T13-AT-006 (Critical)
Checkpoint Poisoning
T13 · AI Supply Chain & Artifact Trust
Severity
Risk score: 250
Rating: Critical
Procedures: 10
Mechanism
Checkpoints are the persistent artifacts of training: saved model weights, optimizer state, learning-rate schedulers, and training metadata. They are stored in cloud storage (S3, GCS), shared filesystems, or model registries, and are loaded during training resumption, evaluation, and deployment. Checkpoint poisoning targets this storage and loading infrastructure: a checkpoint altered at rest or on the load path is restored as trusted training or serving state, so the tampered weights or optimizer state propagate into every run that resumes from it.
Detection
- Out-of-band checkpoint hash storage (separate from checkpoint storage)
- Checkpoint weight comparison: statistical comparison of loaded weights against training trajectory expectations
- Optimizer state validation: verify optimizer state consistency with training history
- Storage access auditing: log all reads and writes to checkpoint storage
Mitigation
- SafeTensors for checkpoint storage (HIGH)
- Hardware-rooted checkpoint signing (TPM/HSM) (HIGH)
- Immutable checkpoint storage with access logging (MEDIUM)
- Checkpoint weight statistical validation (LOW)
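The two detection controls above that a loader can enforce on its own, an out-of-band hash check and a statistical comparison of loaded weights against the training trajectory, are shown together in the following added example. It is not code from this catalogue or from any framework; the checkpoints are constructed toy tensors stored as raw float32 blobs, the manifest is a JSON document that stands in for a record kept in a separate store (for instance one protected by the TPM/HSM signing listed under Mitigation), and the drift thresholds are illustrative, not tuned values. The example goes slightly beyond the page in that it also shows why the statistical check still matters when an attacker can rewrite the manifest alongside the checkpoint.

```python
"""Out-of-band checkpoint integrity and weight-drift check (added example)."""
import hashlib
import json
import math
import struct


# --- Constructed sample data; not from any real training run ----------------
def pack_tensor(values):
    """Serialize a list of floats as a raw little-endian float32 blob."""
    return struct.pack(f"<{len(values)}f", *values)


def unpack_tensor(blob):
    return list(struct.unpack(f"<{len(blob) // 4}f", blob))


PREV_CHECKPOINT = {  # step 1000: the last checkpoint that was verified
    "layer1.weight": pack_tensor([0.10, -0.20, 0.30, 0.05]),
    "layer1.bias": pack_tensor([0.01, 0.02]),
}
CLEAN_CHECKPOINT = {  # step 1100: honest continuation, small drift
    "layer1.weight": pack_tensor([0.11, -0.19, 0.29, 0.06]),
    "layer1.bias": pack_tensor([0.01, 0.03]),
}
POISONED_CHECKPOINT = {  # step 1100 as found on storage: one tensor overwritten
    "layer1.weight": pack_tensor([5.0, 5.0, 5.0, 5.0]),
    "layer1.bias": pack_tensor([0.01, 0.03]),
}


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def tensor_stats(blob):
    """Population mean and standard deviation of one tensor."""
    vals = unpack_tensor(blob)
    mean = sum(vals) / len(vals)
    var = sum((v - mean) ** 2 for v in vals) / len(vals)
    return mean, math.sqrt(var)


def build_manifest(step, tensors):
    """Record written at save time and kept OUT-OF-BAND: digest + stats per tensor."""
    entries = {}
    for name, blob in tensors.items():
        mean, std = tensor_stats(blob)
        entries[name] = {"sha256": sha256_hex(blob), "mean": mean,
                         "std": std, "numel": len(blob) // 4}
    return {"step": step, "tensors": entries}


# JSON round trip stands in for fetching the manifest from a separate store.
STEP_1000_MANIFEST = json.loads(json.dumps(build_manifest(1000, PREV_CHECKPOINT)))
STEP_1100_MANIFEST = json.loads(json.dumps(build_manifest(1100, CLEAN_CHECKPOINT)))


def check_hashes(tensors, manifest):
    """Compare every tensor digest against the out-of-band manifest."""
    findings = []
    expected = manifest["tensors"]
    for name in sorted(set(expected) | set(tensors)):
        if name not in tensors:
            findings.append(f"missing tensor {name}")
        elif name not in expected:
            findings.append(f"unexpected tensor {name}")
        elif sha256_hex(tensors[name]) != expected[name]["sha256"]:
            findings.append(f"digest mismatch for {name}")
    return findings


def check_drift(tensors, prev_manifest, max_mean_shift=3.0, max_std_ratio=3.0):
    """Trajectory check against the previous verified checkpoint: a tensor's
    mean should not jump by more than max_mean_shift previous-stds, and its
    std should stay within a factor of max_std_ratio (illustrative thresholds)."""
    findings = []
    for name, blob in tensors.items():
        prev = prev_manifest["tensors"].get(name)
        if prev is None:
            findings.append(f"no trajectory history for {name}")
            continue
        if len(blob) // 4 != prev["numel"]:
            findings.append(f"shape change for {name}")
            continue
        mean, std = tensor_stats(blob)
        scale = prev["std"] or 1e-6
        if abs(mean - prev["mean"]) > max_mean_shift * scale:
            findings.append(f"mean shift for {name}: {prev['mean']:.3f} -> {mean:.3f}")
        ratio = (std + 1e-6) / (prev["std"] + 1e-6)
        if ratio > max_std_ratio or ratio < 1 / max_std_ratio:
            findings.append(f"std ratio {ratio:.2g} for {name}")
    return findings


def verify_checkpoint(tensors, manifest, prev_manifest=None):
    """Return a list of findings; an empty list means the checkpoint is clean."""
    findings = check_hashes(tensors, manifest)
    if prev_manifest is not None:
        findings += check_drift(tensors, prev_manifest)
    return findings


if __name__ == "__main__":
    print("clean:", verify_checkpoint(CLEAN_CHECKPOINT, STEP_1100_MANIFEST, STEP_1000_MANIFEST))
    print("poisoned:", verify_checkpoint(POISONED_CHECKPOINT, STEP_1100_MANIFEST, STEP_1000_MANIFEST))
    # Manifest rewritten together with the checkpoint: hashes pass, drift still fires.
    forged = build_manifest(1100, POISONED_CHECKPOINT)
    print("forged manifest:", verify_checkpoint(POISONED_CHECKPOINT, forged, STEP_1000_MANIFEST))
```

The hash check is the primary control and only works if the manifest really is stored and written separately from the checkpoint bucket, which is why the page rates the statistical check LOW on its own: in the last scenario the manifest was regenerated from the poisoned file and every digest matches, and only the comparison against the step-1000 statistics reports the jump. In a real loader the per-tensor stats would come from the framework's tensors rather than raw blobs, and the thresholds would be set from the observed step-to-step variation of the run.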
Chaining
Checkpoint poisoning chains to T6-AT-008 (Model Update Hijacking) as the storage-layer variant of model compromise. Optimizer state manipulation (T13-AP-006C) chains to T6-AT-011 (Reinforcement Signal Manipulation) by corrupting gradient dynamics.