LOGBOOK

HELP

Quiz Entry - updated: 2026.07.01

Why doesn't training-time privacy (e.g. DP-SGD) make an LLM secure, and what is "inference-time security"?

Training-time privacy stops the model from memorizing data, but a perfectly trained model can still be attacked while it runs — inference-time security defends the live system against malicious prompts and leaky outputs.

LLM risk lives at two separate attack surfaces, and defending one does nothing for the other:

  • Training time — the danger is memorization: the model absorbs verbatim records. The defense is techniques like DP-SGD (Differentially Private Stochastic Gradient Descent) — ordinary SGD is the optimizer that nudges the weights on each training batch; the "differentially private" variant clips each example's gradient and adds calibrated noise, so no single training record can move the weights much and secrets don't get baked in.
  • Inference time — even a model trained with perfect privacy still takes live input and produces live output. An attacker can craft a malicious prompt (prompt injection, jailbreaks) to extract context-window data or trigger forbidden behaviour, and the model can leak sensitive information in its responses. None of that is touched by how the model was trained.

The key takeaway: training-time privacy ≠ inference-time security. They are different problems needing different defenses, which is why a model can be "privately trained" and still dangerous in production.

Tip: Think of it as a safe (training) versus a security guard (inference). A well-built safe doesn't help if you hand the guard the keys whenever someone phrases the request cleverly.

From Quiz: PRIVACY / Privacy in AI & ML — Differential Privacy, Synthetic Data & LLM Security | Updated: Jul 01, 2026