AICM AtlasCSA AI Controls Matrix
MDS · Model Security
MDS-09Cloud & AI Related

Model Signing/Ownership Verification

Specification

Sign models cryptographically and verify signatures to ensure model provenance and ownership, any time the model changes hands or is loaded from storage.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Team and expertise

Development

Training

Evaluation

Validation/Red Teaming

Deployment

AI Services supply chain, Orchestration, AI applications

Delivery

Operations, Maintenance

Retirement

Model disposal

Ownership / SSRM

PI

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)

The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Implementation guidelines

[Shared Responsibilities (MP, OSP, AP, CSP)]
1.  Model signatures should be verified whenever the model is changing hands or being moved between locations.

2. Signing keys or identities should be clearly associated with the code producers, ensuring an unambiguous link to the corresponding code as the owning entity. Public registries should be used wherever possible to support this association.

3. Only verified models and model files from trusted sources should be loaded or used in applications.

4. Enforce automated signature verification at model loading time to prevent unauthorized or tampered models from being used.

5. Maintain a model signing and verification audit log, documenting all signature validations, transfers, and ownership changes for traceability.

Auditing guidelines

1. Review the mechanisms the CSP provides to support customer's model signing and ownership verification. If the CSP offers key management services, assess the security controls for managing cryptographic keys. 

2. Evaluate how the CSP verifies the validity of digital signatures on models being hosted. 

3. Confirm that the CSP's documentation details how customers can verify the provenance and ownership of their models.

Standards mappings

ISO 42001Partial Gap
No Mapping for ISO 42001
ISO 27002: 8.26 Application security requirements
Addendum

ISO 42001 does not cover MDS-09 topic of signing models cryptographically and verify signatures.

EU AI ActNo Gap
Article 15 (1)
Article 15 (5)
Addendum

N/A

NIST AI 600-1No Gap
MS-2.7-005
Addendum

N/A

BSI AIC4Partial Gap
C4 DM-03
C4 DM-04
Addendum

No C4 control speaks to MDS-09 topic of encryption for when models changes hands, only speaks to 'in storage', and loosely of ownership.

AI-CAIQ questions (1)

MDS-09.1

Are models signed cryptographically and are signatures verified to ensure model provenance and ownership any time the model changes hands or is loaded from storage?