Papers
Topics
Authors
Recent
Search
2000 character limit reached

Which Models Are Our Models Built On? Auditing Invisible Dependencies in Modern LLMs

Published 10 Jun 2026 in cs.CL | (2606.12385v1)

Abstract: Modern LLM training pipelines increasingly rely on other models to generate data, filter corpora, judge outputs, and guide development decisions. These dependencies are recursive: a model may depend on an upstream artifact whose own dependencies are documented only in separate releases and artifacts. As a result, the full dependency structure is fragmented across heterogeneous public artifacts, with complexity and recursive depth far outpacing humans' ability to trace. We introduce ModSleuth, an agentic system that recursively reconstructs LLM dependency graphs from public artifacts with source-grounded evidence. We find that the primary challenge is no longer information extraction, but defining what constitutes a dependency and reconciling artifact references across inconsistent documentation. We address these challenges through a formalization that distinguishes direct and indirect dependencies, represents heterogeneous pipeline roles through operation-centered relationships, and resolves artifact identities across names, versions, and repositories. Applying ModSleuth to four public-artifact-rich LLM releases, we recover 1,060 source-verified dependencies and construct large-scale dependency graphs of modern LLM development. These graphs reveal multi-hop license obligations, train-evaluation coupling, discrepancies between released and training-time artifacts, and documentation inconsistencies that would otherwise be difficult to uncover. We release ModSleuth and the resulting dependency graphs to support transparent analysis of the increasingly complex ecosystems underlying modern LLMs.

Summary

  • The paper introduces ModSleuth, a novel system that audits LLMs by recursively tracing direct and indirect dependencies from diverse public artifacts.
  • It formalizes dependency relationships using an identity lattice and an operation-centered approach to capture multi-hop interconnections in LLM pipelines.
  • Quantitative evaluation reveals over 1,060 verified dependencies and highlights risks such as license propagation, contamination, and structural biases.

Auditing Invisible Dependencies in Modern LLMs: The ModSleuth System

Introduction and Context

The landscape of LLM development has rapidly evolved from straightforward web-scale pretraining and curated human annotation to intricate, multi-stage pipelines. These pipelines are now characterized by pervasive and recursive utilization of upstream models—not only for weight initialization, but for data generation, rewriting, filtering, evaluation, synthetic supervision, and meta-evaluation tasks. As a result, contemporary LLMs are not built in isolation; rather, they are now deeply embedded in a tangled ecosystem of models, datasets, and iterative processes. This paradigm shift introduces pressing concerns around provenance, license and terms-of-use compliance, contamination, evaluation-leakage, and broader governance challenges.

Despite their prevalence, these dependencies are often obscure, fragmented across varying public artifacts such as model cards, code repositories, technical reports, and dataset cards. Existing documentation and audit mechanisms (e.g., model/datasheets, ecosystem maps, parameter lineage inference) remain insufficiently expressive and often too “flat” to capture the multi-hop, operation-specific, and ambiguous nature of modern dependency relationships.

ModSleuth: Formalizing and Auditing Model Dependencies

Defining Recursive Dependency Tracing

ModSleuth addresses the core challenge of reconstructing LLM dependency graphs grounded in public evidence. At its foundation, it introduces rigorous formalisms to delineate and classify dependencies:

  • Direct dependencies: Upstream artifacts that materially affect a target model’s weights or training data (e.g., through initialization, synthetic data generation, OCR, filtering). These are recursively defined—a direct dependency of a direct dependency is also classified as such.
  • Indirect dependencies: Artifacts that inform development but do not directly impact training, such as evaluation judges, ablation variants, or explicit methodological adoptions.

Crucially, ModSleuth goes beyond the restrictive taxonomies of prior work by introducing operation-centered relationships and an open-vocabulary policy for operation types, preserving the fine-grained and unique character of real-world pipelines.

Artifact identities are managed via an identity lattice data structure, which supports resolution at varying levels of specificity (e.g., model family, checkpoint, stage). This design is essential due to inconsistent references across public sources and the frequent ambiguity of artifact names in code, docs, and cards.

ModSleuth System Architecture and Pipeline

ModSleuth operationalizes its approach via an agentic, staged pipeline leveraging contemporary agent systems (notably Claude Code):

  1. Source Gathering: Collects all official public artifacts relevant to a target model—including technical reports, model/data cards, code repositories, and release blogs—forming the initial evidence set.
  2. Entity Discovery and Resolution: Extracts mentions of upstream artifacts and resolves them into the identity lattice, capturing both specificity and residual ambiguity.
  3. Dependency Construction and Reconciliation: Parses and maps dependencies as evidence-grounded edges, representing structured operations and merging or flagging inconsistent relationships across sources.
  4. Recursive Expansion: Traces newly found upstream artifacts in the same manner, supporting BFS, DFS, or beam expansion modes, thereby recovering transitive multi-hop dependencies and building a unified, entity-resolved dependency graph. Figure 1

    Figure 1: The ModSleuth pipeline extracts, resolves, and recursively traces dependencies from heterogeneous public artifacts to construct a unified, evidence-backed graph.

Quantitative Evaluation and Outcomes

The effectiveness of ModSleuth is evaluated against automated baselines including iterative prompting of GPT-5.4/5.5 Pro, Claude Code (single prompt), and ChatGPT Deep Research. Using four LLM releases with rich public documentation (Olmo 3, Nemotron 3 Super, DR Tulu, SmolLM3), the system’s recovery is assessed in three scopes: direct (depth-1), unbounded recursive, and BFS reachability.

Key findings include:

  • ModSleuth produces markedly more verified dependencies compared to all baselines—over 1,060 verified relationships in unbounded mode, versus a maximum of 314 recovered with any baseline agent (see main text).
  • Depth of recursion: Maximum observed dependency-chain depth reaches eight hops, indicating substantial transitive complexity.
  • Scale: The global graph constructed from four targets includes 2,526 artifacts, 9,112 edges, and over 36,000 supporting evidence anchors.
  • Role Type Breakdown: Direct dependencies (e.g., synthetic data generation, filtering, transformations) account for 72%, whereas indirect dependencies (evaluation, methodology) comprise 28%.
  • Ecosystem Interconnectivity: For each model analyzed, over 75% of dependencies traced to external organizations, underlining the extent of cross-organizational entanglement.

Qualitative Audit Findings

By querying and analyzing the dependency graph, ModSleuth surfaces a range of audit findings that are otherwise inaccessible:

  • Multi-hop hidden dependencies: Upstream models often exert influence via intermediate datasets, teacher models, or filters invisible to manual audit or standard reporting. For instance, DR Tulu’s SFT traces back through ScholarQA to Claude Sonnet 3.7; SmolLM3’s FineMath is indirectly shaped by Llama-licensed artifacts. Figure 2

    Figure 2: Examples of complex multi-hop dependencies ModSleuth uncovers: SFT on DR Tulu depends recursively on Claude Sonnet; SmolLM3’s FineMath data pipeline traces to Llama artifacts; Olmo 3 both trains and evaluates on IFEval-derived data, with Qwen3 32B mediating both generation and evaluation.

  • Structural train/eval coupling: Benchmark datasets feature both as training sources and evaluation targets, raising contamination and circularity concerns. For example, Olmo 3 leverages IFEval as both a data constraint source and benchmark.
  • License pathway risks: Multi-hop synthetic data pipelines can silently propagate restrictive license terms (such as the Llama license prohibiting improvement of non-Meta models), which are not discoverable by inspecting released model licenses alone.
  • Model-mediated data selection: Generator, filter, and judge roles are disproportionately concentrated in a small set of foundation models (notably Qwen, Llama, and GPT), whose synthetic outputs substantially steer the training content and evaluation pipelines of downstream releases.
  • Code-level provenance and documentation: Many dependencies are only visible via config files, data-prep scripts, or YAMLs, revealing non-obvious influences and highlighting limitations in current documentation practices.
  • Compliance and hygiene strategies: Examples identified include deliberate use of more permissive teachers in data generation, explicit filtering to avoid contaminating training data with evaluation benchmarks, and fine-grained decontamination documented in code rather than cards.

Implications and Future Directions

This work implies that programmatic, evidence-grounded auditing is now essential for transparency in LLM provenance. The findings underscore the inadequacy of “flat” documentation schemas and parameter-based ancestry inference for capturing the modern recursion and operational diversity of LLM pipelines.

Practical Implications:

  • Model and dataset licenses, contamination risk, and provenance must be interpreted recursively—moving beyond surface-level inspection to multi-hop, operation-resolved graph tracing.
  • Synthetic data and model-based evaluation are vehicles for structural bias, potential license violations, and unintentional “model collapse,” especially when upstream dependencies become dominant or cyclic.

Theoretical Implications and Future Development:

  • Future governance, dataset curation, and model release processes will require machine-understandable, graph-centric disclosure and audit schemas.
  • Fully tracing “true” (as opposed to reported) dependencies demands new research in behavioral inference, black-box testing, and potential access to internal data previously considered non-public.
  • The ecosystem-level dominance of certain foundation model families in judge and generator roles signals both a consolidation of influence and a potential monoculture risk.

Conclusion

ModSleuth formalizes recursive LLM dependency tracing as a new audit task, providing the first scalable, agentic system capable of constructing evidence-backed, multi-hop dependency graphs from heterogeneous public artifacts. By operationalizing rigorous definitions of direct and indirect dependencies, operation-centered relationship modeling, and identity resolution, ModSleuth enables structured, query-driven audit and surfaces systemic risks hitherto inaccessible to manual or single-artifact methods. The results suggest that auditing and transparency mechanisms must evolve rapidly to keep pace with the accelerating complexity and recursion of the LLM ecosystem, and that explicit graph-centric disclosure will soon be essential for regulatory, scientific, and operational trust in foundation models.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Explain it Like I'm 14

Overview: What this paper is about

This paper is about making “family trees” for modern AI models. Today’s LLMs aren’t built only from raw human-written text. They also rely on other models to create data, clean it, judge answers, and guide decisions. That means one model often depends on many others—sometimes several steps upstream. The problem: these connections are scattered across papers, model cards, code, and dataset pages, and they’re hard for people to trace by hand.

The authors built a tool called ModSleuth that acts like a careful detective. It reads public sources, collects evidence, and builds a map (a dependency graph) showing which models and datasets influenced a target model, and how.

Goals: What the researchers wanted to find out

They set out to answer a few simple questions:

  • What should “dependency” mean for AI models? Is it only when one model’s weights come from another, or also when a model generates training data, filters it, or judges it?
  • How can we describe the many different ways one model affects another (like generating, filtering, evaluating)?
  • How can we match messy, inconsistent names across papers, code, and model hubs to the same real artifact?
  • If we build an automated system to collect and connect all this public information, how much of the true dependency map can we recover, and what useful patterns can we uncover?

Approach: How ModSleuth works (in everyday terms)

Think of ModSleuth as a well-trained research assistant that:

  1. Collects sources It gathers official public materials about a model: technical reports, model cards, dataset cards, code repos, and release notes. It sticks to official sources so it doesn’t spread rumors.
  2. Finds and matches names Different sources might say “Olmo 3 32B,” “Olmo-3-32B-Think,” or a specific repo link. These could be the same thing at different detail levels. ModSleuth uses an “identity ladder” (you can think of this like zooming from “iPhone” to “iPhone 14 Pro, 256GB, purple”) so it can store what it knows—even when the exact version isn’t clear—and refine it when it finds better evidence.
  3. Decides what counts as a dependency
  • Direct dependencies: things that actually shape the model’s training or weights. Examples: a base checkpoint you start from, an OCR tool that turns PDFs into text for training, or a generator model that creates training examples.
  • Indirect dependencies: things that influence choices but don’t go into the weights. Examples: evaluator models used to pick the best method, or ablations that guide design decisions.
  1. Records how each dependency was used Not all dependencies are the same. ModSleuth stores “operations” describing the role: generated_by, filtered_by, rewritten_by, evaluated_by, trained_from, etc., plus a short, plain-language explanation and a link to the source lines as evidence.
  2. Repeats the process upstream It doesn’t stop at one step. If it finds the target model used a dataset created by another model, it follows that model’s and dataset’s sources too—recursively—building a multi-hop map.
  3. Verifies the claims Every edge in the graph must be backed by text/citations from public sources. The team then used another model to help double-check evidence links and count only “verified” dependencies in their results.

Analogy: ModSleuth is like assembling a big puzzle from many instruction manuals, GitHub READMEs, and product labels, carefully labeling each piece, and showing the full chain of “who influenced whom.”

Main findings: What they discovered and why it matters

They applied ModSleuth to four LLM releases with rich public materials (Olmo 3, Nemotron-3 Super, DR Tulu, and SmolLM3).

Key results:

  • Scale: They recovered 1,060 verified dependencies (and 1,654 when counting the broader reachable graph). That’s far more than simpler, one-shot AI baselines could find.
  • Depth and variety: Dependencies aren’t just “we fine-tuned from X.” Many come from upstream models that generated, filtered, or judged data—often several steps back.
  • External reliance: 75–82% of dependencies came from outside the releasing organization, showing how interconnected the ecosystem is.
  • Direct vs. indirect: Most verified edges were direct (affecting weights or training data), but many were indirect (evaluation and method influences) and still important.

Why this matters:

  • Hidden chains: The tool surfaces multi-hop chains that people usually miss. That can uncover licensing obligations, test contamination risks, or evaluation biases.
  • Train–eval coupling: Some benchmarks show up both in training pipelines (in modified forms) and as evaluation targets. Even when not “leakage,” this can blur what scores really mean.
  • License paths: Even if a final dataset has a friendly label, its pipeline may include outputs from models with stricter terms. These details can matter for what’s allowed.
  • Model-mediated selection: Judges, reward models, and filters often steer which data “makes the cut.” That means their preferences heavily shape the final model’s behavior.

Here are a few concrete, simplified examples the system surfaced:

  • DR Tulu’s training data indirectly involved Claude via a dataset (ScholarQA) it relied on. This wasn’t obvious without following multiple links.
  • SmolLM3 used FineMath data filtered by a classifier trained on labels generated by Llama 3. So Llama influenced which math data was kept, even though “Llama” might not appear on SmolLM3’s card as an upstream model.
  • Olmo 3 used a Qwen model as a judge for reinforcement learning data without ground-truth answers, meaning Qwen’s preferences can shape which examples are rewarded.
  • Some benchmarks (like GSM8K, MMLU, IFEval, SWE-bench Verified) show up on both sides: they influence training data in some way and are also used to evaluate final performance, which can complicate fairness and trust in results.

Implications: What this means for the future

  • Better transparency: ModSleuth turns scattered notes into a single, navigable map. That helps users, researchers, and reviewers see what really went into a model.
  • Licensing and compliance: Multi-hop chains matter. Knowing where data and judgments came from can help teams honor licenses and terms-of-use, and avoid “surprise” constraints later.
  • Fairer evaluation: If training and testing are entangled, results can be too optimistic. Tracing dependencies can prompt cleaner evaluation practices and decontamination.
  • Safer development: Seeing which judge models, filters, and generators drive data selection can reveal bias risks and motivate more diverse, robust pipelines.
  • Standards and governance: These graphs could become part of model documentation standards, making audits and policy checks easier.

Limitations and next steps:

  • The tool only traces what’s publicly reported, so its maps are a lower bound—there may be more hidden links.
  • Future work could combine public evidence with new techniques for detecting undeclared links, and push for clearer, unified reporting formats so tracing becomes easier for everyone.

In short, the paper shows that today’s AI models are built on complex, layered influence networks—and provides a practical way to see and reason about them.

Knowledge Gaps

Knowledge gaps, limitations, and open questions

Below is a concise, actionable list of what remains missing, uncertain, or unexplored in the paper’s approach, evaluation, and implications. These items are intended to guide follow-up research and tooling.

  • Declared-only scope: The system intentionally limits itself to officially disclosed artifacts, producing a lower bound on true dependencies; methods to infer undocumented or suppressed dependencies (e.g., via weight/behavioral provenance, watermarking, or content-trace signals) are not integrated.
  • Lack of confidence scoring: Edges are “verified” or not, but there is no calibrated confidence score per edge or operation, nor a principled way to aggregate uncertainty across multi-hop chains.
  • No strength/impact quantification: The framework distinguishes direct vs. indirect dependencies, but does not estimate the strength or material impact of each dependency on downstream weights, behavior, or evaluations.
  • Subjective boundary of “indirect” influence: The criteria for when evaluation, ablations, or “inspiration” materially influence development remain partly subjective; no codebook or inter-annotator agreement is reported.
  • Open-vocabulary operations without ontology: Free-form role descriptions aid flexibility, but hinder comparability and automated analysis; no standardized, extensible ontology (or mapping to an existing one) is provided to normalize operation types.
  • Identity resolution accuracy unmeasured: The identity lattice resolves ambiguous references, but there is no benchmark or error analysis quantifying resolution accuracy, collision rates, or failure modes (e.g., family-level vs. checkpoint-level mislinks).
  • Limited registry coverage: Resolution appears optimized for Hugging Face; generality to other registries (e.g., ModelScope, GitHub-only releases, academic mirrors) and closed API models with opaque versioning remains untested.
  • Temporal/version uncertainty: The system does not track time-aware identities (which upstream version existed at training time) or detect temporal inconsistencies (e.g., citing versions released after training).
  • Scalability and cost not characterized: There is no reporting of computational cost, wall-clock time, API spend, or carbon footprint for recursive expansion at depth; scaling behavior and cost/coverage trade-offs are unknown.
  • Agent reliability and ablations: Claims that extraction is “no longer the bottleneck” are not supported by ablations measuring extraction errors, hallucinations, or sensitivity to prompt/agent variations.
  • LLM-based verifier risks: The verification pipeline depends on another closed LLM; there is no human validation sample, inter-rater reliability, or error analysis for false positives/negatives in verification judgments.
  • No precision/recall metrics: Counting “verified edges” rewards volume but not quality; without gold graphs, there is no estimate of precision, recall, or coverage relative to an expert-constructed subset.
  • Conflict handling underreported: The rate and types of cross-source conflicts, resolution outcomes, and proportion requiring human intervention are not quantified; there is no taxonomy of common conflict causes.
  • Graph evolution and versioning: Procedures for incremental updates (as artifacts change), versioned snapshots, and change auditing over time are not specified.
  • Cycle detection and semantics: Cycles arising from recursive pipelines are not analyzed; how cycles are detected, represented, and interpreted (e.g., co-training loops) is unclear.
  • Bias introduced by disclosure asymmetry: Cross-model comparisons are cautioned against, but there is no normalization scheme or uncertainty-aware metric to adjust for organizations with sparse documentation.
  • Internationalization and modality gaps: Applicability to non-English artifacts and non-text modalities (speech, vision, multimodal pipelines beyond OCR) is not demonstrated or evaluated.
  • Limited testbed diversity: Only four “artifact-rich” releases are evaluated; generality to lightly documented or closed releases, and to other domains (code-only LLMs, RL agents, vision models), remains untested.
  • Operation provenance granularity: Data operations (e.g., filtering, transformation) lack standardized attribution units (rulesets, thresholds, prompts); reproducibility of these operations is not guaranteed.
  • No policy engine for license propagation: While license-relevant paths are surfaced, there is no formal semantics or automated policy engine to compute license/ToU propagation and conflicts along composite paths.
  • Contamination risk quantification absent: Train–eval couplings are identified qualitatively, but there is no measurement of contamination prevalence, leakage likelihood, or effect sizes on benchmark scores.
  • Causal attribution across chains: The framework does not allocate “credit” for influence among multi-hop contributors (e.g., Shapley-style data valuation or path-based causal attribution).
  • Security and adversarial obfuscation: The system assumes good-faith documentation; defenses against deliberate obfuscation (e.g., aliasing, redaction, misleading names) are not studied.
  • Governance and community QA: Processes for community-submitted corrections, dispute resolution, and provenance audits (e.g., cryptographic signing, source attestation) are not specified.
  • Interoperability with SBOM standards: There is no mapping to existing software/data SBOM or SPDX-like schemas to enable broader ecosystem tooling and compliance workflows.
  • Reproducibility constraints: Dependence on closed agents (Claude Code, verifier LLM) limits fully open reproducibility; open-source alternatives and sensitivity to model choice are not assessed.
  • Edge attribution policy: The BFS/unbounded attribution schemes are bespoke; the impact of edge-attribution choices on comparative metrics and conclusions is not analyzed.
  • Confidence-weighted querying: Query capabilities do not exploit uncertainty or provenance depth; there is no facility for filtering by evidence type, number of corroborating sources, or recency.
  • Human-in-the-loop design: Criteria for when to escalate to humans, required expertise, effort per conflict, and UI/tooling for efficient audit review are not characterized.
  • Ethical/legal compliance of crawling: The paper does not detail robots/ToU compliance, rate-limiting, or consent policies for scraping and re-hosting excerpts from official artifacts.
  • Downstream risk linkage: The connection between certain dependency patterns (e.g., judge reuse) and measurable harms (bias, collapse, brittleness) is hypothesized but not empirically validated.
  • Generalization to non-model artifacts: Tool, compiler, and infrastructure dependencies (e.g., tokenizers, data dedupers, retrievers, vector DBs) are unevenly represented; criteria and mechanisms to include them are unclear.
  • Standardized disclosure recommendations: The work surfaces documentation gaps but does not propose a concrete, minimal disclosure schema for model developers to reduce ambiguity at source.

Practical Applications

Immediate Applications

Below are applications that can be deployed today using the paper’s released system (ModSleuth), its formalization of dependencies, and the evidence-grounded graphs produced on real LLM releases.

  • Model/Data “SBOM” generation and CI gating — Sectors: software, finance, healthcare, education, public sector — Use cases: generate a machine-readable “software bill of materials” for AI (model/data SBOM) during releases; add a pre-merge CI check that blocks releases when upstream artifacts lack traceable evidence, have unresolved identities, or violate internal policy — Tools/workflows: ModSleuth as a GitHub Action; release checklist that requires an evidence-backed dependency graph; dashboards that surface unresolved lattice nodes and missing evidence — Assumptions/dependencies: relies on publicly declared artifacts and working links; best-effort lower bound (undocumented dependencies won’t appear)
  • License and terms-of-use risk propagation analyzer — Sectors: software, legal, finance, healthcare, education — Use cases: scan for multi-hop license obligations (e.g., Llama-derived annotations used in SmolLM3’s FineMath chain); flag “permissive washing” risks where declared licenses don’t reflect upstream generation/judging; create counsel-ready trace packs — Tools/workflows: license rule engine that traverses ModSleuth graphs; “what-if” filters to simulate removing restricted upstreams; auto-generated memos for legal review — Assumptions/dependencies: legal interpretation is jurisdiction- and license-specific; not legal advice; relies on faithful public disclosures and correct identity resolution of datasets/models
  • Train–evaluation coupling and contamination scanner — Sectors: software, education, research labs, benchmarking orgs — Use cases: detect when evaluation assets or their derivatives appear in training (e.g., GSM8K and IFEval paths in Olmo pipelines; SWE-bench-Verified used for RL in one Nemotron release); pre-deployment checks to avoid circularity and inflated metrics — Tools/workflows: benchmark registry integration; “do-not-train” list enforcement; pre-run audit on curated evaluation suites — Assumptions/dependencies: benchmark variants and synthetic expansions must be correctly resolved (identity lattice quality); some couplings are structural rather than direct leakage and need human judgment
  • Judge/reward conflict-of-interest checker — Sectors: software, evaluation services, safety & red-teaming — Use cases: identify when the same upstream family serves as both generator and judge (e.g., Qwen3-32B used as RL judge for Olmo 3); flag family-level ancestry or shared training data between system-under-test and judges/reward models — Tools/workflows: evaluation policy gate that forbids judge/generator overlap; diversity scoring for evaluators; rotation of independent judges — Assumptions/dependencies: family-level identity must be normalized; not all family overlaps imply measurable bias—supports a risk flag, not a verdict
  • Documentation and release augmentation assistant — Sectors: software, open-source communities, academic labs — Use cases: auto-fill dependency sections in model cards/data cards; reconcile paper–code discrepancies; publish an “evidence appendix” with linked anchors and versions — Tools/workflows: card augmentation bot; repo linter for unresolved artifact identities and missing sources; PR comments proposing specific citations with URLs — Assumptions/dependencies: maintainers must approve edits; some upstreams are intentionally undisclosed in closed releases
  • Procurement and vendor due diligence for AI buyers — Sectors: finance, healthcare, government, enterprise IT — Use cases: request and verify dependency graphs from vendors; evaluate concentration risk in external upstreams (paper shows 75–82% external dependencies); screen for restricted-model paths (e.g., GPT-4, Llama clauses) before integration — Tools/workflows: standardized submission form for dependency graphs; procurement scorecards summarizing external share, depth, and judge/generator diversity — Assumptions/dependencies: vendors must cooperate; third-party verification relies on public artifacts and may undercount
  • Sensitive-data governance in regulated domains — Sectors: healthcare (HIPAA/PHI), finance (SEC/FINRA), public sector (GDPR/AI Act readiness) — Use cases: ensure that clinical or financial assistants are not indirectly trained on restricted corpora via synthetic expansions or filtering chains; maintain audit records for regulators — Tools/workflows: domain-specific blocklists (PHI sources, customer data mirrors); periodic re-scan of dependency graphs; evidence bundles for audits — Assumptions/dependencies: provenance of synthetic data remains challenging; requires policies that map legal norms into graph rules
  • Ecosystem-mapping dataset for research and community oversight — Sectors: academia, civil-society observatories, standards bodies — Use cases: study concentration, recursive dependence, and emergent coupling at ecosystem scale; replicate the paper’s quantitative findings; build public dashboards — Tools/workflows: hosted query endpoint over ModSleuth graphs; bibliometric-style analytics (centrality, hop counts); export to graph databases — Assumptions/dependencies: continued curation; versioning to handle time-varying artifacts and link rot

Long-Term Applications

Below are applications that likely require further research, standardization, ecosystem adoption, or integration with external infrastructure.

  • Open standard for AI provenance and identity (ML SBOM) — Sectors: software, policy, standards, MLOps vendors — Use cases: create an SPDX- or CycloneDX-like schema for models and datasets, including operation-centered relations and an identity lattice; enable interchange across repos and clouds — Tools/workflows: reference spec and validators; converters from ModSleuth graphs to the standard; repository badges for compliance — Assumptions/dependencies: consensus across major platforms (Hugging Face, model hubs, cloud providers); governance for schema evolution
  • Regulatory reporting and compliance automation — Sectors: government, regulated industry (finance, healthcare), audits — Use cases: auto-generate disclosures for EU AI Act, NIST AI RMF-aligned documentation, and sectoral rules; submit verifiable evidence packs with links and signatures — Tools/workflows: “Compliance-as-graph” services; templates that translate dependency graphs into required forms; regulator portals for ingestion — Assumptions/dependencies: regulators must accept machine-readable provenance; requires legal clarity on synthetic-data lineage obligations
  • Ecosystem-scale continuous monitoring and alerts — Sectors: software platforms, open-source foundations, civil-society monitors — Use cases: crawl updates to model/dataset cards and repos; detect newly discovered upstream risks (license changes, benchmark leak revelations) and push alerts to dependent releases — Tools/workflows: scheduled crawlers; change-diffing over identity facets; alerting and remediation playbooks — Assumptions/dependencies: rate limits and access constraints; stable artifact identifiers and archival snapshots
  • Cryptographically verifiable chain-of-provenance — Sectors: software security, supply-chain integrity, cloud/edge deployers — Use cases: sign releases and dependency edges; verify chain from dataset to training run to model; integrate with C2PA/SCITT-style attestations — Tools/workflows: signing keys and attestations for operations (generate/filter/judge); tamper-evident logs; provenance verifiers in deployment pipelines — Assumptions/dependencies: key management at scale; broad vendor adoption; handling of proprietary data without leaking secrets
  • Risk scoring and insurance underwriting for AI supply chains — Sectors: insurance, enterprise risk, finance — Use cases: assign scores based on external dependency share, depth, judge/generator diversity, license risk exposure, and train–eval coupling; price risk or set coverage conditions — Tools/workflows: actuarial models over graph metrics; quarterly portfolio scans; remediation guidance tied to premium incentives — Assumptions/dependencies: historical loss and incident data remain sparse; scoring requires transparent and stable metrics
  • Contamination-aware training and evaluation governance — Sectors: software, education/assessment providers, research labs — Use cases: automatically exclude benchmark-adjacent data when curating mixes; enforce evaluator independence; schedule periodic rotation of judges with distinct ancestry — Tools/workflows: curriculum design tools that query graphs for exclusions; evaluator pools with family-diversity constraints; audit trails of decisions — Assumptions/dependencies: feasible substitutes must exist for excluded data; may trade off some performance during transition
  • Inferring hidden dependencies via multimodal signals — Sectors: academia, security, closed-model vendors — Use cases: complement declared graphs with weight- and behavior-based inference to surface undisclosed ancestry or model-mediated selection — Tools/workflows: hybrid provenance pipelines that combine ModSleuth with weight-similarity and behavioral fingerprinting — Assumptions/dependencies: research maturity and benchmark availability; careful treatment to avoid false accusations
  • Education and community norms for transparent releases — Sectors: academia, open-source, conferences — Use cases: reproducibility badges that require dependency graphs with evidence; reviewer checklists for papers that touch synthetic data and judges; student training on provenance hygiene — Tools/workflows: conference policies; templates and tutorials; community-run audits and public leaderboards — Assumptions/dependencies: incentives and recognition mechanisms; overhead acceptable to authors and maintainers

Notes on Feasibility and Dependencies

  • Coverage limits: All applications inherit the paper’s core disclosure constraint—graphs represent a lower bound because they are built from publicly declared artifacts; closed releases may under-report.
  • Identity resolution: Effective use of the identity lattice depends on stable identifiers, dataset derivation metadata, and repository hygiene (especially on Hugging Face).
  • Legal nuance: License propagation analysis depends on nontrivial legal interpretation; outputs should be treated as triage signals requiring counsel review.
  • Temporal consistency: Artifacts and cards change; robust deployments must snapshot sources and re-run periodic audits to keep evidence current.
  • Model-agent reliability: Automated extraction and verification rely on capable LLM agents and verifiers; human-in-the-loop review remains important for conflicts or ambiguities.

Glossary

  • Ablation: An experimental technique where components or data are systematically removed or varied to assess their impact. "Evaluation / ablation"
  • Agentic system: An automated, goal-directed system (often built on LLMs) that can plan, navigate sources, and take actions to complete tasks. "an agentic system that recursively reconstructs LLM dependency graphs"
  • Ancestry inference: Methods to infer a model’s lineage by analyzing its weights or behavior rather than documentation. "ancestry inference from weights or behavioral signals"
  • Beam search: A heuristic search that explores the top-K promising candidates at each step to manage combinatorial growth. "or beam search to expand the top-KK structurally central ancestors"
  • BFS reachability: Counting relationships that are forward-reachable from a target via breadth-first search in a graph. "Under BFS reachability"
  • Canonicalization: Normalizing heterogeneous references to a standard, canonical identifier or form. "extraction, canonicalization, evidence grounding, and validation"
  • Checkpoint inheritance: Dependency where a model’s weights derive from, or are initialized with, another model’s checkpoint. "through checkpoint inheritance"
  • Data card: A documentation artifact that describes a dataset’s composition, sources, and intended use. "data cards"
  • Datasheet: A structured reporting framework for datasets that details their creation, content, and limitations. "datasheets"
  • Decontamination: Procedures to remove evaluation or sensitive content from training data to prevent leakage or bias. "standard decontamination cannot trace"
  • Dependency graph: A graph of artifacts and edges that captures how upstream models or datasets influence downstream systems. "LLM dependency graphs"
  • Direct dependency: An upstream artifact that materially affects a model’s training or weights (e.g., generators, filters, OCR). "direct and indirect dependencies"
  • Downstream artifact: The model or dataset influenced by upstream artifacts and operations. "shapes a downstream artifact"
  • DPO (Direct Preference Optimization): A training approach that optimizes models using preference comparisons without explicitly learning a reward function. "DPO generator and RL judge"
  • Ecosystem mapping: An auditing approach that charts relationships and flows across ML artifacts within a broader ecosystem. "ecosystem mapping"
  • Evidence anchors: Specific citations, URLs, or source excerpts attached to graph edges for verification. "36{,}187 evidence anchors."
  • Evidence grounding: Requiring that each dependency claim is supported by explicit source evidence. "evidence grounding"
  • Facets (identity): Attribute fields that specify parts of an artifact’s identity (e.g., family, size, stage). "identity itself is represented as an open-vocabulary set of facets"
  • Filtering classifier: A model that scores or selects data points to include or exclude from training corpora. "filtering classifiers"
  • Identity collision: A resolution error where multiple mentions incorrectly map to the same artifact or conflict in identity. "Identity collisions"
  • Identity lattice: A hierarchical representation that captures artifact identities at varying specificity levels. "introduces an identity lattice"
  • Indirect dependency: An upstream artifact that influences development decisions without directly entering training. "indirect dependencies"
  • Judge model: A model used to evaluate or score outputs, often shaping which examples are retained or rewarded. "judge models"
  • License obligations: Legal requirements (e.g., usage restrictions) that can propagate across multi-hop reuse. "multi-hop license obligations"
  • Model card: A standardized documentation artifact describing a model’s training, data, usage, and limitations. "model cards"
  • Model lineage: The weight-level ancestry describing how a model’s parameters derive from other checkpoints. "Weight-level model lineage"
  • Model-mediated selection: Data selection processes controlled by models (generation, judging, filtering, rewarding) rather than humans. "Model-mediated selection."
  • ModSleuth: The system introduced to reconstruct and audit LLM dependencies from public artifacts. "We introduce ModSleuth"
  • Multi-hop paths: Dependency chains spanning multiple steps, often hiding indirect or transitive influences. "multi-hop paths"
  • OCR (Optical Character Recognition): Systems that convert images or PDFs into machine-readable text, often used in preprocessing. "OCR systems"
  • Operation-centered relationships: Representing dependencies via specific pipeline operations (generation, filtering, rewriting, evaluation). "operation-centered relationships"
  • Preference learning: Training methods that use human or model preferences to guide outputs or rankings. "preference learning"
  • Provenance: The origin and lineage of data or models, used to track and audit their lifecycle. "dataset provenance tracing"
  • Recursive expansion: Repeatedly tracing upstream artifacts to recover transitive dependencies across the ecosystem. "This recursive expansion is what turns scattered one-hop evidence into an auditable dependency graph"
  • Reward model: A model that assigns scalar rewards to outputs, guiding RLHF or data selection. "reward models"
  • RLHF (Reinforcement Learning from Human Feedback): Training that uses human preference-derived signals to optimize models via reinforcement learning. "Nemotron-3-Super RLHF"
  • RL-Zero: A training recipe that uses reinforcement signals without explicit ground truth, often with LM judges. "Olmo 3 RL-Zero models"
  • Source anchors: Attached links or quotations that make dependency claims verifiable. "attached source anchors"
  • Source-grounded evidence: Evidence drawn from official, primary sources (papers, cards, repos) rather than third-party claims. "source-grounded evidence"
  • Synthetic data: Data generated by models to augment or replace human-curated datasets. "synthetic data generation and curation"
  • Synthetic supervision: Training signals (labels, preferences, traces) produced by models rather than humans. "synthetic supervision"
  • Train--evaluation coupling: Structural overlap or influence between training pipelines and evaluation benchmarks. "train--evaluation coupling"
  • Upstream artifact: A model or dataset that influences a downstream artifact via generation, filtering, or other operations. "upstream artifact"
  • YAML: A human-readable configuration format commonly used for training scripts and pipelines. "Training scripts, YAMLs, and data-prep code"

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 8 tweets with 48 likes about this paper.