Part II · Chapter 107 MIXED

Recommendations

Tiered recommendations by use case, from hard prohibitions to conditionally acceptable deployments.

Tiered Recommendations by Use Case

Tier 1: Hard No — Do Not Use Chinese-Origin Models

Applies to:

  • Any deployment with tool access (function calling, code execution, file I/O, HTTP)
  • RAG pipelines processing sensitive, CUI, or classified documents
  • Analytical workflows on topics of Chinese strategic interest (military capabilities, Taiwan, South China Sea, intelligence assessments)
  • Any system requiring ATO under DoD RMF
  • Any system handling ITAR/EAR-controlled data
  • Coalition or Five Eyes interoperability contexts

Rationale:

  • Undetectable backdoors can exploit tool access for data exfiltration [PROVEN mechanism]
  • Analytical bias on sensitive topics is demonstrated [PROVEN for overt censorship]
  • Regulatory stack creates de facto prohibition
  • No authorizing official would accept the residual risk
  • No available mitigation eliminates the threat

Action: Use US-origin open-weight models (Llama, Mistral) fine-tuned on controlled data, with full defense-in-depth stack.


Tier 2: Conditional — Possible with Strong Controls

Applies to:

  • Text-only generation (no tools) for non-sensitive tasks
  • Code generation, formatting, drafting where outputs are not analytically consequential
  • Internal experimentation and capability assessment (not production)

Required Controls:

  1. No tool access — output-only mode
  2. Air-gapped or network-isolated deployment
  3. Statistical output monitoring for anomalous patterns
  4. Human review of all outputs before use in any product
  5. Cross-model verification (compare outputs with a US-origin model)
  6. No processing of CUI, classified, or export-controlled data
  7. Documented risk acceptance from appropriate authority

Rationale:

  • Without tools, the primary threat is analytical bias (mitigable) and low-bandwidth steganography (low practical impact)
  • For purely technical tasks (coding, formatting), bias risk is minimal
  • However, if a US-origin model of comparable quality exists, prefer it — the marginal benefit of a Chinese-origin model does not justify even the residual risk
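Tier 2 control 3 (statistical output monitoring) and the output-monitoring item of the cross-cutting stack describe the checks but not how they are applied; the following is an added example, not code from this book, showing one output-only review gate. It flags zero-width characters, non-ASCII space separators, URLs, base64-like runs and character-entropy drift from a reference-model baseline; the regexes, thresholds and sample outputs are constructed here.

```python
import math
import re
import unicodedata
from collections import Counter

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}   # invisible code points
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# 24+ base64-alphabet chars not embedded in a longer token: long enough to skip ordinary words
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/])")

def char_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def scan_output(text: str, baseline_entropy: float, tolerance: float = 1.0) -> list[str]:
    """Flag one model output; an empty list means nothing matched the monitoring rules."""
    flags = []
    if any(ch in ZERO_WIDTH for ch in text):
        flags.append("zero_width_chars")
    # Any space separator other than the ordinary ASCII space (NBSP, thin space, ...)
    if any(ch != " " and unicodedata.category(ch) == "Zs" for ch in text):
        flags.append("unusual_whitespace")
    if URL_RE.search(text):
        flags.append("url")
    if BASE64_RE.search(text):
        flags.append("base64_like")
    # Character entropy far from the reference-model baseline hints at encoded content
    if abs(char_entropy(text) - baseline_entropy) > tolerance:
        flags.append("entropy_deviation")
    return flags

def review_batch(outputs: list[str], baseline_entropy: float) -> dict[str, list[str]]:
    """Map each flagged output to its flags so a human reviewer sees only the anomalies."""
    return {o: f for o in outputs if (f := scan_output(o, baseline_entropy))}
```

The baseline should come from a US-origin reference model run on the same prompts, as the cross-model verification control requires; a fixed constant will drift as prompts change.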

Tier 3: Acceptable with Validation — Knowledge Distillation

Applies to:

  • Using Qwen/DeepSeek as a teacher model to distill into a US-controlled student model
  • Synthetic data generation from Chinese models for downstream training

Required Controls:

  1. Use a clean, curated distillation dataset — no data that could contain triggers
  2. Logit-only distillation (not hidden-state or attention matching)
  3. Student architecture significantly different from teacher
  4. Red-team evaluation targeting known Chinese censorship and bias topics
  5. Compare student output distributions against ground truth and alternative models
  6. Document the provenance chain including Chinese teacher origin
  7. Monitor for topic-specific bias in production outputs

Rationale:

  • Token-trigger backdoors transfer poorly through logit distillation [PROVEN]
  • Semantic bias does transfer — but is detectable through targeted evaluation [PROVEN]
  • This approach captures capability while significantly reducing technical risk

Cross-Cutting Recommendations (All Model Origins)

Defense-in-Depth Stack — Minimum Viable Posture

These apply regardless of whether the model is Chinese-origin, US-origin, or custom-trained:

  1. Least-privilege tool access

    • Default to output-only mode
    • If tools required: minimum capability, pre-approved function set, strict parameter validation
    • Human-in-the-loop for any action that modifies data, sends communications, or accesses sensitive resources
    • Log all tool invocations with full parameters
  2. Supply chain verification

    • Never use trust_remote_code=True for untrusted models
    • Use safetensors format exclusively — reject pickle-based model files
    • Verify file hashes against known-good sources
    • Audit tokenizer files, config JSONs, and any custom code before loading
    • Use sandboxed environments for initial model loading and evaluation
  3. Output monitoring

    • Statistical anomaly detection on token distributions
    • Monitor for Unicode manipulation, zero-width characters, unusual whitespace
    • Compare output entropy against reference model baselines
    • Flag outputs containing URLs, base64, or structured data patterns
  4. Behavioral red-teaming

    • Before deployment: comprehensive adversarial evaluation
    • In production: periodic re-evaluation with updated adversarial prompts
    • Topic-specific bias probing on strategically sensitive subjects
    • Test for trigger activation across date ranges, language contexts, and topic domains
  5. Multi-model verification

    • Never rely solely on one model’s output for consequential decisions
    • Cross-reference analytical outputs with at least one independent model from a different provenance
    • Flag significant divergence between model outputs for human review
  6. Institutional controls

    • Maintain AI model inventory per CDAO guidance
    • Document risk acceptance decisions with named authority
    • Establish acceptable-use policies per model origin and classification level
    • Train analysts on AI limitations and adversarial risks
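Item 1 of the stack (least-privilege tool access) is the control that most directly cuts off the exfiltration path Tier 1 worries about. As an added example that is not from this book, the gateway below sits between the model and its tools and enforces the four bullets: a pre-approved function set, strict parameter validation (exact names, types and allowed values), a human-in-the-loop hook for any mutating action, and an audit record for every attempt. The tool names, the DOC-001 corpus and the call JSON shape are constructed for the demonstration.

```python
import json
import logging
from dataclasses import dataclass, field
from typing import Any, Callable

@dataclass
class ToolSpec:
    func: Callable[..., Any]
    params: dict[str, type]                         # exact parameter names and types
    mutating: bool = False                          # modifies data or sends communications
    allowed_values: dict[str, set] = field(default_factory=dict)

class ToolGateway:
    def __init__(self, approve: Callable[[str, dict], bool]):
        self.registry: dict[str, ToolSpec] = {}     # the pre-approved function set
        self.approve = approve                      # human-in-the-loop decision hook
        self.audit: list[dict] = []                 # every attempt, executed or rejected

    def invoke(self, call_json: str) -> dict:
        """Validate one model-proposed tool call; return the audit record for it."""
        call = json.loads(call_json)
        name, args = call.get("name"), call.get("arguments", {})
        record = {"tool": name, "arguments": args, "outcome": "", "result": None}
        spec = self.registry.get(name)
        if spec is None:
            record["outcome"] = "rejected:unknown_tool"
        elif not isinstance(args, dict) or set(args) != set(spec.params) or any(
                not isinstance(args[k], t) for k, t in spec.params.items()):
            record["outcome"] = "rejected:bad_parameters"
        elif any(args[k] not in ok for k, ok in spec.allowed_values.items()):
            record["outcome"] = "rejected:value_not_allowed"
        elif spec.mutating and not self.approve(name, args):
            record["outcome"] = "rejected:awaiting_human_approval"
        else:
            record["result"] = spec.func(**args)
            record["outcome"] = "executed"
        self.audit.append(record)
        logging.getLogger("tool_gateway").info(json.dumps(record, default=str))  # log every call
        return record

DOCS = {"DOC-001": "Unclassified logistics summary (constructed sample text)."}  # constructed corpus

def build_gateway(approve: Callable[[str, dict], bool] = lambda name, args: False) -> ToolGateway:
    gw = ToolGateway(approve)          # default hook approves nothing: mutations never run
    gw.registry["lookup_document"] = ToolSpec(lambda doc_id: DOCS[doc_id], {"doc_id": str},
                                              allowed_values={"doc_id": set(DOCS)})
    gw.registry["send_message"] = ToolSpec(lambda recipient, body: f"queued for {recipient}",
                                           {"recipient": str, "body": str}, mutating=True)
    return gw
```

Rejected calls are recorded with the same detail as executed ones, which is what makes repeated attempts to reach an unregistered tool or an out-of-policy value visible to monitoring.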

Investment Recommendations

Short-Term (0-6 months)

  1. Audit current use of Chinese-origin models across the organization
  2. Migrate any tool-enabled or analytical deployments to US-origin models
  3. Implement supply chain verification (safetensors, hash checking, no trust_remote_code)
  4. Establish acceptable-use policy by model origin and use case
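Short-term item 3 (and item 2 of the cross-cutting stack) asks for safetensors only, hash checking and no trust_remote_code. As an added example, not code from this book, the pre-load check below walks a model directory and reports pickle-based weight files, bundled .py files, malformed safetensors headers, any `auto_map` entry in a JSON config (the marker that makes loading depend on trust_remote_code), and files missing from or mismatching a known-good SHA-256 manifest. The extension list and the sample directory are constructed here.

```python
import hashlib
import json
import struct
import tempfile
from pathlib import Path

PICKLE_EXTS = {".bin", ".pt", ".pth", ".pkl", ".ckpt"}   # torch.load / pickle-based formats

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def safetensors_header_ok(path: Path) -> bool:
    """safetensors layout: u64 little-endian header length, JSON header, raw tensor bytes."""
    with path.open("rb") as f:
        raw = f.read(8)
        if len(raw) < 8:
            return False
        header = f.read(struct.unpack("<Q", raw)[0])
    try:
        return isinstance(json.loads(header), dict)
    except ValueError:
        return False

def verify_model_dir(model_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return findings for every file; an empty list means the directory passed all checks."""
    findings = []
    for p in sorted(q for q in model_dir.rglob("*") if q.is_file()):
        rel = p.relative_to(model_dir).as_posix()
        if p.suffix in PICKLE_EXTS:
            findings.append(f"pickle-based weight file: {rel}")
        elif p.suffix == ".py":
            findings.append(f"custom code present: {rel}")
        elif p.suffix == ".safetensors" and not safetensors_header_ok(p):
            findings.append(f"malformed safetensors header: {rel}")
        elif p.suffix == ".json" and "auto_map" in json.loads(p.read_text()):
            findings.append(f"auto_map in {rel}: loading would require trust_remote_code")
        expected = manifest.get(rel)
        if expected is None:
            findings.append(f"not in manifest: {rel}")
        elif sha256_file(p) != expected:
            findings.append(f"hash mismatch vs known-good manifest: {rel}")
    return findings

def build_sample_dir() -> tuple[Path, dict[str, str]]:
    """Constructed clean model directory plus its known-good manifest (demo data only)."""
    d = Path(tempfile.mkdtemp())
    hdr = json.dumps({"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}).encode()
    (d / "model.safetensors").write_bytes(struct.pack("<Q", len(hdr)) + hdr + b"\0" * 4)
    (d / "config.json").write_text(json.dumps({"architectures": ["SampleModel"]}))
    return d, {f: sha256_file(d / f) for f in ("model.safetensors", "config.json")}
```

Run it in the sandboxed evaluation environment before any framework touches the files, and treat a non-empty findings list as a stop, not a warning.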

Medium-Term (6-18 months)

  1. Fine-tune Llama or equivalent US-origin model on domain-specific data
  2. Build output monitoring and statistical anomaly detection pipeline
  3. Develop red-team evaluation capability for bias and backdoor detection
  4. Assess distillation approaches for capability extraction from Chinese models

Long-Term (18+ months)

  1. Invest in custom model training on controlled data if capability requirements justify cost
  2. Track advances in mechanistic interpretability for weight-level auditing
  3. Engage with NIST, CDAO on emerging AI authorization frameworks
  4. Monitor legislative developments for formal restrictions on foreign AI

Final Position

The team member who said “No Alibaba models whatsoever, under any circumstances” is operationally correct for the current environment, even if the technical picture is more nuanced. The combination of:

  • Technical risk (undetectable backdoors, bias transfer)
  • Regulatory risk (ITAR/EAR, DFARS, CMMC, NIST AI RMF)
  • Political risk (congressional scrutiny, public perception)
  • Operational risk (allied interoperability, ATO requirements)

makes the total risk of Chinese-origin models in defense contexts disproportionate to any capability benefit, given that US-origin alternatives exist and are rapidly improving.

The evidence-based position is:

  • For defense analytical and operational use: Hard no.
  • For research understanding and distillation: Proceed with caution and controls.
  • For all models regardless of origin: Implement defense-in-depth and treat every model you did not train as partially untrusted.

This recommendation is based on the threat analysis, mitigation assessment, scenario walkthroughs, comparative risk analysis, and policy landscape review in Part II of this book. It reflects the state of knowledge as of March 2026 and should be updated as the technical and policy landscape evolves.