AI/ML, Supply chain, Application security

Cisco releases open-source ‘DNA test for AI models’

Cisco released an open-source tool to trace the origins of AI models and compare model similarities for greater visibility into the AI supply chain.

The Model Provenance Kit, announced Thursday, is a Python toolkit and command-line interface (CLI) that looks at signals such as metadata and weights to create a “fingerprint” for AI models that can then be compared to other model fingerprints to determine potential shared origins.

“Think of Model Provenance Kit as a DNA test for AI models,” Cisco researchers wrote. “[…] Much like a DNA test reveals biological origins, the Model Provenance Kit examines both metadata and the actual learned parameters of a model (like a unique genome that comprises a model), to assess whether models share a common origin and identify signs of modification.”

The tool aims to address gaps in visibility into the AI model supply chain. For example, many organizations utilize open-source models from repositories like HuggingFace, where models could potentially be uploaded with incomplete or deceptive documentation.

The Model Provenance Kit provides a way for organizations to verify claims about a model’s origins, such as claims that a model is trained from scratch, when in reality it may be copied from another model, Cisco said. This may put organizations at risk of using models with unknown biases, vulnerabilities or manipulations and make it more difficult to resolve any incidents that arise from these risks.

The toolkit works in two stages and has two different modes: compare and scan. In compare mode, a user can choose two models to compare and receive a breakdown of similarity scores across metrics including metadata, tokenizer structure and weight-level signals as well as a final composite score; if this final score is above a certain threshold, the models are considered to be related.

In scan mode, one model can be compared against a database of known fingerprints for about 150 different base models across more than 45 families and 20 publishers, including Meta, Google, Alibaba, Microsoft, DeepSeek, NVIDIA and OpenAI.

In the first stage of analysis, the toolkit performs an “architectural screening” based on structural metadata and model configurations, which can quickly determine whether two models share identical architecture. Cisco noted that this stage alone can resolve a “large portion” of cases.

The second stage involves weight-level analysis, looking at five specific signals: embedding anchor similarity (EAS), embedding norm distribution (END), norm layer fingerprint (NLF), layer energy profile (LEP) and weight-value cosine (WVC). These signals can help identify models that have the same architectural template but were trained separately, Cisco said.
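To make the two-stage idea concrete, here is an added toy example in Python. It is not code from the Model Provenance Kit: the models are constructed in-memory, and the three signal formulas are simplified stand-ins (assumptions) for EAS, NLF and WVC, used only to show why architectural screening alone cannot separate a fine-tune from an independently trained model on the same template.

```python
import math
import random
# Constructed toy "models": a config dict (architectural metadata), an embedding
# matrix and per-layer normalization weights. Signal names mirror the kit's
# EAS / NLF / WVC, but the formulas are simplified assumptions, not Cisco's.

def make_model(seed, hidden=16, vocab=32, layers=4):
    rng = random.Random(seed)
    return {
        "config": {"hidden": hidden, "vocab": vocab, "layers": layers},
        "embed": [[rng.gauss(0, 1) for _ in range(hidden)] for _ in range(vocab)],
        "norms": [[1 + rng.gauss(0, 0.1) for _ in range(hidden)] for _ in range(layers)],
    }

def finetune(model, seed, scale=0.02):
    """Derivative model: identical architecture, every weight nudged slightly."""
    rng = random.Random(seed)
    def nudge(rows):
        return [[w + rng.gauss(0, scale) for w in row] for row in rows]
    return {"config": dict(model["config"]),
            "embed": nudge(model["embed"]), "norms": nudge(model["norms"])}

def flatten(rows):
    return [w for row in rows for w in row]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def pearson(a, b):
    # Norm weights all start near 1.0, so a raw cosine would call any two models
    # similar; compare deviations from the mean instead.
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    return cosine([x - ma for x in a], [y - mb for y in b])

def architecture_match(m1, m2):
    """Stage 1: structural metadata must agree before weights are examined."""
    return m1["config"] == m2["config"]

def weight_signals(m1, m2, anchors=4):
    """Stage 2: simplified stand-ins for EAS, NLF and WVC."""
    eas = sum(cosine(m1["embed"][i], m2["embed"][i]) for i in range(anchors)) / anchors
    nlf = pearson(flatten(m1["norms"]), flatten(m2["norms"]))
    wvc = cosine(flatten(m1["embed"]), flatten(m2["embed"]))
    return {"eas": eas, "nlf": nlf, "wvc": wvc}

def compare(m1, m2, threshold=0.8):
    if not architecture_match(m1, m2):
        return {"stage": 1, "score": 0.0, "related": False}
    sig = weight_signals(m1, m2)
    score = sum(sig.values()) / len(sig)  # composite: plain mean of the signals
    return {"stage": 2, "score": score, "related": score >= threshold, **sig}
```

Running `compare(base, finetune(base, 2))` scores near 1.0 and is flagged as related, while `compare(base, make_model(3))` passes stage 1 (same template) but scores near 0 at stage 2, which is exactly the case the weight-level signals exist to catch.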

Cisco found that the Model Provenance Kit identified standard model derivatives – such as the same base model with different fine-tuning or alignment – 100% of the time, and also had 100% recall for cross-organization derivatives, where a model is fine-tuned and released under a different name by a different organization.

Models that were trained independently but shared the same tokenizer were identified with 100% specificity, and across 111 pairs of models analyzed, only four were misclassified, which Cisco said involved models with “extreme architectural transformations.”

In addition to protecting organizations against deception and unseen model risks in the open-source AI ecosystem, the toolkit can also help organizations avoid regulatory compliance issues stemming from an inability to trace a model they use back to its origins, Cisco said.

“As models are continuously fine-tuned, distilled, merged, and repackaged, model files have evolved past static assets. Lineage becomes harder to track and easier to obscure, and answering the question of ‘what are the origins of this model?’ requires more nuanced approaches,” the Cisco researchers concluded.
