As artificial intelligence becomes integrated into everyday life, UF researchers are working to ensure the technology learns safely. A new paper from the University of Florida and Visa Research presents a training method designed to prevent AI models from memorizing sensitive information – a growing privacy risk in modern machine learning systems.
The work, entitled “Deep Learning with Plausible Deniability”, was presented in early December at NeurIPS 2025, one of the most prestigious AI conferences in the world. The paper is led by UF Ph.D. student Wenxuan Bao and UF associate professor Vincent Bindschaedler, Ph.D., in collaboration with Visa Research.
“We don’t want to design systems that might be the smartest, without taking into account how they handle sensitive data,” said Bindschaedler, who is based in the UF Department of Computer, Information Sciences and Engineering. His work focuses on creating what he calls “trustworthy machine learning,” an area that includes privacy, security, and interpretability.
Why AI memorization is important
During training, AI models repeatedly analyze their data sets to improve performance. But sometimes they focus on specific details, like a phone number, medical records, or even a person’s name, instead of general patterns.
“It basically remembers very specific detailed information from its training corpus,” Bindschaedler said. “We actually have techniques to probe the AI to try to recover it.”
Since many models are publicly available, memorized data can potentially be extracted.
“If a widely used system allowed a person’s medical record to be stored and someone knew that that was the case, they could essentially pull it out,” Bindschaedler said. “That would be pretty catastrophic.”
A simple privacy test with big impact
The team’s new technique adds a quick “privacy check” during training. If an update could reveal information about an individual data point, the model simply wouldn’t use it.
“It’s a very simple natural thing,” Bindschaedler said. “We train the AI in the normal way, but we just have this kind of extra control that says, ‘Hey, could this potentially leak information?’ And if that’s the case, then you’re not updating.”
This check is based on the idea of plausible deniability: the model must never perform an update that can be linked to a single record. Each update must instead be explainable by several different subsets of the data; otherwise, it is rejected.
“It’s just going to start again,” he said. “He just throws it away and then moves on to the next batch.”
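The rejection rule described above, sketched as an added example; it is not the paper's algorithm or the authors' code. It assumes a toy scalar model, Gaussian noise on each update, and a likelihood-ratio test with hypothetical parameters `gamma`, `n_alt` and `k` over alternative batches disjoint from the one actually used.

```python
import math
import random

def batch_grad(w, batch):
    # Gradient of the loss 0.5*(w - x)^2 averaged over the batch (toy scalar model).
    return sum(w - x for x in batch) / len(batch)

def is_deniable(w, data, seed_idx, update, sigma, rng, n_alt=20, k=10, gamma=4.0):
    """True if at least k of n_alt batches disjoint from the seed batch could have
    produced `update` with Gaussian likelihood within a factor gamma of the seed's."""
    seed_set = set(seed_idx)
    pool = [i for i in range(len(data)) if i not in seed_set]
    g_seed = batch_grad(w, [data[i] for i in seed_idx])
    plausible = 0
    for _ in range(n_alt):
        alt = [data[i] for i in rng.sample(pool, len(seed_idx))]
        g_alt = batch_grad(w, alt)
        # log N(update; g_alt, sigma^2) - log N(update; g_seed, sigma^2)
        log_ratio = ((update - g_seed) ** 2 - (update - g_alt) ** 2) / (2 * sigma ** 2)
        if abs(log_ratio) <= math.log(gamma):
            plausible += 1
    return plausible >= k

def train(data, batch_size=8, lr=0.1, sigma=0.5, seed=0):
    rng = random.Random(seed)
    w, accepted, rejected = 0.0, 0, []
    for start in range(0, len(data), batch_size):
        idx = list(range(start, min(start + batch_size, len(data))))
        update = batch_grad(w, [data[i] for i in idx]) + rng.gauss(0.0, sigma)
        if is_deniable(w, data, idx, update, sigma, rng):
            w -= lr * update
            accepted += 1
        else:
            rejected.append(start)  # discard the update and move on to the next batch
    return w, accepted, rejected

# Constructed data: 199 similar records plus one outlier standing in for a unique sensitive value.
DATA = [0.95 + 0.01 * (i % 11) for i in range(200)]
DATA[100] = 50.0

if __name__ == "__main__":
    print(train(DATA))
```

Only the batch containing the outlier is discarded: no other subset of the data can explain the update it produces, so applying it would tie the model to that one record.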
Increasing the visibility of UF in AI research
For Bindschaedler, the paper’s acceptance at NeurIPS signals both scientific impact and the growing presence of UF in the AI landscape.
“NeurIPS is truly the flagship place for academic AI research…where work like this will get the most visibility and the most impact,” he said.
He added that publishing in top venues is part of advancing UF’s strategic focus on AI.
“Given UF’s goal of advancing AI … it makes sense to emphasize these types of most visible flagship locations,” he said.
The team is currently exploring how the method can be extended to new applications and strengthened theoretically.
“This work introduced a new technique – there’s a lot we don’t know about it,” Bindschaedler said. “We think there are some interesting applications…that could be of practical use.”
