Quantum-era risks force rethink of AI model provenance and attestation
Artificial intelligence (AI) systems are becoming harder to trust as companies and public agencies rely on pre-trained models, third-party datasets, open-source software, automated training systems and external deployment pipelines, researcher Robert Campbell points out in a new study that frames AI security as a supply chain problem as much as a model-performance challenge.
The study, titled “AI Supply Chain Security: MBOM-PQC Provenance, PQC Attestation, and a Maturity Model for Quantum-Resistant Assurance,” was published in Systems. It argues that today’s AI governance frameworks recognize supply chain risk but do not provide a full structure for verifying model lineage, dataset integrity or long-term cryptographic trust as post-quantum cryptography reshapes digital security.
AI’s supply chain problem is bigger than model theft
Modern AI systems are assembled from foundation models, fine-tuning datasets, public code libraries, cloud training environments, build tools and deployment infrastructure. Each layer can become an attack point before the final AI system reaches users.
The author identifies training-time compromise as one of the most damaging risks. Poisoned datasets can steer model behavior at the earliest stage. Tampered model weights can travel downstream through reuse. Malicious libraries can alter training logic or expose sensitive data. Manipulated provenance records can make a compromised model appear legitimate. The danger is not limited to one part of the workflow. It extends from pre-training and fine-tuning to packaging, deployment and continuous learning, where models keep changing after release.
AI artifacts are harder to inspect than traditional software, the study notes. Source code can often be reviewed line by line, but model weights, training datasets and hyperparameter settings are more opaque. That makes cryptographic verification and detailed provenance records central to AI assurance. Without them, organizations may not know whether a model came from a trusted source, whether its training data was modified, or whether its deployment package was switched before use.
Existing frameworks, including the NIST AI Risk Management Framework and secure software development guidance, are described as useful but incomplete for this problem. They support governance, accountability and software supply chain discipline, but they do not create a standard AI-specific record for model lineage or define post-quantum-safe signing requirements for AI artifacts. That gap becomes more serious because many AI systems used in defense, healthcare, transportation and critical infrastructure may remain in operation for years.
The author introduces the idea of harvest-now, forge-later for AI signatures. The concept extends the better-known risk that encrypted information collected today may be decrypted later by quantum-capable attackers. In the AI context, the concern is that adversaries could collect classically signed model artifacts today and forge signatures later, undermining trust in the model, dataset or pipeline record after quantum capabilities mature.
MBOM-PQC aims to make model lineage verifiable
The key proposal is a Model Bill of Materials with post-quantum-safe extensions, called MBOM-PQC. It is designed as an AI-specific provenance structure that records what a model is, where it came from, what data and dependencies shaped it, how it was trained, how it was packaged and how its integrity was verified.
The schema has seven main components. It records model metadata, pre-training dataset lineage, pre-trained model dependencies, fine-tuning artifacts, training environment and pipeline details, deployment packaging, and cryptographic integrity fields. This structure is intended to move AI assurance beyond general claims of trust and toward machine-readable records that can be checked across the full model lifecycle.
Dataset lineage is treated as foundational because compromised data can shape all later model behavior. The framework calls for dataset identifiers, versions, sources, licensing information, integrity checks and signatures. For pre-trained model dependencies, it would record upstream model identifiers, source repositories, security issues and signed provenance where available. Fine-tuning records would cover domain-specific data, scripts, settings and configuration files, closing a major gap where organizations often modify models without a durable integrity trail.
The cryptographic component is crucial. The paper proposes using FIPS 204, also known as ML-DSA, for operational AI artifacts and FIPS 205, also known as SLH-DSA, for long-term non-national-security archival records. During the transition from classical cryptography, the framework supports hybrid signature bundles, pairing classical signatures with post-quantum signatures so legacy systems can still verify artifacts while organizations build quantum-resistant assurance.
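As an added illustration of the hybrid signature bundle described above (example code written for this page, not code from the paper or its author), the Go program below signs an artifact digest with two independent schemes and shows the two verification policies a transition period needs. Assumptions: Ed25519 stands in for the classical leg, and because the Go standard library has no ML-DSA, a Lamport one-time signature (a hash-based scheme built only from SHA-256) stands in for the post-quantum leg; the `HybridBundle`, `Keys`, `Sign`, `Verify` and `VerifyLegacy` names and the sample artifact bytes are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Lamport one-time signatures: a hash-based scheme standing in for ML-DSA (FIPS 204), which
// the Go standard library does not provide. One Lamport key must sign exactly one message;
// reusing it reveals preimages and lets anyone forge.
type lamportKey [256][2][32]byte

func lamportKeygen() (sk, pk *lamportKey) {
	sk, pk = new(lamportKey), new(lamportKey)
	for i := range sk {
		for b := range sk[i] {
			if _, err := rand.Read(sk[i][b][:]); err != nil {
				panic(err)
			}
			pk[i][b] = sha256.Sum256(sk[i][b][:])
		}
	}
	return sk, pk
}

// bit i of the digest selects which of the two preimages at position i is revealed.
func bit(d [32]byte, i int) int { return int(d[i/8]>>(7-uint(i%8))) & 1 }

func lamportSign(sk *lamportKey, d [32]byte) (sig [256][32]byte) {
	for i := range sig {
		sig[i] = sk[i][bit(d, i)]
	}
	return sig
}

func lamportVerify(pk *lamportKey, d [32]byte, sig [256][32]byte) bool {
	for i := range sig {
		if sha256.Sum256(sig[i][:]) != pk[i][bit(d, i)] {
			return false
		}
	}
	return true
}

// HybridBundle carries a classical and a post-quantum signature over the same artifact digest.
type HybridBundle struct {
	Digest      [32]byte      // SHA-256 of the artifact (weights, dataset or MBOM record)
	Classical   []byte        // Ed25519, checkable by legacy verifiers
	PostQuantum [256][32]byte // Lamport stand-in for ML-DSA
}

// Keys holds both key pairs; a verifier needs only edPub and lamPK.
type Keys struct {
	edPub        ed25519.PublicKey
	edPriv       ed25519.PrivateKey
	lamSK, lamPK *lamportKey
}

func NewKeys() *Keys {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sk, pk := lamportKeygen()
	return &Keys{pub, priv, sk, pk}
}

// Sign produces both legs over one digest, as the signing stage of the pipeline would.
func (k *Keys) Sign(artifact []byte) HybridBundle {
	d := sha256.Sum256(artifact)
	return HybridBundle{d, ed25519.Sign(k.edPriv, d[:]), lamportSign(k.lamSK, d)}
}

// VerifyLegacy is all a classical-only system can check during the transition.
func (k *Keys) VerifyLegacy(artifact []byte, b HybridBundle) bool {
	d := sha256.Sum256(artifact)
	return d == b.Digest && ed25519.Verify(k.edPub, d[:], b.Classical)
}

// Verify is the quantum-resistant policy: both legs must verify, so a later break of
// Ed25519 alone (the harvest-now, forge-later case) does not yield a valid bundle.
func (k *Keys) Verify(artifact []byte, b HybridBundle) bool {
	return k.VerifyLegacy(artifact, b) && lamportVerify(k.lamPK, b.Digest, b.PostQuantum)
}

func main() {
	k := NewKeys()
	weights := []byte("model weights v2 (constructed bytes)")
	b := k.Sign(weights)
	fmt.Println("genuine  hybrid:", k.Verify(weights, b), "legacy:", k.VerifyLegacy(weights, b))
	// A bundle with only the classical leg satisfies a legacy verifier but not the hybrid policy.
	partial := HybridBundle{Digest: b.Digest, Classical: b.Classical}
	fmt.Println("partial  hybrid:", k.Verify(weights, partial), "legacy:", k.VerifyLegacy(weights, partial))
}
```

The contrast between `VerifyLegacy` and `Verify` is the transition policy: a classical-only consumer can still check the bundle, while a quantum-resistant consumer refuses anything whose post-quantum leg is missing or wrong, so a future forgery of the Ed25519 leg alone buys an attacker nothing. A real deployment would put ML-DSA (or SLH-DSA for archival records) where the Lamport stand-in sits; Lamport keys are single-use and appear here only because they need nothing beyond SHA-256.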
The study also proposes a five-stage signing and attestation pipeline. AI artifacts first enter through ingestion, where models, datasets and dependencies are catalogued and checked. Verification then validates existing signatures and provenance. Signing applies the appropriate cryptographic mode based on the artifact’s lifetime and sensitivity. Attestation binds the signed artifact to the hardware and software environment that processed it. Deployment then checks the record before allowing the model into use.
For continuous-learning systems, where models update after deployment, the paper adds three operating modes. Full re-signing applies the complete process to major or security-sensitive updates. Delta-signing signs the change from a prior trusted checkpoint. Batched checkpointing signs cumulative states at scheduled intervals when updates happen too frequently for every change to be signed independently. The approach treats every meaningful model update as a new supply chain event, not a routine internal adjustment.
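To make the MBOM record, the deployment-stage check and the three continuous-learning modes concrete, here is an added Go example (not the paper's code or schema: the `Record` and `Component` field names, the `"full"`, `"delta"` and `"batched"` mode strings, and the sample artifacts are constructed for this illustration). It chains checkpoints by digest, computes the effective component set a deployment gate must verify, and blocks any update that is unsigned or does not derive from the trusted head. Signature verification is abstracted into a `signed` callback so the example stays hash-only; in a real pipeline that callback would check the hybrid bundle over each record's digest.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Component is one MBOM entry: weights, a dataset, an upstream model, a fine-tuning script
// or a package. Field names are assumptions for this example, not the paper's schema.
type Component struct{ Kind, Name, Version, Source, SHA256 string }

// Record is one MBOM checkpoint. Mode is "full", "delta" (lists only components changed
// since Parent) or "batched" (lists the cumulative state at a scheduled interval).
type Record struct {
	ModelName  string
	Mode       string
	Parent     string // digest of the trusted record this one derives from; "" for the first
	Components []Component
}

func sha256hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Digest canonicalises a record as JSON (struct field order is fixed) and hashes it.
// Marshal cannot fail for a struct made only of strings and slices.
func Digest(r Record) string { enc, _ := json.Marshal(r); return sha256hex(enc) }

// VerifyChain walks update records from a trusted full record and returns the effective
// component set a deployment gate must check. signed reports whether the signing stage
// approved a digest; it stands in for hybrid-bundle verification of each checkpoint.
func VerifyChain(root Record, updates []Record, signed func(string) bool) (map[string]Component, error) {
	if root.Mode != "full" || !signed(Digest(root)) {
		return nil, fmt.Errorf("root must be a signed full record")
	}
	state := map[string]Component{}
	for _, c := range root.Components {
		state[c.Name] = c
	}
	head := Digest(root)
	for i, u := range updates {
		d := Digest(u)
		switch {
		case u.Parent != head:
			return nil, fmt.Errorf("update %d does not chain to the trusted checkpoint", i)
		case !signed(d):
			return nil, fmt.Errorf("update %d (%s) is unsigned", i, u.Mode)
		case u.Mode == "full" || u.Mode == "batched":
			state = map[string]Component{} // a cumulative record replaces the whole state
		case u.Mode != "delta":
			return nil, fmt.Errorf("update %d has unknown mode %q", i, u.Mode)
		}
		for _, c := range u.Components { // delta: overlay changed entries; full/batched: rebuild
			state[c.Name] = c
		}
		head = d
	}
	return state, nil
}

// Admit is the deployment gate: every artifact in the verified state must hash to its entry.
func Admit(state map[string]Component, artifacts map[string][]byte) (bool, string) {
	for name, c := range state {
		if sha256hex(artifacts[name]) != c.SHA256 {
			return false, "artifact does not match MBOM: " + name
		}
	}
	return true, "admitted"
}

// ExampleChain builds a constructed lineage (full record, delta for new weights, batched
// cumulative checkpoint), the digests a simulated signing stage approved, and the artifacts.
func ExampleChain() (Record, []Record, map[string]bool, map[string][]byte) {
	arts := map[string][]byte{"weights": []byte("weights v1 (constructed)"), "finetune-set": []byte("domain data (constructed)")}
	root := Record{"example-classifier", "full", "", []Component{
		{"weights", "weights", "1.0", "internal://registry (placeholder)", sha256hex(arts["weights"])},
		{"dataset", "finetune-set", "2024.1", "internal://data (placeholder)", sha256hex(arts["finetune-set"])},
	}}
	arts["weights"] = []byte("weights v2 after online update (constructed)")
	delta := Record{"example-classifier", "delta", Digest(root), []Component{
		{"weights", "weights", "1.1", "internal://registry (placeholder)", sha256hex(arts["weights"])},
	}}
	batched := Record{"example-classifier", "batched", Digest(delta), []Component{delta.Components[0], root.Components[1]}}
	signed := map[string]bool{Digest(root): true, Digest(delta): true, Digest(batched): true}
	return root, []Record{delta, batched}, signed, arts
}

func main() {
	root, updates, signed, arts := ExampleChain()
	state, err := VerifyChain(root, updates, func(d string) bool { return signed[d] })
	ok, why := Admit(state, arts)
	fmt.Println(err, ok, why)
	// An update whose Parent is not the current head is rejected even if it carries a signature.
	rogue := Record{"example-classifier", "delta", "not-the-head", nil}
	signed[Digest(rogue)] = true
	_, err = VerifyChain(root, append(updates, rogue), func(d string) bool { return signed[d] })
	fmt.Println(err)
}
```

The delta record carries only the changed weights entry, so the effective state after it still includes the dataset entry inherited from the full record; the batched record lists the cumulative state and replaces it outright. Either way the gate verifies artifacts against the state the chain proves, not against whatever record arrived last.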
Maturity model gives organizations a roadmap
The study introduces the Supply Chain Assurance Maturity Model, or SCAMM, which gives organizations a way to assess how prepared they are to secure AI supply chains during the post-quantum transition.
The model has five levels:
- Level 1: ad hoc controls, with little or no formal provenance, signing or attestation.
- Level 2: basic documentation of datasets, model versions and dependencies.
- Level 3: consistent classical cryptographic verification and fuller provenance records.
- Level 4: post-quantum-safe mechanisms, hybrid signatures, certificate-chain readiness and stronger attestation.
- Level 5: continuously attested AI supply chains tied to Zero Trust enforcement, automated monitoring and ongoing verification.
The assessment is based on four dimensions: provenance completeness, cryptographic integrity, pipeline attestation and lifecycle governance. Strong documentation alone is not enough if signatures are weak, and strong signatures are not enough if deployment systems ignore them. The model uses a weakest-link principle, meaning an organization cannot claim a high maturity level if one core assurance dimension remains weak.
The author connects the framework to Zero Trust Architecture. In that setting, AI models are not trusted simply because they come from an internal network or an approved team. Their provenance, signatures, attestation records and dependency checks become inputs into deployment decisions. A model with missing provenance or failed attestation could be blocked even if the user or system requesting it is otherwise authorized.
The paper also discusses implementation barriers. Post-quantum signatures are larger than classical signatures, which can affect storage, bandwidth and verification workflows. Legacy systems may not support new signing tools or certificate formats. Upstream providers may not disclose enough information to populate full provenance records. Organizations may also lack teams that understand both AI pipelines and cryptographic migration.
The proposed next steps include proof-of-concept implementation, performance testing, expert evaluation, automated provenance extraction, post-quantum-safe model registries and stronger certificate profiles for AI artifacts.
First published in: Devdiscourse