The Open Spectrum

Weights, Data, and Trust · Module FT02 · Course 3

60 minutes · 7 sub-sections · Layer 1 of the Steering Stack

What does "open" actually mean for a base model — and why is it load-bearing the moment you deploy in a regulated domain?

Pillar 0 — Foundations

The three tiers of openness

TIER 1
Open-weights-only

Weights, no data.

Llama 3.x

Lets you USE it.

TIER 2
Open-data

Weights + corpus / pipeline.

MiniCPM · OLMo · Tülu · SmolLM3

Lets you AUDIT it.

TIER 3
Open-recipe

Weights + data + full code/config.

OLMo · Tülu 3 · SmolLM3

Lets you REPRODUCE & PROVE it.

Each tier adds a trust property the one below lacks.

The OSAID gap

OSI Open Source AI Definition v1.0 — released 2024-10-28 at All Things Open.

OSAID requires "sufficiently detailed information about the data" used to train the system.

What OSAID requires

  • Complete training/run code
  • "Sufficiently detailed information" about the data
  • Use / modify / redistribute

What reproducibility needs

  • The actual training corpus
  • Hyperparameters, seeds, checkpoints
  • A determinable answer to "was X in the data?"
Compliant ≠ reproducible. A Llama-style release can be OSAID-compliant without being auditable. Never conflate the two.

The NTIA argument

July 2024 — Dual-Use Foundation Models with Widely Available Model Weights (mandated under EO 14110).

Open-weight models "provide security benefits by allowing firms, researchers, and users to use potentially sensitive data" locally and on-premises.

The reasoning is mechanical:

  • Open weights → model runs inside your trust boundary
  • Closed / API-only → every inference leaves the boundary

The single best government citation for on-prem / air-gapped deployment. Why IL5/IL6 and HIPAA-covered workloads require an open-weight base.

The FMTI — openness as a number

Stanford CRFM Foundation Model Transparency Index · 100 indicators.

58
mean / 100 (May 2024)
85
top score / 100
~49
OpenAI (below mean)
Tracks the tier cleanly. Open-recipe developers (OLMo, IBM Granite) score highest; weights-only in the middle; closed at the bottom. The tier you choose is roughly the score you can defend.

Bommasani et al., arXiv:2407.12929.

Model family comparison

ReleaseTierLicenseAuditable?
OLMo 2 (Ai2)Open-recipeApache-2.0Yes
Tülu 3 (Ai2)Open-recipeApache-2.0Yes
SmolLM3 (HF)Open-recipeApache-2.0Yes
MiniCPM (OpenBMB)Open-recipeApache-2.0Yes
DCLMOpen-dataOpenYes
Nemotron (NVIDIA)Open-weights / partialNVIDIA OMLPartial
Llama 3.1 (Meta)Open-weights-onlyLlama Community Lic.No
GPT-4o (OpenAI)ClosedProprietaryNo

Capability is FT03's concern. This table is about whether you can trust the provenance.

OpenBMB & MiniCPM — the on-ramp hero

Who

OpenBMB — "Open Lab for Big Model Base." Tsinghua University + ModelBest. Apache-2.0.

The family

  • MiniCPM5-1B — dense ~1B base
  • MiniCPM3-4B — mid-size
  • MiniCPM-V 4.6 — vision
  • MiniCPM-o 4.5 — omni-modal
Open datasets: UltraChat (dialogue) · UltraFeedback (preference) · Ultra-FineWeb (curated web). The defaults the data modules return to.

Why it's the hero: open-data/recipe, runs on consumer hardware, and you can point at every byte the model saw.

Why open-data wins for sensitive domains

PropertyOnly open-data / open-recipe gives youMaps to
AuditabilityProve what the model sawHIPAA risk analysis
ReproducibilityPin a commit, rebuild on demand — no silent driftValidated-pipeline integrity
Supply-chain trustRule out hidden training-time exfiltrationIL5/IL6, air-gap
Open-data is a compliance asset, not an ideology. Each property maps to a requirement a regulator can name — and each is satisfiable only when you can see the data and the recipe.

The auditability chain

Open-data / open-recipe release
(weights + corpus + code)

↓ enables

You can AUDIT what the model saw

↓ enables

You can REPRODUCE (pinned commit, rebuild)

↓ enables

You can PROVE to a regulator: lineage, no hidden inputs, no drift

Drop the first link and the whole chain fails — which is why weights-only/closed bases cannot satisfy the audit.

Anti-patterns

Trusting a community merge with no provenance. A Hub merge with no data lineage, no evals, and a license the uploader can't grant is not an audit. Trace provenance to original bases and data.
OSAID-compliant = reproducible. No. OSAID needs "sufficiently detailed information about" the data, not the data. Compliance is inspectability, not reproducibility.
"Open" means "safe." No. Open data is auditable, not safe. An open corpus can still hold PII, copyrighted text, or poisoned examples. Openness gives the ability to vet — it does not do the vetting.

What you can now do

  1. Distinguish the three openness tiers and classify any release.
  2. Explain what OSAID requires and what it does not — and why compliance ≠ reproducibility.
  3. Cite the NTIA report as the government authority for the on-prem sensitive-data argument.
  4. Use the FMTI to quantify the transparency gap.
  5. Write the one-paragraph "can I audit this for HIPAA?" verdict for any model.
The lab: audit five real releases (MiniCPM, OLMo-2, Llama-3.1, SmolLM3, GPT-4o). No GPU — a research & classification lab.

Next: FT03 — Base Model Selection