CR Mar 30

Attesting LLM Pipelines: Enforcing Verifiable Training and Release Claims

arXiv:2603.2898837.4h-index: 3
AI Analysis

For organizations building LLM pipelines, this work addresses supply-chain risks by enabling verifiable enforcement of artifact provenance and security claims.

The paper identifies a gap in cryptographically binding training and release claims to LLM artifacts, proposing an attestation-aware promotion gate that verifies claim evidence and enforces policies before artifact admission. It provides a claims-to-controls mapping and evaluation blueprint for supply-chain scenarios.

Modern Large Language Model (LLM) systems are assembled from third-party artifacts such as pre-trained weights, fine-tuning adapters, datasets, dependency packages, and container images, fetched through automated pipelines. The speed of this automation comes with supply-chain risks, including compromised dependencies, malicious hub artifacts, unsafe deserialization, forged provenance, and backdoored models. A core gap is that training and release claims (e.g., data and code lineage, build environment, and security scanning results) are rarely cryptographically bound to the artifacts they describe, making enforcement inconsistent across teams and stages. We propose an attestation-aware promotion gate: before an artifact is admitted into trusted environments (training, fine-tuning, deployment), the gate verifies claim evidence, enforces safe loading and static scanning policies, and applies secure-by-default deployment constraints. When organizations operate runtime security tooling, the same gate can optionally ingest standardized dynamic signals via plugins to reduce uncertainty for high-risk artifacts. We outline a practical claims-to-controls mapping and an evaluation blueprint using representative supply-chain scenarios and operational metrics (coverage and decisions), charting a path toward a full research paper.
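An added example of the promotion-gate logic the abstract describes (not code from the paper): each claim is signed and names the artifact digest it describes, so a claim that is unsigned, signed by an unknown issuer, tampered with, or bound to a different artifact is ignored, and the policy then requires a provenance claim with a safe serialization format plus a scan claim below a severity threshold. HMAC with constructed issuer keys stands in for the signature scheme, and the claim and policy fields are assumptions.

```python
import hashlib
import hmac
import json

# Constructed issuer keys; HMAC stands in for real signatures (assumption).
ISSUER_KEYS = {"ci-builder": b"ci-key", "scanner": b"scan-key"}
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
POLICY = {"required_claims": {"provenance", "scan"},
          "allowed_formats": {"safetensors"}, "max_severity": "medium"}

def artifact_digest(artifact: bytes) -> str:
    return "sha256:" + hashlib.sha256(artifact).hexdigest()

def sign_claim(issuer: str, body: dict) -> dict:
    # The issuer signs canonical JSON; body["subject"] binds the claim to one digest.
    payload = json.dumps(body, sort_keys=True).encode()
    return {"issuer": issuer, "body": body,
            "sig": hmac.new(ISSUER_KEYS[issuer], payload, "sha256").hexdigest()}

def claim_valid(claim: dict, digest: str) -> bool:
    key = ISSUER_KEYS.get(claim["issuer"])  # unknown issuer -> untrusted
    if key is None:
        return False
    payload = json.dumps(claim["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, claim["sig"]):
        return False
    return claim["body"].get("subject") == digest  # must name this artifact

def promotion_gate(artifact: bytes, claims: list, policy: dict = POLICY) -> tuple:
    """Return ("admit", []) or ("deny", [reasons]) for one artifact."""
    digest = artifact_digest(artifact)
    valid = {c["body"]["type"]: c["body"] for c in claims if claim_valid(c, digest)}
    reasons = [f"missing or unverifiable claim: {t}"
               for t in sorted(policy["required_claims"] - set(valid))]
    prov, scan = valid.get("provenance"), valid.get("scan")
    if prov and prov.get("format") not in policy["allowed_formats"]:
        reasons.append(f"unsafe serialization format: {prov.get('format')}")
    if scan and SEVERITY[scan.get("worst", "critical")] > SEVERITY[policy["max_severity"]]:
        reasons.append(f"scan severity {scan['worst']} exceeds policy")
    return ("deny", reasons) if reasons else ("admit", [])

def make_claims(artifact: bytes, fmt: str = "safetensors", worst: str = "low") -> list:
    # Constructed claims as a CI builder and a scanner would emit them.
    d = artifact_digest(artifact)
    return [sign_claim("ci-builder", {"type": "provenance", "subject": d, "format": fmt}),
            sign_claim("scanner", {"type": "scan", "subject": d, "worst": worst})]
```

Swapping the artifact bytes, editing a claim body after signing, or shipping a pickle-format provenance claim each yields a deny with the specific reason, which is the decision record the abstract's operational metrics would count.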
