A model whose parameters can be downloaded and run locally by the operator. In practice, that means safety behaviour can be altered outside the provider’s environment, so governance has to focus on the runtime, the operator, and the abuse path, not only the model brand.
Expanded Definition
An open-weight model is a model whose learned parameters are distributed so an operator can download and run it locally, often with flexibility to fine-tune, wrap, or integrate it into internal workflows. In NHI governance, that matters because control shifts from the provider to the operator once the weights are in hand. The model may still carry usage restrictions, but the security boundary is no longer just the vendor API; it becomes the runtime, the hosting environment, the toolchain, and the downstream abuse path. Definitions vary across vendors and communities, so “open-weight” should not be confused with fully open source or with a provider’s managed inference service. For governance context, the NIST Cybersecurity Framework 2.0 is useful because it emphasizes asset management, access control, and resilience across environments the operator owns.
The most common misapplication is treating downloadable weights as if provider-side safety controls still apply, which occurs when teams inherit the model without redoing runtime, access, and abuse-path review.
Examples and Use Cases
Implementing open-weight models rigorously often introduces operational and governance overhead, requiring organisations to weigh deployment flexibility against the cost of securing a self-managed model stack.
- A security team runs an open-weight model on an internal cluster so prompts, outputs, and embedded data never leave the environment, but it must harden inference hosts and audit all tool calls.
- A product team fine-tunes an open-weight model for a domain workflow, then discovers that model distribution inside the company creates a new control plane for access, versioning, and rollback.
- A red team evaluates whether an employee can modify safety behavior locally and republish the model, using the Ultimate Guide to NHIs as a reminder that unmanaged runtime access often leads to broader identity and secrets exposure.
- An operator connects an open-weight model to internal APIs and secrets-backed tools, then applies the same least-privilege review used for service accounts because the model now has execution influence.
- A compliance team allows limited local hosting for data residency reasons while restricting network egress, model export, and unsanctioned fine-tuning to reduce misuse.
Why It Matters in NHI Security
Open-weight models become an NHI issue when they are embedded in systems that can act, call tools, or influence workflow outcomes. The risk is not only model misuse; it is identity sprawl around the model lifecycle, including who can download it, who can modify it, what credentials it can reach, and how outputs are operationalised. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why open-weight deployments should be governed like high-impact software identities rather than treated as mere files. The same pattern appears with secrets exposure and misconfigured vaults, where model hosting often shares infrastructure with tokens, certificates, and CI/CD access. Those control failures are directly relevant to Ultimate Guide to NHIs, especially when runtime permissions are broader than the model’s actual task. If the model can be copied, altered, or embedded in another system, then its trustworthiness depends on the operator’s controls, not the logo on the original release. Organisatons typically encounter the security impact only after a model is repackaged, misused, or connected to a sensitive toolchain, at which point open-weight governance becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | N/A | Open-weight models affect agent behavior, tool use, and runtime guardrails in agentic systems. |
| NIST CSF 2.0 | PR.AC-4 | Local model hosting requires least-privilege access to runtimes, weights, and attached tools. |
| NIST AI RMF | GOVERN | Open-weight deployment shifts AI governance obligations to the operator and integrator. |
| NIST Zero Trust (SP 800-207) | JIT access | Self-hosted model runtimes should be treated as protected resources under zero trust. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Open-weight deployments often expand secret, credential, and service account exposure. |
Inventory the model stack for secrets, API keys, and non-human identities that need strict control.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org