Feb 2, 2026

Modelling the impact of verification in cross-border AI training projects

Fabio Marinello

🏆 1st Place Winner

This paper develops a stylized game-theoretic model of cross-border AI training projects in which multiple states jointly train frontier models while retaining national control over compute resources. We focus on decentralized coordination regimes, where actors publicly pledge compute contributions but privately choose actual delivery, creating incentives to free-ride on a shared public good. To address this, the model introduces explicit verification mechanisms, represented as a continuous monitoring intensity that improves the precision of noisy signals about each actor's true compute contribution. Our findings suggest that policymakers designing international AI governance institutions face a commitment problem: half-measures in verification are counterproductive, and effective regimes require either accepting some free-riding or investing substantially in monitoring infrastructure.

Review Project

See Code

View Related Sprint

Reviewer's Comments

When your theorems predict experimental results within 1-6% error, that's not a coincidence; that's a framework that actually works. The math seems to checks out and the experiments back it up across three different models.

But the practical concerns are real. The detector needs to know which tokenizer generated the text. In a world where every model uses a different tokenizer, that's a deployment headache that the paper waves away. You'd need some kind of registry or metadata standard, and that's a whole separate problem.

The overlap story is also worrying. At 0% overlap you get perfect detection. At 10% overlap, detection craters to 35%. There's no graceful middle ground. You're either getting full watermark strength with constrained vocabulary, or you're relaxing vocabulary and losing the watermark almost entirely. For production use, that cliff is a problem.

And the robustness testing needs to be tougher. Replacing random words with "masked" isn't what a real adversary does. A real adversary paraphrases, back-translates, or runs the text through a second LLM. The 30% replacement survival rate is encouraging, but it's answering an easier question than the one that matters.

The sparse watermarking idea they mention at the end (only watermark every N-th token) is where this probably needs to go for real-world use. That's worth a whole follow-up paper.

The introduction frames cooperation as potentially safety-enhancing, but I would like to see more discussion on, or explicit assumptions about, how this project contributes to AI safety (if that is the objective).

Currently, the project findings support international AI development efforts. This could diffuse race dynamics , and democratise frontier AI by involving middle powers in development. It would be good to be more explicit about whether, and under what conditions, these findings could also accelerate AI development or increase race dynamics.

Cite this work

@misc {

title={

(HckPrj) Modelling the impact of verification in cross-border AI training projects

author={

Fabio Marinello

date={

2/2/26

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

View All

Feb 2, 2026

Prototyping an Embedded Off-Switch for AI Compute

This project prototypes an embedded off-switch for AI accelerators. The security block requires periodic cryptographic authorization to operate: the chip generates a nonce, an external authority signs it, and the chip verifies the signature before granting time-limited permission. Without valid authorization, outputs are gated to zero. The design was implemented in HardCaml and validated in simulation.

Feb 2, 2026

Fingerprinting All AI Cluster I/O Without Mutually Trusted Processors

We design and simulate a "border patrol" device for generating cryptographic evidence of data traffic entering and leaving an AI cluster, while eliminating the specific analog and steganographic side-channels that post-hoc verification can not close. The device eliminates the need for any mutually trusted logic, while still meeting the security needs of the prover and verifier.

Feb 2, 2026

Political Intelligence for AI Safety: The AI Risk Attitudes Survey (AIRAS)

The AI safety and governance community is making progress on defining red lines around existential risk from advanced AI systems, and building verification infrastructure to support this objective. However, this is only half the battle. Implementing these red lines requires unprecedented international coordination, and enforcing them requires credible commitments from national governments, all during a period of increased geopolitical tensions.

We present a whitepaper that makes the case that:

Implementation and enforcement of red lines is as much a political question as it is a technical one

While studies exist showing general public support for AI regulation, the depth of domestic political support among major powers for costly international AI regulation and willingness to make real sacrifices to enforce these red lines is understudied

Rigorous policy-credible surveys of public opinion in this area would both enhance the AI safety community’s efforts to prioritize scarce resources to the most effective action areas and provide advocates a valuable source of evidence to point to when lobbying national governments and international organizations

And therefore proposes and develops the methodology for AIRAS.

Feb 2, 2026