Pretrained, Frozen, Still Leaking: Auditing Cross-Encoder Attribute Transfer in EEG Foundation Models

Source: Takara TLDR - Daily AI Papers · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Biomedical AI · Depth: Expert, quick

Summary

A new audit framework shows that existing single-endpoint audits for EEG foundation models, such as raw-reconstruction or membership-inference audits, fail to detect spectral attribute leakage. Applied to BIOT, LaBraM, and EEGPT, the framework demonstrates that even "cleared" model releases still leak sensitive spectral attributes. The core evidence is a cross-encoder transfer audit, in which a ridge attribute decoder trained on one frozen encoder successfully transfers to held-out subjects of other encoders, achieving a 95% CI lower bound of at least 0.081. The authors introduce an Audit-Endpoint Disagreement Score (AEDS) as a deployment-ready decision rule; it proved positive in all eight tested matched-CI cells with p < 0.001, significantly outperforming a Carlini LiRA membership audit (AUC 0.50-0.70). Crucially, standard defenses like DP-SGD at ε ∈ {4, 8} and the LiRA audit proved ineffective against this attribute leakage.

Key takeaway

If you are an AI security engineer evaluating EEG foundation models for deployment, you must move beyond single-endpoint audits. Your current assessments likely miss critical spectral attribute leakage, even with DP-SGD. Implement the proposed joint audit framework, including cross-encoder transfer audits and the Audit-Endpoint Disagreement Score (AEDS), to accurately identify and block releases that pose privacy risks before model deployment.

Key insights

Single-endpoint audits for EEG foundation models are insufficient, as spectral attributes can still leak via cross-encoder transfer.

Method

The audit framework combines multiple endpoints, using a cross-encoder transfer audit and an Audit-Endpoint Disagreement Score (AEDS) to form a joint release decision.
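
A sketch of the cross-encoder transfer check described in the summary, added here as an illustration and not taken from the paper or its authors' code. It assumes R² as the transfer score, a linear target-to-source alignment map fit on the training subjects, a subject-level bootstrap for the 95% CI, and constructed synthetic embeddings in place of real encoder outputs; AEDS is not computed because its definition is not given on this page.

```python
import numpy as np

def ridge(X, Y, lam=1.0):
    """Closed-form ridge weights (no intercept; the constructed data is zero-mean)."""
    return np.linalg.solve(X.T @ X + lam * np.eye(X.shape[1]), X.T @ Y)

def r2(y, pred):
    return 1.0 - np.sum((y - pred) ** 2) / np.sum((y - y.mean()) ** 2)

def transfer_audit(emb_src, emb_tgt, attr, subj, held_out, n_boot=500, seed=0):
    """Train the attribute decoder on the source encoder, score it on held-out
    subjects of the target encoder. Returns (R^2, 2.5th-percentile bootstrap R^2)."""
    test = np.isin(subj, held_out)
    train = ~test
    decoder = ridge(emb_src[train], attr[train])    # ridge attribute decoder, frozen source
    align = ridge(emb_tgt[train], emb_src[train])   # ASSUMED linear target->source map
    pred = emb_tgt[test] @ align @ decoder
    y, s = attr[test], subj[test]
    rng = np.random.default_rng(seed)
    boots = []
    for _ in range(n_boot):                         # resample whole subjects, not trials
        picked = rng.choice(held_out, len(held_out))
        idx = np.concatenate([np.flatnonzero(s == k) for k in picked])
        boots.append(r2(y[idx], pred[idx]))
    return float(r2(y, pred)), float(np.percentile(boots, 2.5))

def make_constructed_data(seed=7, n_subj=40, n_trials=50):
    """Constructed stand-in for frozen-encoder embeddings; not real EEG."""
    rng = np.random.default_rng(seed)
    subj = np.repeat(np.arange(n_subj), n_trials)
    z = rng.normal(size=(subj.size, 8))             # shared latent signal content
    attr = z[:, 0]                                  # stand-in "spectral attribute"
    def encode(cols, dim):                          # random linear encoder plus noise
        w = rng.normal(size=(len(cols), dim))
        return z[:, cols] @ w + 0.1 * rng.normal(size=(subj.size, dim))
    everything, no_attr = list(range(8)), list(range(1, 8))
    return encode(everything, 16), encode(everything, 12), encode(no_attr, 12), attr, subj

def run_audit():
    src, tgt_leaky, tgt_control, attr, subj = make_constructed_data()
    held_out = np.arange(30, 40)                    # subjects never seen in training
    return (transfer_audit(src, tgt_leaky, attr, subj, held_out),
            transfer_audit(src, tgt_control, attr, subj, held_out))

if __name__ == "__main__":
    (r_leak, lo_leak), (r_ctrl, lo_ctrl) = run_audit()
    print(f"leaky target:   R2={r_leak:.3f}  95% CI lower={lo_leak:.3f}")
    print(f"control target: R2={r_ctrl:.3f}  95% CI lower={lo_ctrl:.3f}")
```

The control target encoder is built without the attribute's latent dimension, so its lower bound stays near or below zero while the leaky target's stays well above it.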

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, Research Scientist, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.