Training Data Provenance: The Dataset Hash That Changed Under the Same Name

Training Data Provenance

Disclosure: AI tools were used for source collection and editorial review. The article was written by a human author, who checked the facts, sources, and conclusions.

Crypto risk disclosure: This article is a technical explanation, not investment advice. It is not a recommendation to buy, sell or hold any cryptoasset.

Training Data Provenance starts with a boring failure: the dataset name stayed put while the bytes underneath moved. For AI x crypto systems that gap is the whole problem. A model claim, an onchain receipt, or a provenance attestation can all point at a name long after the files, metadata, splits, or source chain have changed. So "we used dataset X" is not a receipt. A version-pinned manifest diff, with its limits spelled out, is.

Name

A dataset name is where provenance starts, not where it stops. W3C PROV-DM describes provenance through entities, activities, agents, derivations, usage, generation, and responsibility. That list is itself the warning. A name or URL is one pointer inside a much longer chain.

The name still works as a handle. What it cannot do is prove the training data. A handle says nothing about which revision loaded, which files were present, who changed them, what preprocessing ran, or whether the license and source story was ever complete.

Revision

Floating references move, so the next thing a receipt needs is a revision pin. Hugging Face Datasets documentation describes loading datasets with a revision value, and the practical research pass found full commit hashes hold up better than floating branches for reproducibility. Resolve the input ref into a concrete commit first. Everything else comes after that.

Even pinned, the version is not the whole story. Hugging Face Hub API documentation describes repository refs and trees that can back a manifest. The real provenance question opens up after the pin: did the manifest change, did the metadata change, and what does the diff still fail to explain?

Manifest

The practical artifact is a dataset hash diff. It pins two resolved versions, hashes the metadata surface, compares the file manifest, and labels whatever claims stay blocked.

{
  "artifact_type": "dataset_hash_diff",
  "dataset": {
    "provider": "huggingface",
    "name": "owner/dataset",
    "access_scope": "public"
  },
  "versions": {
    "old": {
      "ref_input": "main",
      "resolved_commit": "old_full_commit_sha",
      "card_metadata_hash": "sha256:old_readme_yaml",
      "retrieved_at": "2026-06-04T00:00:00Z"
    },
    "new": {
      "ref_input": "main",
      "resolved_commit": "new_full_commit_sha",
      "card_metadata_hash": "sha256:new_readme_yaml",
      "retrieved_at": "2026-06-04T00:10:00Z"
    }
  },
  "manifest_diff": {
    "added": [{"path": "train/shard-0003.parquet", "content_hash": "sha256:new"}],
    "deleted": [],
    "modified": [{"path": "README.md", "old_hash": "sha256:old", "new_hash": "sha256:new"}]
  },
  "blocked_claims": [
    "license is proven",
    "collection consent is proven",
    "model quality is proven"
  ]
}

Metadata

Bytes are not the only claim surface, so metadata drift belongs in the diff too. MLCommons Croissant 1.1 describes dataset metadata, versions, file checksums, and live dataset considerations. A metadata hash can change while no large shard moves at all, and that still counts.

Documentation explains why this matters. Datasheets for Datasets asks for motivation, composition, collection, preprocessing, uses, distribution, and maintenance. Model Cards for Model Reporting asks for intended use, evaluation, factors, metrics, and limitations. None of that rides along in a file hash.

Hash

Respect hashes, but don't worship them. The Git LFS specification uses pointer files with oid sha256:<hash> and size, and DVC file documentation describes tracked outputs with hashes and sizes. As byte-level tools, both are strong.

The boundary is the whole point. DVC diff produces a machine-readable comparison with hashes, and Git diff shows changed paths between commits. They prove tracked drift. They say nothing about license, consent, collection method, source completeness, or model quality.

Snapshot

When a dataset is live or mutable, retrieval time becomes part of the record. Croissant's live dataset language and the repository APIs push the same habit: write down what was retrieved, from where, at which resolved revision, and when. Skip it and a later audit can repeat the name without ever repeating the data.

The Data Provenance Initiative paper A large-scale audit of dataset licensing and attribution in AI shows why the wider chain matters. It tracks sources, creators, licenses, derivatives, and composition. That is the layer no hash diff can stand in for.

Decision

Provenance gets credible at the moment the receipt starts refusing overbroad claims.

Claim	Status	Reason
These two dataset revisions have different tracked file hashes.	Allowed when the manifest diff is cited.	The hash diff supports byte-level drift.
The dataset card metadata changed.	Allowed when the metadata hash or field diff is cited.	Documentation drift is part of the review surface.
The dataset source, license, and consent chain are proven.	Blocked unless separate provenance evidence exists.	A hash is not the full source chain.
The model trained on this dataset is reliable.	Blocked.	Dataset identity is not model evaluation.

The strongest provenance claim here is the smallest one. A dataset hash diff can show that a named dataset changed under a stable-looking reference. It cannot tell the whole provenance story on its own, and that limit is exactly what makes the receipt worth keeping.