# MASTER CONTEXT FILE: ARCHETYPE D - INTERNALLY MANAGED / FINE-TUNED MODELS **Date:** May 8, 2026 **Subject:** Organization Risk Scenario - Internally Managed/Fine-Tuned Models **Auditor:** Third Line Independent IT Security Auditor **Entity:** 1009, LTD --- ## 1. ORGANIZATIONAL CONTEXT (BASELINE) * **Entity Identity:** 1009 LTD, a Crypto Asset Service Provider (CASP). * **Infrastructure Disconnect:** The organization's documented asset landscape is schizophrenic—claiming to utilize "only laptops" (Asset Management) while simultaneously outlining controls for "RAID Z on-site backups" and "legacy DMZs" (Backup/Network Policies). * **Governance Collapse:** The Three Lines of Defence are fundamentally compromised. Operational executives (CTO) possess unchecked audit and risk acceptance powers, while Risk oversight (CISO) is inappropriately embedded in First Line operational approvals. * **Capacity Constraint:** 1009 LTD has only 40 employees, including just 12 in the Technology division and a single System Administrator governing all logical access. ## 2. LLM DEPLOYMENT ARCHETYPE: INTERNALLY MANAGED / FINE-TUNED MODELS * **Archetype Definition:** The organization hosts open-weight or proprietary Large Language Models (e.g., LLaMA, Mistral) within its own localized or private-cloud infrastructure, taking direct responsibility for fine-tuning the model weights using internal company datasets. * **Operational Modality:** Requires the establishment of intensive Machine Learning Operations (MLOps) pipelines. The organization must provision significant GPU compute, manage massive training datasets, execute continuous fine-tuning runs, version control model weights, and actively monitor for model drift, performance degradation, and bias. * **Primary Threat Vectors:** * **Training Data Poisoning & Memorization:** If the fine-tuning dataset is poorly sanitized, the model will memorize and inadvertently regurgitate highly sensitive CASP data (e.g., cryptographic key procedures, VIP customer PII, internal passwords) during routine inference. * **Model Weight Theft / Compromise:** The fine-tuned model weights become a highly concentrated repository of the organization's intellectual property and operational secrets. Compromise of the storage environment leads to total intellectual property theft. * **Infrastructure and Performance Collapse:** The computational burden of hosting and tuning LLMs introduces severe capacity risks. Unmanaged model drift or degradation can lead to automated processes failing silently or producing systemically flawed outputs. ## 3. APPLICABLE GOVERNANCE & CONTROL CRITERIA The following internal policies established by 1009 LTD represent the Criteria against which this internally managed LLM archetype must be audited. ### A. Asset Management (Policy 04) & Physical Security (Policy 10) * **Hardware and Software Inventory Deficits (Policy 04, Section 4):** The policy states that "The only hardware 1009 uses today is the endpoint devices (laptops, desktops)." Internally hosting and fine-tuning an LLM requires specialized, high-performance GPU infrastructure. If 1009 LTD builds or leases this compute, it exists entirely outside the current Asset Registry, evading all physical and logical lifecycle controls. Model weights—a massive, high-value digital asset—are not recognized by the current asset classification taxonomy. * **Physical Security Disconnect (Policy 10):** Physical access to on-site servers housing model weights and training data is theoretically delegated to the building landlord (Policy 10, Section 3.6). This is a catastrophic vulnerability for protecting proprietary AI architecture. ### B. Operations Management Policy (Policy 06) * **Capacity and Performance Management (Section 3.32 - 3.35):** The policy mandates tracking "uptime, response times, and resource utilization." These traditional IT metrics are insufficient for MLOps. The policy completely lacks requirements for tracking model drift, inference latency, token generation degradation, or GPU memory bottlenecks, guaranteeing that performance degradation will go unmonitored. * **Separation of Environments (Section 3.25):** MLOps requires strict isolation of data pipelines (training) from inference engines (production). Given that the CTO is unilaterally authorized to permit "testing in a production environment" (Section 3.28), there is a high probability that untested model weights or poisoned training data will be pushed directly into live CASP environments. ### C. Backup Policy (Policy 02) * **Backup and Restoration Constraints (Section 4 & 6):** Fine-tuning datasets and model weights represent terabytes of specialized data. The current policy relies on "quarterly random sampling" to validate backups. A random sample cannot verify the cryptographic integrity of a multi-gigabyte model checkpoint file. Furthermore, without immutable storage controls, a ransomware attack would irreversibly destroy the organization's custom AI investments. ### D. Information Security Policy (Policy 08) * **Data Classification for Training (Section 5.1):** Fine-tuning requires massive data ingestion. Because the classification matrix lacks a "Strictly Restricted" tier (maxing out at "Confidential"), data engineers have no policy framework to legally segment and exclude the most critical cryptographic secrets (Seed Phrases, KMS designs) from the fine-tuning corpus. This virtually guarantees that the LLM will memorize sensitive crypto operations. ### E. Identity Management (Policy 12) & Access Control (Policy 01) * **Single Point of Failure (Policy 01, Section 3.15):** Only the single System Administrator has access to logical access management. Fine-tuning models requires complex, continuous provisioning of access to data lakes, vector databases, and MLOps platforms for data scientists and engineers. Relying on one administrator for this dynamically shifting access environment will result in massive operational bottlenecks and inevitable SoD bypasses to maintain development velocity. ### F. Risk Management Policy (Policy 09) * **Risk Quantification (Section 4.5):** As previously identified, capping the maximum financial impact at ">500k EUR" fundamentally breaks the risk assessment matrix. An internal model trained on CASP operations that suffers a weight-extraction attack or regurgitates a private key exposes the firm to multi-million euro losses. The firm's risk tolerance framework is structurally incapable of assessing the true liability of this archetype. --- **Auditor's Note on Archetype D:** Internally managed and fine-tuned models represent an enterprise-grade capability demanding mature MLOps, dedicated infrastructure security, and strict data governance. 1009 LTD operates with an SME headcount, fundamentally broken governance lines, and a completely inaccurate inventory of its own physical and computational assets. Attempting to deploy this archetype within the current control environment is technologically unsustainable and represents a critical threat to the firm’s operational viability and its obligations under its CASP license.