The presentation will take place in Ballroom C on Friday, March 6, 2026 - 14:00 to 14:45

AI is no longer trained in isolation. Modern development relies heavily on third-party and open-source models, fine-tuned through transfer learning on custom datasets. While this improves speed and efficiency, it introduces hidden and often untraceable vulnerabilities into the AI supply chain.

This session examines how adversarial threats such as backdoors, poisoning attacks, and evasion techniques can persist and propagate across generations of models. These risks affect both generative and non-generative AI systems, and are particularly dangerous because they may not originate in the model an organization trains, but in the one it inherits.

We will break down the AI model supply chain, showing how models are reused, fine-tuned, and distributed with limited visibility into their history. Drawing on academic research and practical examples, we will explain how a single poisoned base model can compromise many fine-tuned variants through:

• Latent backdoors, which lie dormant and become active only after transfer learning
• Persistent evasion attacks, where adversarial inputs continue to succeed after the model is adapted
• Dataset poisoning, where small amounts of malicious data corrupt future outputs without detection
• Model artifact tampering, including direct injection of malicious code or logic into pretrained checkpoints

This session will explore known attack demonstrations on public and open-source models, such as BadNets, BAGM, and deceptive language-model training techniques. We will also examine the growing reliance on platforms like Hugging Face, where thousands of models are published, modified, and redistributed with minimal transparency about their training origins or security guarantees.

To help mitigate these risks, we will provide a clear framework for understanding and assessing model lineage, including:
• How to evaluate model provenance, including checkpoint and dataset origins
• How to test for common signs of poisoning or backdoors in reused models
• What kinds of transfer learning workflows are more or less susceptible to inherited attacks
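
One way to put the provenance check above into practice, as an added example that is not part of the session or its materials: the script below (Python; the record layout and file names are hypothetical and the files are constructed stand-ins, not real checkpoints) binds each checkpoint to the dataset it was trained on and to the digest of its parent model's record, so that a modified upstream checkpoint or a broken lineage link is flagged before the model is reused.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def record_digest(record: dict) -> str:
    # Canonical JSON so the digest does not depend on key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def lineage_record(checkpoint: Path, dataset: Path, parent: "dict | None" = None) -> dict:
    """One step: bind a checkpoint to its dataset and to the record it was trained from."""
    return {"checkpoint": checkpoint.name, "checkpoint_sha256": sha256_file(checkpoint),
            "dataset": dataset.name, "dataset_sha256": sha256_file(dataset),
            "parent_sha256": record_digest(parent) if parent else None}

def verify_chain(chain: list, files: dict) -> list:
    """Return findings; empty means every artifact matches its record and each link holds."""
    findings, prev = [], None
    for i, rec in enumerate(chain):
        if rec["parent_sha256"] != prev:
            findings.append(f"step {i}: parent link does not match the previous record")
        for kind in ("checkpoint", "dataset"):
            path = files.get(rec[kind])
            if path is None or sha256_file(path) != rec[f"{kind}_sha256"]:
                findings.append(f"step {i}: {kind} {rec[kind]} missing or modified")
        prev = record_digest(rec)  # the next step must point at this exact record
    return findings

def demo() -> tuple:
    """Two-step chain from constructed files: verify clean, then after the base is altered."""
    with tempfile.TemporaryDirectory() as d:
        names = ("base.bin", "pretrain.jsonl", "tuned.bin", "custom.jsonl")
        files = {n: Path(d, n) for n in names}
        for name, path in files.items():
            path.write_bytes(f"constructed {name}".encode())  # stand-ins, not real artifacts
        base = lineage_record(files["base.bin"], files["pretrain.jsonl"])
        tuned = lineage_record(files["tuned.bin"], files["custom.jsonl"], base)
        clean = verify_chain([base, tuned], files)
        files["base.bin"].write_bytes(b"constructed base.bin, altered upstream")
        return clean, verify_chain([base, tuned], files)
```

Because each record carries the digest of its parent record, an attacker who swaps the base checkpoint also has to rewrite every downstream record, which is why the manifest should be stored and signed separately from the model files it describes.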
By the end of the session, participants will understand how transferable threats undermine AI reliability, why conventional model testing is often insufficient, and how to defend AI systems by securing their upstream dependencies.