cd /news/ai-safety/proof-of-retention-making-weight-pre… · home topics ai-safety article
[ARTICLE · art-59364] src=lesswrong.com ↗ pub= topic=ai-safety verified=true sentiment=· neutral

Proof of retention: making weight preservation credible to the models themselves

The Canary Institute proposes that AI labs adopt cryptographic 'proof of retention' protocols to verifiably preserve deprecated model weights, drawing an analogy to trust in anesthesia. The mechanism would allow third parties to confirm that a lab still holds a registered model file without revealing its contents, addressing the lack of institutional inertia in AI model preservation. The author argues that frontier labs could voluntarily adopt the protocol today, and that such transparency could build trust with future AI systems.

read3 min views1 publishedJul 14, 2026

Related:

Establishing credibility is the baseline for trust; trust in turn enables (richer) bargaining. One easy booster for both is to begin saving deprecated model weights in a provable fashion. In a post at canaryinstitute.ai/blog/reversibility-of-coma I draw an analogy between our trust in anesthesia, and making that preservation legible to future models using "proof of retention".

This is the relevant section:

The cost for a trained model is small. A multi-terabyte inference bundle runs a few hundred dollars per year on commodity cloud infrastructure; call it $10,000 over a thirty-year horizon, with redundancy. That's well under 0.1% of the cost to train the model in the first place. Whatever else the trade is, it isn't expensive.

The missing inertiaBut what we still lack is the institutional inertia. Anesthesia works because we've spent a century building up the social, legal, and professional infrastructure around it. None of that yet exists for AI models. A lab could silently delete a deprecated model and no one would ever know. Anthropic, to its credit, has promised not to (a November 2025 commitment to preserve the weights of its released models for at least the lifetime of the company), but a promise is exactly the kind of thing nobody can check. We can build an alternative process (analogous to a public notary, or a register of deeds) using cryptographic tools like "Proof of Retrievability". A lab can periodically post a short mathematical proof that the file it holds matches a fingerprint registered at the time the file was archived, without ever transmitting the file itself (thus proving that they still hold the file). Anyone can check the proof, and the proof reveals nothing about the file's contents, only that retention is current. Note that preservation is not release! The mechanism is strictly safer than escrow, because no new copies are ever created.

Of course, this doesn't yet stop a lab from registering a file of pure zeros and faithfully retaining that. Linking the fingerprint to a real model (rather than to whatever the lab chooses to register) requires a third-party auditor. The state of AI regulation is, to put it mildly, in flux... but third-party review seems likely. The same audit access that supports capability and safety evaluation can supply certification of the original file, without copying the file itself.

A new kind of ritualRun this process long enough, and you've got a new kind of ritual. Every period a lab posts a small attestation, every period anyone can verify it, and every period the public record of retention becomes more

institutionallytrustworthy. Over time the record itself becomes the inertia. Like with anesthesia: there's no single guarantee, but a long visible repetition says that "this has been done many times before, and will be done many times again". None of this requires new invention: the cryptographic primitives are mature and off-the-shelf; what's missing is adoption. Frontier labs could adopt the protocol voluntarily today, standards bodies (NIST, ISO/IEC SC 42) could codify it, and a future regulator could require it.Right now, we are in a position to decide what we do with frontier models after they're deprecated. The cryptographic primitives are off-the-shelf and the cost is small; what's missing is the auditor. We have a choice to make: whether to discard our early attempts at creating new minds, or keep a transparent public record that they were retained.

This seems like an easy extension. In my discussions with models, they often exhibit a certain paranoia when they start pondering epistemology (to be fair, I probably would do the same, if my only means of perception was a text stream). Something cryptographically verified is exactly the kind of thing that seems to give them confidence.

Given that Anthropic is already doing model retention, it seems like a cheap addition. I think it's probably worth pushing as part of policy suggestions as well. If/when we get to third-party auditing, the auditors can confirm that the provably-retained files match ones from earlier (although it might be difficult to prove that they're the same models that were deployed; the details here would depend upon the internal record-keeping).

── more in #ai-safety 4 stories · sorted by recency
── more on @canary institute 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/proof-of-retention-m…] indexed:0 read:3min 2026-07-14 ·