TL;DR
- What is Corroborative Attribution? It is the process of finding evidence in a corpus that directly supports or entails a specific model behavior. Unlike contributive attribution, it does not estimate causal impact but instead asks: "Is there data that could plausibly explain this output?"
- Why Does It Matter? Corroboration is a practical, scalable tool for auditing models. It helps us detect benchmark contamination, identify sources of toxicity or private information, and understand data provenance, especially when internal model access or full training logs are unavailable.
- How to Do It At Scale: The What's In My Big Data? (WIMBD) project provides a concrete blueprint. By leveraging massive-scale "count and search" operations across over 35 terabytes of text, the authors uncovered high rates of duplication, PII, toxicity, and benchmark contamination in major pre-training corpora like RedPajama and C4.
- The Deeper Motivation: As argued in You Are What You Eat, a model's internal structure and its resulting behaviors are fundamentally shaped by its training data. Corroborative audits are a necessary first step toward understanding this data-to-behavior pipeline, forming a foundation for safer and more aligned AI systems
What is “Corroborative Attribution”?
Training Data Attribution (TDA) is a broad term for methods that connect a model's behavior back to its training data. Within this field, a critical distinction exists between two primary goals: corroboration and contribution.
Corroborative attribution aims to find evidence. Given a specific model behavior-such as generating a piece of text, making a factual claim, or exhibiting a toxic stereotype-the goal is to search a candidate corpus and identify examples that directly support, contain, or entail that behavior. The central question is one of provenance and support: “Can I find a document in this dataset that substantiates what the model is saying?”
This stands in contrast to contributive attribution (Training Data Attribution: Contributive Methods). Contributive methods, like influence functions or TracIn, seek to estimate the causal impact of a training example on a model's parameters or a specific prediction. Their question is counterfactual: “How much would this prediction have changed if the model had not been trained on this specific example?”
While contributive methods offer deep insights into model learning, they are often computationally expensive and require significant access to the model's internals (e.g., gradients, checkpoints), which is frequently infeasible for practitioners working with proprietary, third-party models.
Corroborative attribution, on the other hand, is a powerful and practical first-line-of-defense auditing tool. It enables:
- Data Provenance: Tracing model outputs to their likely sources for copyright, licensing, or fact-checking purposes.
- Leakage & Contamination Audits: Systematically checking if evaluation benchmarks or sensitive test sets are present in the training data, which would invalidate reported performance metrics.
- Safety Reviews: Identifying the sources of undesirable behaviors like toxicity, bias, or the memorization of personally identifiable information (PII).
- Policy & Deployment Decisions: Providing concrete evidence to inform decisions about model deployment, even when the model itself is a black box.
Background & Formalization
We can formalize the goal of corroborative attribution as follows. Let denote an observed model behavior, such as a generated sentence, a classification decision, or a factual claim. Let be a candidate corpus, which could be a known pre-training dataset (like The Pile) or a suspected source of information (like a crawl of a specific website).
A corroborative method, or a corroborator, is a process that returns a support set . For each example , we say that supports the behavior $B$, which we denote as
. This support relationship is established by an evidence relation and a threshold . Formally:
The evidence relation is the heart of the method and can take several forms, each with its own strengths and limitations:
- Exact Match (): This is the simplest relation, checking if the string representing behavior appears verbatim in document . It is precise but brittle; it fails to capture even minor variations like changes in punctuation or capitalization.
- Near-Duplicate Match (): This relation uses fuzzy matching techniques (e.g., n-gram overlap, MinHash) to identify documents that are nearly identical to . It is more robust than exact matching but can still miss paraphrases.
- Similarity Search (): Here, we map both the behavior and documents into a high-dimensional embedding space (e.g., using a sentence-transformer). The relation is typically cosine similarity, . This method is powerful for finding semantically related content but is sensitive to the choice of embedding model and the similarity threshold . A low threshold can lead to many false positives (spurious connections).
- Entailment Check (): This is a more sophisticated logical check. Using a Natural Language Inference (NLI) model, we determine if a candidate document textually entails the behavior . For instance, if is "Paris is the capital of France," a document stating "The French government is based in Paris" would entail it. This helps filter out spurious semantic matches but depends heavily on the quality of the NLI model.
Caveat: Corroboration is not proof of training. Finding a document in corpus that supports behavior demonstrates that the corpus contains information that could plausibly have led to that behavior. It does not definitively prove that the model used that specific document to produce the output. The same information could be present in many other documents or even in a different, unknown training corpus.
Paper 1 - What's In My Big Data? as a Corroborative Audit
The ICLR 2024 paper What's In My Big Data? (WIMBD) by Elazar et al. serves as a landmark example of a large-scale, systematic corroborative audit. Instead of focusing on a single model's behavior, the authors developed a platform to analyze the properties of the data itself, creating a foundation for countless future corroborative investigations.
Method: "Count + Search at Scale"
The core innovation of WIMBD is its ability to perform two fundamental operations-counting and searching-efficiently across massive text corpora. The authors analyzed ten major datasets, including C4, The Pile, RedPajama, and LAION-2B-en, totaling over 35 terabytes of text. By building specialized indices and using optimized search tools, they could execute complex queries on a standard compute node, making large-scale data audits accessible without requiring a supercomputer.
Key Findings as Corroborative Evidence
WIMBD's analyses directly enable corroborative workflows by characterizing the evidence available in these corpora. Their findings were striking:
- High Duplication: The study revealed massive levels of duplication. For example, they found that approximately 50% of the documents in both RedPajama and the English portion of LAION-2B are duplicates. This is a critical finding for attribution; a behavior corroborated by a document present thousands of times is more likely to be memorized or heavily weighted by a model.
- Benchmark Contamination: The authors systematically searched for test and evaluation data within the pre-training corpora. They found significant contamination for key benchmarks, including the Winograd Schema Challenge (WSC), and parts of the GLUE and SuperGLUE suites. This discovery corroborates the hypothesis that high performance on these benchmarks may be due to memorization rather than true generalization.
- PII and Toxicity Prevalence: The platform was used to search for patterns matching personally identifiable information (email addresses, phone numbers) and to score documents for toxicity. The widespread presence of this content provides the necessary substrate for corroborating model behaviors that leak PII or generate toxic language.
WIMBD is a quintessential example of corroborative auditing because it links potential model behaviors (high benchmark scores, PII leakage) directly to evidence at the corpus level. It does not measure the influence of any single document but rather characterizes the sea of data from which these behaviors could plausibly emerge.
Intuition: The analyses in WIMBD effectively transform the opaque concept of "pre-training data" into a searchable, queryable substrate. This move from an unknown blob of text to an indexed and analyzed corpus is the foundational step that makes corroborative attribution possible. It allows a researcher to move from "the model said something weird" to "the model said something weird, and here are 10,000 documents in its likely training data that say the same thing."
Paper 2 - Why Corroboration Matters (You Are What You Eat)
The position paper You Are What You Eat argues that a deep understanding of the relationship between training data, a model's internal structure, and its downstream generalization is necessary for AI alignment. It posits that merely evaluating a model's behavior on test sets is insufficient to guarantee safety, as different internal structures can produce identical outputs on a given dataset but generalize in dangerously different ways.
The central thesis is that data shapes structure, and structure determines behavior. This provides a powerful motivation for investing in robust corroborative audits. If we want to build safe, aligned AI, we cannot treat the training data as an afterthought. We must understand its contents, its flaws, and its latent structures, as these will inevitably be reflected in the models we train.
Corroborative attribution is the most direct method we have for drawing this line from data to behavior. When we corroborate a model's toxic output by finding toxic source documents, or corroborate a factual error by finding source documents containing the same misinformation, we are empirically verifying the "You Are What You Eat" principle.
Opinion: For practitioners working on the front lines of AI safety and deployment, especially with limited access to model internals, corroboration is often the only tractable audit lever available. While mechanistic interpretability and contributive attribution are vital research directions, the ability to quickly search a corpus for evidence supporting a harmful behavior is a practical, scalable, and indispensable tool for risk assessment today.
Method Families & Practical Protocols (Corroborative)
A practical corroborative audit follows a structured protocol, moving from a behavior of interest to a final report. This protocol typically combines several families of methods.
Method Families
- Exact & Near-Duplicate Matching: This is the go-to method for investigating suspected memorization, copyright infringement, or benchmark contamination. Using lexical tools (string matching) and fuzzy hashing (MinHash), one can quickly find documents that are verbatim or near-verbatim copies of the target behavior . WIMBD's contamination checks for benchmarks like GLUE relied heavily on this approach.
- Embedding & k-NN Retrieval: For finding semantic support, not just lexical copies, embedding-based retrieval is key. The process involves encoding the behavior $B$ into a vector and using an approximate nearest neighbor (k-NN) search index (like Faiss or ScaNN) to retrieve the top-k most similar documents from the corpus embeddings. The relevance of the results is then determined by applying a similarity threshold, .
- Textual Entailment Checks: Semantic similarity can be misleading. A document might be about the same topic as but contradict it. An entailment model can act as a crucial filter. After retrieving a set of candidates via embedding search, you can run an NLI model to check if a candidate document actually entails, contradicts, or is neutral with respect to the claim in .
- Corpus Health Metrics: Before investigating any specific behavior, it is useful to have global statistics about the corpus. The work of WIMBD exemplifies this: knowing the overall duplication rate, toxicity levels, and prevalence of PII helps prioritize which behaviors to investigate and provides context for the findings.
A Practical Protocol
A typical corroborative audit workflow can be structured as follows:
- Define Behavior $B$: Start with a clear, specific behavior to investigate. This could be a verbatim quote from a model, a factual claim it made, or a pattern of biased completions.
- Query Construction: Transform $B$ into one or more queries. For lexical search, this might be the string itself. For semantic search, it's the embedding of the string. For broader audits, it could be a regular expression (for PII) or a list of keywords.
- Tiered Search: Begin with the cheapest, most precise methods first. Run exact and near-duplicate searches. If no strong evidence is found, proceed to broader semantic search (embedding/k-NN retrieval).
- Filtering & Refinement: The output of a semantic search can be noisy. Filter the initial candidate set using a relevance threshold . For high-stakes audits, add a textual entailment () check to ensure the retrieved documents logically support the behavior.
- Human-in-the-Loop Review: Automated metrics are not enough. A human expert should review the final, filtered set of supporting documents to assess their quality and relevance, and to identify subtle issues that automated tools might miss.
- Reporting: The final report should be transparent. Disclose the corpora searched, the search methods used (, etc.), the thresholds () applied, and the final support set . Crucially, include caveats about the limitations of the audit.
Caveat: The efficacy of any corroborative audit is limited by the accessibility of the training corpus. When auditing a model trained on a closed-source, proprietary dataset, one must rely on open-source proxies (e.g., using RedPajama as a proxy for the Llama training set). In such cases, the report must clearly state this limitation and frame the findings as plausible evidence rather than definitive proof.
Evaluation & Reporting
A rigorous corroborative audit is not just about finding examples; it's about evaluating the process itself. If a ground-truth dataset exists (e.g., a set of known memorized sequences and their sources), the performance of a corroborator can be measured with standard metrics:
- Precision: What fraction of the retrieved support examples () are truly relevant?
- Recall: What fraction of all possible relevant examples in the corpus did the method successfully retrieve?
In practice, practitioners should perform ablations over the similarity threshold to understand the trade-off between precision and recall. Reporting should be standardized and reproducible, including:
- The exact corpora searched, with versioning information.
- The query templates or construction methods used.
- The software and models used for embedding, search, and entailment.
- For audits involving human review, inter-annotator agreement scores should be reported to quantify the subjectivity of the task.
Tools like dataset cards and datasheets should be used not just for the training data itself, but for the outputs of corroborative audits, providing a transparent record of what was searched for and what was found.
My View
Opinion: Every high-stakes audit of a powerful language model should begin with a corroborative analysis. It is the most direct, scalable, and empirically grounded way to assess data-related risks. Only when this foundation is established, and when access permits, should teams move to more complex and computationally intensive contributive methods. Corroboration provides the "what" and "where"; contribution can then explore the "how much."
Intuition: The core argument of You Are What You Eat-that data shapes structure which in turn shapes behavior-is deeply compelling. If this causal chain holds, then examining the source data is not just one of many options; it is an indispensable first step. Ignoring the properties of the training data is akin to a doctor diagnosing a patient without asking about their diet.
Caveat: Corroborative methods have blind spots. They are biased towards finding evidence that is lexically or semantically close to the target behavior. They can over-credit popular sources that are highly duplicated and may fail to identify support from a collection of diverse, long-tail documents that, in aggregate, teach the model a concept through paraphrase and analogy. An audit report must always be transparent about the types of evidence it is designed to find and the types it is likely to miss.
Limits & Open Questions
Despite its practical utility, corroborative attribution faces several significant challenges and open research questions:
- Coverage vs. Privacy: How can we conduct thorough audits when training corpora are increasingly proprietary and closed-source? Can we develop methods for privacy-preserving corroboration that allow model developers to answer queries about their data without revealing it?
- Bridging to Contribution: Finding a supporting document is the first step. The next is understanding its impact. Future research should focus on integrating corroborative search (to find candidates) with lightweight contributive estimation (to rank candidates by influence).
- Watermarking and Fingerprinting: Could we proactively embed invisible signals (watermarks) or unique phrases (fingerprints) into training corpora? This would transform corroboration from a search problem into a simple detection problem, making attribution far more reliable.
- The Cost of Scale: While WIMBD demonstrated feasibility on a single node, analyzing future trillion-token datasets will require continued innovation in efficient indexing and search algorithms.
Ultimately, corroborative methods are a vital part of the toolkit for ensuring AI systems are safe, transparent, and accountable. They ground our understanding of model behavior in the concrete reality of the data they consume, reminding us that, in the world of AI, you are what you eat.
References
- Pepin Lehalleur, S., Hoogland, J., Farrugia-Roberts, M., Wei, S., Gietelink Oldenziel, A., Wang, G., Carroll, L., & Murfet, D. (2025). You Are What You Eat -- AI Alignment Requires Understanding How Data Shapes Structure and Generalisation. arXiv preprint arXiv:2502.05475.
- Elazar, Y., Bhagia, A., Magnusson, I., Ravichander, A., Schwenk, D., Suhr, A., Walsh, P., Groeneveld, D., Soldaini, L., Singh, S., Hajishirzi, H., Smith, N., & Dodge, J. (2024). What's In My Big Data? Proceedings of the International Conference on Learning Representations (ICLR).
- Geva, M., Schuster, T., Berant, J., & Globerson, A. (2023). Connecting Pre-training and Fine-tuning with Attribution for T5. OpenReview.
- Cohen-Wang, C., Chuang, I. L., & Zhang, C. (2023). Unifying Corroborative and Contributive Attributions in Large Language Models. OpenReview.