Attesting LLM Pipelines: Enforcing Verifiable Training and Release Claims
Zhuoran Tan, Jeremy Singer, Christos Anagnostopoulos

TL;DR
This paper introduces a verification system for LLM supply chains that cryptographically binds training and release claims to artifacts, enhancing security and trustworthiness.
Contribution
It proposes an attestation-aware promotion gate that enforces claim verification and security policies before artifacts are trusted in LLM pipelines.
Findings
The gate verifies cryptographic claims before artifact deployment.
It enforces safe loading and static scanning policies.
The approach improves supply-chain security for LLM systems.
Abstract
Modern Large Language Model (LLM) systems are assembled from third-party artifacts such as pre-trained weights, fine-tuning adapters, datasets, dependency packages, and container images, fetched through automated pipelines. This speed comes with supply-chain risks, including compromised dependencies, malicious hub artifacts, unsafe deserialization, forged provenance, and backdoored models. A core gap is that training and release claims (e.g., data and code lineage, build environment, and security scanning results) are rarely cryptographically bound to the artifacts they describe, making enforcement inconsistent across teams and stages. We propose an attestation-aware promotion gate: before an artifact is admitted into trusted environments (training, fine-tuning, deployment), the gate verifies claim evidence, enforces safe loading and static scanning policies, and applies…
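As an added illustration, not code from the paper, the following minimal promotion gate checks a constructed artifact the way the abstract describes: the claim is bound to the artifact bytes by a SHA-256 digest and to its issuer by a MAC (HMAC stands in for whatever signature scheme the paper uses, which the abstract does not name), and the gate then enforces a safe-loading policy and a static-scan policy before admission. All claim fields, keys and names below are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample: stand-in bytes for a model weights file, plus the
# training/release claim that should describe exactly these bytes.
ARTIFACT = b"constructed-safetensors-bytes"
CLAIM = {
    "artifact_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    "format": "safetensors",  # no pickle-based formats allowed at load time
    "scan": {"tool": "hypothetical-scanner", "result": "pass"},
    "lineage": {"base_model": "example-base-v1", "code_commit": "PLACEHOLDER_COMMIT"},
}
# Hypothetical issuer key shared with the gate (HMAC in place of a real
# signature scheme, which the page does not specify).
ISSUER_KEY = b"constructed-issuer-key"
ALLOWED_FORMATS = {"safetensors"}


def canonical(claim: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def sign_claim(claim: dict, key: bytes = ISSUER_KEY) -> str:
    return hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()


def promotion_gate(artifact: bytes, claim: dict, signature: str,
                   key: bytes = ISSUER_KEY) -> tuple[bool, str]:
    """Return (admitted, reason). Every check must pass before admission."""
    # 1. Claim evidence: the MAC binds the claim to its issuer ...
    if not hmac.compare_digest(sign_claim(claim, key), signature):
        return False, "claim signature invalid"
    # ... and the digest binds the claim to the bytes actually being promoted.
    if claim.get("artifact_sha256") != hashlib.sha256(artifact).hexdigest():
        return False, "artifact digest does not match claim"
    # 2. Safe-loading policy: reject formats that can execute code on load.
    if claim.get("format") not in ALLOWED_FORMATS:
        return False, f"unsafe format {claim.get('format')!r}"
    # 3. Static-scanning policy: scan evidence must be present and passing.
    if claim.get("scan", {}).get("result") != "pass":
        return False, "static scan missing or failed"
    return True, "admitted"
```

Because the signature covers the whole claim, weakening any field (for example rewriting the format or the scan result) invalidates the claim unless the attacker also holds the issuer key, and swapping the artifact bytes fails the digest check even with a valid claim.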
