OML: A Primitive for Reconciling Open Access with Owner Control in AI Model Distribution
Zerui Cheng, Edoardo Contente, Ben Finch, Oleg Golev, Jonathan Hayase, Andrew Miller, Niusha Moshrefi, Anshul Nasery, Sandeep Nailwal, Sewoong Oh, Himanshu Tyagi, Pramod Viswanath

TL;DR
This paper introduces OML, a cryptographic primitive that enables open access to AI models for local use while ensuring owner control and monetization, addressing a key challenge in AI model distribution.
Contribution
It formalizes the problem of white-box model protection, introduces security definitions, and presents the first practical OML construction combining fingerprinting and crypto-economic enforcement.
Findings
OML achieves cryptographically enforced open access with owner control.
Theoretical bounds on model protection properties are established.
Empirical evaluation demonstrates practical feasibility of OML 1.0.
Abstract
The current paradigm of AI model distribution presents a fundamental dichotomy: models are either closed and API-gated, sacrificing transparency and local execution, or openly distributed, sacrificing monetization and control. We introduce OML (Open-access, Monetizable, and Loyal AI Model Serving), a primitive that enables a new distribution paradigm where models can be freely distributed for local execution while maintaining cryptographically enforced usage authorization. We are the first to introduce and formalize this problem, introducing rigorous security definitions tailored to the unique challenge of white-box model protection: model extraction resistance and permission forgery resistance. We prove fundamental bounds on the achievability of OML properties and characterize the complete design space of potential constructions, from obfuscation-based approaches to cryptographic…
Peer Reviews
Decision · Submitted to ICLR 2026
The paper defines what counts as Open-access, Monetizable, and crucially Loyal; “Loyal” is set as a pre-hoc target (full-quality outputs only after a cryptographically bound permission check), while the current instantiation is explicitly scoped as post-hoc. It also provides a concrete, operable accountability workflow (OML 1.0: hidden fingerprints, permission issuance, periodic probes, slashing) together with a closed-form detection probability $\Pr[\text{caught}]=1-(1-\alpha)^n$, making the audi
a) The paper defines *Loyal* as producing high-utility outputs only when valid, cryptographically-bound permissions are presented (pre-hoc verification). Yet Table 2 labels OML 1.0 as “Post-hoc,” relying on economic deterrence and detection rather than pre-execution denial of utility. This contradicts the claimed realisation of the OML primitive: a post-hoc mechanism cannot satisfy the pre-hoc loyalty property as defined. For this, I am expecting either (a) upgrade OML 1.0 with a concrete pre-ho
- The goal of the paper is an important one. Black-box and white-box modes of distributing AI services both have critical limitations, which indeed should be addressed.
- The theorems in section 2.3, while relatively straightforward results, have some originality in their usage towards sketching the design space of this goal.
- **Core issue: the proposed 'feasibility demonstration' does not address the problems raised in the motivation.** Model extraction resistance (as it would need to be interpreted for OML 1.0 to be a secure OML) does not prevent catastrophic undesirable behavior. For example, in OML 1.0 it appears that the model host can simply leak the weights of the OMLized model to any other party, which can then run any query they want locally without having to worry about an auditing mechanism. In this case,
1. The paper identifies a timely and important dilemma: how to break the monopoly of API-gated models while still enabling creators to monetize and govern their models. The OML primitive is defined clearly with three core properties (open access, monetizability, loyalty), grounding a broad vision for democratized AI development. This framing is novel and could spur much follow-up work.
2. The authors provide strong theoretical analysis. They prove that perfect white-box protection is impossible
1. As the authors themselves acknowledge, absolute protection is impossible under white-box access. Consequently, OML 1.0 only provides post-hoc enforcement ("next-day security") rather than real-time prevention. Unauthorized usage can occur and be detected only later by probing with secret keys. This economic-deterrence approach is inherently weaker than cryptographic enforcement; a highly-motivated adversary might still abuse a model before penalties apply. The reviewer is left uncertain about
Taxonomy
Topics: Scientific Computing and Data Management · Big Data and Business Intelligence
