
Secure AI Supply Chains with PQC Attestation and MBOM

Enterprise
Published: Fri, May 22, 2026 • By Elise Veyron
New research tackles AI supply-chain integrity with a Model Bill of Materials extended for post-quantum safety (MBOM-PQC), a unified signing and attestation pipeline using ML-DSA and hybrid signatures, and a five-level maturity model. It targets model poisoning, dependency compromise, and provenance manipulation, with practical guidance for continuous-learning pipelines and hardware trust migration.

AI systems rarely start life on a clean bench. Enterprises stitch together pre-trained models, third-party datasets, open-source libraries and automated training jobs. That makes the supply chain both the factory and the battlefield. The paper at hand treats integrity as the core risk: if an attacker poisons a model, slips a tainted dependency into the build, or manipulates provenance records, you can lose the game long before deployment.

How attacks land

Supply-chain compromise thrives on quiet swaps and unverifiable history. Replace a pre-trained model with a poisoned near-duplicate and most pipelines will wave it through, because nothing binds the artefact's digest to a signer the pipeline actually trusts: a checksum on the download page, or a signature from whoever happened to upload the file, looks fine. Tamper with a dataset shard so that one class learns a backdoor trigger and the resulting Large Language Model (LLM) or classifier behaves normally until the trigger appears. Subvert an automated step in the training pipeline and the build produces a "clean" artefact with the attacker's code baked in. All of this gets nastier in a post-quantum world. Post-Quantum Cryptography (PQC) matters because the classical signature schemes that underpin model lineage, dataset integrity and pipeline attestation today (RSA, ECDSA, Ed25519) are precisely the ones a large-scale quantum computer running Shor's algorithm would break. Provenance records live for years, so this is the signature counterpart of harvest-now-decrypt-later: the records need not stay secret, they need to stay unforgeable for as long as anyone relies on them. An adversary who can eventually forge those signatures can retroactively rewrite the past: falsify who trained what, swap out datasets in the record, or re-sign a poisoned model so that it looks canonical. Anchoring the original signatures in a timestamped transparency log narrows that window, since a backdated forgery then also has to explain why the log never recorded it, but it does not remove the need for signatures that stay strong.

What the paper proposes

The authors propose a Model Bill of Materials extended for post-quantum safety (MBOM-PQC). Think SBOM, but for models and their data: it records components, lineage and build context, then binds that record with PQC-safe signatures. The second piece is a unified signing and attestation pipeline built on ML-DSA, the lattice-based post-quantum signature scheme NIST standardised as FIPS 204 (formerly CRYSTALS-Dilithium), together with hybrid signature modes in which a record carries both a classical and a post-quantum signature. The usual rationale for hybrid signing is that a verifier which requires both legs is not weakened by a break of either algorithm alone, while a verifier that cannot yet handle ML-DSA can still check the classical leg, which is what lets organisations straddle the migration period without losing verifiable history. The design covers training, evaluation and deployment, with operational guidance for continuous-learning pipelines, where fresh data and retraining create constant insertion points for attackers.
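As an added illustration of the signing-and-attestation pipeline just described (example code written for this page, not from the paper or its authors): a minimal MBOM is canonicalised and hashed, then signed in hybrid mode with Go's standard-library Ed25519 as the classical leg. ML-DSA is not in the Go standard library, so the post-quantum leg here is a Lamport one-time signature built from SHA-256; it is hash-based and therefore unaffected by Shor's algorithm, but it is a stand-in for the paper's ML-DSA, not the real thing, and each Lamport key may sign only once. The record layout, field names, component names and digests are all constructed for the example and correspond to nothing in the paper. The demo then replays the two attacks from the previous section: a silent swap of the base model, and a re-signing of the poisoned record by an attacker who holds the classical key but cannot produce the post-quantum leg.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Component pins one MBOM entry (model, dataset shard, library) by digest.
type Component struct{ Name, Kind, SHA256 string }
// MBOM lists build inputs and links to the parent model's MBOM by digest: a hash chain.
type MBOM struct {
	Model, ParentMBOM string
	Components        []Component
}

// canonical serialises deterministically (encoding/json keeps declaration order) and hashes.
func canonical(m MBOM) [32]byte {
	b, _ := json.Marshal(m) // strings and a slice of structs: cannot fail
	return sha256.Sum256(b)
}

func digestOf(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s))) }
// lamportKey: 256 pairs of 32-byte secrets (private key) and their SHA-256 images (public
// key). Lamport is a hash-based one-time signature, standing in for ML-DSA, which Go's stdlib lacks.
type lamportKey [2][256][32]byte

func lamportKeygen() (priv, pub *lamportKey) {
	priv, pub = new(lamportKey), new(lamportKey)
	for i := 0; i < 512; i++ {
		if _, err := rand.Read(priv[i/256][i%256][:]); err != nil {
			panic(err)
		}
		pub[i/256][i%256] = sha256.Sum256(priv[i/256][i%256][:])
	}
	return priv, pub
}

func bitAt(d [32]byte, i int) int { return int(d[i/8]>>(7-uint(i%8))) & 1 }
// lamportSign reveals, per digest bit, the matching secret; a second signature would leak enough to forge.
func lamportSign(priv *lamportKey, d [32]byte) (sig [256][32]byte) {
	for i := range sig {
		sig[i] = priv[bitAt(d, i)][i]
	}
	return sig
}

func lamportVerify(pub *lamportKey, d [32]byte, sig [256][32]byte) bool {
	for i := range sig {
		if sha256.Sum256(sig[i][:]) != pub[bitAt(d, i)][i] {
			return false
		}
	}
	return true
}

// HybridSig carries a classical (Ed25519) and a post-quantum leg over the same digest.
type HybridSig struct {
	Classical []byte
	PQ        [256][32]byte
}

// hybridVerify is an AND composition: both legs must verify, so one broken or stolen key cannot forge.
func hybridVerify(ed ed25519.PublicKey, lam *lamportKey, d [32]byte, s HybridSig) bool {
	return ed25519.Verify(ed, d[:], s.Classical) && lamportVerify(lam, d, s.PQ)
}

// Demo signs a constructed MBOM, replays a poisoned-model swap and a re-signing by an attacker
// holding the classical key, and reports which records each check accepts.
func Demo() (genuine, swapped, forgedHybrid, forgedClassicalOnly bool) {
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	lamPriv, lamPub := lamportKeygen()
	// Constructed sample record: names and digests are illustrative, not real artefacts.
	mbom := MBOM{Model: "fraud-classifier:2.3.0", ParentMBOM: digestOf("constructed parent MBOM"),
		Components: []Component{
			{"base-model", "pretrained-model", digestOf("constructed base weights")},
			{"txn-shard-17", "dataset", digestOf("constructed dataset shard")},
		}}
	d := canonical(mbom)
	sig := HybridSig{ed25519.Sign(edPriv, d[:]), lamportSign(lamPriv, d)}
	genuine = hybridVerify(edPub, lamPub, d, sig)
	// Attack 1: swap the base model for a poisoned near-duplicate, keep the old signature.
	poisoned := mbom
	poisoned.Components = append([]Component(nil), mbom.Components...)
	poisoned.Components[0].SHA256 = digestOf("constructed poisoned weights")
	pd := canonical(poisoned)
	swapped = hybridVerify(edPub, lamPub, pd, sig)
	// Attack 2: the classical key is compromised (stolen, or forgeable by a future quantum
	// adversary); the attacker re-signs classically but can only replay the genuine PQ leg.
	forged := HybridSig{ed25519.Sign(edPriv, pd[:]), sig.PQ}
	forgedHybrid = hybridVerify(edPub, lamPub, pd, forged)
	forgedClassicalOnly = ed25519.Verify(edPub, pd[:], forged.Classical)
	return
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run` and read the four booleans as genuine, swap, forged-under-hybrid, forged-under-classical-only. The last pair is the point: a classical-only verifier accepts the re-signed poisoned record, the AND-composed hybrid check rejects it because the post-quantum leg was computed over the original digest. A hybrid mode that accepts either leg (OR composition) would be no stronger than the weaker algorithm. Two caveats for a real pipeline: encoding/json's field ordering is deterministic for structs but is not a canonicalisation standard, so sign a canonical encoding (RFC 8785 JSON or deterministic CBOR) instead; and a Lamport key is spent after one signature, which is exactly the operational problem ML-DSA removes.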

A five-level Supply Chain Assurance Maturity Model (SCAMM) rounds it out. It gives teams a repeatable way to score where they are and what to harden next, plus a view of hardware root-of-trust migration costs when moving from classical to PQC-capable modules. None of this is glitter; it is plumbing intended to survive cryptographic upheaval.

Policy frameworks such as NIST's AI Risk Management Framework (AI RMF) and its Secure Software Development Framework (SSDF, SP 800-218) already flag supply-chain risk, but they stop short of mandating verifiable, long-lived provenance. This work tries to close that gap with concrete artefacts you can sign, audit and carry across cryptographic eras. The open questions are operational: who anchors the root of trust across vendors, how revocation works for artefacts that outlive their signing keys, and how quickly enterprises can retrofit pipelines without breaking delivery. Getting those answers right is dull in the best way: it keeps attackers from quietly rewriting your AI's history.

