
Model Supply-Chain Risk: A Procurement Question, Not a Security One

The provenance problem with open-weight models, the indemnification gap with closed ones, and the seven contract clauses to insist on.

TL;DR

Risk | Open-weight models | Closed models
---- | ---- | ----
Provenance | Variable; verify chain | Vendor’s responsibility (sort of)
Indemnification | Often none | Vendor-dependent; gaps common
Stability | Static once chosen | Vendor can change behavior
Audit | Self-perform | Vendor SOC reports
Supply chain attack surface | Anyone in the open chain | The model provider’s environment

The fix is contractual: insist on indemnification, behavior-stability commitments, and audit rights for closed models. For open-weight, verify provenance and accept the audit-yourself burden.


Model supply-chain risk is the AI risk most organizations don’t have a procurement frame for yet. It’s not really a security question — it’s a procurement question that the security team is being asked to solve because nobody else has been assigned. This piece offers the right framing and the specific procurement clauses to insist on.

Two flavors of risk

Open-weight model risk: you download a model from a public source. You don’t know what was in its training data. You don’t know what behaviors were planted. You don’t have indemnification if the model produces something problematic. You’re responsible for everything.

Closed model risk: a vendor (Anthropic, OpenAI, Google) provides the model. You don’t see the training data or the weights. The vendor’s behavior decisions are imposed on you. The vendor can change behavior between versions in ways you can’t predict.

Different risks; different mitigations. Both real.

The open-weight provenance problem

When you download an open-weight model from Hugging Face or similar, you’re trusting a chain: the model creator, the upload, the platform. Each link can be compromised.

Documented incidents in 2024–2025 included planted backdoors in popular open-weight fine-tunes, dependency-confusion attacks where malicious models were uploaded with names similar to legitimate ones, and supply-chain compromise of fine-tuning datasets. The frequency is low but the impact, when it happens, is severe — your AI system is operating on a model whose behavior includes attacker-influenced patterns.

Mitigations:

  • Verify checksums against the original publisher’s signed releases.
  • Use trusted sources (the original publisher’s official channel, not random reuploads).
  • Test models behaviorally before production deployment.
  • Maintain a documented model inventory with provenance for each.
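The first and fourth mitigations (checksum verification against the publisher’s release, and a provenance inventory) are the two that can be automated. The script below is an added example, not code from the original article or from any model platform: it assumes the publisher ships a manifest mapping artifact file names to SHA-256 digests (and that the manifest’s own signature has already been checked), streams each downloaded file through SHA-256, rejects both digest mismatches and files the publisher never listed, and appends a provenance record to a JSON-lines inventory. The file names, byte contents, model name and source URL in `run_demo` are constructed.

```python
"""Verify downloaded model artifacts against a publisher manifest and log provenance.

Added example, not code from the original article. Assumptions (all constructed):
the publisher's manifest maps file name -> SHA-256 hex digest, its signature has
already been verified out of band, and the inventory is an append-only JSONL file.
"""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks; weight files can be tens of GB


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 without loading it into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, manifest: dict[str, str]) -> tuple[bool, str, str]:
    """Return (ok, actual_digest, reason). Fails closed: unlisted files are rejected."""
    actual = sha256_file(path)
    expected = manifest.get(path.name)
    if expected is None:
        return False, actual, f"{path.name}: not listed in publisher manifest"
    # Constant-time comparison; the cost is negligible and it is the right habit.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, actual, (f"{path.name}: digest mismatch "
                               f"(expected {expected[:12]}.., got {actual[:12]}..)")
    return True, actual, f"{path.name}: digest matches publisher manifest"


def record_provenance(inventory: Path, model: str, source: str, artifact: str,
                      digest: str, ok: bool, reason: str) -> dict:
    """Append one provenance record (constructed schema) to the JSONL inventory."""
    entry = {
        "model": model,
        "source": source,
        "artifact": artifact,
        "sha256": digest,
        "verified": ok,
        "detail": reason,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }
    with inventory.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def check_release(download_dir: Path, manifest: dict[str, str], model: str,
                  source: str, inventory: Path) -> dict[str, bool]:
    """Verify every file in the download directory; return {file name: verified}."""
    results = {}
    for path in sorted(p for p in download_dir.iterdir() if p.is_file()):
        ok, digest, reason = verify_artifact(path, manifest)
        record_provenance(inventory, model, source, path.name, digest, ok, reason)
        results[path.name] = ok
    return results


def run_demo() -> dict[str, bool]:
    """Constructed release: two intact files, one tampered re-upload, one unlisted file."""
    published = {
        "model.safetensors": b"constructed weights, stand-in for a real tensor file",
        "config.json": b'{"architecture": "constructed"}',
        "tokenizer.json": b'{"vocab": ["constructed"]}',
    }
    # Stand-in for the publisher's signed manifest.
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in published.items()}
    with tempfile.TemporaryDirectory() as tmp:
        download = Path(tmp) / "download"
        download.mkdir()
        for name, data in published.items():
            (download / name).write_bytes(data)
        # Simulate a tampered mirror: tokenizer on disk differs from what was published.
        (download / "tokenizer.json").write_bytes(b'{"vocab": ["constructed", "added"]}')
        # Simulate a file the publisher never listed (fails closed).
        (download / "extra.bin").write_bytes(b"unlisted bytes")
        inventory = Path(tmp) / "model-inventory.jsonl"
        results = check_release(download, manifest, "example-model-7b",
                                "https://example.invalid/releases/v1", inventory)
        for line in inventory.read_text(encoding="utf-8").splitlines():
            entry = json.loads(line)
            print(("OK   " if entry["verified"] else "FAIL ") + entry["detail"])
    return results


if __name__ == "__main__":
    outcome = run_demo()
    if not all(outcome.values()):
        raise SystemExit("release rejected: do not deploy")
```

The inventory records every artifact, including the rejected ones, so the failure itself becomes part of the audit trail the fourth mitigation asks for. Rejecting unlisted files matters as much as catching mismatches: an extra file dropped into a re-upload is exactly the case a checksum-only check would miss.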

For most enterprise uses, this verification effort isn’t worth the cost saving over closed models. Open-weight makes sense for specific cases (regulatory, data sovereignty, cost at scale); for general-purpose use, closed is usually better.

The closed-model indemnification gap

Closed models look safer until you read the contract carefully. Most provider contracts have:

  • Limited liability caps (often capped at fees paid in the last 12 months).
  • Carve-outs for “model output” — many provider contracts disclaim liability for what the model produces.
  • Ambiguity on data flows — what happens to your data, when, where, isn’t always clear.
  • Behavior-change clauses — providers reserve the right to change model behavior without notice.

The result: if a closed model produces output that costs your company money — wrong advice to a customer, defamatory content, copyright-infringing output — your contractual recourse is limited.

Mitigations:

  • Negotiate higher liability caps for sensitive-data workloads.
  • Insist on explicit indemnification for IP claims (a real and growing risk).
  • Negotiate behavior-stability commitments — minimum notice periods for material model changes.
  • Require audit rights or third-party assurance reports.

These clauses are negotiable, especially at enterprise scale. Most companies don’t ask.

The contract clauses to insist on

For any AI vendor (closed model provider, AI SaaS, MCP server vendor), seven contract terms matter.

1. Data retention and deletion. No retention by default; specific deletion timelines on contract termination.

2. Training-data opt-out. Explicit written confirmation that your data is not used for training.

3. Indemnification for IP claims. If model output infringes a copyright or patent, the vendor defends you. This was uncommon in 2023; it’s increasingly negotiable in 2026.

4. Behavior stability. Material model behavior changes require notice (30/60/90 days depending on stakes); rollback options for breaking changes.

5. Audit rights or assurance reports. SOC 2 Type II minimum; sectoral certifications where relevant; right to receive bug bounty disclosure.

6. Incident notification. The vendor notifies you of security incidents within a defined timeline (often 72 hours) with sufficient detail for your incident response.

7. Exit assistance. If you terminate, the vendor provides data export in a portable format and reasonable transition assistance.

The list is unromantic. It’s also the difference between a contract that protects you and one that doesn’t.

What to do this quarter

  1. Inventory your AI model dependencies. Closed models in use (which vendors), open-weight models in use (which sources, what provenance verification).
  2. Audit existing AI vendor contracts against the seven clauses. Most existing contracts have 1–3 of the seven. Plan for renewal.
  3. Update your AI vendor procurement template with the seven clauses.
  4. Set the open-weight model policy. Most organizations should restrict open-weight to specific sanctioned use cases with documented provenance.

FAQ

Are open-weight models actually riskier than closed? Differently risky. Open-weight risk is yours to manage; closed-model risk is partly the vendor’s. Many organizations end up with a mix: open-weight where data sovereignty matters, closed where the vendor’s control is acceptable.

What happens if our closed model provider is acquired? Read the contract. Most have provisions for assignment that may or may not protect you. Negotiate explicit acquisition-termination rights for sensitive workloads.

Should we audit our model vendors directly? At enterprise scale, yes. Most vendors will support audit rights for large customers. The audit doesn’t have to be exhaustive; targeted review of specific control areas is enough.

Will model providers ever offer real indemnification on output? Some are starting to (Microsoft, Google for specific products in 2024–2025). The trend is toward more indemnification as competitive pressure grows. Negotiate at renewal.

How do we handle models that are being deprecated? Build deprecation handling into your contract. Minimum notice (12+ months for production-critical models), migration assistance, and behavioral compatibility for the replacement.


Working with JAIN on AI vendor procurement? We help executive teams negotiate the seven clauses that close the contractual gaps. Book a 30-minute call.
