Unit 02
Mechanisms by which it may be achieved
This unit covers the mechanisms themselves. Concrete ways a third party might check claims about AI development. It is deliberately broad. One reading per track, so you leave knowing what each track covers and can choose one to focus on in Unit 3.
As you read, keep the claim being verified separate from how the evidence for it is gathered. Usually the claim itself is a single thing, say that a given workload is not being run, or that a chip is where it claims to be. What changes from one paper to the next is the evidence channel: an on-chip attestation, an off-chip measurement, a cryptographic proof, physical access for a human inspector, or a certification regime. Read this way the mechanisms stop being a long list and become different answers to the same small set of questions.
How to use this unit
All ten readings, about five hours
Read the system overview first, then move through the tracks in any order.
READ 2.1
Core
25-35 min
A system overview for near-term, low-trust AI compute verification
Naci Cankaya (2026)
A working draft of the whole verification stack: what has to be sensed, what has to be proven, what information can safely cross the boundary, and what kind of adversary the system is meant to survive.
What to read
Sections 1 to 3.
Link
Mechanisms that try to make the chip, package or attached hardware produce evidence about where it is, what it is allowed to run, or what work it performed.
READ 2.2
Core
35-55 min
Secure, Governable Chips
Aarne, Fist et al. (CNAS, 2024)
The policy-facing case for on-chip governance: secure hardware could support export-control enforcement, operating licences and future agreement verification without creating a general surveillance back door.
What to read
Executive summary, technical underpinnings, implementation challenges and recommendations.
Link
READ 2.3
Core
35-50 min
Flexible Hardware-Enabled Guarantees (flexHEG)
Petrie et al. (2025)
A concrete architecture for adding a guarantee processor around AI accelerators, so a regulator can get workload guarantees while the operator keeps models and data private.
What to read
Abstract, introduction and the system-design section.
Link
Checking whether an output plausibly came from the claimed model, even when exact deterministic replay is unavailable.
READ 2.4
Core
15-25 min
Example Schemes for Verifying High-Stakes AI Agreements
Amodo Design (2026)
A plain-language introduction that frames inference verification as selective recomputation. The verifier checks randomly chosen steps, so the prover cannot know in advance which work must be reproducible.
What to read
The full post.
Link
Proving a claim about a model or training run without revealing the weights or data.
READ 2.5
Core
30-45 min
Trustless Audits without Revealing Data or Models
Waiwitlikhit et al. (2024)
The shortest introduction to ZK audit logic: proving that training or evaluation was computed correctly while keeping the model, data or audit details hidden.
What to read
The full paper.
Link
READ 2.6
Core
30-45 min
Zero-knowledge verification for frontier AI training is possible
Peigne et al. (2026)
A proposal for proving properties of a frontier training run without revealing the model or dataset, using a proving architecture designed around the training trace.
What to read
The introduction and the protocol-design sections.
Link
Reading network, timing, memory and other side-channel signals to infer what a cluster is doing.
READ 2.7
Core
3-5 min
The Fundamentals and Feasibility of Secure Network Taps
Naci Cankaya (2026)
The main distinction is in the summary: network taps are much more plausible for low-bandwidth north-south traffic than for high-bandwidth east-west accelerator fabric, where link budgets and covert channels dominate.
What to read
The three-minute summary only.
Link
READ 2.8
Core
60-80 min
What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training
Shavit (2023)
The compute-monitoring proposal that later work builds on: inspecting chips and datacentres well enough to detect large training-rule violations. Its most distinctive idea is proof of learning from training checkpoints, which is closer to proving a training run than to telemetry.
What to read
The full paper.
Link
READ 2.9
Core
30-45 min
Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation
Heim et al. (2024)
Explains why cloud providers are attractive intermediaries for AI regulation. They already sit between users and compute, and can record, verify or enforce some rules at lower cost than direct state inspection.
What to read
Introduction, the governance-capacities section, and the conclusion.
Link
Trusted environments, audit protocols and certification regimes that produce evidence someone else can check.
READ 2.10
Core
20-30 min
Attestable Audits: Verifiable AI Safety Benchmarks Using Trusted Execution Environments
Schabl et al. (2025)
A TEE-based audit protocol for proving that a benchmark ran on a specific model and dataset while keeping sensitive model and benchmark details protected.
What to read
The full paper.
Link
Finished this unit? Please give us your feedback on how it went!