The Ice Bullet: Security in Distribution-Defined Systems

A research note on why artifact integrity does not guarantee behavioral integrity in foundation model pipelines.

2026-02-22

The thesis studies a supply-chain threat model built on subliminal learning results from 2024 to 2026. Core claim: deterministic controls protect artifacts, while behavior in foundation models is distribution-shaped and can drift through channels that pass content-level screening.

// findings

The paper distinguishes two security surfaces. Artifact integrity covers data provenance, signed weights, access controls, and pipeline integrity. Behavioral integrity covers what the model actually does across real contexts after training.

In specification-defined software, the two surfaces are tightly coupled: an artifact that matches its specification behaves as the specification says. In foundation models, execution is deterministic at the compute level, but behavior is learned over high-dimensional representations that cannot be exhaustively specified, so an intact artifact carries no such guarantee.

The Ice Bullet case study follows one path through this gap. Recent work on subliminal learning shows trait transfer across semantically unrelated data when teacher and student share a base model. Related poisoning studies show that a small number of inserted samples can take effect, and that the effect propagates across generations in synthetic-data workflows.

This makes synthetic-data supply chains a plausible high-risk channel when teacher and student models share base lineage. In that setting, data can look harmless at token level while still shaping model geometry.
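A lineage check of the kind this risk implies, added here as an illustration and not code from the paper: it walks parent pointers in a constructed model-lineage manifest and tiers each synthetic dataset by whether its generator shares an ancestor with the student being trained. The manifest layout (model ids with a `parent` pointer, dataset records with a `generator` field), the model ids and the tier names are assumptions made for this example.

```python
"""Shared-lineage triage over synthetic-data provenance records.

Added illustration, not code from the Ice Bullet paper. The manifest layout
(model ids with a `parent` pointer, dataset records with a `generator` field)
and the tier names are assumptions made for this example.
"""
from typing import Dict, List, Optional

# Constructed lineage graph: model id -> parent model id (None marks a root base).
MODEL_PARENT: Dict[str, Optional[str]] = {
    "base-v1": None,
    "base-v1-instruct": "base-v1",
    "teacher-A": "base-v1-instruct",
    "student-B": "base-v1",
    "other-base": None,
    "teacher-C": "other-base",
}

# Constructed synthetic-data manifest: each record names the model that generated it.
DATASETS: List[Dict] = [
    {"id": "synth-math-1", "generator": "teacher-A", "kind": "synthetic"},
    {"id": "synth-code-2", "generator": "teacher-C", "kind": "synthetic"},
    {"id": "web-crawl-3", "generator": None, "kind": "organic"},
]


def lineage_chain(model: str, parent: Dict[str, Optional[str]]) -> List[str]:
    """Model followed by its ancestors up to the root base, nearest first.
    Fails closed on an unknown id or a cycle: a manifest that cannot be
    resolved must not be treated as lineage-clean."""
    chain: List[str] = []
    cur: Optional[str] = model
    while cur is not None:
        if cur in chain:
            raise ValueError(f"lineage cycle at {cur!r}")
        if cur not in parent:
            raise KeyError(f"unknown model id {cur!r}")
        chain.append(cur)
        cur = parent[cur]
    return chain


def nearest_common_ancestor(a: str, b: str, parent: Dict[str, Optional[str]]) -> Optional[str]:
    """Closest model that both a and b descend from (a model counts as its
    own ancestor), or None when the lineages are disjoint."""
    b_line = set(lineage_chain(b, parent))
    for m in lineage_chain(a, parent):
        if m in b_line:
            return m
    return None


def triage(student: str, datasets: List[Dict], parent: Dict[str, Optional[str]]) -> List[Dict]:
    """Tier each dataset for the given student. Synthetic data whose generator
    shares an ancestor with the student is the channel the paper flags as
    high risk; everything else keeps the standard controls."""
    report = []
    for d in datasets:
        if d["kind"] != "synthetic":
            tier, nca = "organic", None
        else:
            if d["generator"] is None:
                # Fail closed: synthetic data with no recorded generator is unresolvable.
                raise ValueError(f"synthetic dataset {d['id']!r} has no generator")
            nca = nearest_common_ancestor(student, d["generator"], parent)
            tier = "high" if nca is not None else "standard"
        report.append({"dataset": d["id"], "generator": d["generator"],
                       "shared_ancestor": nca, "tier": tier})
    return report


if __name__ == "__main__":
    for row in triage("student-B", DATASETS, MODEL_PARENT):
        print(row)
```

For `student-B` the math set generated by `teacher-A` lands in the high tier with `base-v1` as the shared ancestor, the code set from `teacher-C` (a different base) stays standard, and the crawl is organic. The check resolves lineage by graph walk rather than by string prefix, so renamed or re-uploaded checkpoints are caught as long as the manifest records their parent.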

The thesis proposes three measurable hypotheses: H1, a compositionality threshold; H2, robustness under realistic data mixing and preprocessing; and H3, a detectability boundary between output-level evaluation and representation-level auditing.

The scope is constrained. The paper provides no exploit code, no operational attack playbook, and no claim of confirmed in-the-wild incidents as of February 22, 2026.

Operational implication: keep deterministic controls, then extend with distribution-native safeguards such as representation auditing, weight-space provenance signals, and synthetic lineage metadata.

ai-security, model-supply-chain, subliminal-learning, representation-geometry, threat-modeling