Cisco released the Model Provenance Kit (MPK) — an open-source Python CLI for tracking the lineage of AI models, with a fingerprint database hosted on Hugging Face. The kit generates model fingerprints from metadata, tokenizer similarity, and weight-level identity signals (embedding geometry, normalization layer characteristics, energy profiles, direct weight comparisons). Two operating modes: Compare takes two models and tells you whether they share ancestry; Scan takes one model and finds the closest known lineage matches in Cisco's database. The threat model addresses poisoned models, regulatory compliance for AI provenance, supply chain integrity, and incident response — specifically, organizations using models pulled from public repositories often can't verify what they actually got versus what was advertised, and when something goes wrong they can't trace it back to its origin.
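The weight-level identity signals and the Compare mode described above, as an added Python sketch on constructed toy checkpoints; this is my own illustration of the idea, not MPK's code, and `make_model`, `fine_tune`, the signal arithmetic and the thresholds are all assumptions:

```python
import math
import random

# Constructed stand-in checkpoints: {layer_name: matrix as list of rows}.
# Signal names follow the kit's description; the arithmetic is an
# illustration of the idea, not MPK's implementation.
def make_model(seed: int) -> dict:
    rng = random.Random(seed)
    return {
        "embed": [[rng.gauss(0, 1) for _ in range(8)] for _ in range(6)],
        "ln.weight": [[rng.gauss(1, 0.1) for _ in range(8)]],
        "ffn": [[rng.gauss(0, 0.5) for _ in range(8)] for _ in range(8)],
    }

def fine_tune(base: dict, seed: int, step: float = 0.01) -> dict:
    """Simulate a fine-tune: every weight is nudged by a small random amount."""
    rng = random.Random(seed)
    return {k: [[w + rng.gauss(0, step) for w in row] for row in rows]
            for k, rows in base.items()}

def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def fingerprint(model: dict) -> list[float]:
    emb = model["embed"]
    # embedding geometry: angles between neighbouring token vectors survive small updates
    geometry = [cosine(emb[i], emb[i + 1]) for i in range(len(emb) - 1)]
    # normalization layer characteristics: mean and spread of the LayerNorm gain
    gain = model["ln.weight"][0]
    mean = sum(gain) / len(gain)
    spread = math.sqrt(sum((g - mean) ** 2 for g in gain) / len(gain))
    # energy profile: each layer's share of the total squared weight mass
    energy = {k: sum(w * w for row in rows for w in row) for k, rows in model.items()}
    total = sum(energy.values())
    return geometry + [mean, spread] + [energy[k] / total for k in sorted(energy)]

def direct_overlap(a: dict, b: dict, tol: float = 0.05) -> float:
    """Direct weight comparison (assumes identical layer names and shapes)."""
    pairs = [(x, y) for k in a for ra, rb in zip(a[k], b[k]) for x, y in zip(ra, rb)]
    return sum(abs(x - y) <= tol for x, y in pairs) / len(pairs)

def compare(a: dict, b: dict, max_drift: float = 0.1) -> dict:
    """Compare mode: per-signal drift plus a shared-ancestry verdict."""
    drift = max(abs(x - y) for x, y in zip(fingerprint(a), fingerprint(b)))
    overlap = direct_overlap(a, b)
    return {"fingerprint_drift": drift, "weight_overlap": overlap,
            "shared_ancestry": drift <= max_drift and overlap >= 0.5}
```

With `base = make_model(1)`, `compare(base, fine_tune(base, 2))` reports shared ancestry while `compare(base, make_model(3))` does not; note that the normalization and energy signals alone barely separate two unrelated models of the same architecture, which is why the verdict also leans on geometry and direct overlap.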
The architectural choice that distinguishes MPK from alternatives is what it doesn't do. Sigstore, SLSA, and cryptographically signed software bills of materials (SBOMs) all require attestation at build time — the model author has to sign the artifact when they release it, and downstream consumers verify the signature. That works going forward, but it doesn't help with the existing universe of unsigned models, fine-tunes published without attribution, or models that have been quietly modified between upload and download. MPK's fingerprinting approach is post-hoc: feed it a model, get a structural identity, compare against known fingerprints. The trade-off is that fingerprinting can be defeated by sufficiently determined adversaries (rewrite the weights enough and the fingerprint shifts), while cryptographic signing cannot be defeated without breaking the underlying math. MPK and Sigstore aren't substitutes — they cover different parts of the supply chain problem.
Why this matters for anyone using AI. The current state of model distribution is roughly the state of software distribution in 2005: you download something from a repository (Hugging Face, GitHub, vendor site), trust that the bits are what they claim to be, and have no way to verify whether someone swapped the file or fine-tuned it with a backdoor between release and your download. Hugging Face has had documented incidents of malicious models uploaded with stolen names; the broader Python supply chain has had years of typosquatting and dependency confusion attacks. AI model provenance is the same problem, with the added complexity that "the model" is a 70-billion-parameter weight tensor rather than a tractable codebase you can read. Fingerprinting via weight-level identity signals is what makes verification scalable — you don't need to read the model, you need to confirm it matches what you expect. For companies deploying AI internally, MPK is the kind of tool that fits into a security pipeline alongside vulnerability scanners; for individual developers pulling models for hobby projects, it's a sanity check that the file you downloaded is what you thought it was.
Practical move. The kit is open-source on GitHub and the fingerprint database is on Hugging Face, so trying it costs nothing. For organizations: add MPK Scan to your model intake process the same way you'd add a malware scanner to your software download workflow — flag unknown lineage for review before deployment. For builders fine-tuning and re-releasing models: contribute your fingerprints back to the database so downstream users can verify what they got. For the broader AI ecosystem: model provenance is becoming a compliance requirement under the EU AI Act's transparency provisions, and tools like MPK plus standards like Sigstore are going to converge into a shared infrastructure layer over the next two years. The honest takeaway is that AI security has been ahead of AI provenance until now; this Cisco release is one of the first serious attempts to close that gap, and it's the right shape — open source, retroactive, fingerprint-based — even if it's just the first generation of what will eventually become a layered defense alongside cryptographic attestation.
