CertifiedData.io


Model Artifact Certification

Tamper-evident proof for AI model weights, checkpoints, and versions. A model artifact certificate proves what was deployed, when it was certified, and that the weights have not changed since.

Model provenance is not just about lineage — it is about accountability. When a model produces a harmful output, the first question is: what version was deployed, and what data trained it? Model artifact certification makes both answers independently verifiable.

What model artifacts can be certified

Model weights

The serialized parameter files produced after training — .pt, .bin, .safetensors, or equivalent. The fingerprint proves the exact weight state at publication time.

Checkpoints

Intermediate weight snapshots captured during training. Certification proves which checkpoint was selected for deployment, and that it has not changed since that selection.

ONNX exports

Cross-framework model exports. Certification of the ONNX file proves the exported version is identical to the certified source weights.

Model cards

Model documentation files. Certifying the model card alongside the weights proves that the documented limitations and capabilities were accurate at publication time.

Quantized models

Compressed or quantized versions of a model. The certificate distinguishes the quantized version from the full-precision original — different files, different certificates.

Adapter layers

LoRA adapters, PEFT modules, and fine-tuning additions. Certifying adapters separately from the base model creates a clear provenance chain from base model to fine-tuned variant.

Model version certificate chain

The parent_certificate_id and training_data_certificate_id fields create an auditable chain from base model through fine-tuned variants back to the certified training data.

{
  "base_model": {
    "certificate_id": "cert_base_01j9k...",
    "model_id": "internal-credit-model",
    "version": "1.0.0",
    "weights_hash": "sha256:a3f9b2e1..."
  },
  "fine_tuned_variant": {
    "certificate_id": "cert_ft_01j9k...",
    "model_id": "internal-credit-model",
    "version": "1.2.3",
    "weights_hash": "sha256:d4e8c7f2...",
    "parent_certificate_id": "cert_base_01j9k...",
    "training_data_certificate_id": "cert_td_01j9k...",
    "signature": "ed25519:MEYCIQDx..."
  }
}

Any auditor can start at the deployed version's certificate and follow the chain: fine-tuned weights → base model → training dataset. Each link is independently verifiable.

Certification process for model artifacts

01. Compute SHA-256 hash locally

For large model files, compute the SHA-256 hash of the weights file in your environment. CertifiedData never needs to receive the full model — only the hash and metadata.

02. Submit hash and metadata to /certify

POST the hash, model name, version, and any parent or training-data certificate IDs. The API accepts this without requiring the full file upload for large artifacts.

03. Certificate issued and signed

CertifiedData creates a structured certificate containing your metadata and the hash, signs it with Ed25519, and assigns a certificate_id.

04. Store certificate_id in your model registry

Record the certificate_id alongside the model artifact in your registry or deployment system. This creates the verifiable link between the certificate and the deployed model.

05. Verify at any point in the future

Any party can verify by recomputing the SHA-256 hash of the weights file, comparing it to the hash in the certificate, and validating the Ed25519 signature. If the weights match, the model is unchanged since certification.
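The hash check from step 05 and the chain walk described under "Model version certificate chain", as an added example that is not CertifiedData code. The in-memory `store`, the `cert_*_demo` IDs, and the file contents are constructed assumptions. Ed25519 validation is left out because the page does not give the issuer's public key or the signed payload format.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-GB weights never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return "sha256:" + digest.hexdigest()

def weights_match(cert, path):
    """Compare the recomputed hash with the certificate's weights_hash."""
    return hmac.compare_digest(sha256_file(path), cert["weights_hash"])

def walk_chain(cert_id, store):
    """Follow parent_certificate_id from the deployed certificate to the base.

    Returns (model_chain, training_data_ids). A missing link or a cycle raises,
    since either one means the chain cannot be audited end to end.
    """
    chain, data_ids, seen = [], [], set()
    while cert_id is not None:
        if cert_id in seen:
            raise ValueError(f"cycle at {cert_id}")
        if cert_id not in store:
            raise KeyError(f"missing certificate {cert_id}")
        seen.add(cert_id)
        cert = store[cert_id]
        chain.append(cert_id)
        if cert.get("training_data_certificate_id") is not None:
            data_ids.append(cert["training_data_certificate_id"])
        cert_id = cert.get("parent_certificate_id")
    return chain, data_ids

def demo():
    """Constructed sample: fine-tuned cert chained to base and training data."""
    with tempfile.TemporaryDirectory() as tmp:
        ft = Path(tmp) / "ft.safetensors"
        ft.write_bytes(b"constructed fine-tuned weights")
        base_hash = "sha256:" + hashlib.sha256(b"constructed base").hexdigest()
        store = {"cert_base_demo": {"weights_hash": base_hash},
                 "cert_ft_demo": {"weights_hash": sha256_file(ft),
                                  "parent_certificate_id": "cert_base_demo",
                                  "training_data_certificate_id": "cert_td_demo"}}
        before = weights_match(store["cert_ft_demo"], ft)
        ft.write_bytes(ft.read_bytes() + b"\x00")  # one byte appended after certification
        after = weights_match(store["cert_ft_demo"], ft)
        return before, after, walk_chain("cert_ft_demo", store)
```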

Regulatory compliance mapping

EU AI Act — Article 9 (Risk Management)

Requirement: Providers must implement a risk management system that covers the entire lifecycle of the AI system, including the model components.

How certification satisfies it: A model artifact certificate creates a verifiable checkpoint in the lifecycle. Compliance evidence includes the certificate_id, the timestamp, and the link to the training data certificate — making the model state auditable at any future point.

EU AI Act — Article 11 (Technical Documentation)

Requirement: Providers of high-risk AI systems must draw up technical documentation before placing the system on the market. This must include a description of the technical means used.

How certification satisfies it: The model artifact certificate is machine-verifiable technical documentation. It proves the model version, the weights state, and the certified training data that produced it — all in a format that any regulator can independently verify.

EU AI Act — Article 17 (Quality Management)

Requirement: Quality management systems must address the design, development, and deployment of AI systems, including documentation of model versions.

How certification satisfies it: Certifying model artifacts at each version creates an immutable version history. The certificate_id in each release can be referenced by CI/CD pipelines and deployment manifests — creating a verifiable model release ledger.

Frequently asked questions

What is a model artifact certificate?

A model artifact certificate is a signed, structured record proving the exact state of a model file at a specific point in time. It contains a SHA-256 fingerprint of the model file bytes, an Ed25519 signature, and metadata including model name, version, and a reference to the certified training dataset if applicable.

Can I certify a model that was not trained on CertifiedData synthetic data?

Yes. The /certify endpoint accepts any file — including model weights from external training runs. The certificate proves the model file's state at the time of certification, not the origin of the training data. If the training data was also certified, you can include the training_data_certificate_id in the model artifact certificate to create a provenance chain.

How does model artifact certification support a CI/CD pipeline?

You can call the CertifiedData API from your model release pipeline after training completes. The certificate_id returned can be stored in your model registry alongside the artifact. Any deployment that references the certificate_id can verify the weights have not changed since the CI/CD run completed.

Can I certify multiple versions of the same model?

Yes. Each version produces a separate certificate with a unique certificate_id. The parent_certificate_id field allows you to chain versions together — creating an auditable version history where each version is independently verifiable.

How large a model file can be certified?

The certification process hashes the file rather than uploading it in its entirety to CertifiedData's servers. For large model files (multi-GB), you compute the SHA-256 hash locally and submit the hash along with metadata. The certificate is issued against your locally computed hash, so CertifiedData never needs to receive the full model file.

Dataset Certification · Tamper-evident provenance

Your dataset, cryptographically certified.

CertifiedData issues SHA-256 fingerprints and Ed25519-signed certificates that prove your dataset's synthetic origin, generation method, and integrity. Anyone can verify — no account, no vendor contact.

  1. Upload or point to your dataset
     Drag-and-drop or API. Supports CSV, JSON, Parquet.
  2. Receive a signed certificate
     SHA-256 hash + Ed25519 signature. Immutable record.
  3. Share a verifiable proof link
     Anyone can verify at /verify — no account required.