Introducing Sovereign Frontier: securing the AI supply chain
The AI supply chain runs on trust it hasn't earned. You download a model from a hub, read a number off a leaderboard, pull weights into a pipeline — and at every step you are trusting a claim that nobody signed and nobody can check. Where did these weights come from? Are they the bytes the publisher released? Did anyone actually run the benchmark, or reproduce it? For software we solved this years ago with signatures, SBOMs, and transparency logs. For the artifacts that now make decisions in clinics, courts, and weapons systems, we mostly shrug.
Sovereign Frontier is the platform for securing the AI supply chain. It is a cryptographically attested commons for dual-use open AI: every artifact is signed, every receipt is independently verifiable, and every number is meant to be reproducible. Today it tracks 639 artifacts across eight categories — models, datasets, architectures, optimizers, processors, protocols, systems, and tools — each one carrying a signature you can check yourself.
Three states, no blind trust
Every artifact moves through three honest states:
- Quarantine — catalogued, with signed provenance, but not yet independently verified by us. The default. Honest about what we don't know.
- Hardened — we downloaded the weights, computed their SHA-256 ourselves, and matched them against the publisher's declared hashes, plus a supply-chain scan. Signed by our own key.
- Sealed — domain attestation by external bodies (NIST, FDA, MITRE…) signing with their keys.
That last state is retired until real reviewers actually sign — because the one rule we don't break is this: nothing claims attestation until it has the receipts to prove it. We would rather show you an honest "unverified" than a comfortable lie. A model with no receipt says so, out loud.
How weight attestation works
For a Hardened receipt we don't take the publisher's word for it. We stream the weight files, hash them with SHA-256 as they pass through — never storing the whole file — and compare against the git-LFS object IDs the publisher declared. Match, sign, delete. For gated or oversized weights we publish the publisher's own declared hashes as an explicit advisory manifest, clearly labeled as exactly that. 25 models are Hardened today, each with a receipt that re-verifies on demand.
Every attestation is an Ed25519 signature over the artifact's content hash, written to a Rekor-style transparency log — now past 24,000 entries — with Merkle inclusion proofs. The /verify endpoint re-checks every signature and re-computes every inclusion proof live. You don't trust our dashboard; you check the math.
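As an added example (not Sovereign Frontier's own code; nothing here assumes its real receipt format), the receipt flow described above in Python: stream-hash a weight file against the declared git-LFS OID without holding it in memory, append the attested hash to an append-only Merkle log, sign the entry with Ed25519, and then re-check hash, inclusion proof and signature offline from the receipt alone, which is also the "check it anywhere" property the page describes later. Leaf and interior hashing follow RFC 6962 (the Certificate Transparency scheme that Rekor's Merkle tree also uses). The artifact names, the three sample "weight files" and the throwaway signing key are constructed here; the `cryptography` package is assumed for Ed25519 and the signing step is skipped if it is not installed.

```python
"""Added illustration, not Sovereign Frontier's code: a Hardened-style receipt.
Stream-hash the weights against the declared git-LFS OID, log the attested hash in
an RFC 6962-style Merkle tree, sign the entry, and let a verifier recheck it offline."""
import hashlib, io, json
from typing import BinaryIO, List

try:  # Ed25519 via the `cryptography` package; signing is skipped if it is absent
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ed25519
except ImportError:
    ed25519 = None

CHUNK = 1 << 16  # 64 KiB reads: the whole weight file is never held in memory

def stream_sha256(stream: BinaryIO) -> str:
    """Hex SHA-256 of a file-like object, computed chunk by chunk (git-LFS OID form)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def leaf_hash(data: bytes) -> bytes:  # RFC 6962 domain separation: 0x00 for leaves
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left: bytes, right: bytes) -> bytes:  # 0x01 for interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()
def split_point(n: int) -> int:  # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(hs: List[bytes]) -> bytes:
    if len(hs) <= 1:
        return hs[0] if hs else hashlib.sha256(b"").digest()
    k = split_point(len(hs))
    return node_hash(merkle_root(hs[:k]), merkle_root(hs[k:]))

def audit_path(hs: List[bytes], i: int) -> List[bytes]:
    """Inclusion proof: sibling hashes ordered from leaf i up to the root."""
    if len(hs) <= 1:
        return []
    k = split_point(len(hs))
    if i < k:
        return audit_path(hs[:k], i) + [merkle_root(hs[k:])]
    return audit_path(hs[k:], i - k) + [merkle_root(hs[:k])]

def verify_inclusion(entry: bytes, index: int, size: int, proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 inclusion check: rebuild the root from the leaf and its audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) == 1 or fn == sn:
            r = node_hash(p, r)
            while (fn & 1) == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def make_receipt(name: str, weights: BinaryIO, declared_oid: str, log: List[bytes], key=None) -> dict:
    """Hash, compare, log, sign; refuses to attest bytes that do not match the declared OID."""
    if stream_sha256(weights) != declared_oid.lower():
        raise ValueError(f"{name}: computed SHA-256 differs from declared OID")
    entry = json.dumps({"artifact": name, "sha256": declared_oid}, sort_keys=True).encode()
    i = len(log); log.append(leaf_hash(entry))  # append-only: an index never changes
    receipt = {"entry": entry.decode(), "index": i, "tree_size": len(log),
               "proof": [p.hex() for p in audit_path(log, i)], "root": merkle_root(log).hex()}
    if key is not None:  # Ed25519 signature over the exact bytes that were logged
        receipt["sig"] = key.sign(entry).hex()
        receipt["pub"] = key.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw).hex()
    return receipt

def verify_receipt(receipt: dict, weights: BinaryIO) -> bool:
    """Offline check: re-hash the bytes, recompute the inclusion proof, re-verify the signature."""
    entry = receipt["entry"].encode()
    if stream_sha256(weights) != json.loads(receipt["entry"])["sha256"]:
        return False
    if not verify_inclusion(entry, receipt["index"], receipt["tree_size"],
                            [bytes.fromhex(p) for p in receipt["proof"]], bytes.fromhex(receipt["root"])):
        return False
    if "sig" in receipt:
        if ed25519 is None:
            return False  # a signature we cannot check is not a receipt
        try:
            ed25519.Ed25519PublicKey.from_public_bytes(bytes.fromhex(receipt["pub"])).verify(bytes.fromhex(receipt["sig"]), entry)
        except Exception:
            return False
    return True

def run_checks() -> dict:
    """Constructed sample: three 'weight files' with honestly declared OIDs, one later tampered."""
    sample = {f"model-{i}.safetensors": bytes([i]) * 100_000 for i in range(3)}
    log, key = [], (ed25519.Ed25519PrivateKey.generate() if ed25519 else None)
    receipts = {n: make_receipt(n, io.BytesIO(b), hashlib.sha256(b).hexdigest(), log, key) for n, b in sample.items()}
    tampered = bytearray(sample["model-1.safetensors"]); tampered[5] ^= 1  # one flipped byte
    return {"genuine": all(verify_receipt(r, io.BytesIO(sample[n])) for n, r in receipts.items()),
            "tampered": verify_receipt(receipts["model-1.safetensors"], io.BytesIO(bytes(tampered))),
            "log_size": len(log)}
```

Two design points carry over from the page's own description: the receipt records the tree size at which it was issued, so a proof stays checkable after the log has grown (the log is append-only, so an index never moves), and `verify_receipt` consults nothing but the receipt, the bytes on disk and the published root, which is what makes a mirror or air-gapped check possible.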
Mapped to the frameworks that matter
Each Hardened model carries a supply-chain security scan mapped to NIST AI RMF 1.0, the NIST COSAIS SP 800-53 control overlays (SI-7, SR-4, SA-12), and the CAISI agentic-AI security RFI. Where a control requires runtime or behavioral evidence we don't have, the scan says not-performed — never a fabricated "clean."
Built to be checked anywhere
Stand up a local mirror, load the air-gap bundle, and verify the full attestation chain with no call-home and no single point of trust. Verification works fully offline, which is the whole point: a receipt you can only check by asking us is not a receipt.
Try it
Browse the registry, pull a model, and verify its attestation yourself at sovereignfrontier.ai. Every claim on the platform is backed by a signature you can independently check. No blind trust required.
