Model theft and IP protection: can someone steal your fine-tuned model
In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.
You have spent months and a meaningful amount of compute fine-tuning a model on your proprietary data, your domain expertise, your customers' patterns. It is one of your most valuable assets, arguably more valuable than your code, because a competitor can reimplement your app in weeks but cannot easily reproduce months of tuning and the data behind it. So here is the uncomfortable question. Could someone steal it just by using your product?
The honest answer is yes, to a meaningful degree, and it is not a theoretical concern anymore. This article explains what model theft actually means, why it is a real and growing risk, and what genuinely protects a fine-tuned model without requiring you to become a research lab.
What model theft actually means
When people talk about model theft, they usually mean one of two related things, and the difference matters.
Model extraction is when someone repeatedly queries your model through its API, using your product exactly as an ordinary customer would, and uses the pattern of inputs and outputs to train their own model that approximates your model's behaviour. Critically, they never need access to your actual weights, your training data, or your infrastructure. They only need the ability to send requests and observe responses, which is precisely what your API is designed to allow. The result is a competitor who can offer something functionally similar to what you spent months building, without paying for your data, your compute, or your expertise.
Model inversion is a related but different concern, where an attacker probes a model's outputs to infer something about the data it was trained or fine tuned on. Where extraction steals your model's capability, inversion risks exposing your training data itself, which becomes a genuine privacy problem if that data included anything personal or sensitive.
This is not theoretical anymore
For a long time this was discussed mainly in academic papers. That has changed. In 2026, a documented case became one of the largest instances of this kind of activity recorded to date, involving a very large number of automated accounts systematically querying a major AI provider's most advanced model over several weeks, with the resulting outputs used to train a competing model. It is a clear demonstration that this is an active, real world risk being pursued at scale, not a hypothetical scenario confined to research papers.
For a startup with a genuinely valuable fine-tuned model, the practical takeaway is straightforward. If your model is reachable through an API, someone with enough patience and enough queries can attempt to approximate it, and the tools and techniques to do this are increasingly accessible.
Why this matters specifically if you have fine-tuned a model
A general purpose foundation model is not usually the thing at risk here, since it is typically owned by a large provider with its own defences and the base capability is not your competitive edge in the first place. What is genuinely at risk is what you have added on top. Your fine-tuning, your prompt engineering and routing logic, your domain specific behaviour, the accumulated product decisions that make your AI good at your specific task. That is the part that took you real time and money to build, and it is exactly the part model extraction targets, because it is expressed entirely through your model's observable behaviour.
This is also a business risk beyond simple competition. A copied model can be used to search for jailbreaks and vulnerabilities in your system offline, away from your rate limits and monitoring, and then used against your live product once weaknesses are found. So model theft is not purely an intellectual property question. It can become a security problem too.
What genuinely protects a fine-tuned model
There is no single control that makes extraction impossible, and you should be sceptical of anything that claims otherwise. What works is layering several defences so that a determined attempt becomes expensive, slow, and detectable, rather than trying to make it theoretically impossible.
- Rate limiting and usage monitoring, done properly. Basic rate limits are a start, but a patient attacker can spread requests across accounts, tokens, or IP ranges to stay under simple thresholds. Effective monitoring looks for the pattern of extraction, unusual query diversity or volume from an account, rather than just raw request counts.
- Access controls that reflect who actually needs the model. Not every customer or integration needs unrestricted access to your most capable model. Tiering access, and requiring stronger authentication for higher volume use, raises the cost of large scale querying.
- Watermarking and output monitoring. Some teams embed detectable patterns in model outputs that can later help demonstrate a competing model was trained on your outputs, which matters both for detection and for any legal action afterwards.
- Contractual and legal protection. Your terms of service should explicitly prohibit using your API's outputs to train a competing model. This will not stop a determined bad actor technically, but it converts an ambiguous grey area into a clear breach of contract, which matters both practically and for any dispute afterwards, and in some jurisdictions model weights themselves can be protected as trade secrets.
- Treat your model as a protected asset in your own security thinking. This means explicit policies about who inside your own company can access weights and training data, secure storage rather than casual file sharing, and awareness that your model is a target, not just your customer data.
- Regular extraction testing of your own product. Periodically test your own API the way an attacker would, at a conceptual level, checking whether unusual query patterns actually get detected and whether your monitoring would catch a real attempt. Knowing your defences work is better than assuming they do.
A note on where the real value protection comes from
Here is a perspective worth holding onto, because it changes how much you need to worry about this. For many startups, the deepest protection is not a technical control at all. It is the fact that your proprietary data, your customer relationships, and your ongoing ability to keep improving the model are much harder to copy than a snapshot of its current behaviour. An extracted model is a copy of where you were, not where you are going. Startups that keep innovating and keep their data advantage growing make extraction a much less existential threat, because a competitor who steals a snapshot is still behind a moving target.
That said, this does not mean the technical protections are optional. It means they buy you time and raise the cost of the attempt, while your ongoing progress is your more durable defence.
The honest takeaway
Model theft through extraction is a real and growing risk, not a research curiosity, and if your product exposes a fine-tuned model through an API, you are exposed to some degree by default. The response is not paranoia or an attempt at a perfect technical barrier, because none exists. It is a sensible layer of monitoring, access control, contractual protection, and awareness that your model is a business asset worth defending deliberately, combined with the recognition that continuing to build and improve is itself a powerful form of protection.
For an AI startup, understanding this risk and having a considered answer to it is also increasingly part of how sophisticated buyers and investors assess whether you understand your own product's value and how seriously you take protecting it.
Worried about your model's IP being exposed through your API?
Book a free review and we'll look at how your fine-tuned model is protected, alongside the rest of your AI product security.
AI Security Insights
Cyber insurance for AI startups: what it covers and what it doesn't
Most startups buy cyber insurance, tick the box, and assume they are covered if something goes wrong with their AI prod…
Read articleSecurity questions investors ask AI startups before they invest
Most conversations about AI security focus on enterprise buyers, and for good reason, since that is where security most…
Read articleAI red teaming: what it is and how it differs from a normal pentest
If you have started researching security testing for your AI product, you have likely run into two terms that sound sim…
Read articleModel theft and IP protection: can someone steal your fine-tuned model
You have spent months and a meaningful amount of compute fine-tuning a model on your proprietary data, your domain expe…
Read articleMore insights, delivered monthly
Get the latest insights on AI security and compliance.

