5.4.1 Verifiable Audits
Original Problem in the Paper
Paper motivation: external audits/assessments are proposed as core governance tools; attesting to audit process/outcome could build trust among developers, auditors, governments, and users and prove compliance. Open problems: verify claimed capabilities/performance without full access, use ZK proofs despite high overhead, prove live inference pipeline matches audited pipeline, handle dynamic models, scale beyond enclave-only critical systems, inform users with low friction, and prevent auditor exfiltration of weights; verify safety measures post-deployment.
July 2026 Update & Trajectory
Verifiable audit ingredients are maturing: ZK inference proofs for 13B LLMs, TEEs/confidential AI factories, AI Act/GPAI audit/documentation obligations, and system cards. But end-to-end audit registry plus live certificate matching for deployed dynamic pipelines is not production-standard by July 2026. ZK/TEE overhead, dynamic updates, model exfiltration, and user-facing verification remain open.
Deployed / Operationalized
- Empirical audit artifacts: system cards, safety scorecards, external red-team summaries, and regulator documentation forms.
- TEE/confidential-computing architecture can attest measured inference environments before releasing secrets.
- ZK LLM inference proofs demonstrate feasibility for selected models/proofs but are not yet routine for large live services.
New Tractable Vectors
- ZK proof of inference authenticity for moderately large LLMs without revealing weights.
- Enclave certificate chains tying evaluated containers/model artifacts to runtime key release.
- Regulatory audit/documentation workflows under EU AI Act and GPAI Code of Practice.
Key Open Questions
- End-to-end public audit registries binding audit results to every user-facing generation from a dynamic pipeline.
- Scalable ZK/TEE verification for frontier multimodal systems with acceptable latency/cost.
- Safe auditor access that avoids model-weight exfiltration or benchmark leakage.
- Verifying that post-deployment safety filters/classifiers are attached, current, and enforced for every relevant request.
Evidence & Primary Sources
- zkLLM provides zero-knowledge proofs for LLM inference; for 13B-parameter LLMs it reports proof generation under 15 minutes and proof size under 200 kB while preserving parameter privacy; submitted 2024-04-24. (2024-04-24): https://arxiv.org/abs/2404.16109
- NVIDIA 2026 zero-trust AI factory architecture uses hardware TEEs and cryptographic attestation to verify workload integrity before key release, but explicitly leaves application vulnerabilities, availability, and network/storage security outside scope; published 2026-03-23. (2026-03-23): https://developer.nvidia.com/blog/building-a-zero-trust-architecture-for-confidential-ai-factories/
- EU GPAI Code of Practice was published 2025-07-10 and updated/endorsed by 2026-04-23 as an adequate voluntary compliance tool covering transparency, copyright, and safety/security chapters. (2026-04-23): https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- OpenAI GPT-4o System Card publishes end-to-end safety assessment and Preparedness Framework scorecard, showing audit-like transparency but not cryptographic verifiability; published 2024-08-08. (2024-08-08): https://openai.com/index/gpt-4o-system-card/