Trained model files are valuable intellectual property and, if tampered with or substituted, an attack vector into the serving path. Model artefacts are stored in encrypted, access-controlled repositories with immutable versioning. The engineering team cryptographically signs each model artefact once it has passed the validation gates, so the inference infrastructure can verify at load time that the model it is about to serve is byte-for-byte the model that was validated.
Any model artefact that fails signature verification is rejected by the pipeline, and the rejection raises a security alert. Sigstore cosign provides the signing and verification tooling for model files (signed as blobs or as OCI artefacts), and Docker Content Trust covers the container images that carry the serving code. The signing key is held in the key management service with restricted access, so signing happens inside the KMS and the private key is never copied to build or serving hosts. Verifiers pin the expected public key (or, with keyless signing, the expected signer identity) rather than accepting any syntactically valid signature. A signature proves only who signed the artefact: the check binds the served model to the validation gates only because signing is the final step of those gates.
Model artefact security also covers the model in transit: from the registry to the serving infrastructure, model files are transferred over TLS 1.3, with mutual TLS where the serving infrastructure must also authenticate to the registry. Backup copies of model artefacts are encrypted and stored with the same access controls as the primary copies. The model artefact security controls are documented in Module 9.
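The sign-after-validation and verify-at-load gate described above, as an added illustration that is not part of the AISDP tooling: a Go program using only the standard library, with Ed25519 standing in for the cosign/KMS key the page names, a constructed byte string standing in for a model file, and a hypothetical artefact name and Alert type. It signs the artefact's SHA-256 digest on the validation side, then verifies it at load time and rejects, with an alert, a tampered artefact, a signature from a key that is not the pinned one, and a malformed signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Alert is the security event the loader emits when verification fails.
// Constructed for this example; a real deployment forwards it to the SIEM.
type Alert struct {
	Artefact string
	Digest   string // hex SHA-256 of the bytes that were rejected
	Reason   string
}

// GenerateSigningKey creates an Ed25519 key pair. In the pipeline the private
// half would live in the KMS; only the public half is pinned in serving config.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtefact is the signing step that runs once the validation gates pass.
// It signs the SHA-256 digest rather than the raw bytes, so the signature is
// fixed-size even for a multi-gigabyte model.
func SignArtefact(priv ed25519.PrivateKey, model []byte) (digestHex string, sig []byte) {
	d := sha256.Sum256(model)
	return hex.EncodeToString(d[:]), ed25519.Sign(priv, d[:])
}

// LoadVerified is the load-time gate in the inference service: it recomputes
// the digest of the exact bytes it is about to load and checks the signature
// against the pinned public key. Any failure returns no model and an Alert.
func LoadVerified(pub ed25519.PublicKey, name string, model, sig []byte) ([]byte, *Alert, error) {
	d := sha256.Sum256(model)
	digestHex := hex.EncodeToString(d[:])
	// Size checks first: ed25519.Verify panics on a malformed public key,
	// and a loader must fail closed rather than crash on bad input.
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		a := &Alert{Artefact: name, Digest: digestHex, Reason: "malformed key or signature"}
		return nil, a, errors.New("artefact rejected: malformed key or signature")
	}
	if !ed25519.Verify(pub, d[:], sig) {
		a := &Alert{Artefact: name, Digest: digestHex, Reason: "signature verification failed"}
		return nil, a, errors.New("artefact rejected: signature verification failed")
	}
	return model, nil, nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a serialized model file.
	model := []byte("constructed-model-weights-v1")
	digest, sig := SignArtefact(priv, model)
	fmt.Println("signed digest:", digest)

	if _, alert, err := LoadVerified(pub, "fraud-model-v1", model, sig); err == nil && alert == nil {
		fmt.Println("load ok: signature matches the validated artefact")
	}

	// Flip one byte after signing: the loader must reject it and alert.
	tampered := append([]byte(nil), model...)
	tampered[0] ^= 0x01
	if _, alert, err := LoadVerified(pub, "fraud-model-v1", tampered, sig); err != nil {
		fmt.Printf("ALERT %s: %s (digest %s)\n", alert.Artefact, alert.Reason, alert.Digest)
	}

	// A valid signature from some other key (an attacker's own) must also be rejected.
	_, otherPriv, _ := GenerateSigningKey()
	_, otherSig := SignArtefact(otherPriv, model)
	if _, alert, err := LoadVerified(pub, "fraud-model-v1", model, otherSig); err != nil {
		fmt.Printf("ALERT %s: %s\n", alert.Artefact, alert.Reason)
	}
}
```

With cosign the two halves map onto `cosign sign-blob --key <kms-uri> --output-signature model.sig model.bin` at the end of the validation job and `cosign verify-blob --key model.pub --signature model.sig model.bin` in the loader, with the KMS URI restricted to the signing job and only the public key distributed to serving hosts. The important property in both cases is the same as in the example: the loader verifies the bytes it actually loads, not a digest reported by the registry, and a failure produces an alert rather than a silent fallback.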
Key outputs
- Encrypted, access-controlled model artefact storage
- Cryptographic signing with verification at load time
- Rejection and alerting on signature verification failure
- Module 9 AISDP documentation