Poison one weight. We name it.
Models get pulled from public hubs, fine-tuned, and passed between teams. A single altered weight can backdoor a model — and a checksum on the whole file only tells you something changed. AT-1 fingerprints every weight tensor, so it names the exact one.
Live: one poisoned weight in a 66-million-parameter model
$ at1 model-zoo scan sealed.at1zoo suspect.safetensors
scan: is 'suspect.safetensors' the sealed 'distilbert-base-uncased'?
✗ NOT THE CERTIFIED MODEL — 1 tensor altered, 0 missing, 0 added.
TAMPERED weight: distilbert.transformer.layer.3.attention.q_lin.weight
$ at1 model-zoo scan sealed.at1zoo original.safetensors
✓ CERTIFIED — all 105 weight tensors byte-exact to the sealed original.

We flipped a single floating-point number inside one attention matrix. The scan named the exact tensor — layer 3 · attention · q_lin — and confirmed the untouched original is byte-for-byte the certified model (all 105 tensors).
When you store a model in AT-1, every weight tensor gets its own fingerprint, alongside a whole-model integrity seal.
Point scan at a suspect model. It compares each tensor's fingerprint to the sealed original and reports the exact differences.
The certified model isn't just checked — it's stored byte-exact and addressable, so you can reconstruct and run it with proof it's untouched.
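The three steps above, as an added illustration that is not AT-1's own code: a safetensors file is an 8-byte little-endian header length, a JSON header with each tensor's dtype, shape and byte offsets, and then one flat byte buffer, so a per-tensor fingerprint can be taken over each tensor's own byte range without loading the model. The example assumes SHA-256 over each tensor's raw bytes plus a SHA-256 over the whole file as the seal (AT-1's actual fingerprint scheme is not stated on the page), builds a constructed three-tensor model in memory, flips one float32 inside one attention matrix, and reports altered, missing and added tensors by name.

```python
import hashlib
import json
import struct

# --- constructed sample model in safetensors layout (not a real checkpoint) ---

def f32(values):
    """Pack a list of Python floats as little-endian float32 bytes."""
    return struct.pack(f"<{len(values)}f", *values)

SAMPLE_TENSORS = {
    "transformer.layer.0.attention.q_lin.weight": ("F32", [2, 2], f32([0.10, 0.20, 0.30, 0.40])),
    "transformer.layer.0.attention.q_lin.bias":   ("F32", [2],    f32([0.00, 0.00])),
    "transformer.layer.1.attention.q_lin.weight": ("F32", [2, 2], f32([0.50, 0.60, 0.70, 0.80])),
}

def build_safetensors(tensors):
    """Serialize name -> (dtype, shape, raw bytes) in safetensors layout:
    8-byte little-endian header length, JSON header, then the byte buffer.
    data_offsets are relative to the start of the byte buffer."""
    header, data = {}, bytearray()
    for name, (dtype, shape, raw) in tensors.items():
        start = len(data)
        data += raw
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [start, len(data)]}
    hjson = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hjson)) + hjson + bytes(data)

def parse_header(blob):
    """Return (header dict, offset where the byte buffer starts)."""
    (hlen,) = struct.unpack("<Q", blob[:8])
    return json.loads(blob[8:8 + hlen]), 8 + hlen

# --- sealing: one fingerprint per tensor plus a whole-model hash (assumed scheme) ---

def tensor_fingerprints(blob):
    """SHA-256 of each tensor's raw byte range, keyed by tensor name."""
    header, base = parse_header(blob)
    fps = {}
    for name, meta in header.items():
        if name == "__metadata__":          # optional free-form metadata, not a tensor
            continue
        start, end = meta["data_offsets"]
        fps[name] = hashlib.sha256(blob[base + start:base + end]).hexdigest()
    return fps

def seal(blob):
    """The sealed record: whole-file hash plus a fingerprint for every tensor."""
    return {"model": hashlib.sha256(blob).hexdigest(), "tensors": tensor_fingerprints(blob)}

def scan(seal_doc, blob):
    """Compare a suspect file against a seal and name every differing tensor."""
    sealed, found = seal_doc["tensors"], tensor_fingerprints(blob)
    altered = sorted(n for n in sealed if n in found and found[n] != sealed[n])
    missing = sorted(n for n in sealed if n not in found)
    added = sorted(n for n in found if n not in sealed)
    whole_ok = hashlib.sha256(blob).hexdigest() == seal_doc["model"]
    return {
        "certified": whole_ok and not (altered or missing or added),
        "checked": len(sealed),
        "altered": altered, "missing": missing, "added": added,
    }

# --- the page's experiment: flip one float32 inside one attention matrix ---

def flip_one_weight(blob, name, index, new_value):
    """Return a copy of blob with element `index` of float32 tensor `name` replaced."""
    header, base = parse_header(blob)
    start, _ = header[name]["data_offsets"]
    pos = base + start + 4 * index
    return blob[:pos] + struct.pack("<f", new_value) + blob[pos + 4:]

ORIGINAL = build_safetensors(SAMPLE_TENSORS)
SEAL = seal(ORIGINAL)
TAMPERED = flip_one_weight(ORIGINAL, "transformer.layer.1.attention.q_lin.weight", 3, 0.81)

def report(seal_doc, blob):
    """Human-readable verdict in the same shape as the page's scan output."""
    r = scan(seal_doc, blob)
    if r["certified"]:
        return f"CERTIFIED - all {r['checked']} weight tensors byte-exact to the sealed original."
    lines = [f"NOT THE CERTIFIED MODEL - {len(r['altered'])} tensor(s) altered, "
             f"{len(r['missing'])} missing, {len(r['added'])} added."]
    lines += [f"TAMPERED weight: {n}" for n in r["altered"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SEAL, TAMPERED))
    print(report(SEAL, ORIGINAL))
```

The whole-file hash alone would only say that something changed; the per-tensor table is what turns that into a name. Because each fingerprint covers a tensor's own byte range, the same seal also reports a tensor that was dropped or one that was appended, which a single checksum cannot distinguish from an edit.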
Provenance you can prove, not just hope for
The same sealing that catches tampering also stores a base model once and every fine-tune or checkpoint as a verified, addressable delta — so an entire model history is auditable, reproducible, and tamper-evident in one place. The integrity check is the supply-chain story; the storage is the model-zoo story.