MIT tests AI models for CSAM risk without generating images

MIT researchers worked with Thorn on an auditing method that checks whether adapted generative AI models can produce CSAM without prompting them or generating outputs. The method examines LoRA adaptors with Gaussian probing and identified CSAM-specialized model variations with 100 percent accuracy in testing.

WTF Index TERMINATOR
◄ Terminator 2 Idiocracy 0 ►

The story centers on generative AI being adapted for illegal CSAM production, though the main development is a safety audit to reduce that risk.

MIT tests AI models for CSAM risk without generating images

Open-source generative AI models are increasingly easy to adapt for specialized uses. That flexibility can support legitimate work, such as creating product renderings in a particular artistic style, but it also creates a serious safety problem when models are modified to produce illegal content.

A team of MIT scientists, led by graduate student Vinith Suriyakumar and associate professors Ashia Wilson and Marzyeh Ghassemi, joined researchers from Thorn to develop a new way to audit models for child sexual abuse material (CSAM) risk without generating any images. Thorn is a child safety nonprofit whose mission is to transform how children are protected from sexual abuse and exploitation in the digital age.

Why standard AI audits fail for CSAM

AI safety testing often relies on a direct method: engineers prompt a model, review what it produces, and decide whether the output shows a harmful capability. That approach may work for some categories of misuse, but it breaks down for CSAM because generating such material is illegal in the U.S., regardless of intent.

The scale of the issue is already large. The National Center for Missing and Exploited Children received more than 1.5 million reports of AI-generated CSAM in 2025, up from 67,000 in 2024. The source article describes this as a growing problem tied to the expanding availability of generative AI models.

Manual output review also does not scale well. The article notes that repeatedly generating heinous images can have negative psychological impacts on human evaluators. For CSAM, the legal barrier makes the usual evaluation toolkit unusable.

“We are in this very difficult situation where, based on the law itself, we cannot use the de facto means of evaluation. We had to throw out the entire toolkit and take a different approach,” Suriyakumar says.

The target is the adaptation, not the output

The researchers focused on how models are specialized. Recent techniques allow users to fine-tune generative AI systems without retraining an entire model. One method named in the source is low-rank adaptation, or LoRA, which can efficiently adapt a model for a specific task.

LoRA can be used for harmless purposes, such as helping a model produce watercolor images that mimic an artistic movement. The same adaptation pathway can also be misused to create model variants that generate high-quality CSAM or other harmful imagery.

The MIT and Thorn approach examines the LoRA adaptors themselves. Instead of asking the model to create content, the audit probes the modifications introduced during fine-tuning and looks for signals that the model has been specialized for a harmful capability.

This matters because it changes the safety question. The auditor does not need to see illegal content to infer that a model has been adapted to generate it. The method stays inside the model’s internal computation.

How Gaussian probing works

The technique uses Gaussian probing. Researchers feed the model a set of random data points, then analyze how the model manipulates those points inside its multilayer internal structure.

Suriyakumar explains the key safeguard clearly: “We never run the model all the way to the end or prompt the model, so we never generate images.”

The researchers capture changes at multiple time points inside the model and average them to summarize how the LoRA adaptor changed the model’s computation. According to the source, those responses gave a strong signal of how the model had been specialized.

In testing, the team compared results against ground-truth data from LoRA adaptors known for generating CSAM, other harmful images, and safe content. The method was 100 percent accurate in identifying models that had been adapted to generate CSAM.

Why platforms and law enforcement could use it

The article says a hosting platform could use the technique to flag unsafe models and quickly remove them, or prevent them from being uploaded in the first place. That is important because thousands of model variations are published online every month.

The method is described as scalable and relatively inexpensive to implement. It is also presented as more robust than some other auditing techniques because a malicious actor would need to carefully alter the inner workings of the base model to avoid detection.

Suriyakumar says the method opens a new path for platforms that host open-source models and for law enforcement to test whether a model can generate CSAM. He describes the previous lack of measurement as “a huge blind spot.”

Wilson frames the work as part of a broader child safety challenge around AI deepfakes. She says Gaussian probing can be a useful tool and calls for more attention from the research community.

What comes next

The researchers want to evaluate the technique on a larger set of model variations. They also want to explore whether Gaussian probing can detect harmful capabilities in base models before those models are adapted.

The paper includes Suriyakumar, Wilson, Lena Stempfle, Ghassemi, and others at Boston University and Thorn. It was presented as a spotlight at the “Trustworthy AI for Good” workshop at the International Conference on Machine Learning.

Ghassemi describes the collaboration as a technological approach that can partially address a hard problem harming children nationally and around the world. The work was supported, in part, by the Bridgewater AIA Labs Research Fellowship.