I think the only approach that might work here is to allow access only to certain pre-approved individuals.

Maybe something like TSA PreCheck.

Of course, that will not stop adversaries from getting access to the model, but it would at least create some level of control.