Submitted:
30 April 2026
Posted:
01 May 2026
You are already at the latest version
Abstract

Keywords:
1. Introduction
2. Background and Related Work
2.1. AI Supply Chain Risks
2.2. Cryptographic Foundations of AI Assurance
2.3. Post-Quantum Cryptography Transition Requirements
2.4. Gaps in Existing Frameworks
3. Materials and Methods
3.1. Research Design and Contribution Type
3.2. Analytical Propositions
3.3. Search Strategy
3.4. Eligibility Criteria
3.5. Screening and Selection
3.6. Data Extraction and Coding
3.7. Evidence Confidence Tiers
3.8. Requirements-to-Architecture Traceability
4. Synthesis of Threats and Derived Requirements
4.1. AI Supply Chain Attack Surface
4.1.1. Training-Time Threats
4.1.2. Ingestion-Time Threats
4.1.3. Deployment-Time Threats
4.2. Cryptographic Dependencies in AI Pipelines
4.2.1. Model Signing and Verification
4.2.2. Dataset Integrity and Lineage
4.2.3. Secure Training and Deployment Pipelines
4.2.4. Federated Learning and Distributed Training
4.3. Lifecycle Vulnerabilities Across AI Supply Chains
4.3.1. Pre-Training
4.3.2. Fine-Tuning
4.3.3. Packaging and Distribution
4.3.4. Deployment and Continuous Learning
4.4. Requirements Derived from Threats and Dependencies
4.4.1. Provenance Requirements
4.4.2. Integrity Requirements
4.4.3. Lifecycle Requirements
4.4.4. Supply Chain Transparency Requirements
5. MBOM-PQC: Proposed Provenance Schema
5.1. Design Principles
5.1.1. Completeness
5.1.2. Verifiability
5.1.3. Cryptographic Durability
5.1.4. Supply Chain Transparency
5.2. Schema Overview and Core Components
5.2.1. Component 1: Model Metadata
5.2.2. Component 2: Pre-Training Dataset Lineage
5.2.3. Component 3: Pre-Trained Model Dependencies
5.2.4. Component 4: Fine-Tuning Artifacts
5.2.5. Component 5: Training Environment and Pipeline
5.2.6. Component 6: Deployment Packaging
5.2.7. Component 7: Cryptographic Integrity Fields
5.3. PQC-Safe Extensions
5.3.1. Hybrid Signature Bundles
5.3.2. PQC-Safe Certificate Chains
5.3.3. Long-Term Integrity Anchors
5.4. Requirements-to-Schema Traceability
6. PQC-Safe Signing and Attestation: Proposed Pipeline
6.1. Pipeline Overview
6.1.1. Stage 1—Ingestion
6.1.2. Stage 2—Verification
6.1.3. Stage 3—Signing
6.1.4. Stage 4—Attestation
6.1.5. Stage 5—Deployment
6.2. PQC-Safe Signing Flow
6.2.1. Hybrid Mode Signing
6.2.2. FIPS 204 (ML-DSA) Signing for Standard Artifacts
6.2.3. FIPS 205 (SLH-DSA) for Long-Term Artifacts
6.2.4. PQC-Safe Key Management
6.2.5. Worked Example: 110M-Parameter Transformer Checkpoint
6.3. Attestation Architecture
6.3.1. Hardware Root of Trust
6.3.2. PQC-Safe Certificate Chains
6.3.3. Remote Attestation
6.4. Integration with Zero Trust Architecture and AI RMF
6.4.1. Zero Trust Architecture Integration
6.4.2. AI RMF Integration
6.5. Continuous-Learning Pipeline Modes
7. SCAMM: Proposed Maturity Model
7.1. SCAMM Overview
7.2. Maturity Level Definitions
7.3. SCAMM Indicators and Metrics
7.3.1. Provenance Completeness
7.3.2. Cryptographic Integrity
7.3.3. Pipeline Attestation
7.3.4. Lifecycle Governance
7.3.5. Scoring Methodology
7.4. Requirements-to-Maturity Mapping
8. Discussion
8.1. Implications for AI Governance and Risk Management
8.2. Integration with Zero Trust Architecture and Enterprise Security
8.3. Implementation Challenges
8.3.1. Performance and Storage Overhead
8.3.2. Legacy System Compatibility
8.3.3. Provenance Completeness
8.3.4. Organizational Maturity and Skill Gaps
8.3.5. Performance Overhead Across Model Scales
8.3.6. Hardware Root-of-Trust Migration
8.4. Limitations of the Proposed Framework
8.4.1. Evolving PQC Standards
8.4.2. Dependency on Upstream Transparency
8.4.3. Continuous-Learning Open Questions
8.4.4. Empirical Validation Roadmap
8.5. Critical Considerations and Boundary Conditions
8.5.1. Where MBOM-PQC May Be Over-Engineered
8.5.2. Ecosystem Conditions That May Not Materialize
8.5.3. Illustrative Scenarios
8.6. Opportunities for Future Research
9. Conclusions
Supplementary Materials
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
| AI | Artificial Intelligence |
| AP | Analytical Proposition |
| ATO | Authorization to Operate |
| AVX2 | Advanced Vector Extensions 2 |
| CNSA | Commercial National Security Algorithm Suite |
| CSF | Cybersecurity Framework |
| CVE | Common Vulnerabilities and Exposures |
| ECDSA | Elliptic Curve Digital Signature Algorithm |
| FIPS | Federal Information Processing Standards |
| HNDL | Harvest-Now, Decrypt-Later |
| HNFL | Harvest-Now, Forge-Later |
| HRoT | Hardware Root of Trust |
| HSM | Hardware Security Module |
| IETF | Internet Engineering Task Force |
| ISO/IEC | International Organization for Standardization / International Electrotechnical Commission |
| MBOM | Model Bill of Materials |
| ML-DSA | Module-Lattice-Based Digital Signature Algorithm |
| ML-KEM | Module-Lattice-Based Key-Encapsulation Mechanism |
| NIST | National Institute of Standards and Technology |
| NSA | National Security Agency |
| NSS | National Security System |
| OMB | Office of Management and Budget |
| PQC | Post-Quantum Cryptography |
| PRISMA | Preferred Reporting Items for Systematic reviews and Meta-Analyses |
| SBOM | Software Bill of Materials |
| SCAMM | Supply Chain Assurance Maturity Model |
| SLH-DSA | Stateless Hash-Based Digital Signature Algorithm |
| SSDF | Secure Software Development Framework |
| TPM | Trusted Platform Module |
| ZTA | Zero Trust Architecture |
References
- NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2023. [Google Scholar]
- NIST. ML-DSA: Module-Lattice-Based Digital Signature Algorithm; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- NIST. SLH-DSA: Stateless Hash-Based Digital Signature Algorithm; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- ReversingLabs. Malicious Machine Learning Packages Targeting ML Developers in PyPI; ReversingLabs Threat Research: Boston, MA, USA, 2023. [Google Scholar]
- CISA. Software Supply Chain Attacks: Threat Landscape and Mitigations; Cybersecurity and Infrastructure Security Agency: Washington, DC, USA, 2023. [Google Scholar]
- MITRE. ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems; The MITRE Corporation: McLean, VA, USA, 2024; Available online: https://atlas.mitre.org (accessed on 30 April 2026).
- OWASP. Machine Learning Security Top 10: ML06 — AI Supply Chain Attacks; OWASP Foundation, 2023. Available online: https://owasp.org/www-project-machine-learning-security-top-10/ (accessed on 30 April 2026).
- OWASP. Top 10 for Large Language Model Applications, Version 2025: LLM03 — Supply Chain; OWASP GenAI Security Project, 2025. Available online: https://genai.owasp.org/ (accessed on 30 April 2026).
- ISO/IEC 42001:2023; Information Technology — Artificial Intelligence — Management System. International Organization for Standardization: Geneva, Switzerland, 2023.
- NIST. Secure Software Development Framework (SSDF), Version 1.1; SP 800-218; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2022. [Google Scholar]
- NSA. Commercial National Security Algorithm Suite 2.0 (CNSA 2.0); National Security Agency: Fort Meade, MD, USA, 2022. [Google Scholar]
- OMB. Memorandum M-23-02: Migrating to Post-Quantum Cryptography Implements National Security Memorandum 10 (NSM-10). Office of Management and Budget: Washington, DC, USA, 2022.
- Carlini, N.; Jagielski, M.; Choquette-Choo, C.A.; Paleka, D.; Pearce, W.; Anderson, H.; Terzis, A.; Thomas, K.; Tramèr, F. Poisoning Web-Scale Training Datasets is Practical. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP); IEEE: San Francisco, CA, USA, 2024; pp. 407–425. [Google Scholar] [CrossRef]
- Goldblum, M.; Tsipras, D.; Xie, C.; Chen, X.; Schwarzschild, A.; Song, D.; Mądry, A.; Li, B.; Goldstein, T. Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses. IEEE Trans. Pattern Anal. Mach. Intell. 2023, 45, 1563–1580. [Google Scholar] [CrossRef] [PubMed]
- Jiang, W.; Synovic, N.; Hyatt, M.; Schorlemmer, T.R.; Sethi, R.; Lu, Y.-H.; Thiruvathukal, G.K.; Davis, J.C. An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry. In Proceedings of the 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE); IEEE: Melbourne, Australia, 2023; pp. 2463–2475. [Google Scholar] [CrossRef]
- PyTorch. TorchServe Security Advisory: Server-Side Request Forgery and Model Loading Vulnerabilities (CVE-2023-43654); PyTorch Foundation: San Francisco, CA, USA, 2023; Available online: https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w (accessed on 30 April 2026).
- Ladisa, P.; Plate, H.; Martinez, M.; Barais, O. SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP); IEEE: San Francisco, CA, USA, 2023; pp. 1509–1526. [Google Scholar] [CrossRef]
- Li, Y.; Wang, H.; Barni, M. A Survey of Deep Neural Network Watermarking Techniques. Neurocomputing 2021, 461, 171–193. [Google Scholar] [CrossRef]
- Zhao, J.; Wang, S.; Zhao, Y.; Hou, X.; Wang, K.; Gao, P.; Zhang, Y.; Wei, C.; Wang, H. Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs. In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024); ACM: Sacramento, CA, USA, 2024. [Google Scholar] [CrossRef]
- Rieger, P.; Krauß, T.; Miettinen, M.; Dmitrienko, A.; Sadeghi, A.-R. CrowdGuard: Federated Backdoor Detection in Federated Learning. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2024); Internet Society: San Diego, CA, USA, 2024. [Google Scholar] [CrossRef]
- Bai, S.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (Version 3.1); NIST Post-Quantum Cryptography Standardization Round 3 Submission. 8 February 2021. Available online: https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf (accessed on 26 April 2026).
- NIST. ML-KEM: Module-Lattice-Based Key-Encapsulation Mechanism; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- NIST. SP 800-161r1; Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2022 (updated 2024. [CrossRef]
- NIST. The NIST Cybersecurity Framework (CSF) 2.0; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- NIST. SP 800-204D: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- CDAO, DoD. Responsible Artificial Intelligence (RAI) Toolkit; Chief Digital and Artificial Intelligence Office: Arlington, VA, USA, 2023; Available online: https://www.ai.mil/Latest/Blog/Article-Display/Article/3940314/responsible-ai-toolkit/ (accessed on 30 April 2026).
- Cooper, D.; Apon, D.; Dang, Q.; Davidson, M.; Dworkin, M.; Miller, C. Recommendation for Stateful Hash-Based Signature Schemes; NIST Special Publication (SP) 800-208; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar] [CrossRef]
- Hevner, A.R.; March, S.T.; Park, J.; Ram, S. Design Science in Information Systems Research. MIS Q. 2004, 28, 75–105. [Google Scholar] [CrossRef]
- Peffers, K.; Tuunanen, T.; Rothenberger, M.A.; Chatterjee, S. A Design Science Research Methodology for Information Systems Research. J. Manag. Inf. Syst. 2007, 24, 45–77. [Google Scholar] [CrossRef]
- Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; et al. The PRISMA 2020 statement: an updated guideline for reporting systematic reviews. BMJ 2021, 372, n71. [Google Scholar] [CrossRef] [PubMed]
- IETF. Hybrid Key Exchange in TLS 1.3; Internet-Draft draft-ietf-tls-hybrid-design-16; Internet Engineering Task Force, 2026. (Work in Progress.). Available online: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/ (accessed on 30 April 2026).
- IETF. Post-quantum Hybrid ECDHE-MLKEM Key Agreement for TLSv1.3; Internet-Draft draft-ietf-tls-ecdhe-mlkem-04; Internet Engineering Task Force, 2026. (Work in Progress.). Available online: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ (accessed on 30 April 2026).
- NIST. Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile; SP 800-218A. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. Available online: https://csrc.nist.gov/pubs/sp/800/218/a/final (accessed on 30 April 2026).
- NIST. AI 600-1; Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
- NIST. Security and Privacy Controls for Information Systems and Organizations; SP 800-53, Rev. 5; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar] [CrossRef]
- ISO/IEC 23894:2023; Information Technology — Artificial Intelligence — Guidance on Risk Management. International Organization for Standardization: Geneva, Switzerland, 2023.
- CISA. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default; Cybersecurity and Infrastructure Security Agency: Washington, DC, USA, April 2023; Available online: https://www.cisa.gov/securebydesign (accessed on 30 April 2026).
- DoD. Data, Analytics, and Artificial Intelligence Adoption Strategy; Department of Defense: Washington, DC, USA, 2023. [Google Scholar]
- Ecma TC54; OWASP Foundation. CycloneDX Bill of Materials Standard (ECMA-424). 2023. Available online: https://cyclonedx.org/specification/overview/ (accessed on 30 April 2026).
- Li, Y.; Lyu, X.; Koren, N.; Lyu, L.; Li, B.; Ma, X. Anti-Backdoor Learning: Training Clean Models on Poisoned Data. In Proceedings of the 35th Conference on Neural Information Processing Systems (NeurIPS 2021); Curran Associates: Red Hook, NY, USA, 2021; pp. 14900–14912. [Google Scholar]
- Trusted Computing Group. PC Client Platform TPM Profile (PTP) Specification, Family 2.0; Level 00, 2025 draft revision; Trusted Computing Group: Beaverton, OR, USA, 2025; Available online: https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/ (accessed on 26 April 2026).
- GSA. Post-Quantum Cryptography Buyer's Guide. U.S. General Services Administration: Washington, DC, USA, 2025. Available online: https://buy.gsa.gov/api/system/files/documents/final-508c-pqc_buyer-s_guide_2025.pdf (accessed on 26 April 2026).
- CISA. Product Categories for Technologies That Use Post-Quantum Cryptography Standards. Cybersecurity and Infrastructure Security Agency: Washington, DC, USA; published per Executive Order 14306, 23 January 2026; Available online: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards (accessed on 26 April 2026).
- Machado, G.R.; Silva, E.; Goldschmidt, R.R. Adversarial Machine Learning in Image Classification: A Survey Toward the Defender’s Perspective. ACM Comput. Surv. 2023, 55, 1–38. [Google Scholar] [CrossRef]
- Gu, T.; Dolan-Gavitt, B.; Garg, S. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. IEEE Access 2019, 7, 47230–47244. [Google Scholar] [CrossRef]
- Wu, B.; Chen, H.; Zhang, M.; Zhu, Z.; Wei, S.; Yuan, D.; Shen, C. BackdoorBench: A Comprehensive Benchmark of Backdoor Learning. In Proceedings of the 36th Conference on Neural Information Processing Systems (NeurIPS 2022) Datasets and Benchmarks Track; Curran Associates: Red Hook, NY, USA, 2022. [Google Scholar]
- Ohm, M.; Plate, H.; Sykosch, A.; Meier, M. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2020); Lecture Notes in Computer Science 12223; Maurice, C., Bilge, L., Stringhini, G., Neves, N., Eds.; Springer: Cham, Switzerland, 2020; pp. 23–43. [Google Scholar] [CrossRef]
- PyTorch Foundation. Compromised PyTorch-nightly Dependency Chain Between December 25th and December 30th, 2022. PyTorch Blog. December 2022. Available online: https://pytorch.org/blog/compromised-nightly-dependency/ (accessed on 30 April 2026).
- Ultralytics. GitHub Issue #18027: Published Wheel 8.3.41 Contained Code Not Present in GitHub and Appeared to Invoke an XMRig Miner. December 2024. Available online: https://github.com/ultralytics/ultralytics/issues/18027 (accessed on 30 April 2026).
- Open Container Initiative. Image Format Specification, Version 1.1.0; OCI Working Group. 2024. Available online: https://github.com/opencontainers/image-spec (accessed on 30 April 2026).
- NIST. SP 800-207; Zero Trust Architecture. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
- Face, Hugging. Hub Security Documentation: Pickle Scanning, Malware Scanning, and Repository Trust Controls. 2024. Available online: https://huggingface.co/docs/hub/en/security (accessed on 30 April 2026).
- Hat, Red. Strengthen Security in Your Software Supply Chain; Red Hat: Raleigh, NC, USA, 2024; Available online: https://www.redhat.com/en/solutions/trusted-software-supply-chain (accessed on 30 April 2026).
- NIST. SP 800-207A; A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2023.
- CISA; NSA. Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. National Security Agency and Cybersecurity and Infrastructure Security Agency, 2024. Available online: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF (accessed on 30 April 2026).
- IETF. Composite ML-DSA for Use in X.509 Public Key Infrastructure; Internet-Draft, current IETF LAMPS working-group draft. (Work in Progress.). Available online: https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/ (accessed on 30 April 2026).
- Massimo, J.; Kampanakis, P.; Turner, S.; Westerbaan, B.E. Internet X.509 Public Key Infrastructure — Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA); RFC 9881; Internet Engineering Task Force, October 2025; Available online: https://www.rfc-editor.org/rfc/rfc9881 (accessed on 30 April 2026). [CrossRef]
- The White House. Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence; Washington, DC, USA, 30 October 2023. [Google Scholar]
- Google. Secure AI Framework (SAIF); Google LLC: Mountain View, CA, USA, 2023; Available online: https://safety.google/cybersecurity-advancements/saif/ (accessed on 30 April 2026).
- Microsoft. AI Security Research Program; Microsoft Corporation: Redmond, WA, USA, 2024; Available online: https://www.microsoft.com/en-us/security/business/solutions/security-for-ai (accessed on 30 April 2026).









| Dimension | SPDX 3.0 | CycloneDX 1.6 | NIST SSDF | NIST AI RMF | NIST CSF 2.0 | OWASP ML | OWASP GenAI | MBOM-PQC |
|---|---|---|---|---|---|---|---|---|
| Model metadata (architecture, version) | ◐ | ◐ | ○ | ○ | ○ | ○ | ◐ | ● |
| Pre-training dataset lineage | ○ | ○ | ○ | ◐ | ○ | ◐ | ◐ | ● |
| Fine-tuning artifacts | ○ | ○ | ○ | ◐ | ○ | ◐ | ◐ | ● |
| Pre-trained model dependencies (CVE links) | ◐ | ● | ● | ○ | ◐ | ◐ | ◐ | ● |
| Training environment attestation | ○ | ○ | ◐ | ○ | ◐ | ○ | ○ | ● |
| Deployment packaging dependency graph | ● | ● | ◐ | ○ | ◐ | ○ | ◐ | ● |
| Cryptographic integrity fields | ◐ | ◐ | ◐ | ○ | ◐ | ○ | ○ | ● |
| PQC-safe signing (FIPS 204/205) | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ● |
| Hybrid signature mode support | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ● |
| Lifecycle stage attestation | ○ | ○ | ◐ | ○ | ◐ | ○ | ○ | ● |
| Organizational maturity model | ○ | ○ | ○ | ◐ | ● | ○ | ○ | ● |
| Governance/policy mapping | ○ | ○ | ◐ | ● | ● | ◐ | ◐ | ● |
| Database | Query string | Date executed | Hits | After dedup |
|---|---|---|---|---|
| IEEE Xplore | ("AI supply chain" OR "machine learning supply chain") AND ("provenance" OR "attestation" OR "signing") | 14 Jan 2025; rerun 12 Mar 2026 | 47 | 40 |
| ACM Digital Library | ("model signing" OR "model provenance") AND ("integrity" OR "adversarial") | 14 Jan 2025; rerun 12 Mar 2026 | 31 | 24 |
| IACR ePrint | "post-quantum" AND ("signature size" OR "hybrid signature" OR "ML-DSA" OR "SLH-DSA") | 16 Jan 2025; rerun 12 Mar 2026 | 22 | 19 |
| NIST CSRC | "AI" OR "post-quantum" filtered to FIPS, SP 800 series, AI 600 series | 16 Jan 2025; rerun 12 Mar 2026 | 14 | 14 |
| NSA.gov | "CNSA 2.0" OR "quantum-resistant" filtered to advisory and CSI publications | 17 Jan 2025; rerun 13 Mar 2026 | 6 | 6 |
| CISA.gov | "AI" AND ("supply chain" OR "secure by design") | 17 Jan 2025; rerun 13 Mar 2026 | 11 | 9 |
| Curated incident repositories (PyTorch advisories, ReversingLabs, Hugging Face Hub, Ultralytics tracker) | manual curation by date filter 2020–2026 | 18–20 Jan 2025; rerun 14 Mar 2026 | 11 | 11 |
| Total before screening | 142 | 123 |
| Threat Source | Requirement | MBOM-PQC Schema Component |
|---|---|---|
| Training-time attacks (§4.1.1) | Dataset poisoning detection | C2: Pre-Training Dataset Lineage |
| Ingestion-time attacks (§4.1.2) | Model swap prevention | C3: Pre-Trained Model Dependencies |
| Training-time and ingestion-time threats (§4.1.1, §4.1.2) | Fine-tuning tampering detection | C4: Fine-Tuning Artifacts |
| Pipeline compromise (§4.2.3) | Pipeline integrity | C5: Training Environment & Pipeline |
| Quantum-enabled forgery (§4.2.1) | PQC-safe integrity | C7: Cryptographic Integrity Fields |
| Multi-stage supply chain (§4.3) | Lifecycle transparency | All components (C1–C7) |
| Profile | Operational signing | Long-term archival | Hash | Use context |
|---|---|---|---|---|
| Constrained / Internal | ML-DSA-44 (NIST L2) | — | SHA-3-256 or SHAKE-256 | Internal-only artifacts; short-lived non-regulated commercial settings |
| Civilian / Commercial (default) | ML-DSA-65 (NIST L3) | SLH-DSA-192s (NIST L3) | SHA-3-256 or SHAKE-256 | Federal non-NSS; regulated industries (healthcare, finance) and critical infrastructure with multi-decade retention requirements; SLH-DSA-128s (NIST L1) may be applied as a documented profile exception for shorter-horizon (single-digit-year), non-regulated commercial archival per §6.2.3 |
| High-Assurance / non-NSS | ML-DSA-87 (NIST L5) | SLH-DSA-256s (NIST L5) | SHA-3-512 or SHAKE-256 | Highest-assurance non-NSS deployments; regulated industries and critical infrastructure requiring NIST Level 5 strength; SLH-DSA-256s suitable for long-term archival where hash-based forward security is desirable |
| NSS / CNSA 2.0 | ML-DSA-87 (NIST L5) | ML-DSA-87 (NIST L5) | SHA-3-512 or SHAKE-256 | National Security Systems; classified workloads; CNSA 2.0–mandated procurement (ML-DSA-87 / Category 5 [11]); FIPS 205 / SLH-DSA is not approved for NSS, so ML-DSA-87 covers both operational signing and archival integrity (re-signed at policy cadence) |
| Dimension | Sub-indicator | Default weight |
|---|---|---|
| D_prov (Provenance Completeness) | Model metadata coverage | 0.20 |
| Pre-training dataset lineage coverage | 0.30 | |
| Pre-trained model dependency coverage | 0.20 | |
| Fine-tuning artifact coverage | 0.20 | |
| Deployment packaging dependency coverage | 0.10 | |
| D_crypto (Cryptographic Integrity) | Proportion of artifacts with PQC-safe signatures | 0.40 |
| Proportion with hybrid signature bundles | 0.20 | |
| Certificate-chain validity rate | 0.20 | |
| Cryptographic agility readiness score | 0.20 | |
| D_attest (Pipeline Attestation) | Build attestation coverage | 0.40 |
| Training pipeline attestation coverage | 0.30 | |
| Deployment and runtime attestation cadence | 0.30 | |
| D_gov (Lifecycle Governance) | ZTA trust scoring integration | 0.30 |
| Continuous-learning update verification | 0.20 | |
| Third-party model ingestion policy enforcement | 0.20 | |
| Automated provenance drift detection | 0.30 |
| Level | τ_prov | τ_crypto | τ_attest | τ_gov |
| L1 (Ad Hoc) | 0.00 | 0.00 | 0.00 | 0.00 |
| L2 (Documented) | 0.50 | 0.40 | 0.30 | 0.50 |
| L3 (Cryptographically Verified) | 0.70 | 0.65 | 0.55 | 0.70 |
| L4 (PQC-Safe) | 0.85 | 0.85 | 0.85 | 0.85 |
| L5 (Continuously Attested) | 0.95 | 0.95 | 0.95 | 0.95 |
| # | Requirement | Threat / dependency | Evidence (Tier) | Operationalization | SCAMM indicator |
| 1 | Pre-training dataset lineage capture | Training-time data poisoning (§4.1.1) | [13] T3, [14] T3 | Schema C2 | i_{prov,2} |
| 2 | Pre-trained model dependency tracking | Ingestion-time tampering (§4.1.2) | [4] T4, [16] T4, [19] T3 | Schema C3 | i_{prov,3} |
| 3 | Fine-tuning artifact provenance | Fine-tuning tampering (§4.3.2) | [14] T3, [44] T3 | Schema C4 | i_{prov,4} |
| 4 | Training environment attestation | Pipeline compromise (§4.2.3) | [51] T1, [55] T2 | Schema C5; Pipeline Stage 4 | i_{attest,2} |
| 5 | Deployment packaging integrity | Deployment-time tampering (§4.1.3) | [10] T1, [55] T2 | Schema C6; Pipeline Stage 5 | i_{prov,5} |
| 6 | PQC-safe signing of artifacts | Quantum-enabled forgery, HNFL (§§1, 4.2.1) | [2] T1, [11] T2 | Schema C7; Pipeline Stage 3 | i_{crypto,1} |
| 7 | Hybrid signature support during transition | Backward verifier compatibility (§5.3.1) | [56] T5 (primary); [31] T5, [32] T5 (transition context) | Schema C7; Pipeline Stage 3 | i_{crypto,2} |
| 8 | Certificate-chain PQC-safe validation | Long-term chain integrity (§5.3.2) | [57] T1 | Schema C7; Pipeline Stage 2 | i_{crypto,3} |
| 9 | Lifecycle attestation cadence | Multi-stage compromise (§4.3) | [51] T1, [55] T2 | Pipeline Stages 1–5 | i_{attest,3} |
| 10 | Continuous verification | Continuous-learning integrity (§§4.3.4, 6.5) | [51] T1 | Pipeline Stage 5; §6.5 | i_{attest,3} |
| 11 | ZTA trust scoring integration | Governance gap (§4.4.4) | [1] T2, [23] T1, [58] T2 | §6.4 | i_{gov,1} |
| 12 | Continuous-learning update verification and third-party model ingestion control | Operational risk drift (§4.3.4) | [23] T1, [24] T2 | Discussion §8 | i_{gov,2,3} |
| 13 | Automated provenance drift detection | Trust scoring (§§6.4, 8.2) | [51] T1, [54] T2 | §6.4 | i_{gov,4} |
| Model class | Artifact size | Bundle overhead | Relative overhead | SHA-3-256 hash time (sw / hw) | ML-DSA-65 verify [21] | Cryptographic-core verify (sw / hw) |
| Small Transformer (BERT-base) | 50 MB | 11.8 KB | 0.023% | 100 ms / 10 ms | 54 μs | ≈ 100 ms / ≈ 10 ms |
| Mid-tier classifier | 500 MB | 11.8 KB | 0.0023% | 1.0 s / 100 ms | 54 μs | ≈ 1.0 s / ≈ 100 ms |
| 7B-parameter LLM (FP16) | 14 GB | 11.8 KB | 8.0 × 10⁻⁵ % | 28 s / 2.8 s | 54 μs | ≈ 28 s / ≈ 2.8 s |
| 70B-parameter LLM (FP16) | 140 GB | 11.8 KB | 8.0 × 10⁻⁶ % | 280 s / 28 s | 54 μs | ≈ 280 s / ≈ 28 s |
| Frontier checkpoint (FP16) | 350 GB | 11.8 KB | 3.2 × 10⁻⁶ % | 700 s / 70 s | 54 μs | ≈ 700 s / ≈ 70 s |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.