Gorkem Ercan explores the critical gap in ML supply chain security, showing how production ML systems deploy unverified models from Hugging Face with zero attestation. Learn practical approaches to implementing signing, verification, and provenance tracking for ML artifacts using existing tools like OCI registries, Sigstore, and admission controllers.
Production ML systems run models from Hugging Face with zero verification. No signatures. No attestations. No provenance. Just curl, train, deploy. This is normal.
Containers went through this. From 2014 to 2018, everyone pulled FROM ubuntu:latest and hoped for the best. Supply chain attacks forced signing and verification. It took years and breaches.
We don't have to repeat it. OCI registries handle model artifacts. Sigstore signs them. Admission controllers enforce policies. The tools exist.
The workflow: package models as ModelKits, sign with Cosign, store attestations, enforce verification with admission controllers. We'll vibe the code and the YAML.
The friction is real. Teams experiment without signing checkpoints. Fine-tuned model provenance is messy. 40GB artifacts have performance costs. I'll show when to require signatures, how to handle Hugging Face upstream, and policies that don't kill velocity.
Container security took ten years. We know the patterns. Here's how to apply them.
Event Details:
Conference: DevOpsCon Amsterdam
Date: April 20-24, 2026
Session: Wednesday, April 22, 2026, 09:30-10:15
Location: Van der Valk Hotel Amsterdam - Amstel, Amsterdam
Track: Platform Engineering Summit
Speaker: Gorkem Ercan, CTO at Jozu