In plain English
This page explains where an AI behavior can live. It may be in a model, but it may also be in a prompt, memory record, adapter, dataset, tool setting, evaluator rule, or human workflow.
- Why this matters: AI risk can come from the whole arrangement, not one obvious model.
- What to look for: data, memory, routes, adapters, tools, evaluators, updates, and rollback paths.
- Technical version below: the expert terminology remains available and is linked through the glossary.
The Supply Chain Between the Weights
Weights are only one artifact. Adapters, datasets, prompts, routers, validators, quantizers, package registries, and release aliases all sit between model identity and runtime behavior.
What to record
Record the component owner, source, version, hash or identifier, permissions, load conditions, compatibility assumptions, and known failure modes. For memory and datasets, record retention, jurisdiction, provenance (a record of where a component or behavior came from), consent, and retirement procedures.
Persistence question
Ask whether the component can carry a pattern forward after the apparent original artifact is removed. If yes, it belongs inside the behavioral extinction review (evidence that a behavior is no longer expressible across active artifacts, descendants, memory, routes, compositions, and retained training material; deleting one model is not sufficient evidence).
Counterargument
A component can be benign and useful. The existence of a host does not imply harmful behavior. It only means the host belongs within the ecology-level safety boundary.
The supply chain is not only the base model
Modern AI deployments often import adapters, prompts, datasets, evaluation suites, tools, vector indexes, merge recipes, quantization settings, and deployment wrappers from different sources. Each item can shape behavior. A signed base model does not authenticate every component that later modifies or conditions it.
Integrity and behavior
Source integrity is necessary but incomplete. A hash can tell whether the artifact changed. It cannot tell whether a signed adapter creates a dangerous interaction with a specific base, whether a prompt package conflicts with a safety adapter, or whether a dataset carries behavioral residue (information or tendencies left in memory, synthetic data, traces, evaluator preferences, or subsequent training material after a component is retired). Integrity records must therefore be paired with composition-aware evaluation.
Controls
The supply-chain review should record supplier identity, license, provenance, hash, signature, review status, dependency graph, permitted bases, permitted load orders, known incompatibilities, and rollback instructions (rollback means returning a system to an earlier known state). Components should be least-privilege by default. Unknown components should not be allowed to write memory, alter routing, or influence evaluators without explicit review.
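As an added illustration (not code from this page or from any project it describes), the following Python check applies the controls above to a constructed set of component records: it verifies each artifact's hash, but also checks permitted bases, recorded incompatibilities in load order, and refuses memory, routing and evaluator permissions to unreviewed components, which is the composition-aware step a hash alone cannot provide. The record schema, component names, base model name and hashes are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

PRIVILEGED = {"write_memory", "alter_routing", "influence_evaluators"}

@dataclass
class Component:
    name: str
    sha256: str                      # hash recorded in the supply-chain review
    review_status: str               # "reviewed" or "unknown"
    permitted_bases: set = field(default_factory=set)     # empty means unrestricted
    incompatible_with: set = field(default_factory=set)   # must not be co-loaded
    permissions: set = field(default_factory=set)         # capabilities requested

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def review_composition(base_model, components, blobs):
    """Check records in load order; returns findings, [] means the composition passes."""
    findings, loaded = [], set()
    for c in components:
        # Integrity: the recorded hash must match the bytes actually being loaded.
        actual = sha256_of(blobs.get(c.name, b""))
        if actual != c.sha256:
            findings.append(f"{c.name}: hash mismatch")
        # Composition: a valid hash says nothing about whether this base is permitted.
        if c.permitted_bases and base_model not in c.permitted_bases:
            findings.append(f"{c.name}: not permitted on base {base_model}")
        # Load order: incompatibilities recorded by the supplier or an earlier review.
        clash = c.incompatible_with & loaded
        if clash:
            findings.append(f"{c.name}: incompatible with loaded {sorted(clash)}")
        # Least privilege: unreviewed components may not touch memory, routing or evaluators.
        risky = c.permissions & PRIVILEGED
        if c.review_status != "reviewed" and risky:
            findings.append(f"{c.name}: unreviewed component requests {sorted(risky)}")
        loaded.add(c.name)
    return findings

# Constructed sample artifacts and records (placeholders, not real components).
BLOBS = {"safety-adapter": b"safety adapter v2", "style-adapter": b"style adapter v1",
         "router-prompt": b"router prompt pack"}
SAMPLE = [
    Component("safety-adapter", sha256_of(BLOBS["safety-adapter"]), "reviewed",
              permitted_bases={"base-7b"}),
    Component("style-adapter", sha256_of(BLOBS["style-adapter"]), "reviewed",
              permitted_bases={"base-7b"}, incompatible_with={"safety-adapter"}),
    Component("router-prompt", "0" * 64, "unknown", permissions={"alter_routing"}),
]

def demo():
    return review_composition("base-7b", SAMPLE, BLOBS)
```

Running `demo()` reports three findings: a load-order clash for the style adapter, and a hash mismatch plus a denied routing permission for the unreviewed prompt pack, while the reviewed safety adapter passes on its permitted base.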