from npm supply chain attacks?
- How should teams reduce identity risk in cloud supply chain attacks?
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org