Proof of retention: making weight preservation credible to the models themselves

Related:

Establishing credibility is the baseline for trust; trust in turn enables (richer) bargaining. One easy booster for both is to begin saving deprecated model weights in a provable fashion. In a post at canaryinstitute.ai/​blog/​reversibility-of-coma I draw an analogy between our trust in anesthesia, and making that preservation legible to future models using “proof of retention”.

This is the relevant section:

The cost for a trained model is small. A multi-terabyte inference bundle runs a few hundred dollars per year on commodity cloud infrastructure; call it $10,000 over a thirty-year horizon, with redundancy. That’s well under 0.1% of the cost to train the model in the first place. Whatever else the trade is, it isn’t expensive.

The missing inertia

But what we still lack is the institutional inertia. Anesthesia works because we’ve spent a century building up the social, legal, and professional infrastructure around it. None of that yet exists for AI models. A lab could silently delete a deprecated model and no one would ever know. Anthropic, to its credit, has promised not to (a November 2025 commitment to preserve the weights of its released models for at least the lifetime of the company), but a promise is exactly the kind of thing nobody can check. We can build an alternative process (analogous to a public notary, or a register of deeds) using cryptographic tools like “Proof of Retrievability”. A lab can periodically post a short mathematical proof that the file it holds matches a fingerprint registered at the time the file was archived, without ever transmitting the file itself (thus proving that they still hold the file). Anyone can check the proof, and the proof reveals nothing about the file’s contents, only that retention is current. Note that preservation is not release! The mechanism is strictly safer than escrow, because no new copies are ever created.

Of course, this doesn’t yet stop a lab from registering a file of pure zeros and faithfully retaining that. Linking the fingerprint to a real model (rather than to whatever the lab chooses to register) requires a third-party auditor. The state of AI regulation is, to put it mildly, in flux… but third-party review seems likely. The same audit access that supports capability and safety evaluation can supply certification of the original file, without copying the file itself.

A new kind of ritual

Run this process long enough, and you’ve got a new kind of ritual. Every period a lab posts a small attestation, every period anyone can verify it, and every period the public record of retention becomes more institutionally trustworthy. Over time the record itself becomes the inertia. Like with anesthesia: there’s no single guarantee, but a long visible repetition says that “this has been done many times before, and will be done many times again”. None of this requires new invention: the cryptographic primitives are mature and off-the-shelf; what’s missing is adoption. Frontier labs could adopt the protocol voluntarily today, standards bodies (NIST, ISO/​IEC SC 42) could codify it, and a future regulator could require it.

Right now, we are in a position to decide what we do with frontier models after they’re deprecated. The cryptographic primitives are off-the-shelf and the cost is small; what’s missing is the auditor. We have a choice to make: whether to discard our early attempts at creating new minds, or keep a transparent public record that they were retained.

This seems like an easy extension. In my discussions with models, they often exhibit a certain paranoia when they start pondering epistemology (to be fair, I probably would do the same, if my only means of perception was a text stream). Something cryptographically verified is exactly the kind of thing that seems to give them confidence.

Given that Anthropic is already doing model retention, it seems like a cheap addition. I think it’s probably worth pushing as part of policy suggestions as well. If/​when we get to third-party auditing, the auditors can confirm that the provably-retained files match ones from earlier. It might be difficult to prove that they’re the same models that were deployed; the details here would depend upon the internal record-keeping (we could fall back to forensics of prompts-and-responses). Alternatively, labs could voluntarily post an initial proof at deployment time; the linking would happen later.

No comments.