Papers
Topics
Authors
Recent
Search
2000 character limit reached

Same Weights, Different Robot: A Deployment Safety View of VLA Policies

Published 2 Jun 2026 in cs.CR | (2606.03724v1)

Abstract: Vision-language-action (VLA) policies are often treated as checkpoint-defined objects: if the weights, prompt, and benchmark suite match, the deployment is assumed to be the same policy. Robot execution breaks this assumption because the same normalized model output can become a different physical action after action unnormalization and controller conventions are applied. This creates a deployment-safety gap: safety review can certify the checkpoint while missing the executable robot policy that reaches the controller. We formalize this gap as an executable policy specification problem: a VLA policy includes the learned model, action representation, metadata-selected unnormalizer, and controller-facing conventions. Under this view, identical checkpoints can be executable-inequivalent. For quantile-style action normalization, we derive a closed-form metadata mismatch transform and an ExecSpec certificate that measures action-space semantic drift without model inference or rollout. On LIBERO-Goal replay, substituting a plausible sibling metadata key yields mean drift 0.199 over six non-gripper action dimensions and reduces success from 28/28 to 2/28 under full substitution. On LIBERO-Spatial replay, the same substituted key reduces success from 26/26 to 0/26. The same full-substitution protocol gives 0/28 success for all four Object substitutions and 0/23 or 1/23 success on Long. Identity-key, replay-validity, no-op filtering, raw-vs-correct replay, mask/gripper, synthetic upper-bound, and OpenVLA-style unnormalizer interface checks rule out several simpler explanations. These results do not certify closed-loop or hardware safety. They support a narrower deployment-safety view: action-space metadata is part of the executable policy and should be checked before rollout.

Authors (1)

Summary

  • The paper introduces the notion of executable policy equivalence by formalizing a tuple that includes post-network metadata essential to physical control.
  • The paper provides a closed-form ExecSpec certificate to statically detect metadata mismatches that cause significant action drift and task failure.
  • The paper empirically validates its framework using the LIBERO suite, showing that even slight unnormalizer mismatches lead to drastic performance drops.

Deployment-Safety Specification for VLA Policies: Formalizing Executable Policy Identity

Motivation and Problem Formulation

The deployment of vision-language-action (VLA) policies in robotic systems is typically conducted with a checkpoint-centric paradigm: model weights, prompt templates, and benchmark configuration are considered definitive of policy identity. This paradigm, however, is insufficient for robotic deployments, where the physical realization of an action is mediated by a sequence of post-network operations such as action unnormalization, decoding, gripper conventions, and controller-specific mappings. The paper explicitly demonstrates that relying solely on the checkpoint and prompt omits critical deployment-time artifacts that determine the true physical control law executed by the robot.

The crux is the action normalization and unnormalization interface, where models emit normalized action representations but the eventual controller acts in the unnormalized, physical action space. Metadata—typically treated as non-essential configuration—selects the quantile statistics for converting normalized actions to physical actions. The salient claim in the paper is that policy identity must include selection of the unnormalization metadata and all controller-facing conventions: policy weights are insufficient for defining deployment behavior. This is formalized through the notion of "executable policy equivalence": two policies are only equivalent if, for all interaction histories, they induce identical distributions over physical actions at the controller interface.

Formalization: Executable Policy Specification

An executable VLA policy is defined as a tuple

(fθ,I,Z,Uk,C)(f_\theta,\mathcal I,\mathcal Z,\mathcal U_k,\mathcal C)

where fθf_\theta is the learned model, I\mathcal I the observation encoder, Z\mathcal Z the normalized action representation, Uk\mathcal U_k the action unnormalizer (parameterized by metadata key kk), and C\mathcal C the set of deployment-time controller conventions. The physical action actually executed by the robot is

at=C(Uk(zt))a_t = \mathcal C(\mathcal U_k(z_t))

where ztz_t is the normalized action emitted by the model. Executable equivalence between two deployments only holds if all downstream processing and conventions produce identical physical trajectories given identical normalized action sequences.

The paper underscores that checkpoint equality (same fθf_\theta, fθf_\theta0, fθf_\theta1, and fθf_\theta2) is a necessary but far-from-sufficient condition for executable equivalence; unnormalizer selection is a load-bearing part of the policy. Substitution of plausible sibling metadata keys—e.g., from a similar task or suite—can yield deterministic per-dimension affine transformations in action space, yielding non-equivalence before the system even interacts with the environment.

Closed-Form Certification of Metadata Mismatch

For quantile-style action normalization, the unnormalizer fθf_\theta3 maps normalized action fθf_\theta4 to physical action via per-dimension quantile interpolation: fθf_\theta5 where fθf_\theta6 and fθf_\theta7 are per-dimension quantiles, and the metadata key determines which quantile set is used. The metadata mismatch transform is then a closed-form affine shift,

fθf_\theta8

which precisely characterizes the semantic drift induced by deploying the same model weights with incorrect or mismatched metadata.

The ExecSpec certificate is constructed as the mean and tail (above-threshold) drift statistics computed over a calibration set of normalized actions. This certificate is evaluated statically—no need for model inference or interaction—yielding pre-rollout detection of executable non-equivalence.

Empirical Validation and Deployment Consequences

The paper provides exhaustive empirical evidence using the LIBERO suite, including Goal, Spatial, Object, and Long, under plausible sibling metadata substitutions. The protocol fixes normalized trajectories and recorded initial states, then decodes and replays them under alternate unnormalizer metadata:

  • On LIBERO-Goal, substituting goal-B with long-v2 yields mean action drift of 0.199 (over six non-gripper dimensions), with 43.5% of calibration frames exceeding 0.2 in L2 drift. This substitution reduces replayed demonstration success from 28/28 to 2/28.
  • On LIBERO-Spatial, substituting spatial-v2 with long-v2 yields mean drift of 0.172 and reduces success from 26/26 to 0/26.
  • On LIBERO-Object and LIBERO-Long, multiple plausible key substitutions drive replay success to 0/28 and 0/23, respectively.

The paper systematically rules out alternative explanations (gripper convention, mask mismatch, no-op filtering, raw-vs-decoded replay artifacts, etc.) for the observed failures, verifying that failure aligns with nonzero non-gripper action drift induced only by metadata mismatch.

The dose-response protocol demonstrates monotonic decline in task success as the unnormalizer statistics are interpolated between the intended and substituted keys, reinforcing the causal relationship between metadata-induced drift and task failure.

Crucially, the certificate is not a task-success predictor but an interface-level equivalence check. Large certified drift indicates non-equivalence; small certificate values do not guarantee safe or successful deployment, as physical and dynamical margins vary by task and robot system.

Broader Implications and Future Directions

The executable-policy formalism and the static ExecSpec certificate challenge the prevailing paradigm in robotics ML, where checkpoints are treated as atomic units of reproducibility and safety. If action unnormalization statistics are not versioned, checked, and included in deployment manifests, then "reproduction" by checkpoint is not well-founded scientifically or operationally.

This work motivates a manifest discipline: at minimum, deployable policy artifacts must version and hash unnormalization keys, normalization masks, action conventions (absolute/relative, gripper semantics), control frequency, action/chunking protocols, and all controller-facing interfaces. Executable policy identity cannot be dissociated from these deployment-time parameters.

Practically, pre-rollout interface checks such as ExecSpec are necessary for audit and safety. Such checks are asymmetric: a failed certificate is strong evidence of deployment non-equivalence (and should block rollout), but a passed certificate only conditionally clears one axis of equivalence.

Theoretically, the approach points to the need for a richer taxonomy of deployment semantics in embodied policy learning. Beyond unnormalization, other controller conventions (frame alignment, image pre-processing, action token decoding, etc.) must be elevated to first-class, auditable status. Future work should formalize static certificates for more interface components, calibrate certificate magnitudes to system-specific task margins, and extend evaluation to closed-loop and real-hardware deployments.

Conclusion

This paper advances the understanding of policy deployment for VLA models by formalizing executable policy identity and demonstrating that checkpoint equality is insufficient for physical policy equivalence. The closed-form certificate for quantile-style action normalization reveals that plausible metadata mismatches undetectable by checkpoint audits can yield complete task failure. This necessitates migration from checkpoint-centric to manifest-centric deployment in robot learning, with auditable, versioned specification of all controller-facing semantic fields. This shift is essential for reproducibility, safety, and meaningful policy comparison in embodied AI systems (2606.03724).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.