How do I verify model provenance and sign model artifacts to defend against OWASP LLM03 supply chain attacks?

To defend against OWASP LLM03 supply chain attacks, verify model provenance and sign model artifacts by maintaining detailed records of model and dataset origins, and implementing signed artifacts and reproducible builds.

Concrete controls include:

• Maintain an inventory of AI/agent systems: Keep a current inventory of all AI/agent systems, including models, agents, tools, and data flows, as you cannot govern what is not inventoried. This aligns with NIST-MAP-1.5.
• Track provenance, licensing, and model-update risk: Policies should address risks from third-party models, datasets, and tools, including tracking their provenance, licensing, and model-update risks. This directly addresses NIST-GOVERN-6.1 and cross-maps to OWASP LLM03.
• Implement signed artifacts and reproducible builds: Utilize signed artifacts, reproducible builds, and deployment gate reviews to ensure the integrity of the pipeline.
• Use an SBOM for the AI stack: Maintain a Software Bill of Materials (SBOM) for the entire AI stack to identify and manage components of unknown provenance.
• Vet plugins and Managed Cloud Provider (MCP) tools: Thoroughly vet all plugins and MCP tools used within the AI system.
• Pin versions: Use pinned versions for all components to prevent unexpected changes and ensure consistency.
• Vet data sources and perform integrity checks: For training, fine-tuning, or RAG-corpus data, vet data sources and perform integrity checks to prevent data poisoning. This also includes anomaly detection on training data and provenance tracking.