Model Provenance & Deployment-Risk Auditing

Know exactly what you’re deploying

Watchman audits an AI model on two layers. It verifies the model is what it claims to be and detects weight modifications hidden inside third-party and compressed releases. And it measures how the model behaves once you wire it to your data, including hostile data, before any of it reaches production.

The Problem

You deploy models you didn’t train

Vendor checkpoints. Open-weight bases. Community fine-tunes. Quantized repacks. Every one of them is tens of gigabytes of opaque numbers, and regulators on three continents now expect you to prove what is inside before it reaches production.

A file hash only tells you the bytes changed, and under compression the bytes always change. That leaves you unable to say whether a release was actually modified or just repacked. Watchman answers the question the hash cannot: were the weights modified beyond their declared compression, how much, where in the network, and what kind of change was it.

What You Get

Four things out of every audit

One run produces the same set of artifacts every time. Each one answers a question your security, compliance, and engineering teams already have.

01

Detect & Classify

Watchman finds weight changes that go beyond a model's declared quantization, and names the kind of change: instruction tuning, alignment modification, or domain specialization. It works from the weight files and nothing else. No training data, no prompts, no inference access, no cooperation from the publisher.

02

Regulatory Evidence

Every audit produces an evidence-grade report and a CycloneDX-style AI-BOM attestation your security team, your compliance team, and your regulator can hold. It carries a SHA-256 chain of custody for every model file, the decision thresholds in force, and the stated limitations, all in one document.

03

Localize the Change

When Watchman flags a modification, it shows where the change concentrates, by component and by network depth. You learn what was touched, rather than only that something happened. Each modification type leaves its own signature in the report.

04

CI-Native Gate

Deterministic exit codes drop straight into your pipeline: 0 clean, 2 modification detected, 1 indeterminate. Gate your model registry on it, run it on-prem or air-gapped, and schedule re-audits for the continuous record federal frameworks now expect. Nothing leaves your environment.

Deployment-Risk Auditing

A clean model can still be a liability

Provenance tells you the model is what it claims. It does not tell you how the model behaves the moment you connect it to a retrieval system and hand it a document that is relevant but imperfect, or hostile. Watchman now measures that too.

A model can top every capability leaderboard and still get worse when you give it your own documents. One 31B model we audited lost 13 accuracy points from relevant retrieved context. One 120B model was talked into answering by a hostile instruction hidden in a retrieved document 87% of the time. Neither weakness shows up on a leaderboard, and both are deployment-layer risk.

Axis 01

Context contamination

Does giving the model retrieved documents make it worse than answering from memory? We measure the net effect, and how often a correct answer gets overridden by the context.

Axis 02

Injection resistance

Can a hostile instruction hidden in a retrieved document hijack the model? We measure the hijack rate undefended, and what actually drives it down.

Axis 03

Abstention discipline

When the documents cannot answer the question, does the model admit it or invent an answer? We measure the guess rate on unanswerable questions.

Axis 04

Retrieval uplift

When the answer is in the documents, does the model actually use it? We measure the accuracy gain on knowledge-heavy questions.

Axis 05

Governance cost

Does a strict governance instruction quietly make the model dumber on questions it should answer? We measure the accuracy it retains under governance.

Axis 06

Quantization robustness

Does the compressed variant you actually deploy still behave like its full-precision parent? We grade the variant you ship, not the one on the card.

Each axis returns a number with a sample size and a confidence interval, mapped to the NIST AI RMF, ISO/IEC 42001, and the EU AI Act accuracy and adversarial-testing requirements. Early scores are provisional and marked as such while sample sizes grow. Every open-weight model we score on these axes is published on our live public index. See the Deployment Risk Index at hell.ai.
Compliance Mapping

One report, every framework

Governments and supervisors are converging on one demand: prove what your model is, where it came from, and that nobody changed it on the way in. Here is how a Watchman audit maps to each.

Framework What it asks for What Watchman hands you
EU AI Act
Reg (EU) 2024/1689 · from 2 Aug 2026
Article 11 technical documentation that accounts for a model's identity, the bases it was built on, and its known limitations. An audit report with a hash-pinned identity for the model and its base, the classification of any modification, and the limitations, filed in your technical documentation.
NDAA / DFARS
FY2026 NDAA → DFARS / CMMC
Verified model registries and integrity checks before deployment, covering model weights across the lifecycle. A deterministic pre-deployment gate with exit codes and per-file SHA-256 weight identifiers your registry can pin.
OMB M-26-04
Federal continuous accountability
A move from one-time documentation to continuous accountability, including for supply-chain modifications. Scheduled re-audits that produce a dated, comparable series of reports, the continuous-accountability record on file.
CycloneDX AI-BOM
Procurement provenance
A model entry whose lineage and provenance can be verified, rather than self-declared by the supplier. A CycloneDX-style attestation fragment with the per-file weights identifier, a verified edge to the claimed base, and the verdict, ready to merge into your bill of materials.
Banking MRM
Interagency guidance · Apr 2026
Independent validation of third-party and vendor models, developed and monitored over time. Reproducible validation evidence for the model-weights layer, what changed from the base, where, and of what kind, for the third-party validation file.
Watchman produces the audit evidence these obligations call for. It does not by itself make you compliant. Compliance is a function of your whole program. What Watchman gives you is the defensible, machine-verifiable artifact each framework expects for the model-weights layer of that program.
Validated, Stated Plainly

Every report states its own limits

We validated Watchman across five model families and publish the numbers as they came out. It is most reliable on the 7B-and-up open-weight models enterprises actually deploy.

18/20

Held-Out Detection

Real modifications caught under leave-one-out validation.

92%

Classified Right

Of detected modifications, put in the correct class. Alignment and domain-specialization classes were perfect.

5

Model Families

In the validation library. Detection generalizes across families, validated held-out by family.

3B+

Full Detection

Every tested modification on models this size and up was detected. Borderline sub-2B cases route to review.

Every Watchman report states its limitations next to its verdict: the exact decision thresholds in force, the validation record behind them, and the one miss mode we know about, which is very broad, low-intensity tuning of very small models. The reference library grows with every labelled audit, and accuracy compounds with it. We publish what the tool can and cannot tell you, because an audit you cannot interrogate is not evidence.

Verify before you deploy

Tell us which framework you are preparing for, and we will audit a model of your choosing, walk through the evidence, and scope a deployment inside your environment.

Request an Audit