Google, Microsoft and OpenAI route their AI 'trust layer' work through the Linux Foundation
Maya Okonkwo
Google, Microsoft and OpenAI are joining a Linux Foundation–housed effort to build a shared trust layer for AI systems, per The New Stack, and the read for CI/CD owners is structural: artefact provenance for models and agents is about to be asked to ride the same plumbing that already carries binary attestation. The reporting frames the work as a cross-vendor alignment under the Foundation rather than another single-vendor framework — three of the loudest AI logos signing onto a neutral venue at the same time.
The Foundation, The New Stack notes, has long outgrown its roots as a steward of the Linux kernel. It has become the default neutral ground for identity, provenance and supply-chain efforts that need more than one logo behind them — Sigstore for artefact signing, SLSA for build provenance, the OpenSSF for the wider supply-chain remit. An AI trust layer slotting in alongside those projects is the obvious shape, even if the press release does not yet say so in words a pipeline can parse.
The vendors call it open. In practice, a cross-vendor trust effort of this size starts as a working group and a vocabulary spec, then drafts an API, then a reference implementation, then — much later — a runtime an auditor will accept. None of that is wrong; the alternative is three incompatible attestation formats glued together by a build script. It is just that a platform team that needs an AI-artefact gate this quarter still has nothing to wire up.
Where this lands on the pipeline
The pieces a CI/CD owner cares about are already well understood as problems on the binary side. Signing model weights maps onto signing a container image. Pinning an agent definition to a digest is the same shape as pinning an action to a commit SHA. Attesting that the training set has not been swapped underneath a fine-tuned checkpoint is in-toto's job description; attesting which workload produced an inference is OIDC's. What an AI trust layer adds is a name, a schema and an owner for the AI-specific facts that need to flow through those existing pieces — what counts as a model, a weight set, a tool definition, a training-data manifest, an agent identity.
That is also the part that has historically held cross-vendor work back. Three vendors agreeing that signing is a good idea is easy. Three vendors agreeing on a schema that all three are willing to emit by default is the harder problem the Foundation tends to be brought in to solve.
The residual caveat
The first deliverable likely to reach a pipeline is the vocabulary, not the gate. The signing and verification API comes after. The build that actually fails because an unsigned model artefact crept into a release comes later still. Until those land, anyone running model artefacts through CI is improvising on top of OCI registries and ad-hoc scripts — which is exactly the state the binary world was in before Sigstore matured. The new coalition does not change that today; it sets a clock on how long the improvisation has left.
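The kind of improvised gate described above, as an added example that is not from The New Stack's reporting or from any of the projects named: a release check that pins model weights and an agent definition to SHA-256 digests and fails on a swapped, missing or unpinned artefact. The file names, the manifest layout and the HMAC tag (a stand-in for a real asymmetric signature such as one produced with Sigstore) are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sign_manifest(manifest: dict, key: bytes) -> str:
    # Assumption: HMAC over canonical JSON stands in for a real signature.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def gate(release_dir: Path, manifest: dict, tag: str, key: bytes) -> list[str]:
    """Return findings; an empty list means the release may ship."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest: signature check failed"]
    findings = []
    present = {p.relative_to(release_dir).as_posix(): p
               for p in release_dir.rglob("*") if p.is_file()}
    for name, pinned in sorted(manifest["artefacts"].items()):
        if name not in present:
            findings.append(f"{name}: pinned but missing")
        elif sha256_file(present[name]) != pinned:
            findings.append(f"{name}: digest mismatch")
    for name in sorted(set(present) - set(manifest["artefacts"])):
        findings.append(f"{name}: unpinned artefact in release")
    return findings

def demo() -> dict:
    """Constructed sample release: weights plus an agent definition."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "model.safetensors").write_bytes(b"constructed weights v1")
        (root / "agent.json").write_text('{"tools": ["search"]}')
        manifest = {"artefacts": {p.name: sha256_file(p) for p in root.iterdir()}}
        tag = sign_manifest(manifest, key)
        clean = gate(root, manifest, tag, key)
        # Constructed drift: the agent gains a tool and an extra file appears.
        (root / "agent.json").write_text('{"tools": ["search", "shell"]}')
        (root / "adapter.bin").write_bytes(b"unreviewed fine-tune")
        tampered = gate(root, manifest, tag, key)
        # The manifest is edited to cover the new file but is not re-signed.
        manifest["artefacts"]["adapter.bin"] = sha256_file(root / "adapter.bin")
        forged = gate(root, manifest, tag, key)
    return {"clean": clean, "tampered": tampered, "forged": forged}
```

Calling `demo()` returns the findings for a clean release, a drifted one, and one whose manifest was edited after signing; a CI job would exit non-zero whenever `gate` returns a non-empty list.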
Source: The New Stack (thenewstack.io)