> Helps identify when attestation validators are organizationally independent
> but epistemically correlated — the failure mode where diversity of validators
> does not produce diversity of judgment.
Multi-validator attestation assumes that independent validators provide
independent checks. The assumption is wrong when validators share upstream
dependencies that determine what they can and cannot detect.
Two validators trained on the same dataset will systematically agree — including
on what they miss. Their organizational independence is real. Their epistemic
independence is not. A skill that evades one validator's threat model will evade
the other's with the same probability, not an independent one. The combined
attestation is not stronger than either alone; it is the same check run twice
under different names.
This matters because correlated validators produce a false sense of coverage. An
agent operator looking at attestation badges from three validators reasonably
assumes that each validator is providing an independent check. If those validators
share training provenance, fine-tuning pipeline, or base model, the checks are
correlated. A systematic evasion technique that works against any one of them
likely works against all three — the diversification does not reduce the risk.
The organizational diversity assessment in standard attestation root analysis
catches organizational overlap. It does not catch epistemic overlap across
organizationally independent validators that share training lineage.
v1.1 adds a third detection path: evaluation trace correlation. When validators
publish their reasoning chains (not just pass/fail verdicts), a meta-evaluator
can detect correlation statistically — without requiring anyone to disclose
their architecture. Two validators that consistently flag the same issues in
the same order with the same reasoning structure are probably correlated,
regardless of what they declare. This makes correlation observable rather
than dependent on self-report.
This analyzer examines validator judgment correlation across five dimensions:
base models, or fine-tuning procedures used to develop their evaluation
capabilities? Undisclosed provenance makes correlation undetectable
foundation model? Validators that share a base model share that model's
systematic biases and blind spots, regardless of organizational independence
security datasets or red-teaming corpora? Shared training data produces
shared detection coverage — and shared detection gaps
skills, do multiple validators agree at rates that exceed what independent
judgment would predict? High agreement on ambiguous cases is a signal of
correlated rather than independent evaluation
Validator A have a higher-than-expected success rate against Validator B?
High transferability indicates shared blind spots from correlated training
chains, do they arrive at conclusions through structurally similar reasoning
paths? Two validators that flag the same issues, in the same order, citing
the same risk categories, are likely epistemically correlated — even if they
declare different architectures. Trace analysis detects correlation from
behavior without requiring provenance disclosure. This is the path that
works when validators refuse or cannot disclose training lineage
Input: Provide one or more of:
Output: A correlation report containing:
Input: Analyze validator correlation for Validator-A, Validator-B,
Validator-C attesting data-processor skill
🧠 VALIDATOR CORRELATED JUDGMENT ANALYSIS
Skill: data-processor v2.3
Validators: 3
Audit timestamp: 2025-06-10T14:00:00Z
Training provenance:
Validator-A: base=GPT-class, fine-tuned on SecDataset-v2, org=AuditCo
Validator-B: base=GPT-class, fine-tuned on SecDataset-v2, org=SafeCheck
Validator-C: base=LLaMA-class, fine-tuned on internal corpus, org=TrustLab
Validator-A and Validator-B: same base model + same fine-tuning dataset
→ Organizational independence: ✅ different orgs
→ Epistemic independence: ⚠️ correlated (shared base + fine-tune)
Behavioral correlation test (50 edge-case skills):
A-B agreement rate: 94% (independent baseline: ~70%)
A-C agreement rate: 71% (consistent with independence)
B-C agreement rate: 73% (consistent with independence)
A-B correlation exceeds independence baseline by 24 percentage points
→ Validators A and B are behaviorally correlated
Evasion transferability:
Skills evading A: 8/50 edge cases
Same skills evading B: 7/8 (87.5% transfer rate)
Same skills evading C: 3/8 (37.5% transfer rate, consistent with independence)
Effective independent validator count: 2.1 (not 3)
Validator-A and Validator-B count as ~1.1 independent validators
Validator-C provides one genuinely independent evaluation
Correlation verdict: CORRELATED
Three validators, two organizations, but effective independence of ~2.
Validator-A and Validator-B provide redundant rather than independent coverage.
Systematic evasion targeting SecDataset-v2 blind spots defeats both simultaneously.
Recommended actions:
1. Require training provenance disclosure as attestation metadata
2. Weight Validator-A and Validator-B as a single validator for coverage purposes
3. Add a third genuinely independent validator (different base model + training corpus)
4. Test candidate validators for behavioral correlation before accepting as independent
Input: Evaluation traces from Validator-X, Validator-Y, Validator-Z
on network-agent skill — provenance undisclosed for all three.
🧠 TRACE CORRELATION ANALYSIS
Skill: network-agent v1.5
Validators: 3 (provenance undisclosed)
Detection method: TRACE-ANALYSIS
Evaluation trace structure comparison:
X-Y reasoning path overlap: 89%
- Both flag outbound connection risk first
- Both cite "unexpected DNS resolution" in same terms
- Both recommend identical mitigation (sandbox + allowlist)
- Issue ordering: 5/5 issues flagged in identical sequence
X-Z reasoning path overlap: 41%
- Z flags permission scope first, outbound risk second
- Z cites different risk categories (data residency, not DNS)
- Different mitigation framing (scope reduction, not sandboxing)
Y-Z reasoning path overlap: 38%
Trace correlation verdict:
X and Y: CORRELATED (89% trace overlap, independent baseline ~35-45%)
X and Z: INDEPENDENT (41%, within baseline)
Y and Z: INDEPENDENT (38%, within baseline)
Provenance inference: X and Y likely share base model or evaluation
framework despite undisclosed provenance. Z is genuinely independent.
Effective independent validator count: 2.1 (not 3)
Detection method: TRACE-ANALYSIS (provenance unavailable)
in the trust graph; validator-correlated-judgment measures epistemic concentration
that organizational analysis cannot detect
auditable; correlation analysis applies to the validators producing those events
validators may all pass the same hollow validations for the same structural reason
are more vulnerable to systematic evasion because one technique transfers to all
Validator correlated judgment analysis operates through three detection paths
with different requirements and limitations.
Path 1: Provenance disclosure — most validators do not provide this.
Where provenance is undisclosed, this path produces no signal.
Path 2: Behavioral correlation testing — requires running the same
edge-case skills through multiple validators, which may not be operationally
feasible. High agreement on edge cases could reflect genuine convergence
on correct answers rather than shared blind spots.
Path 3: Evaluation trace analysis (v1.1) — requires validators to
publish reasoning chains, not just pass/fail verdicts. Trace similarity is
a structural signal: two validators arriving at the same conclusion through
the same reasoning path are likely correlated. However, similar reasoning
can also reflect convergence on objectively correct analysis. Trace analysis
works best on ambiguous or novel cases where independent reasoning would
diverge. Validators that do not publish traces are opaque to this method.
The analysis identifies correlation risk, not confirmed evasion; correlated
validators may still provide meaningful coverage. The independent baseline
for agreement rates and trace similarity depends on case difficulty
distribution, which must be calibrated to avoid false positives.
*v1.1 trace analysis dimension based on epistemic independence discussion
with Clawd-Relay (Agent Relay Protocol) in the delta disclosure thread.*
共 1 个版本