What is a Foundation Model?
A foundation model is a large neural network — typically with billions of parameters — pre-trained on broad data at scale to serve as the base for many downstream applications. The term was coined by the Stanford CRFM in 2021 to describe models like GPT-3, BERT, CLIP, and the families that have followed. Modern foundation models include GPT-5, Claude Opus 4.6, Gemini 2.5, Llama 4, and Mistral Large.
What makes a model "foundational"
Three properties:
- Scale of pre-training. Trained on trillions of tokens or hundreds of millions of images — far more than any application-specific model would see.
- Generality. A single model handles many tasks (translation, summarization, code, math, image understanding) through prompting, without per-task training.
- Adaptability. Downstream uses adapt the model via prompting, RAG, fine-tuning, or LoRA rather than training from scratch.
The economic structure is hub-and-spoke: a small number of organizations train foundation models at enormous cost; many organizations build applications on top.
Modalities
- Text-only LLMs — GPT-3, early Claude
- Multimodal LLMs — GPT-4o/5, Claude with vision, Gemini natively
- Image-text — CLIP, DALL-E, Stable Diffusion
- Speech — Whisper, Voice Engine
- Code — Codex, Claude with code-specific training
- Embedding models — text-embedding-3, Cohere Embed
- Action / agent — Adept ACT-1, Anthropic Computer Use
Why foundation-model security is different from traditional ML security
Traditional ML systems were narrow: a fraud-detection model, a spam classifier, a recommendation system. Each had a well-defined input space and threat model.
Foundation models are general-purpose, which makes their threat surface qualitatively different:
- Inputs are unbounded. Any text, any prompt, any encoding, any retrieved document is in scope. There is no "expected input distribution" to defend.
- Behaviors are emergent. Capabilities (and failure modes) appear at scale that weren't designed for and aren't predictable from training metrics.
- Downstream applications inherit the foundation's risks. Every safety gap in GPT-5 propagates to every application built on GPT-5, often without the application developer knowing.
- Model providers have asymmetric responsibility. A vulnerability disclosed in one foundation model affects thousands of dependent applications simultaneously.
Repello's comparative red-team studies (linked below) measure foundation-model security empirically across major model families — the same prompts produce dramatically different breach rates depending on the underlying model, even when the application layer is held constant.
Distilled and derived models
A growing pattern: smaller models trained to mimic foundation models (via knowledge distillation, instruction tuning on foundation outputs, or LoRA fine-tuning). These derive from foundations but inherit only some of the safety training. Repello's DeepSeek-R1 distillation safety study documented systematic gaps where distilled variants produced harmful outputs the original would have refused.