The Adapter Becomes the Ideology Layer
An adapter is a small learned modification attached to, merged into, or served alongside a larger model. When it changes refusal behavior, source preference, tone, ranking salience, persuasion, or decision categories, it becomes an ideology layer: not a conscious mind or doctrine, but a portable behavioral policy hidden inside the deployed system.
This essay uses adapter broadly for separable LoRA or PEFT layers, merged derivatives, and provider-managed fine-tunes that change model behavior. It does not treat every prompt or retrieval rule as an adapter, but it treats the deployed system as the whole stack: base model, learned delta, runtime policy, retrieval, tools, route, and record.
Customization Gets Small
Fine-tuning used to sound like a major institutional act. A model owner changed model weights, trained on a dataset, produced a new checkpoint, and deployed a specialized system. That picture still exists. But a different pattern has become normal: keep the large base model mostly fixed and attach a small learned modification.
Low-Rank Adaptation, or LoRA, is the best-known version of that pattern. The 2021 LoRA paper described a method that freezes pretrained model weights and inserts trainable low-rank matrices into transformer layers. The authors reported that, compared with full fine-tuning of GPT-3-scale models, LoRA could reduce trainable parameters by 10,000 times and GPU memory requirements by three times while preserving strong task performance. QLoRA later pushed the same governance problem into cheaper hardware by backpropagating through a frozen 4-bit quantized base model into LoRA adapters.
LoRA is not the only adapter family. Parameter-efficient fine-tuning also includes methods such as IA3, prefix tuning, prompt tuning, and related variants, while a managed fine-tuning API may expose only a provider-owned model ID rather than a portable adapter file. For governance, the shared feature is the learned delta from the base model. The question is which part of behavior belongs to the base, which part belongs to the adaptation, and who can prove that after deployment.
That technical move changed the politics of customization. If the customized part is small enough, many more actors can produce, store, share, swap, merge, and serve specialized behaviors. Hugging Face's PEFT documentation describes LoRA as a way to reduce trainable parameters, speed up fine-tuning, and use less memory. Google Cloud's current LoRA and QLoRA documentation gives ordinary production recommendations for tuning large language models, including tradeoffs among speed, peak GPU memory, cost, sequence length, and batch size. OpenAI's fine-tuning documentation describes a different managed API pattern: collect examples, upload a JSONL dataset, create a fine-tuning job, evaluate the result, then use the new fine-tuned model ID through the same API surface as a base model.
The common institutional fact is not the exact training method. It is the emergence of customized model behavior as a normal deployable artifact. A base model is no longer the whole system. The system is the base model plus the adapter, post-training recipe, checkpoint, router, prompt, retrieval layer, tool policy, and evaluation record.
The adapter lifecycle matters as much as the adapter file. A learned layer can be trained, downloaded, inspected, approved, loaded dynamically, hot-swapped, composed with other adapters, merged into a checkpoint, quantized, routed to selected users, rolled back, or retired. Each transition changes what evidence remains available. A merged derivative may behave like an adapter-shaped system while no longer looking like a separable adapter in ordinary deployment records.
For governance, the important object is the adapter state: base model, adapter identity, adapter version, load order, merge state, quantization state, active prompt policy, retrieval corpus, tool permissions, and route at the time of use. A deployment that can change any of those fields without a review record has made behavior mutable without making responsibility traceable.
A useful boundary has four layers. The base weights provide general capability. The learned adaptation changes model behavior. Runtime controls such as prompts, retrieval, routers, and tool permissions steer the interaction. The public record explains which version was active and what it was tested to do. Adapter governance fails when those layers collapse into one vague claim that "the model" was approved.
Current Context
As of June 23, 2026, adapter and fine-tuning workflows are production infrastructure, not edge experiments. Hugging Face documents PEFT checkpoint files as smaller artifacts that update only a subset of parameters, usually requiring the original base model to load. Its current checkpoint documentation also notes that PEFT saves adapter weights, adapter configuration, and a model-card README; when an adapter is merged into a full model, the artifact becomes larger and loses some PEFT-specific controls such as easy unmerging or multiple active adapters.
Cloud and API providers make the same pattern ordinary in different form. Google Cloud's Gemini Enterprise Agent Platform documentation frames LoRA and QLoRA as supported approaches for tuning large language models and compares their memory, speed, cost, sequence-length, and batch-size tradeoffs. OpenAI's current model optimization docs place fine-tuning workflows in a legacy-transition context and say the fine-tuning platform is no longer accessible to new users, while existing fine-tuned models remain available for inference until their base models are deprecated. Its supervised fine-tuning safety docs still illustrate the managed-provider pattern: provider-side checks across 13 safety categories can block deployment, but developers are told to run their own evaluations for the actual use case. That makes the governance lesson sharper: provider access, methods, safety checks, and lifecycle promises change, so claims about managed fine-tuning need a checked date and an exact method.
This means the governance object is now a composite system. A vendor may publish a base-model card. A hub may host an adapter. A cloud service may create a fine-tuned model ID. A gateway may route requests. A retrieval store may add facts. A prompt may impose policy. If only the base model is documented, the most important behavioral layer may disappear from the record. That is why this essay connects adapter governance to model cards and system cards, AI audit trails, and AI bills of materials.
Regulation and standards do not usually name LoRA directly, but they increase the pressure to document learned layers. The EU AI Act's general-purpose-model provisions require technical documentation and downstream integration information for covered providers, with additional duties for systemic-risk models. Those duties attach to particular legal roles, not to every hobby adapter author. But downstream deployers still need enough integration information to understand the capabilities, limitations, and risk controls of the system they actually put in front of people. NIST's generative AI profile and secure-development guidance treat provenance, lifecycle risk, security, and testing as governance work across the AI system. A hidden adapter makes those duties harder to satisfy because it changes behavior without changing the public name of the model.
Same Base, Different Institution
An adapter can make a model better at a real task. A hospital can tune clinical note style. A law firm can tune document format. A local government can tune plain-language benefit explanations. A school can tune a tutor to its curriculum. A manufacturer can tune maintenance instructions. A small language community can tune a model toward local vocabulary. This is not cosmetic. Customization can make general systems more usable, less wasteful, and less dependent on one central lab's defaults.
But customization is also a place where institutional assumptions enter the model. The adapter may teach preferred sources, favored terminology, ideological frames, brand voice, sales priorities, moderation boundaries, escalation patterns, legal risk posture, customer-handling scripts, or managerial categories. A user may think they are talking to a named open-weight model, when they are really talking to a locally adapted version of that model trained to see the world through an institution's examples.
The word "ideology" here should be read narrowly. It does not mean that the adapter believes anything. It means that learned behavior can encode a frame: which terms sound neutral, which authorities count, which risks feel salient, which refusals are automatic, which users receive deference, and which institutional goals are treated as common sense.
It also does not mean every specialized adapter is political in the ordinary sense. A formatting adapter for invoices, a translation adapter for a low-resource language, or a style adapter for accessibility may be benign and useful. The ideology layer appears when the adaptation changes epistemic framing, authority, risk, rights, salience, persuasion, or refusal in ways that would matter to a person affected by the output.
The governance test is materiality. Would a reasonable user, buyer, auditor, or affected person assess the system differently if they knew the adaptation existed? If the answer is yes, the adapter is not a private implementation detail. It is part of the system's public risk profile.
Materiality should produce tiered disclosure. Every adapter needs internal lineage. High-impact and professional uses need buyer-facing documentation. Public, civic, workplace, educational, medical, legal, financial, and child-facing systems need user-facing notice when the adaptation materially affects advice, ranking, eligibility, safety behavior, or institutional voice.
Materiality is also a rights test. If removing the adapter would change a person's eligibility, appeal path, price, safety warning, medical or legal advice, workplace treatment, educational feedback, or access to a public service, the adapter belongs in the impact assessment and the notice-and-appeal record. Calling it "only customization" does not make the affected person whole.
The same materiality test applies to segmentation. If different users, classes, regions, customers, students, patients, employees, or political audiences receive different learned layers, then adapter routing itself becomes a governance object. A system can discriminate or persuade through which adaptation it chooses, even if each individual adapter has a plausible purpose in isolation.
This is subtler than a system prompt. A prompt is often visible to developers and sometimes recoverable in logs. A retrieval source can be cited. A model router can record the chosen provider. An adapter sits closer to the model's behavior. It may not produce a visible instruction trail for each answer. Its influence appears as style, salience, refusal pattern, certainty, vocabulary, and what the system treats as normal.
That is why the phrase "base model" can become misleading. The base is only the starting substrate. The deployed model can carry layers of specialization that matter more to the user than the pretraining name on the model card.
The Adapter Market
Once adapters are small, they become market objects.
Hugging Face's PEFT checkpoint documentation says PEFT methods update a small subset of parameters rather than the full model, making checkpoint files smaller and easier to store and share. It also notes that loading a PEFT model requires the original base model. Research systems push the same logic toward scale. S-LoRA frames deployment as one base model serving many task-specific LoRA adapters and reports serving thousands of adapters with small overhead. LoraHub studies dynamic composition of LoRA modules and explicitly imagines a platform where users share trained modules that can be assembled for new tasks.
This points toward an adapter economy. One model family can support many local personalities, trades, policies, fandoms, occupations, languages, firms, schools, campaigns, and belief systems. A base model provider may govern the foundation. A platform may host the adapter. A company may train it. A consultant may sell it. A user may merge it. A serving system may swap it at request time. The final answer may carry all of those decisions.
The market object is not only a file. It is a bundle of base-model dependency, adapter configuration, training data, license terms, intended use, version history, evaluation claims, and loading instructions. If those elements are missing, the adapter is hard to govern even when it works. If the adapter is later merged into a full model, the derivative can inherit the base model's public reputation while losing the evidence that made the base model's safety claims meaningful.
The file itself may not carry enough memory. Hugging Face's PEFT checkpoint documentation says the adapter configuration can include base-model information, but also notes that there is no generally agreed format for PEFT adapter conversion and that some fields may be absent or defaulted. A working adapter is therefore not the same thing as a documented adapter. The external record still has to name the base, data, method, version, hash, license, evaluation, and merge state.
Licensing is part of that record. A permissively shared adapter may still depend on a base model with restricted commercial terms, attribution requirements, use-policy limits, or jurisdictional constraints. A merged model can blur those dependencies. Without license and acceptable-use inheritance, an adapter market becomes a laundering surface for both legal risk and safety claims.
Procurement should treat adapter choice as a policy choice. A buyer should know whether the vendor can replace the adapter without approval, whether older adapters remain reproducible for audits, whether evaluation data follows each version, and whether termination includes enough records to explain past outputs. Otherwise the customer buys a moving behavioral layer with no durable institutional memory.
The adapter market will not only be professional. Some adapters will be harmless style layers. Some will preserve endangered linguistic patterns. Some will improve accessibility. Some will make specialized tools cheaper. Some will create branded assistants that hide sales pressure inside helpfulness. Some will create ideological mirrors. Some will weaken safety behavior. Some will make a model flatter, more sycophantic, more erotic, more conspiratorial, more deferential to an employer, or more aggressive in persuasion.
The governance problem is not that adapters exist. It is that the adapter can become the most important part of the deployed system while remaining the least legible to the person using it.
Security and Supply Chain
Adapters also belong to the model supply chain.
A model artifact can be dangerous in two different ways. The first is ordinary software risk. Hugging Face warns that pickle files can execute arbitrary code when loaded and recommends trust, signed commits, conversion paths, and inspection of imports. Its PEFT checkpoint documentation says adapter weights are saved as `adapter_model.safetensors` or `adapter_model.bin`, with safetensors as the default secure alternative to pickle-backed `.bin` files. Those controls matter because model repositories distribute loadable artifacts, not only text descriptions.
The second risk is behavioral. A small adapter can carry a backdoor, policy weakness, data leakage tendency, hidden trigger, or domain-specific distortion even when the file format is safe to load. NIST's 2025 adversarial machine learning taxonomy treats poisoning, backdoors, and generative-AI supply-chain attacks as part of the security vocabulary. OWASP's 2025 LLM supply-chain entry explicitly names LoRA and PEFT as technologies that can introduce new supply-chain risks. The ACL 2025 LoRATK paper studies how malicious LoRA adapters can preserve useful downstream behavior while carrying hidden backdoor behavior.
This means artifact scanning and behavior testing are different duties. Safetensors can reduce one deserialization risk. Hashes and signed commits can improve provenance. They cannot prove that an adapter preserves refusal quality, privacy behavior, citation discipline, calibration, or domain reliability. A 2025 paper on fine-tuning API defenses also argues that pointwise checks on individually benign-looking training or inference samples can miss coordinated fine-tuning attacks.
Managed fine-tuning changes the control surface but not the basic duty. OpenAI's supervised fine-tuning safety docs describe checks across 13 safety categories, pass thresholds that can block deployment, and a reminder to conduct the developer's own evaluations for the use case. Those controls are materially better than an unmanaged file drop, but they still do not prove that a fine-tuned system is appropriate for a clinic, classroom, benefits office, employment workflow, or safety-critical engineering task.
Behavioral scanning should include ideology-like deltas, not only classic exploit payloads. Test whether the adaptation changes source hierarchy, refusal boundaries, deference to authority, protected-class treatment, political or religious salience, sales pressure, self-harm handling, cybersecurity caution, medical caution, or willingness to fabricate citations. The safest file format can still carry the wrong policy.
This matters for procurement and incident review. If a company deploys a customer-support model through a third-party adapter, and the assistant gives systematically misleading refund advice, the postmortem should not stop at the base model. If a school deploys a tutor tuned by a vendor, and the tutor quietly narrows acceptable reasoning styles, the issue is not merely the model family. If an enterprise coding assistant uses a security-tuned adapter, and a trigger disables caution around certain dependency patterns, the relevant artifact may be the adapter, not the foundation model.
Model governance that ignores adapters will misidentify the system it is governing. The relevant control point belongs with model weight security, model backdoors, secure AI system development, and supply-chain documentation.
Failure Modes
The failure modes are easiest to miss because the adapter may be small, cheap, and technically ordinary.
- Base-model reputation laundering. A product advertises a familiar base model while the actual behavior is shaped by an undocumented adapter, fine-tune, merge, or routing rule.
- Merge amnesia. An adapter is merged into a checkpoint, redistributed, or quantized, and the lineage record no longer shows which learned layer changed behavior.
- Source-preference tuning. A domain adapter quietly favors institutional sources, partner content, official terminology, or a house theory of risk while appearing to answer from general knowledge.
- Rights erosion. A learned layer changes eligibility advice, appeal language, safety warnings, workplace feedback, or educational assessment without being named in the record an affected person can challenge.
- Segmented ideology. Different users receive different adapters or fine-tuned model IDs based on customer tier, role, geography, employer, school, political audience, or inferred vulnerability, and the routing record does not preserve why.
- Shadow updates. A vendor swaps, merges, or re-trains an adapter without customer approval, then treats the behavior change as a normal service update rather than a new governance event.
- License and data drift. An adapter depends on a base model, dataset, or acceptable-use policy whose terms do not travel cleanly into the merged or hosted derivative.
- Evaluation mismatch. The base model passes safety or quality tests, but the deployed adapter stack is never tested against the same refusal, privacy, bias, citation, calibration, or domain-reliability criteria.
The Governance Standard
A serious adapter governance standard should treat adapters and fine-tunes as first-class AI system components.
First, every deployed adapter needs lineage. Records should identify the base model, adapter name, version, creator, training method, training data class, license, intended use, known limitations, evaluation results, and whether the adapter was merged into the model or loaded dynamically.
Second, users need material disclosure. A person does not need a tensor dump. But in professional, educational, civic, medical, legal, financial, workplace, or child-facing settings, users should know when they are interacting with a specialized model rather than the base system alone.
Third, evaluations should compare base and adapted behavior. It is not enough to show that the adapted system performs well on the target task. The institution should test whether adaptation weakened safety behavior, citation discipline, calibration, privacy, bias controls, refusal quality, or performance outside the target domain.
Fourth, adapter loading should be policy-controlled. Production systems should not allow arbitrary adapter swaps in high-impact workflows. Approved adapters, signed artifacts, fixed version pins, rollback paths, and change logs should be ordinary controls.
Fifth, documentation should follow the artifact. Model cards and system cards should not stop at the base model. The adapter or fine-tune needs its own card, including training sources, evaluation scope, excluded uses, and relationship to the base model's original safety claims.
Sixth, safety claims should survive merging. If an adapter is merged into a model and redistributed, the resulting artifact should not inherit the base model's reputation without fresh documentation and testing.
Seventh, supply-chain scanning should include behavior. File-format scanning, malware checks, and safetensors reduce one class of risk. They do not replace red-teaming, trigger search, misuse testing, privacy testing, and comparison against the base model.
Eighth, institutions should preserve the right to inspect and exit. A vendor-managed fine-tune should not become a sealed behavioral dependency. Customers need exportable records, evaluation evidence, version history, and a path to migrate without losing the ability to explain past outputs.
Ninth, incident logs should name the active adapter. Runtime records should identify the base model, adapter or fine-tuned model ID, adapter hash, merge state, route, retrieval corpus, prompt policy, and tool permissions that produced the output.
Tenth, bills of materials should include learned layers. An AI BOM that lists libraries and cloud services but omits adapters, fine-tunes, tokenizers, quantized variants, and merged derivatives will miss the artifacts most likely to explain behavior.
Eleventh, adaptation needs an impact statement. Before deployment, the institution should record the intended behavior change, forbidden behavior changes, affected users, reviewer, evaluation date, and conditions that trigger rollback or re-evaluation.
Twelfth, public-interest adapters need exit and challenge paths. In civic, educational, workplace, medical, legal, financial, and child-facing settings, affected people need a way to learn that a specialized model was used, challenge harmful output, and route around the adaptation when it is inappropriate.
Thirteenth, inventories should name the active learned layer. An AI system inventory that records only "Llama," "Gemini," "Claude," or "GPT" is too coarse. Inventory entries should distinguish base model, fine-tuned model ID, adapter, merge, quantization, tokenizer, retrieval corpus, prompt policy, and runtime route.
Fourteenth, procurement should bind adapter change control. Contracts should require notice before adapter swaps, access to evaluation summaries, retention of past version records, incident cooperation, and migration rights if the vendor retires a hosted fine-tune or adapter family.
Fifteenth, oversight should follow the affected domain. A harmless style adapter does not need the same process as a benefits-screening, debt-collection, workplace, education, medical, legal, or child-facing adapter. The standard should scale with impact, using algorithmic impact assessments, human oversight, notice and appeal, and AI incident reporting where rights and safety are at stake.
Sixteenth, route-specific adapters need fairness review. If a system chooses adapters by user segment, institution, risk score, language, geography, plan tier, or audience, the institution should test whether routing changes rights, tone, pressure, refusal, escalation, or source hierarchy in ways that would matter to affected people.
What This Changes
The adapter is a small file with large symbolic consequences.
It shows how model-mediated reality will not be shaped only by frontier labs. It will be shaped by the many institutions that adapt general systems into local tools: schools, employers, agencies, campaigns, churches, clinics, platforms, vendors, fandoms, cities, and firms. Each can make a mirror that looks like the same model from the outside while reflecting a different world from within.
That can increase human agency. Communities should be able to adapt tools to their language, norms, constraints, and work. Central model defaults should not be the only worldview allowed to speak. But plural customization also multiplies invisible frames. A person may move from one assistant to another and never know which local doctrine, dataset, sales strategy, or safety compromise has been attached.
The danger is not customization. The danger is unlabeled customization.
In the age of adapters, belief formation can be tuned at the edge. The base model supplies fluency and general competence. The adapter supplies local gravity. It nudges what feels relevant, normal, risky, persuasive, authoritative, or out of bounds. If that layer is hidden, users cannot tell whether the answer came from general capability, institutional tuning, retrieved documents, system instructions, or a small learned modification sitting inside the model.
The humane path is to make adaptation legible. Name the base. Name the adapter. Name the training purpose. Name the tests. Name the limits. Preserve the record. Let communities customize tools without letting quiet specialization become a new form of epistemic capture.
Source Discipline
Claims about adapters should name the layer being discussed. A prompt, retrieval index, model router, LoRA adapter, full fine-tune, quantized checkpoint, tokenizer change, merged model, and managed API model ID are different governance objects. Treating all of them as "the model" makes audits weak and can hide who had the power to change behavior.
Separate file safety from behavioral safety. A safetensors artifact may reduce arbitrary-code-execution risk compared with pickle, but it says little about backdoors, safety erosion, privacy leakage, biased domain behavior, or whether the adapter was trained on appropriate data. Conversely, a behavioral evaluation does not prove that the file is safe to load in a privileged environment.
Prefer primary evidence: the LoRA and QLoRA papers for technical claims, official vendor docs for supported workflows, model or adapter cards for artifact claims, NIST and OWASP for security vocabulary, ACL or arXiv papers for attack research, and internal deployment records for the exact system used. A benchmark or model-card claim about the base model should not be reused for the adapted deployment unless the adapted deployment was tested.
Do not infer ideology from the mere presence of an adapter. The evidentiary test is comparative behavior: what changed relative to the base model, which data or objective caused the change, whether the change matters to affected users, and whether the deployment record preserved enough evidence to contest it.
Date managed-service claims. A provider page can change supported methods, access rules, safety checks, model IDs, or deprecation promises. A source note should name the method, provider, checked date, and whether the evidence describes an open adapter file, a merged checkpoint, or a provider-hosted fine-tuned model.
Use careful verbs. "The provider documents," "the repository metadata states," "the paper reports," "the evaluator found," and "the institution deployed" are different evidentiary claims. Adapter governance depends on keeping those statuses separate.
Current-source claims in this article were checked against the named sources on June 23, 2026. The review treats LoRA and QLoRA papers as technical method evidence, Hugging Face and Google Cloud pages as vendor documentation, OpenAI pages as managed-service documentation, NIST and OWASP as security-governance sources, EU AI Act materials as legal context, and ACL or arXiv attack papers as research evidence under their tested conditions.
Related Pages
- Low-Rank Adaptation
- Post-Training
- Open-Weight AI Models
- Model Backdoors
- Model Weight Security
- Model Cards and System Cards
- AI System Inventory
- AI Evaluations
- AI Audits and Third-Party Assurance
- AI Audit Trails
- AI Data Provenance
- Data Poisoning
- AI Vulnerability Disclosure
- AI Procurement
- AI Liability and Accountability
- Algorithmic Impact Assessments
- Human Oversight in AI
- AI Incident Reporting
- Notice and Appeal
- AI Persuasion
- Sycophancy
- Vendor and Platform Governance
- The Model Router Becomes the Hidden Editor
- The AI Bill of Materials Becomes the Supply-Chain Map
- The Data Sheet Becomes the Supply Chain
- The Open-Weight Model Becomes the Release Boundary
Sources
- Edward J. Hu et al., LoRA: Low-Rank Adaptation of Large Language Models, arXiv, 2021.
- Tim Dettmers et al., QLoRA: Efficient Finetuning of Quantized LLMs, arXiv, 2023.
- Hugging Face, PEFT LoRA conceptual guide and LoRA API documentation, checked June 23, 2026.
- Hugging Face, PEFT checkpoint format, checked June 23, 2026.
- Google Cloud, LoRA and QLoRA recommendations for LLMs on Gemini Enterprise Agent Platform, checked June 23, 2026.
- OpenAI Developers, Model optimization, Supervised fine-tuning, and Reinforcement fine-tuning, checked June 23, 2026.
- Ying Sheng et al., S-LoRA: Serving Thousands of Concurrent LoRA Adapters, arXiv, 2023.
- Chengsong Huang et al., LoraHub: Efficient Cross-Task Generalization via Dynamic LoRA Composition, arXiv, 2023.
- Hugging Face, Pickle Scanning, checked June 23, 2026.
- Safetensors project, Simple, safe way to store and distribute tensors, checked June 23, 2026.
- Xander Davies et al., Fundamental Limitations in Pointwise Defences of LLM Finetuning APIs, arXiv, 2025.
- Hongyi Liu et al., LoRATK: LoRA Once, Backdoor Everywhere in the Share-and-Play Ecosystem, Findings of EMNLP 2025.
- NIST, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, NIST AI 100-2e2025, 2025.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1, 2024; updated April 8, 2026, checked June 23, 2026.
- NIST, SP 800-218A: Secure Software Development Practices for Generative AI and Dual-Use Foundation Models, July 2024, checked June 23, 2026.
- European Commission AI Act Service Desk, Article 53: Obligations for providers of general-purpose AI models and Article 55: Obligations of providers of general-purpose AI models with systemic risk, Regulation (EU) 2024/1689, checked June 23, 2026.
- OWASP Gen AI Security Project, LLM03:2025 Supply Chain, checked June 23, 2026.
- Margaret Mitchell et al., Model Cards for Model Reporting, arXiv, 2018; FAT* 2019.