The Model Provenance Problem
How I Learned to Stop Worrying and Love the BOM
Introduction
Less than 3 hours. That’s how long it took to reveal that all was not what it seemed when, on 19th March 2026, Cursor announced Composer 2 [1]. Composer 2, developed by San Francisco start-up Anysphere, Inc. (recently valued at $29.3B, with an ARR of over $1B), was a major release. Pitched as “frontier-level at coding”, and outperforming Anthropic’s Claude Opus 4.6 on Terminal-Bench 2.0, the release blog touted quality improvements coming from Cursor’s “first continued pretraining run, which provides a far stronger base to scale our reinforcement learning”. The price was aggressive. The message was clear: Cursor was positioning itself as a major player in the game of proprietary coding models.
Then a developer called Fynn started poking around [2]. While inspecting requests that Cursor was making, he noticed something unexpected in the body: accounts/anysphere/models/kimi-k2p5-rl-0317-s515-fast
That wasn’t a Cursor model name. That was a near-verbatim description of what this new model really was: a version of Kimi K2.5 that had some RL applied. The post went viral, clocking over 444,000 views in under a day. Within hours, Yulun Du, head of pretraining at Moonshot AI, had posted publicly that after testing Composer 2’s tokeniser, it was “almost certainly the result of further fine-tuning of our model.” He tagged Cursor’s co-founder and asked bluntly why they weren’t respecting the modified MIT licence that Moonshot AI had applied to Kimi K2.5.
Cursor’s vice president of developer education, Lee Robinson, eventually acknowledged the open-source base, explaining that roughly a quarter of the compute spent on the final model came from Kimi K2.5 [3][4], with Cursor responsible for the rest through continued pre-training and reinforcement learning. Moonshot AI subsequently described the relationship as an “authorised commercial partnership” through inference partner Fireworks AI and offered congratulations [5].
The technical drama resolved, more or less, into a licensing dispute. But the story it revealed about how modern AI models are built, distributed, and obscured raises questions that go well beyond a billing disagreement between two startups.
The Provenance Problem
Cursor’s situation is not an isolated curiosity. It is a symptom of something structural in how AI development now works. The economics of building large language models have created a powerful incentive to start from open-weight foundations. Training a frontier model from scratch is forecast to cost north of $1B by 2027 [6]. Fine-tuning an existing open-weight model costs a fraction of that. As Chinese AI companies - particularly Moonshot AI, DeepSeek, and Alibaba’s Qwen - release increasingly capable models under permissive open-source licences, Western developers face a straightforward commercial trilemma: start from scratch, enter a commercial agreement with a Western Lab, or fine-tune a Chinese model.
The result is a layered ecosystem where the true origin of a model can be several steps removed from what the end user sees. Cursor built on Kimi K2.5. Kimi K2.5 was itself built by a Beijing-based company backed by Alibaba and Tencent. The model was trained on 15 trillion tokens of data. Its weights are now embedded inside a product used by over a million developers daily. Had Fynn not stumbled across an unrenamed variable in Cursor’s API requests, would those developers have had any idea of the true provenance of the model they were using?
This isn’t a new problem in software. Supply chain risks in open-source code have been a concern for decades. And they are far from solved [7]. The concept of a “software bill of materials” (SBOM) has gained considerable traction over the past decade. Any piece of software is built from components: libraries, frameworks, dependencies. And organisations deploying that software ought to know what those components are, who made them, and whether they contain any known vulnerabilities. But AI model weights are different from software libraries in important ways. They are not auditable in the conventional sense. You cannot read a large language model the way you can read source code. The “knowledge” embedded in model weights - the associations, tendencies, and potential biases built in during training - is opaque even to the organisations that build the models. And when one model is fine-tuned on top of another, some of the foundational characteristics of the base model persist in ways that are not always predictable or detectable.
The Cursor case is just an accidentally visible instance of this problem: the model ID leaked through an API endpoint. In most cases, there would be nothing to leak.
Whose Homework Was Stolen?
For context, it is worth knowing something about the company behind the original model: Moonshot AI.
Founded in March 2023 by Yang Zhilin, Zhou Xinyu, and Wu Yuxin - all alumni of Tsinghua University, one of China’s most prestigious technical institutions - Moonshot is one of a few major AI Labs in China to break into the Western market [8]. It is headquartered in Beijing and has received major funding from Alibaba, which led a $1 billion round in early 2024 [9], and Tencent, which participated in a subsequent $300 million raise [10]. The company is incorporated in Singapore through a subsidiary entity - Moonshot AI Pte. Ltd. - a structure that could create a misleading impression of its jurisdictional footprint. The Kimi Platform privacy policy never mentions China or Beijing [11].
In December 2025, the US Department of Commerce’s Centre for AI Standards and Innovation (CAISI) singled out Moonshot AI as evidence of the “growing depth” of China’s AI industry - the second Chinese model developer to receive a US government evaluation, after DeepSeek [12]. In February 2026, Anthropic publicly accused Moonshot, along with DeepSeek and MiniMax, of using thousands of fraudulent accounts to generate over 16 million exchanges with Claude in order to extract capabilities through a process known as “distillation” - training their own models on outputs from Anthropic’s. Moonshot has not publicly responded to those allegations [13].
The broader context matters here. Article 7 of China’s National Intelligence Law, enacted in 2017, states that “all organisations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law.” The precise scope of this obligation is genuinely contested among scholars: some argue it does not require active participation in intelligence gathering, whilst others argue there is evidence that the CCP is trying to shift the responsibility of its citizens from defence to offence [14]. Given the CCP has been classified as conducting “the most sophisticated, global and comprehensive campaign of transnational repression in the world” [15], this could provide another channel through which the CCP gets to extend its campaign. Either way, the fact that Chinese models are playing a larger and larger role in the modern ecosystem is uncontested. The ATOM Project shows that the “flip” (where total downloads of Chinese models exceeded those of Western models for the first time) happened in August of 2025 [16]. As of their latest data in January 2026, the gap has only widened, with Chinese models now being downloaded 36% more than Western models.
For organisations in the UK that are concerned about data sovereignty, the Singapore incorporation of Moonshot’s international entity does not change this picture. What matters is the practical question of where engineering teams sit, where model training and data processing occur, and which country’s legal framework ultimately governs the company’s obligations. On all three counts, the answer involves Beijing.
The UK’s Exposure
The United Kingdom occupies a distinctive and somewhat uncomfortable position in global AI. On one hand, Britain is a genuinely world-leading AI nation: home to DeepMind, The AI Security Institute (the world’s first national AI safety body of its kind), a strong academic tradition in machine learning (despite its success in the Defence & Security sectors, The Alan Turing Institute has only recently dabbled in the frontier-model space, and not on models of their own design [17]), and a government that has, at least in rhetoric, committed to making AI a cornerstone of its growth strategy.
On the other hand, the UK neither builds nor maintains frontier AI models of its own. Unlike the US, China, France (with Mistral) and even the UAE, Britain does not have a domestically controlled, state-sponsored AI capability at the foundation model level. British AI strategy has, in practice, meant integrating US-origin commercial models from OpenAI [18], Anthropic [19] and Google [20] into Government workflows - a dependency that carries its own strategic risks, but at least one whose provenance is reasonably well understood.
However, the UK government has taken a notably conservative posture toward Chinese AI tools. When DeepSeek emerged in January 2025 and sent shockwaves through global markets, UK AI minister Feryal Clark told Bloomberg that using the app was ultimately “a personal choice,” while advising users to be careful about how their data might be used. This contrasted sharply with the responses of other Western governments: Italy’s privacy regulator blocked the app outright, the US Pentagon and NASA restricted access, Australia banned it from government devices, and Taiwan cited national information security concerns. The UK stopped well short of a formal ban [21].
The 2023 AI Safety Summit at Bletchley Park emphasised international cooperation, including with Chinese participants, and the government has been reluctant to be seen as driving a technological decoupling that could harm UK businesses and research institutions. But the Cursor case reveals a limitation in this approach. Even setting aside the question of whether a UK developer should use Kimi K2.5 directly, the question of whether they should use a product built on Kimi K2.5 - without knowing that it is built on Kimi K2.5 - is one that current UK policy is entirely unprepared to address.
Defence and Security Implications
The NCSC (National Cyber Security Centre) has published guidance on AI security risks [22], and both the UK’s Government Communications Headquarters (GCHQ) [23] and Secret Intelligence Service (SIS, aka MI6) [24] have spoken publicly about the transformative implications of AI for the intelligence community. In this context, the provenance of AI models used in defence and intelligence workflows is not an abstract concern - it is a direct security consideration. If a coding assistant used by defence software developers, or an AI tool embedded in an intelligence analysis pipeline, contains a Chinese-origin base model, that is information those organisations would, at a minimum, want to know. The risk isn’t necessarily that the model contains a “backdoor” in any simple sense - but rather that model behaviour, bias and potential vulnerabilities may reflect training choices made under a different jurisdiction’s legal, political and security framework.
If a UK defence contractor’s developer is using Cursor and submitting code to Composer 2, for example, they are submitting that code to a system whose underlying weights were derived from a model built by a Beijing-based company subject to Chinese intelligence law. This is not a theoretical risk - it is a concrete risk pathway that has not been adequately scrutinised.
The concern is compounded by the nature of reinforcement learning fine-tuning of the kind Cursor applied to Kimi K2.5. Fine-tuning modifies the model’s behaviour but does not replace its foundational representations. The patterns, associations, and tendencies encoded during Moonshot AI’s original training remain embedded in the base weights. Exactly what those tendencies are (whether they include any content biases, any systematic evasions, or any anomalous behaviours on particular inputs) cannot be verified without substantial interpretability work that neither Cursor nor its users have performed.
Security analysts at the Institute for AI Policy and Strategy raised similar concerns about Moonshot’s “Kimi Claw” agentic product in February 2026, noting that the combination of Moonshot’s legal framework and an “always-on” agent with broad access to user systems “creates the potential to cause severe and widespread harm to American and allied citizens.” They argued the national security risks could exceed those of the TikTok case, not because of any evidence of active malice, but because the structural exposure is categorically deeper than a social media application [25].
The Broader Pattern
It would be a mistake to treat the Cursor x Moonshot story as a unique event. The pattern is far more widespread. Just two days before the Cursor controversy emerged, Rakuten launched “Rakuten AI 3.0” in Japan. Dubbed “Japan’s largest and most powerful AI”, analysis revealed it was actually based on DeepSeek V3, and had the MIT licence file deleted [26]. These are not rogue actors: these are mainstream commercial companies making commercially rational decisions to build on the most capable available foundation models, which increasingly come from China. Models from Chinese AI labs are being downloaded, fine-tuned and embedded in products sold to Western consumers, enterprises and governments, often without any disclosure that a Chinese-origin base model underlies the product. Open-weight models are trained at enormous cost by their creators, and then released with their parameters publicly available, often with relatively permissive licenses. The rationale for doing so varies: some labs, particularly in the West, believe openness serves the public interest. Others, including several Chinese AI companies, may be pursuing strategic goals around ecosystem adoption, standard-setting and the generation of fine-tuning data from global users.
This is not an argument that open-weight Chinese AI models are inherently malicious, or that Moonshot AI is acting in bad faith. Kimi K2.5 is a powerful, legitimately released model, and Cursor’s use of it appears to have been properly authorised. The concern is structural and systemic rather than conspiratorial: when model provenance is opaque, when supply chains are invisible, and when the “made in America” label on an AI product can conceal a Chinese-origin foundation, the risk surface for sensitive applications becomes very difficult to assess.
What Could Good Look Like?
The Cursor episode, for all the initial X drama, is a relatively benign version of the model provenance problem. The more concerning scenario is the one that doesn’t become public: a model whose provenance remains permanently hidden, embedded in tools used for sensitive purposes, discovered only after significant exposure (if at all). Addressing this requires action on several fronts.
- The UK should explore the development of an AI Bill of Materials standard, requiring organisations that procure or deploy AI in sensitive contexts to obtain and verify documentation of a model’s full training lineage: base model origin, fine-tuning datasets, and reinforcement learning methodology. This needn’t be a bureaucratic nightmare: the SBOM precedent shows it can be done in a structured, machine-readable way. The AI Security Institute would be a natural home for developing this standard.
- UK public sector AI procurement guidance should be updated to require vendors to disclose base model provenance as a condition of contract. This is not about banning Chinese-origin base models categorically, but about ensuring informed decisions. A procurer who knows that a product is built on a Chinese open-weight model can make a risk-based assessment; a procurer who doesn’t know cannot.
- The AI Security Institute should expand its model evaluation work to include provenance auditing alongside capability and safety assessment. Evaluating what a model can do is important; understanding what it is made of and where it comes from is equally important.
- Further research and development of model lineage detection tools (for example, exploration of activation-space classifiers to determine lineage from indexed base models) in support of automated compliance tooling.
- The UK can build on the AI Summit and Hiroshima AI Process to lead international efforts to develop, agree and implement AI supply chain transparency norms.
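A sketch of what the machine-readable lineage record in the first recommendation could let a deploying organisation check automatically, including against identifiers seen in its own traffic as in the introduction; this is an added example, not from the original article or any published standard. The AI-BOM schema, field names, family index and "Example Vendor" are hypothetical, and only the observed model identifier is quoted from the article.

```python
import re

# Constructed index of base-model families and identifier fragments that
# suggest them (assumption: maintained by the deploying organisation).
FAMILY_PATTERNS = {
    "kimi-k2.5": re.compile(r"kimi-k2(p|\.)5", re.I),
    "deepseek-v3": re.compile(r"deepseek-v3", re.I),
}
REQUIRED = ("supplier", "jurisdiction", "licence", "method")  # hypothetical fields


def lineage(bom, model_id):
    """Follow derived_from links from the deployed model back to its root."""
    by_id = {m["id"]: m for m in bom["models"]}
    chain, seen = [], set()
    while model_id is not None:
        if model_id in seen:
            raise ValueError(f"lineage cycle at {model_id}")
        if model_id not in by_id:
            raise KeyError(f"undeclared ancestor {model_id}")
        seen.add(model_id)
        chain.append(by_id[model_id])
        model_id = by_id[model_id].get("derived_from")
    return chain


def audit(bom, deployed_id, observed_ids):
    """Return findings: broken chains, incomplete records, undeclared families."""
    try:
        chain = lineage(bom, deployed_id)
    except (KeyError, ValueError) as exc:
        return [f"broken lineage: {exc.args[0]}"]
    findings = []
    for rec in chain:
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            findings.append(f"{rec['id']}: missing {', '.join(missing)}")
    declared = {rec.get("family") for rec in chain}
    for ident in observed_ids:
        for family, pattern in FAMILY_PATTERNS.items():
            if pattern.search(ident) and family not in declared:
                findings.append(f"observed {ident!r} suggests undeclared base {family}")
    return findings


# Constructed AI-BOM records; only OBSERVED is quoted from the article.
DEPLOYED = {"id": "assistant-v2", "supplier": "Example Vendor", "jurisdiction": "US",
            "licence": "proprietary", "method": "continued-pretraining+rl"}
BASE = {"id": "base-1", "family": "kimi-k2.5", "supplier": "Moonshot AI",
        "jurisdiction": "CN", "licence": "modified MIT", "method": "pretraining",
        "derived_from": None}
DISCLOSED = {"models": [{**DEPLOYED, "derived_from": "base-1"}, BASE]}
OPAQUE = {"models": [{**DEPLOYED, "derived_from": None}]}
DANGLING = {"models": [{**DEPLOYED, "derived_from": "base-1"}]}
OBSERVED = ["accounts/anysphere/models/kimi-k2p5-rl-0317-s515-fast"]

if __name__ == "__main__":
    for name, bom in (("disclosed", DISCLOSED), ("opaque", OPAQUE), ("dangling", DANGLING)):
        print(name, audit(bom, "assistant-v2", OBSERVED))
```

The disclosed record passes, the opaque record is contradicted by the observed identifier, and the dangling record fails because it names an ancestor it never documents.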
Conclusion
In one sense, the Cursor incident turned out to be little more than an awkward PR day for the teams involved, with a little bit of discourse on the licensing landscape of the modern AI stack. But in another sense, it was a brief and accidental illumination of a supply chain that is largely invisible and impenetrable, and that touches the software underpinning critical systems and processes across the UK and its allies. The model ID in Fynn’s original X post showed the entire story; but only because someone happened to look, and because someone else forgot to rename a variable. The question is: do the UK government, NCSC and defence establishment want to look too, before the question is answered in much more uncomfortable circumstances?
If you would like to discuss this topic with us, please get in touch.
References
[1] Composer. See https://cursor.com/blog/composer-2
[2] Fynn X post. See https://x.com/fynnso/status/2034706304875602030
[3] Lee Robinson X post 1. See https://x.com/leerob/status/2035079470021829108
[4] Lee Robinson X post 2. See https://x.com/leerob/status/2035035355364081694
[5] Kimi X post 1. See https://x.com/Kimi_Moonshot/status/2035074972943831491
[6] Epoch AI Training Cost. See https://epoch.ai/blog/how-much-does-it-cost-to-train-frontier-ai-models
[7] Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. Microsoft. See https://www.microsoft.com/en-us/security/blog/2025/12/09/
[8] Moonshot AI. See https://www.moonshot.ai/
[9] Moonshot Funding 1. Bloomberg. See https://www.bloomberg.com/news/articles/2024-02-27/alibaba-leads-record-deal-to-create-2-5-billion-china-ai-player
[10] Moonshot Funding 2. Bloomberg. See https://www.bloomberg.com/news/articles/2024-08-05/tencent-joins-300-million-financing-for-china-s-ai-unicorn
[11] Moonshot Privacy. See https://platform.moonshot.ai/docs/agreement/userprivacy#1-personal-information-we-collect
[12] Center for AI Standards and Innovation (CAISI). NIST. See https://www.nist.gov/news-events/news/2025/12/caisi-evaluation-kimi-k2-thinking
[13] Detecting and preventing distillation attacks. Anthropic. See https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks
[14] Beijing’s New National Intelligence Law: From Defense to Offense. Lawfare. See https://www.lawfaremedia.org/article/beijings-new-national-intelligence-law-defense-offense
[15] China: Transnational Repression Origin Country Case Study. Freedom House. See https://freedomhouse.org/report/transnational-repression/china
[16] The ATOM Project: Towards fully open models for US research & industry. See https://atomproject.ai/
[17] Project t0: Unlocking the benefits of leaner language models. Alan Turing Institute. See https://www.turing.ac.uk/research/research-projects/project-t0
[18] OpenAI to expand UK office and work with government departments to turbocharge the UK’s AI infrastructure and transform public services. UK Government. See https://www.gov.uk/government/news/openai-to-expand-uk-office-and-work-with-government-departments-to-turbocharge-the-uks-ai-infrastructure-and-transform-public-services
[19] Anthropic partners with the UK Government to bring AI assistance to GOV.UK services. UK Government. See https://www.anthropic.com/news/gov-UK-partnership
[20] UK government harnesses Gemini to support faster planning decisions. Google. See https://blog.google/innovation-and-ai/products/uk-government-harnesses-gemini-to-support-faster-planning-decisions/
[21] DeepSeek AI banned by NASA, US Navy, and more over privacy concerns. Tom’s Guide. See https://www.tomsguide.com/computing/online-security/deepseek-ai-banned-by-nasa-us-navy-and-more-over-privacy-concerns
[22] Guidelines for secure AI system development. NCSC. See https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development
[23] Pioneering a New National Security. GCHQ. See https://www.gchq.gov.uk/artificial-intelligence/index.html
[24] MI6 boss extols “the mastery of technology” in first public speech. Civil Service World. See https://www.civilserviceworld.com/news/article/mi6-boss-pumps-mastery-of-technology-in-first-public-speech
[25] Kimi Claw: Risks from Chinese-Hosted “Always On” AI Agents. Institute for AI Policy and Strategy. See https://www.iaps.ai/research/kimi-claw-risks
[26] Rakuten’s “Japan’s Most Powerful AI” Exposed as Rebranded DeepSeek V3. BigGo Finance. See https://finance.biggo.com/news/202603181324_Rakuten_AI_3.0_Exposed_as_DeepSeek_V3_Rebrand