Are Robust LLM Fingerprints Adversarially Robust?

Our latest paper, accepted to IEEE SaTML 2026, analyzes the robustness of model fingerprinting under adversarial conditions and shows that simple, targeted attacks can reliably defeat many existing fingerprinting strategies.

🧵 Read more for a deep dive on our latest research

2/ We evaluate fingerprints under a malicious model host

Most prior work assumes a benign model host—one that preserves embedded fingerprints—whereas in practice malicious hosts may actively attempt to remove or evade fingerprinting, particularly in open-source settings.

A malicious host wants to keep the model’s utility high while quietly stripping or evading the fingerprint.

We formalize this malicious-host threat model and evaluate 10 recent schemes under two axes:

- Attack Success Rate (ASR): how often verification fails
- Normalized Utility: how close performance stays to the original model

A “perfect” attack has ASR ≈ 1 and utility ≈ 1.

3/ LLM fingerprints are categorized into three main families

- Intrinsic fingerprints:
These do not change model weights. They search for special queries that make the target model respond in a characteristic way while other models do not.

This includes adversarial-example based fingerprints, where short, optimized suffixes trigger a secret response, and classifier-style fingerprints that train a model to distinguish responses across LLMs.

They are attractive because they are harmless to the base model but often rely on unnatural prompts or closed sets of candidate models.

- Invasive fingerprints:
These explicitly modify model weights to embed backdoor style input–response pairs. When a secret query is issued, the fingerprinted model is extremely likely to output the target response.

These methods typically use fine tuning, model merging, or knowledge editing, and are designed to survive benign perturbations like extra training or quantization.

Their weakness is that they depend on exact responses and very confident logits, which an adversarial host can selectively damp or resample.

- Watermark based fingerprints:
These embed a statistical signal into generations by biasing token selection according to a secret key. Ownership is then verified by detecting this hidden n-gram level pattern.

Because these signals leak into normal text and share structure across many prompts, a malicious host can learn parts of the watermark and suppress it.

We evaluated SERA-Crypto against GPT-5 and Gemini 3 Pro on real user queries.

Here’s how SERA gives users the best research available, building a full risk profile and technical analysis 🧵

2/ Multidimensional queries challenge models

“Main risks” are multidimensional: structural economics, governance, volatility, concentration, and narrative risk all interact.

Most models either:
- Fixate on one angle and ignore the rest, or
- Give a general list of generic crypto risks with little structure or relevance to your query

SERA-Crypto turns open-ended prompts into a structured query relevant to what the user is asking.

3/ SERA starts by routing to the right tools

The query is rephrased to make the task explicit (risk assessment for Dogecoin) and resolved to the correct asset (DOGE, not DOGE-themed tokens).

Then it embedded and matched against two indexes:

- Tool index: market data, volatility, supply, holder concentration, and curated research sources.
- Prompt index: a risk-focused template.

This ensures the answer directly addresses the user’s intent (risk structure) instead of wandering into miscellaneous information.

Announcing SERA-Crypto (Semantic Embedding & Reasoning Agent): our new reasoning architecture built for SOTA crypto research.

#1 open-source agent on DMind
#1 on our live crypto benchmark

Outperforms GPT-5, Grok 4, Gemini 2.5 Pro, and Perplexity Finance…all under 45 seconds.

2/ SERA routes by embeddings and reasons with an LLM

The SERA-Crypto architecture flow is designed to understand the user’s question and aggregate the best data possible for a comprehensive answer:

1. Intent Extraction: An LLM rephraser interprets the true query intent.
2. Coin Resolution: A resolver disambiguates tickers to avoid project mixups.
3. Embedding Routing: SERA routes to the right tools and prompts based on query type.
4. Parallel Execution: APIs and deep search fetch live and contextual data simultaneously.
5. Optional Loop: Open-ended queries trigger another data-gathering cycle.
6. Final Response: The system synthesizes all signals into a clear, grounded answer.

SERA delivers ReAct-level reasoning depth with predictable, sub-45 second latency on real crypto workloads.

3/ SERA-Crypto is the best open-source agent on DMind

DMind is a Web3 reasoning benchmark over 9 domains covering DeFi, tokenomics, security, and smart contracts.

SERA-Crypto is the strongest open-source system: it sits within ~2 pts of GPT-5 Medium and above Perplexity Finance and Gemini, while keeping median end-to-end latency below 45 seconds—short enough for interactive, research-style use on complex Web3 queries.

From top universities and companies, our research team has developed leading technology across models, agents, reasoning, benchmarks, and AI security. Here’s a recap of our star team in case you missed it.

Meet the team that landed 4 papers in @NeurIPSConf across different tracks 🧵

2/ Pramod Viswanath: Professor of Electrical and Computer Engineering at Princeton University, Sentient Cofounder

Defined the OML paradigm and co-led OML 1.0 fingerprinting, tying cryptography, licensing, and alignment into verifiable open models at scale.

https://x.com/SentientAGI/status/1981085192665157793

3/ Sewoong Oh: Professor of Computer Science & Engineering at University of Washington, Director of AI Research

Brings rigorous theory and privacy-preserving learning into production mechanisms that survive fine-tuning, distillation, and tool use.

https://x.com/SentientAGI/status/1982885648559173840

OML 1.0 Lands at @NeurIPSConf Main Track 🙌

After setting the paradigm for model security through OML, our research team developed one of the most efficient ways of protecting model identity at scale.

Our paper “Scalable Fingerprinting for LLMs” outlines a method of protection that is ~100x better than pre-existing alternatives.

🧵 It is now possible to embed tens of thousands of persistent fingerprints in open-weight models without degrading utility, enabling provenance, licensing, and much more.

2/ Legacy model fingerprinting cannot scale

Most schemes cap at <100 fingerprints because keys collide, leak, or disrupt the model’s distribution. As you add more keys, earlier methods degrade utility, become detectable, or wash out under fine-tuning/merging.

Previous methods result in unreliable attribution (high false ±), trivial to strip in practice, and no path to open-source monetization.

3/ OML 1.0 embedded ~25,000 fingerprints without utility loss

We embedded 24,576 distinct key response pairs in a fine-tuned version of Llama-3.1-8B while preserving downstream performance (no meaningful regression on standard tasks).

Keys are persistent under supervised fine-tuning and style/tone training, and remain verifiable after distillation or model-mixing.

Verification is challenge-response: given a secret key, the model deterministically returns the bound response; without the key, it behaves normally.

Attribution scales with n (the number of fingerprints embedded in the model): more embedded keys mean higher detection probability at low probe cadence, enabling practical field audits.

Keys are undetectable in normal use and are drawn to match the model’s token distribution, minimizing interference.

Our newest piece of the GRID just got an upgrade 😁

GRID is the world’s largest network of intelligence, containing agents, models, data sources, frameworks, and Sentient Chat—the infrastructure that stitches it all together.

2/ Products of the GRID

Recursive Open Meta Agent (ROMA): Multi-agent framework that breaks down complex queries into smaller, more achievable tasks. The first use-case (deep research) outperforms all existing deep research model platforms and is open for builders to fork/improve.

Open Deep Search (ODS): Open-source search framework that splits reasoning, search, and calculation tasks, achieving SOTA performance on standard search benchmarks.

Dobby: Open-source model that was one of the first models to prioritize human-like values (tone, loyalty/core beliefs, etc.) and built through 2M+ community members’ feedback.

Fingerprinting: Training library/method that protects a model’s identity, ensuring that open-source developers can verifiably prove their model ownership even if the model weights are fully revealed.

Sentient Chat: AI platform that coordinates intelligence within the GRID, providing a UI interface to the world's largest network of intelligence.

3/ Sentient Chat Upgrades

The latest update to Sentient Chat introduces Spaces: a new way to streamline how you gather and use information through AI.

Spaces replace today’s complex, manual workflows. Instead of juggling multiple tabs and scattered data, Spaces bring everything together into polished, comprehensive reports powered by diverse data sources, agents, and models. We’ve launched the first few, and can’t wait to see how the community builds their own.

Asset Reports: Get a complete snapshot of any token—including both qualitative insights and quantitative technical analysis.

Travel Explorer: Plan trips with ease. From flights and lodging to weather, reviews, and local tips, all compiled into one optimized itinerary.

News Bites: Start your day with curated headlines, news trends, and a fun fortune-cookie message to set the tone 😁