Model weights are the crown jewels — and the cryptography protecting them is scattered across KMS configs, storage policies, serving endpoints, and IAM grants. CipherM inventories all of it and hands you a Model-Weight Protection Attestation: the artifact an enterprise customer asks for before they trust your platform with their data.
How model artifacts are encrypted in object storage — provider-managed keys vs. customer-controlled KMS, public ACLs, and whether the key-wrap is quantum-vulnerable RSA/ECC.
mTLS on serving and training endpoints — Triton, KServe, vLLM, TF-Serving. We flag plaintext gRPC channels and review the TLS configuration on channels that carry long-lived inference data.
Who can decrypt the crown jewels. Every kms:Decrypt grant on the model store, surfaced for least-privilege review and over-broad wildcard detection.
Leaked Hugging Face tokens, and torch.load checkpoints that deserialize pickle — the model-supply-chain code-execution path. Integrity of the weights, not just confidentiality.
Same CycloneDX CBOM engine behind our PCI cryptographic inventories — pointed at the AI data-protection layer instead of the cardholder-data environment.
A stolen credit card is worthless in a year. An exfiltrated encrypted weights file is still worth decrypting when a cryptographically-relevant quantum computer arrives — because the model is still valuable years later. That makes post-quantum migration of weight-protection crypto genuinely more urgent for an AI lab than for a generic enterprise.
CipherM scores every weight-protection asset for harvest-now-decrypt-later exposure — sensitivity × volume × years-of-confidentiality × quantum proximity — and flags the classical key-wraps to migrate to ML-KEM first.
Every key, cipher, protocol, and storage policy protecting your weights, training data, and inference pipelines — as a CycloneDX 1.6 CBOM that outlives any one vendor.
Each asset ranked by harvest-now-decrypt-later risk, with the quantum-vulnerable key-wraps prioritized for ML-KEM migration.
The artifact you hand an enterprise customer, partner, or regulator in a security review — proof your model store is encrypted with customer-controlled, audit-ready, PQC-aware crypto.
Cross-referenced to the AI-security expectations now showing up in vendor reviews and emerging standards (NIST AI RMF, ISO/IEC 42001), alongside the post-quantum migration timeline.
Open weights are free to download — so the risk isn't access, it's custody: how your org stores, serves, and fine-tunes them. And because a model stays valuable for years, harvest-now-decrypt-later exposure is acute. Here are the most-deployed open models and the weight-protection posture CipherM scores for each deployment.
| Model | Params | Steward | HNDL exposure | CipherM checks |
|---|---|---|---|---|
| Llama 3.1 | 405B | Meta | High | 8 / 8 |
| DeepSeek-V3 | 671B MoE | DeepSeek | High | 8 / 8 |
| DeepSeek-R1 | 671B MoE | DeepSeek | High | 8 / 8 |
| Qwen2.5 | 72B | Alibaba | High | 8 / 8 |
| Mixtral 8x22B | 141B MoE | Mistral | High | 8 / 8 |
| Llama 3.3 | 70B | Meta | High | 8 / 8 |
| Command R+ | 104B | Cohere | High | 8 / 8 |
| Gemma 2 | 27B | Google | Medium | 8 / 8 |
| Falcon | 180B | TII | Medium | 8 / 8 |
| Phi-4 | 14B | Microsoft | Medium | 8 / 8 |
Illustrative. “HNDL exposure” reflects the inherent value and longevity of the weights, not any organization's security posture. CipherM runs the same 8 weight-protection checks against your deployment — HF-token leak, plaintext-weights HTTP, SSE-S3-only, classical KMS-wrap, public ACL, kms:Decrypt custody, insecure gRPC serving, and torch.load pickle.
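To make the eight checks and the harvest-now-decrypt-later scoring concrete, here is an added example of a minimal posture checker. It is not CipherM's engine, schema or output format: the `WeightStore` fields, the constructed inventory (including the standard AWS example account id), the `CLASSICAL_WRAP_SPECS` set of key-spec names, and the quantum-proximity factor are all assumptions made for this illustration. It runs the page's eight checks over each deployment and orders assets for ML-KEM migration with classical key-wraps first, then by the page's sensitivity × volume × years-of-confidentiality × quantum-proximity product.

```python
"""Added example: weight-protection posture checks and HNDL scoring.

Constructed inventory and field names are illustrative assumptions; this is
not CipherM's engine or output format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# KMS key specs whose key-wrap relies on RSA/ECC and is therefore quantum-
# vulnerable. Names follow AWS KMS conventions; the set is an assumption here.
CLASSICAL_WRAP_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096",
                        "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521"}

# The eight check names from the page's list, in the page's order.
CHECKS = ("HF-token leak", "plaintext-weights HTTP", "SSE-S3-only",
          "classical KMS-wrap", "public ACL", "kms:Decrypt custody",
          "insecure gRPC serving", "torch.load pickle")


@dataclass
class WeightStore:
    """One model-weight deployment (constructed fields, not CipherM's schema)."""
    name: str
    artifact_url: str              # where the checkpoint is fetched from
    sse: str                       # "SSE-S3", "SSE-KMS" or "none"
    kms_key_spec: Optional[str]    # e.g. "SYMMETRIC_DEFAULT", "RSA_2048"
    public_acl: bool
    decrypt_principals: Tuple[str, ...]  # IAM principals holding kms:Decrypt
    serving_transport: str         # "grpc" (plaintext) or "grpcs" (TLS)
    loader: str                    # "torch.load" or "safetensors"
    hf_token_in_repo: bool
    sensitivity: int               # 1 (public) .. 5 (proprietary frontier)
    volume_gb: float
    years_confidential: int


def run_checks(s: WeightStore) -> List[str]:
    """Return the names of the eight checks that fail for this store."""
    failed = []
    if s.hf_token_in_repo:
        failed.append("HF-token leak")
    if s.artifact_url.lower().startswith("http://"):
        failed.append("plaintext-weights HTTP")
    if s.sse == "SSE-S3":                       # provider-managed key only
        failed.append("SSE-S3-only")
    if s.sse == "SSE-KMS" and s.kms_key_spec in CLASSICAL_WRAP_SPECS:
        failed.append("classical KMS-wrap")     # RSA/ECC wrap, HNDL-exposed
    if s.public_acl:
        failed.append("public ACL")
    if any("*" in p for p in s.decrypt_principals):   # wildcard decrypt grant
        failed.append("kms:Decrypt custody")
    if s.serving_transport == "grpc":           # no TLS on the serving channel
        failed.append("insecure gRPC serving")
    if s.loader == "torch.load":                # pickle deserialization on load
        failed.append("torch.load pickle")
    return failed


def hndl_score(s: WeightStore, quantum_proximity: float) -> float:
    """sensitivity x volume x years-of-confidentiality x quantum proximity (0..1)."""
    return s.sensitivity * s.volume_gb * s.years_confidential * quantum_proximity


def migration_order(stores, quantum_proximity: float = 0.3) -> List[str]:
    """Classical key-wraps first, then by descending HNDL score."""
    def key(s):
        classical = "classical KMS-wrap" in run_checks(s)
        return (not classical, -hndl_score(s, quantum_proximity))
    return [s.name for s in sorted(stores, key=key)]


# Constructed inventory: three deployments with different postures.
SAMPLE_INVENTORY = (
    WeightStore("frontier-ckpt", "s3://models/frontier/", "SSE-KMS", "RSA_2048",
                False, ("arn:aws:iam::123456789012:role/serving",), "grpcs",
                "safetensors", False, 5, 800.0, 7),
    WeightStore("legacy-demo", "http://models.internal/demo.pt", "SSE-S3", None,
                True, ("*",), "grpc", "torch.load", True, 2, 15.0, 2),
    WeightStore("finetune-scratch", "s3://models/ft/", "SSE-KMS",
                "SYMMETRIC_DEFAULT", False,
                ("arn:aws:iam::123456789012:role/train",), "grpcs",
                "safetensors", False, 4, 140.0, 5),
)

if __name__ == "__main__":
    for store in SAMPLE_INVENTORY:
        print(f"{store.name}: {len(run_checks(store))}/{len(CHECKS)} failed -> "
              f"{run_checks(store)}")
    print("ML-KEM migration order:", migration_order(SAMPLE_INVENTORY))
```

The ordering deliberately puts the RSA-wrapped frontier checkpoint ahead of the store with seven failing checks: most of those failures are remediable today, whereas a classical key-wrap on long-lived weights is the exposure that only gets worse with time.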
A fixed-scope, two-week Rapid Assessment: we scan your infrastructure, configs, and serving stack, review by hand, and hand you a CycloneDX CBOM plus a Model-Weight Protection Attestation you can put in front of a customer.