From Deep Learning to Deep Voting

The chapter then explores alternatives to addition during the training process, revealing a fundamental trade off between three factors: AI capability (driven by unrestricted feature learning), attribution (tracking where features came from), and computational complexity (tracking the path of feature mixing). It proposes a key innovation, a re-purposing of differential privacy for attribution: differential attribution, using the natural boundaries of training documents to identify which concepts must mix freely and vice versa, thereby pushing this Pareto frontier by providing a data-driven approach to balance addition and concatenation.

Building on this insight, the chapter develops a specific form of concatenation to replace addition in key sections of the deep learning training process. This transformation—from deep learning to deep voting—cascades upward through the aformentioned hierarchy of problems, reducing the need for dense feature mixing across data sources, enabling attribution-based control, and unlocking a viable path towards another 6+ orders of magnitude of training data and compute productivity. Taken together, the chapter reveals how a seemingly technical choice (the use of addition) creates far-reaching consequences for AI systems, and how careful, data-driven use of concatenation may dramatically expand AI’s access to computational and data resources.

The Symptom: Data/Compute Underutilization

As of NeurIPS 2024, leading AI researchers have reported that available compute and data reserves are approaching saturation, creating constraints on both computational resources and pre-training scale (Robison 2024; Strati et al., 2024). However, this assessment overlooks approximately six orders of magnitude of underutilized compute productivity and siloed data. Rather than absolute scarcity, the industry faces structural problems of data and compute access and productivity.

6+ OOM: Underutilized Training Compute Productivity

The AI industry’s computational requirements have driven significant economic and geopolitical consequences, including NVIDIA’s rise to become the world’s most valuable company, U.S. export restrictions on AI chips to China, and intense competition for latest-generation hardware among startups, enterprises, and major technology firms (Kaye 2025; Kachwala and Bajwa 2025; Howley 2023). However, recent evidence suggests that current AI training and inference processes utilize less than 0.0002% of available compute productivity, indicating that perceived compute scarcity may reflect inefficiency rather than absolute resource limits. To evaluate this claim, this section estimates computational waste in two key activities: inference (forward propagation) and learning (backpropagation and gradient descent).

2-3 OOM: Inefficient AI inference

Due to its role in commercial deployments, analysts estimate that AI firms spend billions of dollars annually on inference (You 2025). However, while these costs might appear to reflect fundamental requirements for achieving high performance, a growing body of empirical work indicates substantial inefficiency in current inference practices.

AI models store information within their weights. General-purpose models (e.g., Gemini, ChatGPT, Claude, Llama) encode substantial portions of their training corpora (often representing significant fractions of publicly available internet data) in these parameters. However, when models like GPT-3 generate predictions, they forward propagate through every non-embedding parameter in the network, regardless of query relevance. This constitutes a form of exhaustive computation wherein all stored knowledge is activated for each inference, analogous to searching an entire corpus rather than querying relevant subsets.

From an information-theoretic perspective, this practice is inefficient; the relevant question concerns the magnitude of this inefficiency. A comprehensive answer would require empirically measuring the maximum percentage of model weights that can be excluded from inference without degrading accuracy. While such systematic measurement remains incomplete, existing work provides lower bounds on potential efficiency gains.

DeepMind’s RETRO achieves comparable performance to GPT-3 while using 1/25th of the parameters through retrieval from a large-scale vector database (Borgeaud et al., 2022). Similarly, Meta’s ATLAS demonstrates that models can be reduced to 1/50th their original size while maintaining or exceeding baseline performance through database-augmented inference (Izacard et al., 2023).

We adopt RETRO/ATLAS-style parameter efficiency as a conservative lower bound on current compute waste, noting that these approaches have not been widely adopted in either the sparsity literature (Lederer 2024) or frontier AI deployments, nor have comparable efficiency gains been demonstrated through alternative methods (cf. the persistent redundancy problem in Mixture of Experts models (Dai et al., 2024)). These results suggest that at least 96-98% of parameters activated during dense inference are unnecessary for individual queries.

This estimate is likely conservative, as it implies that 2-4% of a model’s knowledge base is relevant to any individual query. ¹ However, parameter overuse during forward propagation represents only one source of computational waste. A second form of inefficiency arises in how models store and access information.

Recent work demonstrates that current architectures contain redundant and underutilized parameters. Guo et al. achieve 5-10x reduction in parameter count through lossless compression while maintaining accuracy: ”Notably, we distill CIFAR-10 and CIFAR-100 to 1/5 and Tiny ImageNet to 1/10 of their original sizes without any performance loss on ConvNet, offering the first lossless method of dataset distillation” (Guo et al., 2023). This compression has been demonstrated across multiple standard architectures, as shown in Table 2.1.

Table 2.1: Table and caption from (Guo et al., 2023) (see paper for additional detailed descriptions). ”Comparison with previous dataset distillation methods on CIFAR-10, CIFAR-100 and Tiny ImageNet... Highlighted results indicate we achieve lossless distillation.” - (Guo et al., 2023)

Dataset	CIFAR-10					CIFAR-100				Tiny ImageNet
IPC	1 0.02	10 0.2	50 1	500 10	1000 20	1 0.2	10 2	50 10	100 20	1 0.2	10 2	50 10
Random	15.4±0.3	31.0±0.5	50.6±0.3	73.2±0.3	78.4±0.2	4.2±0.3	14.6±0.5	33.4±0.4	42.8±0.3	1.4±0.1	5.0±0.2	15.0±0.4
DC	28.3±0.5	44.9±0.5	53.9±0.5	72.1±0.4	76.6±0.3	12.8±0.3	25.2±0.3	-	-	-	-	-
DM	26.0±0.8	48.9±0.6	63.0±0.4	75.1±0.3	78.8±0.1	11.4±0.3	29.7±0.3	43.6±0.4	-	3.9±0.2	12.9±0.4	24.1±0.3
DSA	28.8±0.7	52.1±0.5	60.6±0.5	73.6±0.3	78.7±0.3	13.9±0.3	32.3±0.3	42.8±0.4	-	-	-	-
CAFE	30.3±1.1	46.3±0.6	55.5±0.6	-	-	12.9±0.3	27.8±0.3	37.9±0.3	-	-	-	-
KIP1	49.9±0.2	62.7±0.3	68.6±0.2	-	-	15.7±0.2	28.3±0.1	37.9±0.3	-	-	-	-
FRePo1	46.8±0.7	65.5±0.4	71.7±0.2	-	-	28.7±0.1	42.5±0.2	44.3±0.2	-	15.4±0.3	25.4±0.2	-
RCIG1	53.9±1.0	69.1±0.4	73.5±0.3	-	-	39.3±0.4	44.1±0.4	46.7±0.3	-	25.6±0.3	29.4±0.2	-
MTT2	46.2±0.8	65.4±0.7	71.6±0.2			24.3±0.3	39.7±0.4	47.7±0.2	49.2±0.4	8.8±0.3	23.2±0.2	28.0±0.3
TESLA2	48.5±0.8	66.4±0.8	72.6±0.7			24.8±0.4	41.7±0.3	47.9±0.3	49.2±0.4	-	-	-
FTD2,3	46.0±0.4	65.3±0.4	73.2±0.2			24.4±0.4	42.5±0.2	48.5±0.3	49.7±0.4	10.5±0.2	23.4±0.3	28.2±0.4
DATM (Ours)	46.9±0.5	66.8±0.2	76.1±0.3	83.5±0.2	85.5±0.4	27.9±0.2	47.2±0.4	55.0±0.2	57.5±0.2	17.1±0.3	31.1±0.3	39.7±0.3
Full Dataset	84.8±0.1					56.2±0.3				37.6±0.4

Because they account for information waste in different ways, these inefficiencies compound multiplicatively: irrelevant parameters (25-50x+) and redundant parameters (5-10x+) suggest a 125-500x+ lower-bound to inference inefficiency. And while these are estimates, both bounds come from working implementations that maintain model performance, using techniques which are not widely popular, suggesting this waste is common in frontier AI systems, and that this waste stems from architectural choices rather than fundamental limitations

6 OOM: Underutilized and Inefficient Compute in AI Learning

AI firms famously spend immense amounts of money training their AI models, a point which features heavily in their marketing (Meta AI 2024; Brown et al., 2020; Wiggers 2024). However, despite widespread hype around AI training spend, a theoretical inefficiency is backed by an increasingly large body of empirical observations, suggesting that the compute requirements for training AI models are largely misunderstood. To introduce the theory, consider an analogy.

AI models store information within their weights. To acquire this information, models are trained on large corpora at substantial computational cost (e.g., significant portions of the public internet) (Epoch AI 2025). However, when models require substantial updates (either incorporating new information or removing outdated content) current practice involves retraining from scratch (Goodfellow et al., 2016). This approach discards all previously computed parameters and repeats the entire training process, even when the majority of learned representations remain valid.

From an information-theoretic perspective, this practice is inefficient; the question concerns its magnitude. Comprehensive quantification would require detailed documentation of compute allocation within leading AI firms, information that is not publicly available. However, public disclosures and industry analysis provide sufficient data to establish lower bounds on this inefficiency.

Analysis of the largest AI firms reveals that pre-training their most capable models consumes less than 1% of quarterly compute budgets (see Table 2.2; methodology detailed in Appendices I and II). Yet these same firms continue expanding computational infrastructure to support larger models (Mehta 2024; OpenAI 2024; Sevilla and Roldan 2024), suggesting that remaining compute capacity is allocated to other training activities rather than final model production.

The contrast between frontier models consuming a small fraction of quarterly compute budgets and ongoing infrastructure expansion suggests that leading AI firms train numerous experimental models beyond their final deployments. This interpretation aligns with widely documented practices in frontier AI laboratories. Major labs employ hundreds to thousands of researchers who routinely train models during development. Standard optimization procedures, such as hyperparameter sweeps, involve training single model architectures tens to hundreds of times to identify optimal configurations (Weights & Biases 2025).

Taken together, producing a final frontier model requires training hundreds to thousands of intermediate models during the R&D process. While hyperparameter optimization is essential to model development, current approaches necessarily involve complete retraining for each configuration. This contrasts with modular systems where components can be incrementally optimized without discarding the entire structure. Recent work on targeted model modification (e.g., LLM surgery (Veldanda et al., 2024)) suggests alternatives to full retraining, but such techniques have not been widely adopted in frontier model development, necessitating substantial computational expenditure during optimization.

Consider the magnitude of this inefficiency. If frontier labs aim to produce general-purpose models, then computational resources allocated to intermediate experimental models represent overhead that does not directly contribute to final model capability. Based on Table 2.2, approximately 98.53% of annual training budgets are allocated to models other than the final deployment (calculated as 100% − (0.22%/15%), where 15% represents the estimated fraction of total compute dedicated to training (Bratt 2025)). Under the objective of producing a generalpurpose model, this implies that the vast majority of training compute is allocated to parameters that are ultimately discarded during the optimization process.

This annual estimate may understate total inefficiency, as it assumes frontier labs must train at least one model from scratch annually. If model parameters could be efficiently reused across generations (as RETRO/ATLAS demonstrate through their retrieval databases, where up to 98% of knowledge can be transferred between model versions (Borgeaud et al., 2022; Izacard et al., 2023)) the efficiency gap would be larger. However, retraining overhead represents only one source of computational waste. A second source arises from how models process information during training. To observe the theory behind this phenomena, consider the following analogy.

The question concerns the magnitude of this inefficiency. The RETRO and ATLAS results previously discussed demonstrate that models can achieve comparable performance while being 25-50x smaller in parameter count. This parameter reduction translates directly to reduced training costs: fewer parameters require proportionally fewer FLOPs during both forward and backward propagation. The compression results further indicate that models can be trained with 5-10x fewer parameters without performance degradation, compounding the potential efficiency gains.

Yet, these three sources of training inefficiency (retraining overhead, dense forward propagation, and parameter redundancy) do not exhaust the potential efficiency gains. A fourth source arises from how models organize information during the training process itself.

AI models store information within their weights. General-purpose models encode substantial portions of publicly available internet data through training on large, overlapping corpora. Multiple organizations train models on similar or identical datasets, often drawn from common sources such as web scrapes and public repositories. This results in redundant encoding of the same information across independently trained models.

From an information-theoretic perspective, this redundancy is inefficient; the question is: how much? Comprehensive measurement would require documenting the overlap in training data and model capabilities across organizations, information that is not systematically available.

However, industry analysis provides order-of-magnitude estimates of aggregate underutilization. The largest AI firm controls less than 5.57% of global computing capacity (Table 2.3). If training resources could be pooled across organizations (analogous to libraries participating in a global network rather than maintaining independent collections) available compute would increase by a factor of approximately 100/5.57 ≈ 17.95x relative to any single firm’s capacity. This represents the theoretical gain from distributed training architectures that enable collaborative model development across organizational boundaries.

Yet, even these four training inefficiencies may not fully describe the inefficiency present in modern AI. To observe the theory behind this next problem, consider the following analogy.

Quantifying the computational cost of catastrophic forgetting remains challenging due to limited empirical work on information segmentation during training. RETRO and ATLAS provide partial evidence, as does work on curriculum learning and knowledge distillation. Kemker et al. observe that avoiding catastrophic forgetting requires approximately 40x larger model capacity (Kemker et al., 2018), though this estimate is not especially recent. Multiple sources of training inefficiency compound: full model retraining during updates, dense forward propagation through all parameters, parameter redundancy from insufficient compression, and capacity overhead to prevent catastrophic forgetting during sequential training.

These inefficiencies compound multiplicatively in terms of FLOPs. Parameter reuse across model generations could increase compute productivity by a factor of 100/(100 − 98.53%) ≈ 68x. RETRO/ATLAS-demonstrated parameter efficiency provides 25-50x gains. Lossless compression techniques offer an additional 5-10x reduction. Catastrophic forgetting avoidance inflates model sizes by approximately 40x. Combined multiplicatively, these factors suggest potential efficiency gains ranging from (68 × 25 × 5 × 17.95) ≈ 153,000x to (68 × 50 × 10 × 17.95 × 40) ≈ 24,400,000x, representing approximately 5-7 orders of magnitude of potential compute productivity improvement.

Taken together, these estimates suggest that current inference practices exhibit inefficiency factors of approximately 5,000-20,000x, while training practices exhibit inefficiency factors of approximately 150,000-24,000,000x. These bounds support the conclusion that at least six orders of magnitude of compute productivity remains unexploited in current AI systems.

Yet even these estimates contain within them one especially conservative estimate, the 25-50x inefficiency from dense forward propagation. While RETRO/ATLAS provides the only concrete lower bound on this inefficiency, the true sparsity opportunity is almost certainly significantly more. To return to the library analogy, what percentage of the world’s collective library is needed to answer a particular question? If one believes that 2-4 percent of all human knowledge is needed for every question, then perhaps the RETRO/ATLAS estimate is accurate.

While systematic measurement is lacking, the assumption that any query requires more than one-millionth of a model’s knowledge base (> 10−6 ) appears conservative, suggesting these efficiency estimates may understate potential gains by an additional 4 orders of magnitude (although this is merely conjecture... future empirical work is needed).

The contrast between these approaches illuminates a critical insight about current AI systems. They operate with a level of inefficiency that we’ve somehow normalized within the field. In essence, what we’ve built is a global network of millions of librarians who must read their entire library just to fetch a single book, read it again to add a new book, and then read it countless more times to relocate all the books they displaced in the process. And when they’re not doing this trillions of times over, they’re burning their buildings to the ground, destroying their entire collections, and starting over from scratch. And as the world’s AI compute costs approach the level of a small nation, this practice, despite being ubiquitous within AI research, represents perhaps the greatest inefficiency in the history of information processing. And via this chapter, this thesis will describe existing innovations which could alleviate much of this inefficiency.

6+ OOM: Siloed Data

Following growing rumors across the AI research community that data is becoming a major bottleneck, OpenAI’s former chief scientist, Ilya Sutskever, announced during his test of time award speech at NeurIPS 2024 that data for training AI has peaked, ”We’ve achieved peak data and there’ll be no more” (Robison 2024). However, while this may be true for the AI industry, and Ilya (being recent Chief Scientist at OpenAI) is perhaps one of the best people in the world to know, Ilya’s statement does not reflect the reality of what data exists in the world.

2-4 Orders of Magnitude: Text Humans Create By Hand

Dataset sizes for frontier AI models range from publicly disclosed values to industry estimates. GPT-4 was trained on approximately 6.5 trillion tokens, while Alibaba’s Qwen2.5-72B used 18 trillion tokens. The largest reported text dataset, used for Meta’s Llama 4, contains 30 trillion tokens (Epoch AI 2025). Using RedPajama as a reference (Together 2023), each trillion tokens requires less than 6TB of storage, implying that the largest known training dataset (Llama 4) occupies less than 180TB.

The scale of untapped data is staggering. As shown in Tables 2.5 and 2.6, stored email and instant messages alone contain over 1,850 trillion tokens, approximately 60 times the largest known training dataset (Cummins 2024). Daily human communication generates approximately 150 trillion tokens, accumulating to roughly 55 quadrillion tokens annually (approximately 1,750 times the scale of frontier training sets).

6+ Orders of Magnitude: Multi-media data broadly

Yet even this vast sea of text represents merely a drop in the ocean of total digital data. While frontier AI models train on curated web scrapes such as Common Crawl (454 TB as of December 2023) (Wikipedia contributors 2024), the Internet Archive’s Wayback Machine alone stores approximately 100 petabytes (Kahle 2024). Meanwhile, global digital data is projected to reach 180 zettabytes by 2025 (Mider 2024; Taylor 2024), six orders of magnitude larger than The Internet Archive and nine orders of magnitude larger than the largest known training datasets.

The magnitude of this disparity is difficult to comprehend. While the largest known AI dataset (to the awareness of this researcher) is roughly 180 TB of information, and may be derived from a dataset as big as common crawl (450 TBs of information), or if we were very, very conservative, might be as big as the full history of the entire publicly indexable internet (and other data the Internet Archive keeps) 100 PBs, even this number is 6+ orders of magnitude smaller than the amount of digital data in the world. Taken together, even under highly conservative estimates, it is very likely that AI has not yet trained on even one millionth of the amount of data that humanity has digitized. And beyond what humanity has digitized lies the vast amounts of information which is not yet encoded into a computer.

Consider the 150 trillion tokens humans create every day, the zettabytes-worth of yet-to-bevideoed information going on across the planet and all of its inhabitants which (despite helping living creatures get smarter day-in-and-day-out) is completely inaccessible to systems which only read digital information. This striking disparity between used and available data raises a crucial question: why, in an era of unprecedented digital abundance, do AI systems train on such a microscopic fraction of all knowledge? The answer lies not in easily observable symptoms like data availability, but in fundamental problems underpinned by insufficient ABC.

The Search for Root Causes (Three "Whys")

The previous section revealed a paradox: despite widespread beliefs of data and compute scarcity, AI systems access less than one millionth of digital resources, and an untold microfraction of the world’s information broadly. This under-utilization raises a critical question: if more data and compute directly improves AI capabilities through scaling laws, why do AI systems use such a tiny fraction of what’s available? The answer lies in a cascade of technical and institutional barriers, each revealing a deeper ”why” that must be understood:

• First Why: Attribution-based Control
• Second Why: Deep Learning's Feature Mixing Precludes Partitioning
• Third Why (Root Cause): Addition of Source-Separable Concepts

As we follow this chain of questions, we’ll see how each answer reveals a deeper technical challenge. More importantly, we’ll discover how recent breakthroughs in cryptography, deep learning, and distributed systems have already created solutions to these challenges (solutions which remain largely unrecognized by the AI community).

First Why: Attribution-based Control

The previous section revealed significant inefficiencies in the training of AI systems: 6+ orders of magnitude in underutilized data and compute. While there may be multiple contributing factors to these constraints, this thesis and chapter examines one particular root cause: AI’s inability to provide attribution-based control (ABC). An AI model possesses attribution-based control when two properties are true: data sources control which AI predictions they support, AI users control which data sources they rely upon for an AI prediction. Following this definition (Definition 1.1.1), ABC implies certain architectural properties as novel requirements:

• Source-Partitionable Representations: Knowledge within an AI system is partition-able by source, otherwise sources lose control when their information is mixed, requiring:
  • Source-Partitionable Inference: Partitions are independently usable at inference, otherwise users can’t select specific sources and sources can’t participate irrespective of the decisions of other sources
  • Source-Partitionable Training: Partitions are independently trainable, otherwise sources can’t update their contributions without requiring other sources to do so.
• Rapid Partition Synthesis: Partitions are rapidly synthesize-able during inference, otherwise collective insights which are only learnable via information from multiple sources cannot be realized in production AI systems.

Frontier AI systems lack these properties. Yet, if these properties were achieved, attribution would be achieved and aforementioned problems regarding data and compute productivity would be impacted. Let’s examine each in detail, linking each problem to attribution-based control.

ABC and Compute Productivity (6+ OOM)

ABC would address compute productivity issues along two dimensions: access and learning structure. Regarding structure, successful ABC would necessarily provide a means to structure the learning and representation process, reducing re-training, forward propagation, redundancy, and catastrophic forgetting. Regarding access, ABC would provide a means to overcome incentive issues presently siloing the world’s compute resources. Let us consider these claims in the context of inference and learning.

2-3 OOM: Inefficient AI inference

Recall that current AI models must activate vast numbers of parameters for every prediction because they struggle to pre-identify which parameters are storing relevant information to the present query; they struggle with sparse forward propagation. While various approaches to sparse AI exist, successful ABC would necessarily enable one particularly compelling form of sparsity: source-based sparsity (i.e. source-based partitioning). Consequently, if an AI model could forward predict based on a relevant subset (i.e., the top 10) of many (i.e. billions) of sources, then it is very likely to also greatly reduce the computational complexity involved in forward propagating, because it would be forward propagating through vastly less information.

RETRO and ATLAS demonstrate the minimum scale of such a breakthrough. By maintaining source-based partitions through their database architecture, they achieve equal performance while activating only 2-4% of the parameters of similarly performant dense models (Borgeaud et al., 2022; Izacard et al., 2023).

Similarly, recall how current models process some combination of redundant copies of knowledge and empty regions of parameter space during inference. While there are many approaches to reducing these forms of waste (e.g., distillation, compression, etc.), successful ABC would necessarily enable one particularly compelling way to avoid copies or empty space: source-based partitioning. If an AI model could forward predict based on a relevant subset (i.e., the top 10) of many (i.e., billions) of sources, then tuning the number of sources being relied upon could also tune the redundancy being used in forward propagation. Meanwhile, ensuring that the partitions being leveraged for forward propagation were relevant to the query would combat the risk of forward propagating empty space ².

RETRO and ATLAS demonstrate these principles through their database architecture, showing how source-based organization can naturally eliminate redundant processing and avoid computation on irrelevant parameters while maintaining model capability. They also demonstrate the ability for such partitioning to increase the number of samples being used against a dense (i.e. non-partitioned) section of the network, reducing empty space. Yet as significant as these inference inefficiencies are, they pale in comparison to the waste in how AI systems learn.

6+ OOM: Underutilized and Inefficient Compute in AI Learning

Recall that current AI models must retrain entirely from scratch when updating their knowledge, because of problems such as catastrophic forgetting (Kemker et al., 2018). While various approaches to incremental training exist, successful ABC would necessitate one particular solution: source-partitioned retraining. Consequently, if an AI model can train source-separated subsections of its weights, it can re-train them as well, and it is very likely to also greatly reduce the computational complexity involved in the re-training process, because it would be re-training vastly fewer parameters at a time. RETRO/ATLAS demonstrate one such approach, wherein re-training can be done with the computational complexity involved in adding or removing vector-embeddings from a database.

Similarly, recall how current training processes waste compute in multiple ways: through redundant copies of the same knowledge, through activation of irrelevant parameters, and through inefficient parameter density. While various approaches to training efficiency exist, successful ABC would necessarily enable compelling means to overcome these problems (as already described in the previous section describing ABC’s impacts on inference).

Additionally, these ABC opportunities further compound when we consider how compute is distributed across organizations. Consider our library analogy once more: libraries don’t each maintain copies of every book ever written; they form networks to share resources efficiently. In contrast, frontier AI models are created by a host of organizations around the world, each re-paying the cost of creating an AI model (most of which are trained on largely the same data).

Successful ABC may activate an economic incentive addressing this waste ³ . At the present moment, frontier AI models are economic bundles, marketed under a story which itself is an economic bundle: artificial general intelligence. Because of this, if one AI company re-trains the capabilities of another company (e.g. spending $200M on compute) and then adds a bit more to it (e.g., another $10M in data and compute), an end user must then choose between that full economic bundle and another full economic bundle. This creates a situation wherein companies effectively have to pay the minimum amount to catch up to the leading position and then extend some beyond it.

However, successful ABC would modularize the initial capability, such that some percentage of the original $200M could be inherited from previous models and then extended with new capabilities. Given the immense costs involved, such a modularization breakthrough would constitute an enormous economic pressure. If firms pedantically chose to re-pay the cost to train their own from scratch, recreating 90% of the modules which already exist in the market, they would incur very high costs which must correspond with very high prices to recoup those costs. Inversely, a startup which came along and inherited the 90% produced by others, paying only for their specialization, would (all else equal) be able to charge lower prices, and win in the market.

From a compute efficiency standpoint, the prospect of cross-market weight-reuse translates directly into the sharing of compute costs for training AI systems. Industry analysis reveals the potential impact: no single AI provider controls more than 5.57% of global compute capacity. Thus, since source-based partitioning could unlock this siloed compute by enabling controlled sharing of specialized knowledge, it could increase effective compute by 17.95x (100/5.57) or more because organizations would waste fewer resources re-computing features which are already commoditized in the market. Taken together, economic unbundling would plausibly drive specialization and more efficient use of compute resources in the market.

While various approaches to these inefficiencies exist, solving ABC would necessarily enable one comprehensive solution path. Note that this is not saying that ABC is the solution, merely that ABC is difficult because it would involve solving these other difficult challenges... because ABC requires that sources maintain control over their contributions while enabling rapid synthesis. Taken together, any solution to ABC solution must provide:

• Selective retraining instead of full rebuilding (68x+ improvement)
• Efficient computation during training (25-50x+ improvement)
• Reduced parameter redundancy through source-based organization (5-10x+ improvement)
• Specialization with controlled sharing (17.95x+ improvement)
• Organization averting catastrophic forgetting (17.95x+ improvement)

Industry analysis and empirical results suggest the combined impact could be dramatic. When these improvements compound multiplicatively, they point to potential training efficiency gains of 6+ orders of magnitude. Yet these numbers, as striking as they are, point to something more fundamental: our failure to maintain attribution in AI systems coincides with a broader acceptance of wasteful practices as inevitable. More than a technical issue, the inefficiency of AI training is a symptom of how we’ve structured AI computation. While other solutions may exist, attribution-based control offers one path to reimagining how AI systems learn and compute, potentially unlocking orders of magnitude more efficiency in the process.

How Failing ABC Siloes Data (6 OOM)

Recall that current AI models can only train on data they can access, which is dominated by data available to the public over the internet. Consequently, AI models almost certainly train on less than 1/1,000,000th of the digitized information in the world because they cannot access the other 99.9999%, which remains hidden amongst the world’s 360 million companies, 8+ billion citizens, etc. (Bogwasi 2025).

While various approaches to data access exist, successful ABC would necessarily enable one compelling solution: controlled data sharing. We take as an assumption that the world’s data owners have some uses in the world they would support (for which their data could be useful). We take as a second assumption that a significant portion of those sources are hidden because the incentives are not sufficient for them to support — or more crucially because the negative consequences would be too great, that their data might not just activate the uses they wish to support, but that it would also activate mis-uses (concerns regarding privacy, security, IP, competition, legal risks, etc.).

Successful ABC would necessarily enable one particularly compelling form of data sharing. The ability for a data source to decide which AI predictions to support is (almost tautologically) the ability for a data source to enable uses while averting mis-uses. Consequently, AI empowered by ABC may activate vastly more data than is presently available. One could argue that truly successful ABC would constitute an incentive shift attracting all of the world’s data to be pulled into at least some AI predictions.

The potential impact is staggering. While frontier AI models train on carefully curated web scrapes on the order of 180 TBs (and the public web plausibly less than common crawl’s largest copy, 450 TBs) the world’s total digital data is estimated to reach 180 zettabytes by 2025. This six-to-nine orders of magnitude difference represents all the data locked behind organizational boundaries, including some data of immense value (e.g. financial data, health data, environmental data, etc.).

RETRO and ATLAS demonstrate part of potential path forward, demonstrating a type of partial ABC at scale by training AI models which query from a database. Certain extensions (such as those suggested in this thesis) could take this further to enable full attribution-based control, and the shifting of incentives around data sharing.

Synthesis: Attribution as a Path Forward

The previous sections revealed two significant inefficiencies in current AI systems: 6+ orders of magnitude waste in compute and 6+ orders of magnitude in untapped data. While there may be many approaches to addressing these inefficiencies, this thesis focuses on attribution-based control as one solution path. As we’ve seen, solving ABC (if such a solution exists) would necessarily enable both efficient compute through source-based partitioning and broad data access through attribution preservation.

Yet this raises a deeper question: if ABC offers such compelling benefits, why don’t current AI systems maintain attribution? The answer, as we’ll see in the next section, lies in how neural networks fundamentally process information. The unconstrained mixing of features during training makes it impossible to partition knowledge by source, revealing our second ”why”: deep learning’s feature mixing precludes the very partitioning that ABC requires.

Second Why: Deep Learning's Feature Mixing Precludes Partitioning

The previous section revealed how solving attribution-based control would necessarily enable massive data and compute gains in AI systems. Yet this raises a deeper question: why do current AI systems fail to maintain attribution in the first place? The answer lies in deep learning’s foundational premise: algorithms should learn everything from scratch through layers of (largely) unrestricted feature mixing on raw data (Goodfellow et al., 2016).

This commitment to unrestricted learning manifests in how neural networks fundamentally process information. Through operations that combine and mix information at every step (from layer computations to weight updates to knowledge accumulation) neural networks create increasingly complex representations of patterns in their training data. While this flexibility enables powerful pattern recognition, it creates a fundamental problem: features become stored in a disorganized, obfuscated way within the deep learning model... a black box.

Consider what happens when a neural network learns to recognize cats. Rather than storing clear, interpretable features like ”pointy ears” or ”whiskers”, the network distributes this knowledge across its weights in complex, entangled patterns (Le 2013). This unrestricted mixing of features makes post-hoc source-based partitioning impossible (at the present moment):

• Features can’t be attributed to specific sources (preventing data control)
• Knowledge can’t be updated independently (requiring full retraining)
• Computation can’t be selectively activated (forcing dense inference)
• Resources can’t be efficiently shared (blocking specialization)

The research community has made extensive efforts to address these limitations. Recent work has attempted to trace predictions back to training data through influence functions, remove specific datapoints’ influence through machine unlearning, and develop various attribution methods to reverse engineer the source-prediction relationship (Nguyen et al., 2024). Yet despite these attempts, both influence functions and unlearning remain unsolved challenges in the literature. So far, the relationship between sources and predictions has been irreversibly compressed during training, and no amount of post-training intervention has successfully restored these lost connections.

The consequences are severe. New models like GPT-5 cannot inherit features from predecessors like GPT-4... they must relearn basic patterns from scratch. Even during inference, models must activate vast parameter spaces for every prediction, unable to pre-identify which features are relevant (and only forward propagate those features). These inefficiencies aren’t mere implementation details that clever algorithms might solve. They stem from something more fundamental about how deep learning processes information.

Yet this raises an even deeper question: why does feature mixing obfuscate attribution-based control? The answer, as we’ll see in the next section, traces back to deep learning’s most basic mathematical operation and how it fundamentally precludes the partitioning that ABC requires.

Third Why (Root Cause): Addition of Source-Separable Concepts

The previous section revealed how deep learning’s feature mixing precludes the partitioning required for attribution-based control. Yet this raises our final ”why”: what makes this mixing fundamentally irreversible? The answer lies in deep learning’s most basic mathematical operation: addition.

Addition might seem like an implementation detail, but it fundamentally prevents recovering source information. When values combine through addition, the result does not uniquely determine its inputs—multiple distinct source combinations produce identical outputs:

This non-injectivity means that observing the sum provides no information about which specific sources contributed. Consider the contrast with concatenation:

When partitions are known, concatenation of numbers is injective; different inputs produce different outputs, allowing source recovery. Addition is not; the output 7 could arise from 1 + 6, 2 + 5, 3 + 4, 0 + 7, or infinitely many other combinations. This non-injectivity is the mechanism through which deep neural networks erase attribution information: once gradients from different sources are summed into shared parameters, no function of those parameters can recover which sources contributed what information.

And neural networks use addition extensively: combining features between layers, aggregating gradients during backpropagation, and updating weights during training. Each addition irreversibly combines information, destroying the provenance of where that information came from and how it was interpreted.

A natural solution might seem possible: why not just track every operation during training ... while also doing these additions? Unfortunately, this approach fails for three fundamental reasons:

First, in models like GPT-3, through forward and backward propagation, each example’s information eventually touches every weight in the network. Even tiny weight changes alter how future examples flow through the network, creating cascading effects that can amplify initially small influences (related: vanishing and exploding gradients (Hochreiter 1998; Hanin 2018)).

Second, these influences compound exponentially and recursively, creating higher order all-to-all relationships between inputs and weights as they do. Consider the mathematics of weight updates for a weight update function g, weights and data at time t as w _t and x _t :

w _t+1 = g(w_t, x_t)
w _t+2 = g(g(w_t, x_t), x_t+1)
w _t+3 = g(g(g(w_t, x_t), x_t+1), x_t+2)

The number of potential attribution paths grows as Ω(w · n)^t , where w is the number of weights, n is the number of examples, and t is the number of steps.

Third, this exponential growth makes exact attribution computationally intractable. The most capable language models frequently leverage just under 1% of their parent organization’s AI training budget (see Appendix I and II for details). Thus, tracking the full web of dependencies (every interaction, every update, every influence path) would require many orders of magnitude more compute than is available to the largest tech firms.

These three barriers (information loss through addition, exponential propagation of influences, and computational intractability) combine to create a fundamental limitation. No amount of clever engineering can fully recover what addition has destroyed. This mathematical reality explains why attempts at machine unlearning and influence functions remain fundamentally limited: they try to reconstruct what addition has already erased.

The Root Problem: The implications are significant. Without the ability to track sources through training, we cannot provide the attribution that ABC requires. Without attribution, we cannot enable the partitioned sharing and use of data and compute that could unlock orders of magnitude more AI resources. Addition itself blocks the very data and compute gains described earlier in this chapter, and holds up the many problems described in Chapter 1.

Third Hypothesis (Root Solution): Concatenating Along Natural Boundaries in Data Sources Enables Attribution

We now continue by constructing a hypothesis (the “Third Hypothesis”) which corresponds to the Third Why, which will support the Second Hypothesis addressing the Second Why and so forth. The previous sections revealed how addition in deep learning creates a fundamental barrier to attribution. Yet examining why addition fails suggests a testable hypothesis: can we significantly reduce the use of addition, perhaps swapping it with concatenation?

Deep learning’s central hypothesis would suggest we can’t, that features need to densely mix (using addition) in order to learn the powerful correlations and representations that give deep learning its predictive capability. However, presumably deep learning maps multiple distinct concepts into a shared feature when those two concepts are related (Krizhevsky et al., 2012). For example, a deep learning model which classifies images might have features which detect ears, fur, and eyes — features which would be useful for modeling many different animals which possess these related concepts (Zeiler and Fergus 2014). However, as these features are not laid out in advance, deep learning needs to densely mix its features in order to discover these related patterns across training datapoints. That is to say, perhaps over-zealous dense feature mixing is more about training than inference

Yet, perhaps deep learning is over-zealous in its feature mixing, opening itself to representation power which could mix any feature with any other when in the real-world not all concepts are closely related. That is to say, not all concepts require that level of general representation power. Perhaps some concepts are actually unrelated to one another, such that some proportion of dense feature mixing in deep learning is superfluous

That said, some concepts are densely mixed, while others are clearly less so. Some information patterns appear ubiquitously: basic rules of grammar that structure language, logical operations that appear in reasoning, morphological patterns which make up words, edges and corners in images, etc. Elements like these are frequently reused across almost every data point, appearing in many billions of documents, images, audio, and videos. Such dense patterns suggest unrestricted mixing through addition may be appropriate for a core subset of features. Their ubiquity also makes attribution less critical; they represent shared computational tools rather than source-specific claims about the world. While perhaps not formally stated, noted researcher Andrej Karpathy recently suggested a similar concept when referring to a future LLM “cognitive core”:

In contrast, perhaps most information is encyclopedic and appears sparsely: specific facts about the world, domain expertise in particular fields, claims made by individual sources, etc. The capital of France, the rules of chess, statistics about pizza... each appears in distinct contexts with limited overlap. As Chomsky noted in linguistics (Chomsky 2014), while we use common patterns to express all knowledge, the knowledge itself often remains naturally partitioned by topic, and when documents are topic specific... by source.

Let us assume for a moment that this is true. If so, then in theory some section of a neural network could be made sparse, namely the part of the neural network which stores concepts which are largely decoupled from the rest of a neural network’s knowledge (facts, domain expertise, semantic information, etc.). Perhaps this section could use less addition (and more concatenation), enabling sparsity which could drive attribution. Meanwhile, another part of the neural network might need to remain dense, storing and synthesizing concepts which are ubiquitous across a statistical distribution (logic, reasoning, syntax, etc.).

The key question: how would one go about training a neural network which successfully partitioned information into sparse and dense sections?

A key insight of this chapter is that techniques from privacy-preserving machine learning, particularly differential privacy (DP) (Dwork et al., 2006), provide a principled way to measure and control which features benefit from dense mixing versus sparse representation. Differential privacy quantifies how much a model’s outputs depend on any individual training example:

The parameter ε provides a quantitative measure of individual example influence on outputs. This same measure can serve three distinct control objectives:

These three regimes serve different stakeholder needs. Data owners might seek differential privacy (ensuring their data cannot be identified in model outputs), differential measurement (understanding their data’s contribution), or differential attribution (guaranteeing their data influences predictions). Users might seek privacy (preventing their queries from revealing information) or attribution (ensuring they can identify which sources influenced their results). The same mathematical framework (DP’s ϵ parameter) enables each form of control.

Given differential privacy’s use in deep learning (e.g., (Abadi et al., 2016)), this framework suggests an architectural insight: a neural network serving diverse stakeholders requires the capability to enforce different ϵ regimes for different information. Information requiring privacy (small ϵ) can pass through privacy-constrained layers with dense mixing via addition. Information requiring attribution (large ϵ) must route through pathways preserving source identity via sparse concatenation. Information requiring measurement sits between these extremes, with ϵ tracked but not bounded. The model’s optimization pressure, when constrained to respect these different ϵ regimes, might naturally partition information accordingly. This framework suggests two testable predictions:

First, features with high source-specific attribution should cluster naturally by source, while features with low attribution should appear consistently across sources. Recent work with RETRO and ATLAS provides initial evidence for this prediction, showing how knowledge naturally separates into general computational patterns (the Transformer reading from a database of vectors, similar to Karpathy’s “cognitive core”) and source-specific information (the database of vectors).

Second, respecting these natural boundaries through architectural choices might enable more efficient computation. If most information is sparsely distributed, then forcing it through dense addition operations wastes significant compute. Models that preserve sparse patterns through concatenation while sharing dense patterns through addition should achieve better computational efficiency. Again RETRO and ATLAS provide early evidence of this ability, wherein information within their vector database is concatenated (i.e. in different rows of the database), while information in the neural network consuming from the database is densely stored within Transformer weights.

The next section builds on this hypothesis, suggesting how these natural boundaries in information usage could enable new approaches to AI development. If correct, this could resolve the tension between deep learning’s powerful pattern recognition and the need for attribution-based control in AI systems.

Second Hypothesis: From Deep Learning to Deep Voting with AI Recycling and Src-specific Intelligence Budgets

The previous section revealed how privacy mechanisms might naturally separate dense from sparse information patterns. Yet this theoretical insight raises a practical question: how do we actually implement the measurement and control regimes we defined? The definitions in the previous section assumed worst-case bounds (requiring that ϵ constraints hold for all pairs of neighboring datasets). But attribution-based control requires the opposite: not uniform bounds across all sources, but source-specific control where each source can have different influence levels matching different stakeholder needs.

From Worst-Case to Individual Differential Privacy

Standard differential privacy enforces worst-case bounds across all possible pairs of neighboring datasets. Consider a dataset where most individuals’ data appears in common patterns, but one individual has highly unique data. Worst-case differential privacy must constrain the entire mechanism based on that one outlier, reducing utility for everyone—even though the mechanism only ever operates on the actual dataset, not all possible datasets. Individual differential privacy (Soria-Comas et al., 2016) provides a more nuanced approach by focusing privacy guarantees on the actual dataset rather than all possible datasets:

The crucial difference from standard DP: $D$ refers to the actual dataset being protected, while $D'$ ranges over $D$'s neighbors. Standard DP requires indistinguishability for any pair of neighbors; individual DP requires indistinguishability only between the actual dataset and its neighbors. This asymmetry allows the mechanism to adjust noise based on properties of the actual dataset (such as its local sensitivity) rather than worst-case properties across all possible datasets.

This enables tighter privacy guarantees in practice. When the actual dataset has low local sensitivity (changing any individual barely affects outputs), individual DP requires minimal noise. When the actual dataset has high local sensitivity (some individuals significantly affect outputs), individual DP adds proportionate noise. Standard DP must always assume worst-case sensitivity regardless of the actual dataset’s properties.

From Individual Privacy to Individual Attribution

Just as we extended standard differential privacy to define attribution regimes in the previous section, we can extend individual differential privacy to define individual attribution. The key insight remains the same: privacy and attribution are opposite ends of the same ϵ spectrum, now applied to the actual dataset rather than worst-case bounds.

From Examples to Sources: Group Differential Privacy

But attribution-based control requires more than individual-level bounds, it requires source-level control. Individual differential privacy protects single examples in the actual dataset, but data sources typically contribute many examples. Consider a medical AI trained on data from 100 hospitals: each hospital contributes thousands of patient records. ABC needs to measure and control influence at the hospital level, not just the individual patient level. The differential privacy literature addresses this through group differential privacy (Dwork et al., 2014), which extends privacy guarantees from individuals to groups of records:

We can combine group differential privacy with individual differential privacy to obtain source-level control calibrated to the actual dataset. When we partition a dataset by sources $D = \bigcup_{s \in S} D_s$, we treat each source as a group and apply individual DP at the group level:

Standard differential privacy automatically provides group privacy through composition: if a mechanism satisfies $ϵ$-DP for individuals, it satisfies $kϵ$-DP for groups of size $k$. However, this is a worst-case bound that assumes all $k$ individuals have maximal independent influence. Group differential privacy makes group protection explicit, enabling tighter analysis when group members have correlated data or when mechanisms can exploit group structure.

We can combine group differential privacy with individual differential privacy to obtain source-level control calibrated to the actual dataset. When we partition a dataset by sources \( D = \bigcup_{s \in S} D_s \), we treat each source as a group and apply individual DP at the group level:

This combines group DP’s extension to multiple records with individual DP’s calibration to the actual dataset. Each source s receives its own privacy parameter \( \epsilon_s \) measuring influence on the actual dataset $D$, not worst-case influence across all possible datasets. A hospital contributing highly unique medical data might have large \( \epsilon_s \) for the actual dataset, while a hospital contributing common patterns might have small \( \epsilon_s \) (without forcing all hospitals to share worst-case bounds).

From Source-Level Privacy to Source-Level Attribution

Just as individual DP extends to attribution regimes (privacy, measurement, attribution), sourcelevel individual DP extends to source-level attribution. We can quantitatively measure each source’s influence on the actual dataset:

This measures each source’s attribution relative to the actual dataset \( D \) by quantifying how predictions change when that specific source is included versus excluded. Unlike standard group DP (which provides worst-case \( k\epsilon \) bounds for all groups of size \( k \)), source-level individual attribution calibrates to actual dataset properties: a medical research paper might have high attribution for predictions in its domain (large divergence from \( D_{-s} \)) but negligible attribution for unrelated queries (small divergence).

This enables the diverse source-level control ABC requires. Consider the medical AI trained on 100 hospitals: some hospitals can demand privacy (enforce small \( \epsilon_s \) calibrated to their actual data), others can guarantee attribution (enforce large ϵs ensuring measurable influence), others can simply track their contribution (measure \( \epsilon_s \) without bounds). Worst-case group DP cannot accommodate this diversity; it forces uniform \( k\epsilon \) bounds across all groups of size \( k \). Source-level individual attribution provides per-source control adjusted to the actual dataset, precisely what attribution-based control requires.

Intelligence Budgets: Implementing Individual Source Control

This source-level individual attribution measure enables a practical control mechanism: intelligence budgets. Rather than simply measuring influence after the fact, we can actively control how much each source influences predictions through architectural routing decisions.

Each \( g_s \) can be an arbitrary neural network (e.g., a deep learning model) with parameters \( \Theta_{\text{semantic}}[s] \) specific to source \( s \). The syntactic function \( f \) can also be an arbitrary neural network (e.g., a Transformer) with shared parameters \( \Theta_{\text{syntactic}} \). The function \( f \) receives all raw inputs and all scaled semantic outputs concatenated together, and can mix them however it wants. The parameter \( \gamma[s] \) directly controls source \( s \)’s intelligence budget by scaling how much of its semantic output \( s_s = g_s(x_s) \) contributes to the final prediction.

When \( \gamma[s] = 0 \), source \( s \) contributes only through its raw input \( x_s \) concatenated with others. The syntactic function \( f \) can mix these raw inputs however it wants. Differential privacy constraints on \( f \) ensure this mixing prevents source identification, enforcing the privacy regime. When \( \gamma[s] = 1 \), source \( s \) contributes its full semantic representation \( s_s \) with identity preserved through concatenation, enabling attribution tracking and enforcing the attribution regime. Intermediate values of \( \gamma[s] \) enable the measurement regime.

This budgeting mechanism provides flexible, context-dependent control matching diverse stakeholder needs. A source demanding privacy sets \( \gamma[s] = 0 \). A source guaranteeing attribution sets \( \gamma[s] = 1 \). A source tracking contribution uses intermediate \( \gamma[s] \) and measures resulting influence. The model simultaneously satisfies all these requirements by setting different \( \gamma[s] \) values for different sources.

From Concatenation and IDP to Deep Voting

The deep voting framework reveals a two-dimensional spectrum in machine learning architectures by introducing a second control parameter $\lambda \in [0,1]$ that governs the overall balance between semantic and syntactic capacity:

With these mechanisms in place, we can return to the implications of such a system for providing attribution-based control: the potential to dramatically increase the amount of data and compute available for training AI systems. By providing clear mechanisms for measuring source influence ($\text{Attribution}_\alpha(s, h)$), bounding influence when needed ($\gamma[s] = 0$ for privacy), and guaranteeing influence when required ($\gamma[s] = 1$ for attribution), deep voting might enable the safe use of orders of magnitude more training data.

First Hypothesis: ABC and 6+ Orders of Magnitude more Data/Compute

The deep voting framework reveals a two-dimensional spectrum in machine learning architectures. Consider how different parameter settings affect the model’s behavior:

At (λ,γ) = (1, 0), we find pure deep learning with maximum compression. These systems, like GPT-4, use only shared parameters with basic bounds on attribution. They achieve powerful feature learning but sacrifice attribution clarity. At (λ,γ) = (0, 1), we find pure partition-based learning, like federated systems, which maintain group privacy but limit cross-source learning. At (λ,γ) = (0, 0), we find pure source-specific learning systems like k-nearest neighbors, providing perfect attribution through direct tracking but losing the benefits of parameter sharing.

Far from being theoretical abstractions, these points represent real systems in production today, each making explicit tradeoffs between learning power (as measured by model performance), attribution clarity (as measured by influence tracking), and computational efficiency (as measured by FLOP counts).

Current systems tend to choose a fixed point on this spectrum, making an explicit tradeoff between these competing forces. Deep voting formalizes a more continuous alternative: dynamic adjustment of these parameters (perhaps based on empirical information). When data shows high redundancy across sources (like common language patterns), higher λ values enable efficient parameter sharing. When sources contain unique information (like proprietary research), lower values maintain clearer attribution and better reward data owners for their novelty and innovation.

The empirical evidence presented earlier in this chapter paints a stark picture of current limitations. AI systems today access less than one millionth of the world’s digital data, 180 zettabytes versus roughly 180 terabytes for the largest known training sets. Even the largest AI firms utilize less than 5.57% of available compute capacity. Meanwhile, techniques like RETRO/ATLAS have demonstrated 25-50x parameter efficiency gains while maintaining performance, recent compression research shows 5-10x reduction in parameter counts without accuracy loss, and catastrophic forgetting work suggests a 40x drop in model size is attainable.

This tension yields our central empirical question: Can deep voting meaningfully shift the Pareto frontier between learning power, attribution clarity, and computational efficiency? Success could mean unlocking orders of magnitude more training data through clear attribution mechanisms. Success would enable dramatic reductions in computational waste through dynamic parameter sharing. Perhaps most importantly, success would create a path toward safe compute sharing through reliable influence tracking; the sparse, concatenated section could be distributed across multiple computers.

The stakes are significant. If deep voting succeeds, it could unlock another 6+ orders of magnitude of training data and compute productivity. If it fails, we may remain constrained by the fundamental limitations of current architectures. The next section examines the empirical evidence, providing an early view of whether deep voting might achieve the theoretical benefits suggested by its mathematical framework.

Empirical Evidence: Does the Pareto-Tradeoff Move?

To evaluate whether deep voting can shift the fundamental tradeoffs between capability and attribution, we must first establish clear empirical baselines. Deep learning’s conventional wisdom around end-to-end training suggests a stark choice: systems can either achieve state-ofthe-art performance through dense feature mixing or maintain clear attribution, but not both. Yet recent results challenge this assumption. Consider the performance comparison between GPT-3 and RETRO, as described in Table 2.7 below.

The result demands explanation. RETRO matches GPT-3’s performance while using 25x fewer parameters and maintaining clear paths for attribution through its retrieval mechanism. If the tradeoffs between attribution and capability were truly fundamental, such a result should not be possible.

Pure Architectures: The Baseline Tradeoff

Conventional architectures exhibit clear tradeoffs between attribution, efficiency, and performance. We examine three points on this spectrum:

Traditional deep learning systems (λ = 1) achieve state-of-the-art performance through unrestricted parameter sharing. On MNIST, non-private models reach 98.3% accuracy, while an identically parameterized model with differential privacy constraints drops to 90% (Abadi et al., 2016). This performance advantage comes at a cost: unrestricted parameter mixing during training erases mappings between sources and predictions, making attribution impossible.

Group-based federated systems (λ = 0, γ = 1) maintain clear attribution boundaries by partitioning data within institutional silos. When data is independently and identically distributed (IID) across clients, this partitioning incurs no performance cost. However, when data is non-IID

across clients, MNIST accuracy drops from 98.69% to 96.29% (Zhao et al., 2018)—a 2.4% degradation relative to joint training. This reflects a tension between attribution boundaries and cross-source pattern learning.

Pure memory-based approaches (λ = 0,γ = 0) such as k-NN provide perfect attribution by directly linking predictions to source examples. These systems achieve 97.2% accuracy on MNIST (Grover and Toghi 2018) but cannot generalize beyond patterns explicitly present in their memory banks.

These results establish baseline tradeoffs: dense architectures sacrifice attribution for performance, and federated/memory-based architectures sacrifice performance (on non-IID data) but gain attribution. The six orders of magnitude of inaccessible data and underutilized compute identified earlier remain siloed behind institutional boundaries because organizations cannot share data without relinquishing control. If these tradeoffs reflect fundamental constraints rather than architectural limitations, they would permanently restrict AI systems’ access to real-world resources

The First Crack: RETRO and ATLAS

However, recent architectures challenge these baseline tradeoffs. RETRO outperforms GPT-3 on the Pile (0.670 vs 0.811 bits-per-byte) while using only 7.5B parameters compared to GPT-3’s 175B. This constitutes a 25x reduction in parameter count while achieving superior performance and maintaining clear attribution paths through its retrieval mechanism (Borgeaud et al., 2022).

ATLAS demonstrates similar gains: 25-50x parameter efficiency improvements while maintaining or exceeding baseline performance (Izacard et al., 2023). Both systems achieve these results through a fundamental architectural shift: rather than compressing all knowledge into dense parameters, they maintain explicit connections to source documents through retrieval.

These results demonstrate that the tradeoff between attribution and capability reflects architectural choices rather than fundamental machine learning constraints. Systems maintaining explicit source separation through retrieval mechanisms achieve competitive performance with dense models while preserving attribution.

Converging Evidence Across Architectures

RETRO and ATLAS represent a broader pattern. Multiple architectural innovations demonstrate that explicit information paths enable simultaneous optimization of attribution and performance.

PATE (Private Aggregation of Teacher Ensembles) demonstrates this pattern in privacypreserving machine learning. Traditional privacy-preserving approaches incur 10-20% performance degradation. PATE reduces this gap to 0.7% on MNIST (98.5% accuracy versus 99.2% non-private baseline) while maintaining differential privacy guarantees through source-separated teacher ensembles (Papernot et al., 2018).

Federated RAG systems demonstrate concurrent improvements in attribution and performance. Recent work shows that federated RAG improves both attribution clarity and model accuracy simultaneously (Table 2.8) (Hou and Wang 2024).

Git Re-Basin demonstrates that independently trained models can be merged with minimal performance loss through weight permutation alignment (Ainsworth et al., 2022). This extends previous model merging results (Zhao et al., 2018) by enabling merging across models trained on separate dataset partitions from similar distributions. The technique identifies and corrects for arbitrary permutations of hidden layer neurons that occur during independent training, effectively aligning equivalent features across models before merging.

Deep Voting: Formalizing the Pattern

These architectures (RETRO, ATLAS, PATE, federated RAG, and Git Re-Basin) share a common technical mechanism: they replace addition operations during training with concatenation, deferring synthesis until inference time. We formalize this pattern as deep voting.

Traditional deep learning architectures synthesize knowledge during training by adding gradient updates into shared parameters. This pre-synthesis creates the documented tradeoffs: compressed representations lose attribution, strict partitioning loses cross-source patterns, and explicit storage loses efficiency. Deep voting defers this synthesis. Source-specific knowledge remains concatenated (partitioned) during training. At inference time, relevant partitions are selectively synthesized through weighted addition, with synthesis scope bounded by intelligence budgets (Section 2.7).

This architectural choice enables three simultaneous optimizations that conventional architectures trade off:

Attribution through source partitioning. Concatenated representations preserve source identity. RETRO and ATLAS maintain explicit mappings to source documents, enabling the source-level control required to unlock 6+ orders of magnitude of inaccessible data.

Efficiency through selective synthesis. Inference-time synthesis activates only relevant partitions. RETRO’s 25x parameter reduction and PATE’s 0.7% privacy-performance gap demonstrate that selective synthesis substantially reduces computational requirements.

Performance through shared computation. Shared syntactic components learn crosssource patterns without full parameter mixing. Git Re-Basin’s successful merging and federated RAG’s accuracy improvements demonstrate that partitioned training with shared components achieves competitive performance, avoiding the 2.4% degradation of pure federated approaches on non-IID data.

The convergent results across these architectures (operating in different domains with different implementations e.g. language modeling, privacy preservation, retrieval, model merging) indicate that this mechanism represents a fundamental alternative to dense parameter mixing rather than domain-specific engineering. Deep voting shifts the Pareto frontier between attribution, efficiency, and performance by preserving source mappings that addition destroys

These systems demonstrate that the architecture of deferred synthesis is sound. Whether it remains sound when assets are independently owned, when per-source privacy guarantees impose real constraints on how predictions are synthesized, requires a setting where these constraints actually bind. The next section explores an approximation of that scenario.

Empirical Prototype: Private Ensemble Aggregation with Intelligence Budgets

In this prototype, five frontier language models, each trained independently by a different organization on its own data and compute, are ensembled under a mechanism that enforces formal per-source influence bounds. The deep voting mechanism described above is instantiated in its simplest form through weighted voting: each model serves as a source-specific function \(g_s\), and the syntactic function \(f\) synthesizes their predictions at inference time. Differential privacy machinery (specifically, Rényi differential privacy Mironov, 2017 and the exponential mechanism McSherry and Talwar, 2007) implements the intelligence budget framework of Definition 2.7, yielding per-source influence bounds that operate in all three regimes (privacy, measurement, and attribution) simultaneously.

Experimental Setup

The prototype evaluates five frontier language models on a multiple-choice subset of the Humanity’s Last Exam (HLE) benchmark Phan et al., 2025. HLE is a dataset of 2,500 expert-crafted questions contributed by nearly 1,000 subject-matter experts across more than 500 institutions, spanning mathematics, physics, biology, chemistry, computer science, philosophy, and other domains. Approximately 76% of HLE questions require short exact-match answers; the remaining ~600 are multiple-choice. The evaluation is restricted to the 513 multiple-choice questions for which all five models produced valid responses, as the one-hot prediction format required by the weighted voting mechanism (Equation \(\eqref{eq:weighted_votes}\)) naturally applies to discrete choice among labeled alternatives.⁵ Each model is queried through the OpenRouter API, and its predicted answer is recorded as a one-hot vector \(p_s \in \{0,1\}^{C_q}\) for each question \(q\) with cardinality \(C_q\) (the number of answer choices). The models and their individual accuracies are:

Each model serves as a source-specific function \(g_s\) in the deep voting framework. The prediction vector \(p_{s,q} = g_s(x_q)\) represents model \(s\)’s one-hot prediction for question \(q\). The syntactic function \(f\) is implemented as weighted voting:

where \(\gamma[s] \in [\gamma_{\min}[s], \gamma_{\max}[s]]\) is the intelligence budget for source \(s\), and the ensemble prediction is \(\hat{y}(q) = \arg\max_j v_j(q)\).

Baseline: Non-Private Hedge Ensembling

The central challenge of deep voting is choosing the weights \(\gamma[s]\). If we knew in advance which models would perform well on which questions, we could assign optimal weights from the start. But we do not have access to future outcomes, so the weights must be learned from experience as queries arrive. This is a classic online learning problem: at each round, the ensemble must commit to a weighting before observing the correct answer, then update its beliefs based on the outcome. The literature on online convex optimization provides algorithms with strong regret guarantees for exactly this setting (Freund and Schapire, 1997; Kalai and Vempala, 2005).

Before introducing privacy mechanisms, it is useful to establish the performance of non-private ensemble aggregation using the Hedge algorithm (multiplicative weights update) Freund and Schapire, 1997. Hedge maintains weights \(w_s^{(t)}\) for each model \(s\) at round \(t\), updating them multiplicatively based on observed losses:

where \(\eta = 0.1\) is the learning rate and \(\ell_s^{(t)}\) is the 0-1 loss of model \(s\) on question \(q_t\). With 513 online rounds, the Hedge ensemble achieves 50.29% accuracy (258/513), exceeding the best individual model (Gemini 3.1 Pro, 44.4%) by 5.9 percentage points. This establishes the accuracy ceiling for any private variant, and the central question becomes what accuracy cost, if any, formal intelligence budgeting guarantees impose.

Private Aggregation: The Two-Phase FTPL Mechanism

Releasing either the Hedge weights or the full vote counts \(v(q)\) at each round would leak information about individual models’ predictions. The goal is to implement the intelligence budgets: each source \(s\) contributes with bounded influence \(\gamma[s] \in [\gamma_{\min}[s], \gamma_{\max}[s]]\), and the per-source cost of participation is quantified by the differential attribution. To build this mechanism, the prototype draws on two core primitives: the exponential mechanism for weight selection, and the Gaussian Noisy Max (GNMax) mechanism for private output release (Papernot et al., 2018). The DP machinery provides the formal accounting that makes intelligence budgets verifiable: each source’s \(\epsilon\) is precisely the differential attribution cost of its participation.

Differential Privacy: Definitions and Intuition. The formal guarantees rest on differential privacy (DP), introduced by Dwork, McSherry, Nissim, and Smith.⁶

The parameter \(\epsilon\) bounds how much any single record can affect the output distribution. An observer who sees the mechanism’s output cannot reliably determine whether any particular record was present in the input, because the output distributions with and without that record are nearly indistinguishable. Smaller \(\epsilon\) means stronger privacy; \(\epsilon = 0\) would mean the output reveals nothing about any individual record (although it may still release information which is consistently present in a sufficiently large number of records; e.g. “what causes cancer” but not “does patient X have cancer?”).

In the ensemble setting, “neighboring datasets” correspond to changing one model’s prediction on one question. The goal is to ensure that the ensemble’s published outputs (the predicted answers) do not reveal too much about any individual model’s contribution.

Phase 1: Weight Calibration via Follow the Perturbed Leader. The mechanism replaces Hedge with Follow the Perturbed Leader (FTPL) Kalai and Vempala, 2005, an online learning algorithm that selects actions by perturbing cumulative utilities with random noise. At each calibration round \(t\), a model is selected by:

where \(L_m^{(t)} = \sum_{\tau=1}^{t} \ell_m^{(\tau)}\) is the cumulative loss of model \(m\) through round \(t\) and \(\eta > 0\) is the learning rate. Here \(\text{Gumbel}(0,1)\) denotes the standard Gumbel distribution with CDF \(F(z) = e^{-e^{-z}}\), sampled via the inverse CDF as \(Z = -\ln(-\ln(U))\) for \(U \sim \text{Uniform}(0,1)\).

Why Gumbel noise? The choice of Gumbel perturbations is not arbitrary. By the Gumbel-max trick,⁷ when each \(Z_m\) is an independent \(\text{Gumbel}(0,1)\) draw, the probability of selecting model \(m\) follows a Gibbs (softmax) distribution:

This distribution concentrates probability mass on models with low cumulative loss (strong past performance), with \(\eta\) controlling the concentration: larger \(\eta\) produces sharper distributions that favor the current leader, while smaller \(\eta\) produces more uniform distributions.

The exponential mechanism connection. The distribution in Equation \(\eqref{eq:ftpl_gibbs}\) is precisely the exponential mechanism of McSherry and Talwar.⁸ The exponential mechanism selects an option with probability proportional to \(\exp(\epsilon \cdot u(D, r) / (2\Delta u))\), where \(u(D, r)\) is the utility of option \(r\) on dataset \(D\) and \(\Delta u\) is the sensitivity. In the FTPL setting:

• Utility: \(u(D, m) = -L_m\), assigning higher utility to models with lower cumulative loss.
• Sensitivity: \(\Delta u = 1\), because changing one question’s outcome changes one model’s cumulative loss by at most 1.
• Matching terms: FTPL selects \(m\) with probability \(\propto \exp(-\eta \cdot L_m) = \exp(\eta \cdot u(D,m))\). The exponential mechanism selects with probability \(\propto \exp(\epsilon \cdot u(D,m) / 2)\). Equating \(\eta = \epsilon / 2\) gives \(\epsilon = 2\eta\).

The Gumbel perturbation that FTPL adds for online learning (to explore alternatives and achieve low regret) turns out to be exactly the noise that differential privacy requires. There is no additional privacy cost beyond what the learning algorithm already uses. With \(\eta = 0.1\), each calibration round costs only \(\epsilon = 0.2\) in pure differential privacy.

To compute smooth ensemble weights rather than selecting a single model per round, the mechanism averages over \(N = 2{,}000\) independent Gumbel draws, obtaining \(\gamma[s] = \frac{1}{N} \sum_{i=1}^{N} \mathbf{1}[m^*_i = s]\). After \(T\) calibration questions, weights are frozen: \(\gamma_{\text{frozen}}[s] = \gamma[s]^{(T)}\). All subsequent computations using frozen weights incur no additional privacy cost from the FTPL mechanism, by the post-processing theorem of differential privacy.⁹

Phase 2: Deployment via Confident-GNMax. During deployment (after calibration), the frozen weights define the ensemble. The remaining privacy question is how to release predictions without revealing too much about individual models’ votes. The Gaussian Noisy Max (GNMax) mechanism addresses this by releasing only the index of the highest noisy vote, rather than the full vote vector:

where \(v_j(q)\) is the weighted vote count from Equation \(\eqref{eq:weighted_votes}\) and \(\sigma > 0\) controls the noise scale. To further reduce privacy expenditure on queries where the ensemble has low confidence, the prototype applies the Confident-GNMax thresholding mechanism (Papernot et al., 2018):

where \(\mathcal{T} \geq 0\) is the confidence threshold and \(\bot\) denotes refusal to answer. Refused queries contribute zero privacy cost: the system reveals only that the ensemble was not sufficiently confident, which (because the confidence check itself uses noisy counts) leaks minimal information about any individual model.

Privacy Accounting via Rényi Differential Privacy. The full mechanism involves multiple private operations: \(T\) rounds of FTPL weight selection (each satisfying \(0.2\)-DP) and up to \(Q\) rounds of GNMax during deployment. Rényi differential privacy (RDP) provides substantially tighter composition by tracking privacy loss through Rényi divergences, a family of information-theoretic measures parameterized by an order \(\alpha > 1\).¹⁰

While standard DP bounds the worst-case multiplicative change in output probabilities (by \(e^{\epsilon}\)), RDP bounds a soft average of these changes, parameterized by \(\alpha\). The practical advantage of tracking RDP at multiple orders simultaneously is that composition remains additive: if mechanism \(\mathcal{M}_1\) satisfies \((\alpha, \epsilon_1)\)-RDP and \(\mathcal{M}_2\) satisfies \((\alpha, \epsilon_2)\)-RDP, their sequential composition satisfies \((\alpha, \epsilon_1 + \epsilon_2)\)-RDP.

Data-dependent GNMax bound. For the GNMax mechanism, the RDP cost per query depends on the margin between the top two vote counts. Let \(\Delta(q) = v_{(1)}(q) - v_{(2)}(q)\) be this margin. The \((\alpha, \hat{\epsilon}_\alpha(q))\)-RDP cost satisfies:¹¹

The practical consequence is that when the ensemble strongly agrees (\(\Delta(q)\) large relative to \(\sigma\)), the privacy cost per query decreases exponentially with the squared margin. In a well-calibrated ensemble where the majority of queries have large margins, most deployment queries contribute near-zero privacy cost.

Full composition. The total system RDP across \(T\) calibration rounds and the answered deployment queries composes additively at each order \(\alpha\):

The final \((\epsilon, \delta)\)-DP guarantee is obtained by converting the composed RDP bound to standard differential privacy, optimizing over the Rényi order \(\alpha\):

The prototype evaluates this expression at 13 values of \(\alpha \in \{1.5, 2, 3, 4, 5, 8, 10, 16, 20, 32, 50, 64, 100\}\) and reports the minimum.

Individual Intelligence Budgets: Per-Source Privacy Accounting

The mechanism above provides a system-level privacy guarantee. To implement intelligence budgets, this section extends it to per-source privacy accounting that controls each model’s individual influence on the ensemble output.

Under the Gaussian mechanism with noise \(\mathcal{N}(0, \sigma^2 I)\), the standard RDP bound for \(\ell_2\)-sensitivity \(\Delta_s\) gives the per-source RDP cost at order \(\alpha\):

The intelligence budget \(\gamma[s]\) therefore directly controls the per-query privacy cost. The weight \(\gamma[s]\) simultaneously determines how much source \(s\) contributes to the prediction (the attribution semantics) and how much privacy source \(s\) expends (the privacy semantics), which is exactly the coupling that attribution-based control requires. The relationship is quadratic: doubling a source’s influence quadruples its per-query privacy cost.

This mechanism exhibits all three ABC regimes simultaneously across different sources within the same ensemble:

• Privacy regime (\(\gamma_{\max}[s]\) small, \(B(s)\) tight): Source \(s\) has minimal influence per query and may exhaust its budget, collapsing to \(\gamma_{\min}[s]\). This provides strong privacy guarantees.
• Measurement regime (\(\gamma_{\max}[s]\) moderate, \(B(s)\) moderate): Source \(s\) contributes meaningfully but with tracked spend. The system can report exactly how much influence source \(s\) had on each prediction.
• Attribution regime (\(\gamma_{\max}[s]\) large, \(B(s)\) generous): Source \(s\) dominates the ensemble while its influence remains bounded and auditable.

Experimental Results

Per-Source Privacy–Accuracy Tradeoff. All privacy costs below are reported per source: the \(\epsilon\) that each data owner pays for participating in the ensemble, not a system-wide total. This is the metric that matters for a data owner deciding whether to contribute.

A sweep across four ensemble sizes (top-2 through top-5 models by individual accuracy), calibration lengths \(T \in \{10, 25, 50, 75, 100, 200\}\), noise scales \(\sigma \in \{1, 2, 5, 10, 20\}\), and confidence thresholds \(\mathcal{T} \in \{0.0, 0.15, 0.30, 0.50\}\) produces 480 configurations.

Three findings emerge. First, even the smallest ensemble (top-2) matches the non-private Hedge exactly (51.07%) at just \(\epsilon_{\max} = 4.3\) per source. Second, the per-source cost varies with weight: Gemini 3.1 Pro (the highest-weighted model) consistently pays the most, while lower-ranked models join at 15–30% lower cost. Third, a data owner can choose its operating point on the Pareto frontier: the top-3 ensemble beats the best individual model at \(\epsilon_{\max} = 3.4\) per source (+4.3pp accuracy gain), or matches the Hedge at \(\epsilon_{\max} = 8.4\).

Coverage Tradeoff. The Confident-GNMax threshold \(\mathcal{T}\) controls a coverage–privacy tradeoff: by refusing to answer queries where the ensemble lacks consensus, the mechanism reduces privacy spend while improving accuracy on answered queries.

Per-Source Cost Structure. The pattern is consistent: privacy cost tracks influence. The highest-weighted model (Gemini 3.1 Pro) always pays the most, while each additional lower-ranked model joins at progressively lower cost. This is the mechanism working as designed: a source that contributes more influence expends more of its privacy budget, and a source seeking minimal privacy exposure can participate with a low weight and pay commensurately less.

This cost structure has a natural economic interpretation. The per-source \(\epsilon\) is effectively the price a data owner pays for a given level of influence over predictions. A data owner deciding whether to contribute its model to an ensemble can choose where on this tradeoff to sit: higher weight buys more influence (and thus more credit, compensation, or attribution) at the cost of more privacy exposure, while lower weight preserves privacy at the cost of reduced influence.

Individual Budget Demonstration. To demonstrate the intelligence budget mechanism, heterogeneous budgets are assigned reflecting diverse stakeholder preferences:

With \(T = 100\) calibration questions and \(\sigma = 1.0\), the individual DP mechanism produces the following dynamics:

1. Calibration (Q1–Q100): FTPL learns optimal weights within each model’s \([\gamma_{\min}, \gamma_{\max}]\) band. Gemini 3.1 Pro quickly rises to its ceiling (\(\gamma \approx 0.63\) after normalization), reflecting its superior accuracy. Lower-performing models settle near their floors.
2. Budget exhaustion (Q100–Q300): Models with tight budgets progressively exhaust their spend. Kimi K2.5 exhausts at Q149 (spent 5.0/5.0), collapsing to \(\gamma_{\min} = 0.02\). Gemini 3.1 Pro, despite having the largest budget, exhausts at Q186 because its high weight (\(\gamma \approx 0.63\)) costs \(0.79\epsilon\) per query.
3. Graceful degradation: As each model collapses to \(\gamma_{\min}\), remaining active models’ weights increase through renormalization. Rather than failing catastrophically, the ensemble smoothly transitions from optimal weighting toward more uniform weighting as budgets deplete.

The ensemble achieves 49.12% accuracy under these individual constraints, only 1.17 percentage points below the unconstrained Hedge, while providing per-source influence guarantees that no source exceeds its allocated budget.

Discussion

The constraints bind, and the architecture holds. Combining independently trained AI assets under formal per-source influence control produces an ensemble that exceeds the accuracy of every individual contributor, at a per-source privacy cost that is moderate and transparent.

Dual-purpose noise. FTPL’s Gumbel perturbation simultaneously provides regret-minimizing exploration (Kalai and Vempala, 2005) and \(\epsilon\)-differential privacy (McSherry and Talwar, 2007), avoiding the typical cost of adding privacy to online learning algorithms. This duality reflects a deeper alignment between the information-theoretic requirements of exploration and privacy: both require that the mechanism’s output cannot be too sensitive to any single data point.

Data-dependent accounting. The GNMax RDP bound ensures that high-consensus queries (which predominate when the ensemble is well-calibrated) cost exponentially less than worst-case bounds predict. In these experiments, the majority of deployment queries have near-zero RDP cost because the ensemble’s margin \(\Delta(q)\) is large relative to \(\sigma\).

Influence bands. The \([\gamma_{\min}, \gamma_{\max}]\) mechanism provides simultaneous upper and lower bounds on each source’s influence, implementing ABC’s core requirement of per-source control. The lower bound \(\gamma_{\min}\) guarantees attribution; the upper bound \(\gamma_{\max}\) constrains privacy exposure; and the budget \(B(s)\) limits total cumulative influence over time.

Scaling considerations. The prototype is limited by its small ensemble size (\(|\mathcal{S}| = 5\)). In the PATE literature (Papernot et al., 2018), per-source costs decrease further as the number of teachers grows, because margins \(\Delta(q)\) increase with more agreeing voters while the sensitivity per teacher decreases. With hundreds of model slices, per-query costs would decrease by orders of magnitude, enabling per-source budgets of \(\epsilon < 1\) while answering thousands of queries.

Connection to the deep voting thesis. Each of the five models in this prototype was trained independently on its own data, using its own compute infrastructure. Ensembling them is, in effect, combining their data and compute. The private ensemble achieves 50.1–51.3% accuracy on HLE’s multiple-choice subset, surpassing all five constituent models. At the per-source level, this accuracy gain costs the worst-case data owner \(\epsilon = 4.3\) (top-2 ensemble) to \(\epsilon = 14.5\) (top-5 ensemble).

These five models were trained on substantially overlapping subsets of publicly available internet data, and they represent a vanishingly small fraction of the 6+ orders of magnitude of siloed data and underutilized compute documented in Section 2.2. The fact that ensembling even five models with overlapping training data already yields a +5.9 percentage point accuracy gain over the best individual model, while respecting per-source privacy bounds, suggests that the returns from accessing genuinely diverse, non-overlapping data through these budgeting mechanisms would be substantially greater.

From differential privacy to intelligence budgets. The per-source \(\epsilon\) values reported throughout this section are not merely privacy parameters. They are the differential attribution costs, measured on the actual dataset: each source’s \(\epsilon_s\) quantifies how much the ensemble’s output distribution changes when that source is included versus excluded. This is the intelligence budget framework made concrete. A data owner considering whether to contribute a model to a deep voting ensemble can inspect these bounds in advance, calibrate the influence they are willing to spend, and verify after the fact that the mechanism honored the contract.

Deep Voting: A Path to 6+ Orders of Magnitude

Deep voting addresses the addition problem that blocks access to 6+ orders of magnitude of data and compute. By preserving source attribution through concatenated representations while enabling cross-source learning through shared components, deep voting architectures demonstrate that the baseline tradeoffs between attribution, efficiency, and performance reflect architectural choices rather than fundamental constraints. Empirically, RETRO and ATLAS achieve 25–50x parameter efficiency while maintaining performance. PATE reduces privacy-performance gaps from 10–20% to 0.7%. Git Re-Basin enables merging of independently trained models. Federated RAG improves both attribution and accuracy simultaneously. These systems operate at scale today, processing real workloads with working implementations.

The implications for data access are direct. Current LLM training sets use approximately 180TB of text data. Global digital data reaches 180 zettabytes (6–9 orders of magnitude larger). Vast institutional repositories remain inaccessible primarily due to attribution and control concerns (Youssef et al., 2023). Deep voting’s source-partitioned architecture provides the attribution mechanism these institutions require, establishing a viable technical path to unlock this siloed data. Similarly, the implications for compute efficiency are substantial. The 6+ orders of magnitude of training inefficiency documented in Section 2.2.1 stems from retraining overhead, dense forward propagation, parameter redundancy, and catastrophic forgetting. Deep voting’s deferred synthesis architecture addresses each source: partitioned training enables selective retraining, inference-time synthesis enables sparse activation, source separation reduces redundancy, and explicit organization prevents catastrophic forgetting.

Deep voting addresses the addition problem. Source-partitioned representations preserve attribution. Deferred synthesis enables efficiency. Shared components enable performance. The architecture has been demonstrated at scale across multiple systems and domains.

The empirical prototype in the preceding section offers a concrete illustration of these dynamics. Five frontier language models, each trained independently by a different organization on its own data and compute, were ensembled under a mechanism that enforces per-source influence bounds through individual differential privacy budgets. The resulting ensemble exceeded the accuracy of every constituent model on the HLE benchmark by up to 6.9 percentage points, with per-source privacy costs of \(\epsilon = 3\)–\(15\) depending on influence level. The overhead imposed by influence management was measurably smaller than the accuracy gained from aggregation.

The prototype operates at the very bottom of the scaling curve. These five models were trained on overlapping subsets of publicly available data, collectively representing a tiny fraction of the resources documented in Section 2.2: the 6+ orders of magnitude of siloed training data (180 zettabytes vs. the ~180 TB consumed by current frontier models) and the orders-of-magnitude compute inefficiency from retraining, dense propagation, and catastrophic forgetting. If formal influence control over five sources with largely overlapping data already yields a considerable accuracy gain (+5.9pp even under per-source privacy constraints), the potential gains from hundreds or thousands of genuinely diverse sources (medical records, proprietary research, institutional archives, specialized sensor data), drawing on these 6+ orders of magnitude of untapped resources, would be far greater.

The per-source cost structure also has a direct economic implication. Because each source’s privacy cost is proportional to its influence weight, the intelligence budget mechanism creates a natural market in which data owners can calibrate across many ensembles how much influence they wish to contribute, treating their privacy budget as a resource to be allocated strategically. The fact that each source can see exactly what participation costs is precisely the kind of guarantee that would enable the institutional data holders documented in Section 2.2 to participate where they currently cannot.

However, solving the addition problem reveals a deeper challenge: the copy problem. Even if one achieved perfect attribution through deep voting, data sources cannot enforce how their contributions are used because whoever possesses a copy of the model retains unilateral control. Chapter 3 addresses this challenge, introducing techniques that enable attribution-based control rather than mere attribution-based suggestions.