Executive Summary

When Microsoft released its reasoning model MAI-Thinking-1 last month, it described how the data had been cleaned and filtered in unusual detail. Web documents were parsed with Trafilatura; more than ten billion web PDFs were run through Azure Document Intelligence for OCR; mathematical expressions were checked with SymPy. The processing tools it named number more than eight. Yet on the question of which publishers, journals, and STEM databases entered that corpus, and on what terms, it disclosed not a single line — citing "privacy, legal, safety, and competitive reasons." The refining tools were disclosed; the raw sources were hidden. This piece is about that disclosure asymmetry. (Last month, on the same model, we argued that "a declaration of cleanliness" is not the same as proof. This piece looks one layer beneath that declaration — what was actually disclosed and what was concealed, layer by layer.)

This asymmetry is not a matter of taste but of procurement. If you divide the data supply chain into four layers — raw materials (sources), refining (tools), processing (training), and packaging (model cards) — everything MAI disclosed sits in the "refining" layer, and everything it hid sits in the "raw materials" layer. Anyone can reproduce and verify a tool, but no outsider can learn which publisher was signed, and for how much, unless the vendor says so. In fact, surveys suggest more than seven companies in ten cannot even trace the provenance of their own training data. So the legal and procurement teams buying AI data end up purchasing sources they cannot verify, quietly absorbing the risks of copyright, regulation, and non-reproducibility.

But this opacity is not inevitable. The Allen Institute's OLMo released the datasheets and licenses of a trillion-token corpus in full, and the Data Provenance Initiative cut the share of "license-unknown" datasets from 72% to 30% through third-party audit alone. It is not that the sources cannot be disclosed — it is that a choice was made not to disclose them. This report places MAI on a spectrum running from full disclosure through partial disclosure to opacity, and turns the question into a practical checklist: at each layer, what can a procurement team demand, and what can it actually verify? Data quality is decided upstream in the supply chain, not in the finished product (the model); when the upstream is opaque, any downstream guarantee of quality is merely a declaration.

10B→620M

Web PDFs surviving the crawl

A "refining" layer precise enough to drop 93.8%

20%→7%

FMTI "data access" transparency (2023→2024)

Source disclosure is retreating industry-wide

77%

Orgs that can't trace training-data provenance

Kiteworks 2026 survey (est.) — inability to verify

72%→30%

Share of "license-unknown" datasets

After third-party audit — proof it can be disclosed

1

Two Disclosures, One Silence

Read the data section of the MAI-Thinking-1 technical report and the first surprise is its specificity. Microsoft wrote that it used the open-source extractor Trafilatura to pull body text from web HTML, and that it stripped out adult and piracy domains with the University of Toulouse's UT1 blocklist. More than ten billion web PDFs were OCR'd with Azure Document Intelligence, of which only 620 million survived; 7.4 trillion tokens of GitHub code went through three layers of deduplication — exact SHA-512, fuzzy MinHashLSH, and semantic dedup using Qwen3 embeddings. STEM material was selected with seven topic classifiers, and there is even a sentence saying that mathematical expressions were solved with SymPy to confirm they were correct.

Read this far and the model looks as though it has disclosed its data-processing pipeline with unusual transparency. And at this layer, it genuinely is transparent. Know the names of the tools and a third party can reconstruct the same pipeline, reproduce the results, and verify them. The problem is what comes next. On the question of where those carefully cleaned and filtered materials came from in the first place, the same report falls silent. Which publishers supplied the books and journals, which vendors sold the STEM and coding problems, who created the human preference data — all three categories are sealed off by a single phrase: "privacy, legal, safety, and competitive reasons."

This is what the report calls the "disclosure asymmetry." What was disclosed is a list of reproducible tools; what was hidden is the list of raw materials those tools handled. The boundary splits cleanly in two. On the left are the tools the report named down to the specifics; on the right are the suppliers obscured category by category.

Disclosed — refining tools (reproducible) Hidden — raw sources (reliant on assertion)
Trafilatura — web HTML body extraction List of book/journal publishers
UT1 blocklist — harmful-domain removal STEM/coding problem vendors
Azure Document Intelligence — PDF OCR Human preference-data vendors
SHA-512 / MinHashLSH / Qwen3 embeddings — 3-stage dedup License terms of each source
7 topic classifiers · SymPy formula verification Corpus composition ratios

What matters is that the left column cannot stand in for the right. Knowing the tools is not the same as knowing the materials. Which book, from which publisher, was fed into the same OCR engine can never be recovered from eight tool names. This is not to say Microsoft hid something; on the contrary, it honestly stated that "this part will not be disclosed." But explicit silence is still silence, and from a procurement standpoint that silence remains a verification gap.

2

Layers of the Data Supply Chain: What's Visible and Where the View Ends

To see the disclosure asymmetry clearly, you have to treat AI data as a single supply chain and break it into layers. Just as a manufacturing supply chain divides into raw materials, processing, assembly, and packaging, training data can be split into four layers. Raw materials is where the data came from in the first place — sources like publishers, journals, the web, and vendors, together with their license terms. Refining is the tools and pipelines that clean and filter those raw materials. Processing is the actual training of the model on the refined data. Packaging is the model cards and data cards that describe the result.

The key point is that each layer differs in how far an outsider can verify it. The refining layer is made of tools, so if you know the names you can reproduce it. The raw-materials layer, by contrast, offers almost no way to confirm anything beyond the vendor's assertion. An outsider who never sees the contract can only take "we obtained it from News Corp" on faith, or not. The processing layer (training) reports scale — so many tokens on so many GPUs — but how the data was actually mixed cannot be reproduced, and the packaging layer (model cards) is a document the vendor writes itself, so if the upstream is opaque that account cannot be verified either. Set the four layers against their verifiability and the pattern is plain: what MAI disclosed is the verifiable refining layer; what it hid is the unverifiable raw-materials layer.

Data supply chain, 4 layers — verifiability falls the further upstream you go Raw materials · Sources Publishers · journals · vendors · license terms MAI: undisclosed Refining · Tools Trafilatura · Azure DI · dedup · SymPy MAI: disclosed Processing · Training Pre-training · mid-training (scale only) Partial Packaging · Model/data cards Vendor's own account (unverifiable if upstream opaque) Self-reported External verifiability near-impossible reproducible scale only assertion-dependent Source: authors' synthesis (based on the MAI-Thinking-1 Technical Report)

What the diagram says is simple. The layer a vendor discloses most confidently (refining) happens to be the only one an outsider can confirm for themselves, and the layer a procurement team most wants to know (raw materials) happens to be the one with no way to confirm anything beyond the vendor's word. Disclosure and the need for verification are precisely misaligned. So the impression that "they disclosed the tools, therefore they are transparent" becomes an optical illusion that hides the very raw-materials layer where the risk is concentrated.

3

Three Shields: "Privacy, Legal, Competitive"

Microsoft's grounds for hiding the sources came down to four words: privacy, legal, safety, competitive. Take those reasons as one bundle and the conversation ends at "well, it can't be helped." But pull them apart one by one and they carry very different weights of justification.

Three shields — their weight of justification differs Privacy Partly legitimate Protects individuals not institution-wide cover Legal Double-edged A defense, and a verification-avoidance signal Competitive Weakest Applied only selectively Source: authors' synthesis (analysis of MAI-Thinking-1's non-disclosure rationale)

3.1Privacy: partly legitimate

If the aim is to protect the individual labelers who produced the human preference data, or a particular corpus laced with sensitive information, then privacy is a genuine reason. But that is a logic for shielding individuals, not for hiding institution-level sources (which publisher, which database) wholesale. The mere fact that "we signed a deal with this journal" does not violate anyone's privacy.

3.2Legal: a defense that doubles as verification-avoidance

The worry that disclosing sources makes you an easy target for copyright litigation is real. Training-data provenance has indeed been the central issue in lawsuits over the past few years. But that is precisely the problem. The logic "we don't disclose because disclosure invites lawsuits" is, flipped around, also a signal that "sources may have been used that cannot be disclosed." Non-disclosure justified by legal risk does not protect the buyer; it comes closer to burying that risk where the buyer cannot see it.

3.3Competitive: it works only selectively

The weakest shield is "competitive." The claim that a data-procurement strategy is a trade secret is understandable, but the logic is strikingly inconsistent. First, the existence and price of licensing deals are already out in the open. Reddit–Google at roughly $60M a year, News Corp–OpenAI at over $250M across five years — both surfaced in the press and in disclosures. When the existence of a contract is public but only its contents are a trade secret, that is a selective application of the competitive rationale. Second, MAI used a third-party open model (Qwen3-Embedding-0.6B) as a pipeline component while asserting "no third-party model distillation" — circumstantial evidence that what gets guarded as competitive advantage and what gets disclosed is decided by convenience, not principle.

The decisive counter-evidence already exists. The Allen Institute's OLMo/Dolma released the datasheets and licenses of a trillion-token corpus in full, and Pleias's Common Corpus enumerates its sources at the level of individual collections and licenses. The Data Provenance Initiative hand-audited more than 1,800 datasets and cut the "license-unknown" share from 72% to 30%. Someone is already disclosing their sources, and it has been proven that provenance can be established through third-party audit alone. That leaves only one conclusion: it is not that the sources cannot be disclosed, but that a choice was made not to.

The power of third-party audit does not stop at reconstructing a list. When the Data Provenance Initiative went through more than 1,800 datasets one by one, it was not uncommon to find that the license recorded in a repository was actually stated more permissively than the real terms allowed. In other words, even data believed to be openly available can carry a narrower actual scope of permission than its label suggests — and the audit later widened to datasets from hundreds of organizations across dozens of countries. That a great deal of source and license information surfaces when examined from the outside, even without the vendor disclosing it, has now been confirmed repeatedly. The evidence that there is no reason it cannot be disclosed keeps accumulating.

And this non-disclosure is no aberration unique to MAI. Stanford's Foundation Model Transparency Index shows that the data-related sub-domains (data acquisition, data properties) scored the lowest in the industry for three straight years starting in 2023, and "data access" transparency actually retreated from 20% in 2023 to 7% in 2024, with legal-risk concerns cited as the cause. Overall participation in the index also fell, from 74% in 2024 to 30% in 2025. Hiding sources is not the exception; it is the direction the industry is collectively backing into.

4

Buying What You Cannot Verify: The Procurement Team's Dilemma

The story so far has been about the vendor's choices. Now turn the lens to the buying side. When a legal, procurement, or compliance officer adopting an AI model or dataset hears the vendor say "our data is fine," how do they verify it? In theory there are several instruments. You can write an audit right into the contract, demand a datasheet or data card, bring technical means like membership inference to bear, or lean on third-party certification and representations-and-warranties clauses. The problem is that every one of these instruments has sharp limits.

Means of verification Limitation
Contractual audit right Valid only within the range the vendor agrees to, and the raw-materials list is routinely carved out of the audit scope for "competitive reasons." If there is no document to audit in the first place, the audit right is a dead letter.
Datasheets · data cards A standard that asks sources to be documented — but if the vendor simply writes "not disclosed" for a whole category, the form is filled while the content stays empty.
Membership inference Only estimates "the probability that this document was used in training"; it cannot reconstruct "what the corpus is composed of" as a list. This is the technical ceiling of external verification.
Third-party certification More than 66% of B2B buyers require SOC 2, but that certification examines security controls only — it does not warrant "training-data provenance or bias mitigation."
Representations & warranties Grounds for after-the-fact indemnity, not for prior verification. A device for litigating once something has gone wrong, not for preventing it.

What this table shows coldly is that most of the tools in a procurement team's hands never reach the raw-materials layer. The audit right audits only what was chosen to be disclosed, membership inference cannot reconstruct composition, and certification looks somewhere else. Which is why the numbers come out the way they do. According to Kiteworks's 2026 survey, 77% of organizations cannot trace the provenance of their training data, and 78% cannot verify data before it enters the pipeline. (As a vendor-published survey it should be read as an estimate, but it is the most direct public figure quantifying the inability to verify.)

5 verification means — reach into the "raw materials" layer is low across the board Contractual audit right Only what the vendor agrees to Datasheets · data cards Blank if a category is withheld Membership inference Can't reconstruct — technical ceiling Third-party certification (SOC 2, etc.) Checks security only, not sources Representations & warranties After-the-fact, not prior verification Source: authors' synthesis (based on this report's Section 4 analysis of verification means)

When verification fails, the risk does not disappear. It is quietly transferred to the buyer. If a source turns out to be illicit, retroactive copyright liability spreads to the buyer, and regulatory exposure — such as the EU AI Act's training-data summary obligation for general-purpose AI — also becomes the buyer's burden. When only the vendor knows the data lineage, neither audit nor retraining is possible (non-reproducibility), and what remains is a dependence in which nothing can be done without that vendor. These four transfers are exactly what "buying provenance you cannot verify" means in practice.

5

The Disclosure Spectrum and a Procurement Checklist

It would be inaccurate to cast MAI as a uniquely opaque exception. Source disclosure is not black-and-white but a spectrum, and MAI is one point on it. At one end sits the full-disclosure camp that enumerates sources individually (OLMo, Common Corpus); at the other end are closed models that barely speak of data at all. MAI sits in between, in the "partial disclosure" band that discloses the tools while hiding the sources.

Source-disclosure spectrum — MAI sits in the "partial disclosure" band Full disclosure OLMo · Common Corpus Sources & licenses named individually Partial disclosure — MAI Tools & pipeline disclosed Sources & license terms withheld Opaque Most closed models Lowest in FMTI data sub-domains Source: authors' synthesis (based on Ai2 · Pleias · Stanford CRFM FMTI)

Knowing the spectrum alone is of little practical help to a procurement officer. What is needed is a questionnaire that can interrogate "where the vendor sits" layer by layer. Carry the four-layer model straight over into a checklist and, at each layer, what to demand and what can actually be verified come apart into separate columns. Knowing which layer you can demand but cannot verify — that is the heart of this table.

Layer What to demand Verifiability
Raw materials
(sources)
Per-category source list, license types, acquisition route (purchase/partnership/open), share of third-party data Low — reliant on vendor assertion. You can "demand" it via audit rights and datasheets, but external re-confirmation is hard.
Refining
(tools)
The tools and settings of the extraction/filter/dedup/quality-check pipeline High — reproducible and verifiable once the tools are disclosed. The layer MAI disclosed.
Processing
(training)
Training data-mix ratios, decontamination procedures, nature of mid-training data Medium — scale and procedure are described, but the actual mix cannot be reproduced.
Packaging
(cards)
Data cards and model cards, regulatory-compliance summaries (EU AI Act, etc.) Medium — the documents exist, but if the upstream is opaque their contents cannot be verified.

Regulation is moving to narrow this gap. The EU AI Act's Code of Practice for general-purpose AI (GPAI) has required disclosure of a training-data "summary" since August 2025, and Microsoft is among the signatories. But whether that "summary" stops at a list of tools or extends to a list of sources is not yet settled, and whether MAI actually published such a summary needs to be confirmed. South Korea's Framework Act on AI (in force since 2026-01-22) points the same way but leaves a similar blind spot. While regulation raises the floor, what more you can demand above that floor still comes down to the buyer's bargaining power. (For reference, estimates of the AI training-data market range widely, from $3.2B to $11.9B depending on the source; because definitions differ, any statistic that speaks of this market with a single number should be read with caution.)

6

Why Pebblous Watches This Asymmetry

This piece has moved from the start along a single distinction: the layer you can verify and the layer you cannot. What the MAI case revealed is where the boundary between what can be instrumented and documented and what cannot currently runs in the data supply chain. The refining tools are instrumented; the raw sources are not. That boundary is not a limit of technology but a choice of convention, and conventions can change.

If sources cannot be verified, then neither what a model learned nor what biases and copyright risks were seated inside it can be audited after the fact. Quality is decided upstream in the supply chain (sources and terms), not in the finished product (the model). To call something "clean" downstream while the upstream stays opaque is a declaration that has given up on verification. So the real question shifts from "is this data clean?" to "how far down this data can we instrument and document?"

Editor's Note. The AI-Ready Data and DataClinic work that Pebblous does sits exactly at the point where a dataset's sources, quality, and lineage are diagnosed and recorded before it enters training. The "instrumentation gap at the raw-materials layer" this piece identifies overlaps precisely with that concern. That said, this judgment is for each reader to test in their own procurement context, and there is no need to read the conclusion as a claim of any product's superiority. What this report hopes to leave behind is not an answer but a habit — asking layer by layer when you write the next contract. What a vendor disclosed and what you can verify are not the same thing.

R

References

Primary Sources · The Event

Data Documentation · Transparency (Academic)

Open Camp · Regulation · Market

  • 9.Allen Institute for AI. "Dolma / OLMo: An Open Corpus and Language Model." allenai.org, 2023– (ODC-BY).
  • 10.Pleias. "Common Corpus: The Largest Multilingual Open Dataset." arXiv:2506.01732, 2025 (HuggingFace README).
  • 11.European Commission. "GPAI Code of Practice — Transparency & Training Data Summary Template." digital-strategy.ec.europa.eu, 2025-07.
  • 12.Kiteworks. "2026 Data Security, Compliance and Risk Forecast Report." kiteworks.com, 2026. (Procurement verification-failure rate 77–78% — vendor-published survey)
  • 13.Columbia Journalism Review / SEC filings. "AI Content Licensing Deals: Reddit–Google, News Corp–OpenAI." 2024–2026. (Licensing-deal amounts)

🔗 Read together — different layers of the same event

Last month, on the same model, we took up the problem that "a declaration of cleanliness has to be proven" — It Said "Clean Data." There Was No Proof. This piece looks one layer beneath that declaration, at the asymmetry between what is disclosed and what is hidden. The practical frame for embedding data lineage into a pipeline continues in the Data Lineage framework.