July 13, 2026, (Inside AI) — A new auditing method developed by MIT researchers can determine whether an AI model has been fine-tuned to generate child sexual abuse material (CSAM) without ever producing an image, sidestepping the legal and ethical barriers that have stymied safety checks.
Led by graduate student Vinith Suriyakumar and associate professors Ashia Wilson and Marzyeh Ghassemi, the team collaborated with child safety nonprofit Thorn to create a technique that inspects a model’s internal adaptations rather than its outputs. The approach, detailed in a paper presented at the International Conference on Machine Learning, achieved 100% accuracy in identifying models specialized for CSAM generation.
The breakthrough comes as reports of AI-generated CSAM skyrocket. The National Center for Missing and Exploited Children fielded over 1.5 million such reports in 2025, up from just 67,000 in 2024. Open-source generative AI models, easily fine-tuned using methods like low-rank adaptation (LoRA), have enabled bad actors to create hyper-realistic abusive imagery at scale.
“This unlocks a new avenue for platforms that host open-source models and for law enforcement to actually test whether a model is capable of generating CSAM. Before, we had no way of measuring this. It was a huge blind spot that some people were taking advantage of. Now, we can address an AI safety problem that is having severe negative impacts,” Suriyakumar said.
Why Output-Based Audits Failed
Traditional safety testing involves prompting a model and examining its responses. But generating CSAM, even for testing, is illegal in the U.S. and many other jurisdictions. This created a paradox: auditors couldn’t verify if a model was dangerous without committing a crime. Manual checks also don’t scale to the thousands of model variants uploaded monthly, and exposing human reviewers to such content carries psychological risks.
The MIT-Thorn team bypassed generation entirely. Their method, called Gaussian probing, feeds random data points into a model and analyzes how its internal representations shift due to LoRA adaptors—the lightweight add-ons that specialize a base model. By capturing these shifts at multiple layers and averaging them, the probe creates a fingerprint of the adaptation’s purpose.
“We never run the model all the way to the end or prompt the model, so we never generate images,” Suriyakumar explained. The technique proved robust: when tested on variations of three model types, it correctly flagged CSAM-tuned versions every time, even distinguishing them from models fine-tuned for other harmful but non-CSAM content.
A Scalable Shield for Hosting Platforms
Because Gaussian probing requires no image generation and minimal computation, it can be integrated into model-hosting platforms like Hugging Face or Civitai to automatically screen uploads. This could stop dangerous models before they spread, addressing a gap that has allowed illicit LoRA adaptors to proliferate on public repositories.
The approach also resists evasion better than output filters. A malicious actor would need to fundamentally alter the base model’s architecture to hide the telltale adaptations, a far higher bar than simply tweaking prompts. “There is a huge bucket of child safety concerns with AI, and these are real concerns that need to be addressed. A lot of children are being harmed by AI deepfakes. We’ve shown that Gaussian probing can be a very useful tool, and we hope the research community really pours more attention into this problem,” Wilson said.
The research, supported in part by the Bridgewater AIA Labs Research Fellowship, also involved Lena Stempfle, an MIT postdoc, and collaborators from Boston University and Thorn. The team plans to test the method on a broader range of models and explore whether it can detect harmful capabilities in base models before any fine-tuning occurs—a preemptive strike against misuse.
While the technique marks a significant step, experts caution that it addresses only one vector of AI-generated CSAM. Models trained from scratch on abusive datasets or those using other adaptation methods may still evade detection. Nonetheless, for the open-source ecosystem where LoRA has become the de facto customization tool, Gaussian probing offers a pragmatic, legally sound solution.
“Now we have a technological approach to partially address this concern. So much effort was poured into this collaboration, which enabled us to tackle a really hard problem that is harming so many children, nationally and around the world. Hopefully, we can have a transformative impact in this area,” Ghassemi said.