The Open Spectrum
Weights, Data, and Trust · Module FT02 · Course 3
60 minutes · 7 sub-sections · Layer 1 of the Steering Stack
What does "open" actually mean for a base model — and why is it load-bearing the moment you deploy in a regulated domain?
Pillar 0 — Foundations
The three tiers of openness
TIER 1
Open-weights-only
Weights, no data.
Llama 3.x
Lets you USE it.
TIER 2
Open-data
Weights + corpus / pipeline.
MiniCPM · OLMo · Tülu · SmolLM3
Lets you AUDIT it.
TIER 3
Open-recipe
Weights + data + full code/config.
OLMo · Tülu 3 · SmolLM3
Lets you REPRODUCE & PROVE it.
Each tier adds a trust property the one below lacks.
The OSAID gap
OSI Open Source AI Definition v1.0 — released 2024-10-28 at All Things Open.
OSAID requires "sufficiently detailed information about the data" used to train the system.
What OSAID requires
- Complete training/run code
- "Sufficiently detailed information" about the data
- Use / modify / redistribute
What reproducibility needs
- The actual training corpus
- Hyperparameters, seeds, checkpoints
- A determinable answer to "was X in the data?"
Compliant ≠ reproducible. A Llama-style release can be OSAID-compliant without being auditable. Never conflate the two.
The NTIA argument
July 2024 — Dual-Use Foundation Models with Widely Available Model Weights (mandated under EO 14110).
Open-weight models "provide security benefits by allowing firms, researchers, and users to use potentially sensitive data" locally and on-premises.
The reasoning is mechanical:
- Open weights → model runs inside your trust boundary
- Closed / API-only → every inference leaves the boundary
The single best government citation for on-prem / air-gapped deployment. Why IL5/IL6 and HIPAA-covered workloads require an open-weight base.
The FMTI — openness as a number
Stanford CRFM Foundation Model Transparency Index · 100 indicators.
Tracks the tier cleanly. Open-recipe developers (OLMo, IBM Granite) score highest; weights-only in the middle; closed at the bottom. The tier you choose is roughly the score you can defend.
Bommasani et al., arXiv:2407.12929.
Model family comparison
| Release | Tier | License | Auditable? |
| OLMo 2 (Ai2) | Open-recipe | Apache-2.0 | Yes |
| Tülu 3 (Ai2) | Open-recipe | Apache-2.0 | Yes |
| SmolLM3 (HF) | Open-recipe | Apache-2.0 | Yes |
| MiniCPM (OpenBMB) | Open-recipe | Apache-2.0 | Yes |
| DCLM | Open-data | Open | Yes |
| Nemotron (NVIDIA) | Open-weights / partial | NVIDIA OML | Partial |
| Llama 3.1 (Meta) | Open-weights-only | Llama Community Lic. | No |
| GPT-4o (OpenAI) | Closed | Proprietary | No |
Capability is FT03's concern. This table is about whether you can trust the provenance.
OpenBMB & MiniCPM — the on-ramp hero
Who
OpenBMB — "Open Lab for Big Model Base." Tsinghua University + ModelBest. Apache-2.0.
The family
- MiniCPM5-1B — dense ~1B base
- MiniCPM3-4B — mid-size
- MiniCPM-V 4.6 — vision
- MiniCPM-o 4.5 — omni-modal
Open datasets: UltraChat (dialogue) · UltraFeedback (preference) · Ultra-FineWeb (curated web). The defaults the data modules return to.
Why it's the hero: open-data/recipe, runs on consumer hardware, and you can point at every byte the model saw.
Why open-data wins for sensitive domains
| Property | Only open-data / open-recipe gives you | Maps to |
| Auditability | Prove what the model saw | HIPAA risk analysis |
| Reproducibility | Pin a commit, rebuild on demand — no silent drift | Validated-pipeline integrity |
| Supply-chain trust | Rule out hidden training-time exfiltration | IL5/IL6, air-gap |
Open-data is a compliance asset, not an ideology. Each property maps to a requirement a regulator can name — and each is satisfiable only when you can see the data and the recipe.
The auditability chain
Open-data / open-recipe release
(weights + corpus + code)
↓ enables
You can AUDIT what the model saw
↓ enables
You can REPRODUCE (pinned commit, rebuild)
↓ enables
You can PROVE to a regulator: lineage, no hidden inputs, no drift
Drop the first link and the whole chain fails — which is why weights-only/closed bases cannot satisfy the audit.
Anti-patterns
Trusting a community merge with no provenance. A Hub merge with no data lineage, no evals, and a license the uploader can't grant is not an audit. Trace provenance to original bases and data.
OSAID-compliant = reproducible. No. OSAID needs "sufficiently detailed information about" the data, not the data. Compliance is inspectability, not reproducibility.
"Open" means "safe." No. Open data is auditable, not safe. An open corpus can still hold PII, copyrighted text, or poisoned examples. Openness gives the ability to vet — it does not do the vetting.
What you can now do
- Distinguish the three openness tiers and classify any release.
- Explain what OSAID requires and what it does not — and why compliance ≠ reproducibility.
- Cite the NTIA report as the government authority for the on-prem sensitive-data argument.
- Use the FMTI to quantify the transparency gap.
- Write the one-paragraph "can I audit this for HIPAA?" verdict for any model.
The lab: audit five real releases (MiniCPM, OLMo-2, Llama-3.1, SmolLM3, GPT-4o). No GPU — a research & classification lab.
Next: FT03 — Base Model Selection