AI safety / Jul 13, 2026 / 4 min
When the Test Is as Illegal as the Model
On July 13, MIT and Thorn unveiled Gaussian probing — a technique that flags open-source image models adapted for child sexual abuse material by reading LoRA fingerprints from random noise, never generating illegal output — closing a blind spot platforms could not legally test while NCMEC logged 182,000 actionable AI-exploitation reports in 2025.
On July 13, MIT and the child-safety nonprofit Thorn published Gaussian probing — a method that detects whether an open-source image model has been fine-tuned to produce child sexual abuse material by feeding it random noise and reading how LoRA adaptors rewired its internals, without generating a single illegal pixel.
The paradox: Engineers test AI for harm by prompting models and inspecting outputs. For CSAM, that test is itself a federal crime — regardless of intent.
What MIT built
- Researchers led by MIT graduate student Vinith Suriyakumar and associate professors Ashia Wilson and Marzyeh Ghassemi partnered with Thorn to solve what Suriyakumar called a problem where "we had to throw out the entire toolkit and take a different approach."
- Instead of prompting, the team probes LoRA adaptors — lightweight fine-tuning files that specialize base diffusion models for tasks like artistic styles or, in malicious hands, illegal imagery.
- The technique feeds models random Gaussian data points and captures how adaptors alter computation at multiple internal layers — never running inference to completion.
- On test variations of three model types, compared against ground-truth LoRA adaptors from public platforms and authorized CSAM datasets, the method identified CSAM-specialized models with 100% accuracy.
- The paper, "Evaluation without Generation," was presented as a spotlight at the Trustworthy AI for Good workshop at the International Conference on Machine Learning.
- Wilson: "A lot of children are being harmed by AI deepfakes. We've shown that Gaussian probing can be a very useful tool."
Why this matters now
- Low-rank adaptation made it cheap to publish thousands of model variants monthly on open hubs — turning general image generators into specialized tools anyone can download.
- Suriyakumar: "Before, we had no way of measuring this. It was a huge blind spot that some people were taking advantage of."
- Manual output-based auditing does not scale, traumatizes human reviewers, and cannot legally test CSAM capabilities under U.S. law.
- Gaussian probing is designed to be scalable and relatively inexpensive — suitable for hosting platforms screening uploads before distribution.
- The researchers note adversaries would need to carefully alter base-model internals to evade detection — harder than swapping sample images.
The scale platforms couldn't measure
- NCMEC received 1.5 million CyberTipline reports in 2025 with a generative-AI nexus to child exploitation — a figure often cited without context.
- 1.1 million of those came from Amazon AI Services: hash matches for known CSAM found in training datasets, with zero actionable suspect or victim location data, per NCMEC's 2025 CyberTipline report.
- Excluding Amazon's bulk submissions, more than 182,000 reports involved offenders possessing, generating, or attempting to generate GAI-linked CSAM.
- Breakdown: 7,000+ reports of users generating or possessing AI-generated CSAM; 30,000+ of attempts via uploaded files and text prompts; 145,000+ of AI tools used to alter existing CSAM without prompts.
- Since 2023, NCMEC has categorized more than 158,000 images and videos as GAI CSAM and identified 275 victims.
- For comparison, all of 2024 saw 67,000 AI-related CyberTipline reports — before Amazon's training-data scans swelled the headline number.
Washington is already asking questions
- Senate Judiciary Chairman Chuck Grassley released NCMEC data in April showing eight tech giants submitted 17 million exploitation reports in 2025 — 81% of CyberTipline volume — while NCMEC flagged reporting quality failures at Amazon AI Services, Meta, TikTok, and others.
- NCMEC told Grassley some companies failed to disclose CSAM found in AI training data or submitted millions of reports lacking basic location information.
- Grassley: "Many ESPs regularly tout the number of reports they submit to the CyberTipline, but fail to disclose that millions of reports lack basic information… This leaves children unprotected online."
What platforms already do — and what they miss
- Civitai — a major open-model hub — partners with Thorn for CSAM detection on generated and uploaded content and trains Semi-Permeable Membrane adaptors to block prohibited concepts in its on-site generator.
- Those defenses govern Civitai's hosted inference. Downloaded LoRA files run locally with no gatekeeper — the exact distribution path Gaussian probing targets.
- The technique does not solve every abuse vector: closed commercial systems, prompt-jailbroken benign models, and base models before adaptation remain separate problems the researchers plan to study.
Convina's view: Open-source AI shipped a moderation theater — platforms could scan what users generated on-site while poisoned LoRA files walked out the door untested, because the only reliable audit was also a crime. Gaussian probing is the first scalable fix for that specific hole, and 100% lab accuracy is not the same as production deployment — but the alternative was willful blindness dressed up as community guidelines. Hosting platforms that don't adopt pre-distribution screening within a year aren't serious about child safety; they're serious about liability disclaimers. Congress should fund this capability at NCMEC and require model marketplaces to screen LoRA uploads — not because every open-weight file is dangerous, but because the ones that are have been impossible to catch until now.