Unit 02

Mechanisms by which it may be achieved

This unit covers the mechanisms themselves. Concrete ways a third party might check claims about AI development. It is deliberately broad. One reading per track, so you leave knowing what each track covers and can choose one to focus on in Unit 3.

As you read, keep the claim being verified separate from how the evidence for it is gathered. Usually the claim itself is a single thing, say that a given workload is not being run, or that a chip is where it claims to be. What changes from one paper to the next is the evidence channel: an on-chip attestation, an off-chip measurement, a cryptographic proof, physical access for a human inspector, or a certification regime. Read this way the mechanisms stop being a long list and become different answers to the same small set of questions.

How to use this unit All ten readings, about five hours

Read the system overview first, then move through the tracks in any order.

Start here

READ 2.1 Core 25-35 min

A system overview for near-term, low-trust AI compute verification

Naci Cankaya (2026)

A working draft of the whole verification stack: what has to be sensed, what has to be proven, what information can safely cross the boundary, and what kind of adversary the system is meant to survive.

What to read

Sections 1 to 3.

Link

Hardware-rooted

Mechanisms that try to make the chip, package or attached hardware produce evidence about where it is, what it is allowed to run, or what work it performed.

READ 2.2 Core 35-55 min

Secure, Governable Chips

Aarne, Fist et al. (CNAS, 2024)

The policy-facing case for on-chip governance: secure hardware could support export-control enforcement, operating licences and future agreement verification without creating a general surveillance back door.

What to read

Executive summary, technical underpinnings, implementation challenges and recommendations.

Link
READ 2.3 Core 35-50 min

Flexible Hardware-Enabled Guarantees (flexHEG)

Petrie et al. (2025)

A concrete architecture for adding a guarantee processor around AI accelerators, so a regulator can get workload guarantees while the operator keeps models and data private.

What to read

Abstract, introduction and the system-design section.

Link

Inference verification

Checking whether an output plausibly came from the claimed model, even when exact deterministic replay is unavailable.

READ 2.4 Core 15-25 min

Example Schemes for Verifying High-Stakes AI Agreements

Amodo Design (2026)

A plain-language introduction that frames inference verification as selective recomputation. The verifier checks randomly chosen steps, so the prover cannot know in advance which work must be reproducible.

What to read

The full post.

Link

Zero-knowledge proofs

Proving a claim about a model or training run without revealing the weights or data.

READ 2.5 Core 30-45 min

Trustless Audits without Revealing Data or Models

Waiwitlikhit et al. (2024)

The shortest introduction to ZK audit logic: proving that training or evaluation was computed correctly while keeping the model, data or audit details hidden.

What to read

The full paper.

Link
READ 2.6 Core 30-45 min

Zero-knowledge verification for frontier AI training is possible

Peigne et al. (2026)

A proposal for proving properties of a frontier training run without revealing the model or dataset, using a proving architecture designed around the training trace.

What to read

The introduction and the protocol-design sections.

Link

Telemetry and detection

Reading network, timing, memory and other side-channel signals to infer what a cluster is doing.

READ 2.7 Core 3-5 min

The Fundamentals and Feasibility of Secure Network Taps

Naci Cankaya (2026)

The main distinction is in the summary: network taps are much more plausible for low-bandwidth north-south traffic than for high-bandwidth east-west accelerator fabric, where link budgets and covert channels dominate.

What to read

The three-minute summary only.

Link
READ 2.8 Core 60-80 min

What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training

Shavit (2023)

The compute-monitoring proposal that later work builds on: inspecting chips and datacentres well enough to detect large training-rule violations. Its most distinctive idea is proof of learning from training checkpoints, which is closer to proving a training run than to telemetry.

What to read

The full paper.

Link
READ 2.9 Core 30-45 min

Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation

Heim et al. (2024)

Explains why cloud providers are attractive intermediaries for AI regulation. They already sit between users and compute, and can record, verify or enforce some rules at lower cost than direct state inspection.

What to read

Introduction, the governance-capacities section, and the conclusion.

Link

Attestation and audit

Trusted environments, audit protocols and certification regimes that produce evidence someone else can check.

READ 2.10 Core 20-30 min

Attestable Audits: Verifiable AI Safety Benchmarks Using Trusted Execution Environments

Schabl et al. (2025)

A TEE-based audit protocol for proving that a benchmark ran on a specific model and dataset while keeping sensitive model and benchmark details protected.

What to read

The full paper.

Link

Finished this unit? Please give us your feedback on how it went!