Papers
Topics
Authors
Recent
Search
2000 character limit reached

Auditing Training Data in Domain-adapted LLMs: LoRA-MINT

Published 5 Jun 2026 in cs.CL and cs.AI | (2606.06946v1)

Abstract: We present LoRA-MINT, a new methodology for Membership Inference Test (MINT) applied to recent LLMs fine-tuned for specific NLP tasks through Low-Rank Adaptation (LoRA). The primary goal is to assess whether individual samples were part of the training data of these adapted models, providing a useful auditing tool for the management of intellectual property and sensitive data. Our analysis explores the relationship between model perplexity and membership status, providing a systematic framework for estimating data exposure in fine-tuned LLMs. We conducted experiments on four models and three benchmark datasets, obtaining precision values in determining if given data were used for training ranging from 0.77 to 0.92, which outperform state-of-the-art baselines and demonstrate the robustness and generality of the proposed method. In general, our findings underscore the potential of LoRA-MINT as an effective and scalable framework for auditing LLMs, improving transparency, and fostering the ethical and responsible deployment of AI and NLP technologies. For the sake of concreteness and current relevance, our discussion and experiments are centered on LoRAadjusted LLMs, but note that most of the presented methodology is easily applicable for auditing training data given any other technique for adapting LLMs or, more generally, any other domain-adapted AI models.

Summary

  • The paper presents LoRA-MINT, a framework that uses perplexity metrics and synthetic in-domain samples to audit training data membership in LoRA-adapted LLMs.
  • It demonstrates high audit precision (0.77–0.92) across multiple models and domains, emphasizing the importance of fully adapting both attention and MLP pathways.
  • The methodology addresses regulatory, privacy, and model design concerns by offering a robust, model-agnostic approach for membership inference in parameter-efficient fine-tuning.

Auditing Training Data in LoRA-Adapted LLMs: The LoRA-MINT Framework

Introduction

The proliferation of parameter-efficient fine-tuning (PEFT) methods, especially Low-Rank Adaptation (LoRA), for adapting LLMs has created considerable challenges for privacy, transparency, and regulatory compliance. LoRA-based workflows facilitate rapid, domain-specific LLM specialization while minimizing computational demands. However, this customization heightens concerns over the inadvertent memorization and subsequent exposure of sensitive training data, particularly in regulated sectors such as healthcare, finance, and law. The paper "Auditing Training Data in Domain-adapted LLMs: LoRA-MINT" (2606.06946) introduces LoRA-MINT, a model-agnostic and efficient framework for systematically auditing training data membership in LoRA-fine-tuned LLMs.

Context and Motivation

Recent legislative and regulatory frameworks (e.g., EU AI Act, US initiatives) require robust auditing and traceability of AI models concerning their training data provenance and possible privacy violations. Membership inference tests (MINT) have become crucial tools for model accountability, extending attack-style privacy analyses into structured audit protocols. However, most existing works on MINT target either generic ML models or do not address the nuanced separation of training and non-training information in PEFT-adapted LLMs. As LoRA dominates real-world domain adaptation pipelines, auditing the provenance of data in such settings is both a technical and legal imperative.

Methodology: The LoRA-MINT Framework

LoRA-MINT is based on the hypothesis that LLMs exhibit distinct perplexity patterns for member (training) and non-member (non-training) samples, even after only a small fraction of weights are updated via LoRA. The framework consists of the following principal components:

  1. Perplexity-Based Membership Audit: For each candidate sample, the model’s token-level probability assignments are aggregated via the standard perplexity metric. Lower perplexity is strongly correlated with training membership, as fine-tuning induces overfitting on the training set.
  2. Synthetic In-Domain Reference Distributions: To establish a robust baseline for non-member perplexity, LoRA-MINT generates a reference set of synthetic, in-domain samples (via LLMs such as GPT-4), curated to be topically and structurally aligned but guaranteed to be outside the training distribution.
  3. Distributional Filtering and Calibration: Extreme percentiles of the synthetic distribution are excluded to minimize variance. The filtered mean is further adjusted by a scaled standard deviation (μ′=μ−σ/k\mu' = \mu - \sigma / k) to best match the empirical characteristics of true non-member data, with hyperparameters selected for optimal discrimination.
  4. Binary Classification Rule: Candidate samples are classified as members if their perplexity is below the calibrated reference mean, and as non-members otherwise.

The entire audit process for LoRA-MINT is outlined in the following schematic. Figure 1

Figure 1: Overview of LoRA-MINT. The base LLM is fine-tuned with LoRA using the training set Dtrain\mathcal{D}_{\text{train}}. Synthetic in-domain samples are used to build a reference perplexity distribution, against which the perplexity of each candidate sample cic_i is compared to determine whether it belongs to the training set.

The principal objective for LoRA-MINT can be summarized as the determination of training set membership for a candidate sample cc given a LoRA-fine-tuned model MLoRA\mathcal{M}_{\text{LoRA}}: Figure 2

Figure 2: The objective of LoRA-MINT is to determine whether a given sample cc belongs to the training set of a LoRA-fine-tuned model by comparing its perplexity to a reference distribution.

Distributional filtering is crucial for the robustness of the approach: Figure 3

Figure 3: Filtered distribution S′\mathcal{S}' of synthetic in-domain samples, obtained by removing extremes below θlow\theta_{\text{low}} and above θhigh\theta_{\text{high}}.

Experimental Evaluation and Key Results

The paper conducts evaluations across four LLMs (Qwen3-4B-Thinking-2507, DeepSeek-R1-Distill-Llama-8B, Phi-4-14B, Llama-3.2-3B) and three domain-specific datasets (CAMELMaths Instruction, Maths-College, Medical-o1-SFT), each fine-tuned using LoRA under standardized protocols. The synthetic in-domain reference distributions are generated (via GPT-4) and curated for non-overlap with training sets, ensuring valid baselines.

Strong empirical performance is demonstrated, with precision values in audit (identifying training membership) ranging from 0.77 to 0.92. For the MistralSmall model, area under the curve (AUC) and TPR/FPR metrics show significant improvements over state-of-the-art baselines, indicating a high efficacy for LoRA-MINT in discriminating member and non-member samples—with minimal false positive rates.

An ablation study on the effect of LoRA injection points in the transformer architecture (attention modules and MLPs) reveals that the optimal detection performance is realized when both attention and MLP pathways are adapted. Partial adaptation (e.g., only attention or only MLP) leads to significantly degraded membership inference accuracy; thus, the parameterization strategy for LoRA is directly tied to auditability and potential privacy leakage.

Implications and Prospects in AI Governance, Privacy, and Model Design

The results of LoRA-MINT have direct consequences for AI ethics, intellectual property management, and compliance auditing, particularly in scenarios involving regulated and proprietary data. The method’s model- and architecture-agnostic design makes it suitable for emerging PEFT techniques beyond LoRA, with trivial extension to alternative adaptation strategies (e.g., QLoRA, adapters).

Prominent practical implications include:

  • Regulatory Compliance: LoRA-MINT can serve as a technical foundation for organizations to demonstrate adherence to auditability mandates (e.g., the EU AI Act), supporting forensic analysis in case of data breach or unauthorized memorization.
  • Privacy Risk Assessment: The quantitative framework provides organizations with a direct measure of memorization and potential data leakage, supporting the development of mitigation strategies (e.g., differential privacy or regularization).
  • Model Development Feedback: The strong dependence of auditability on LoRA module placement indicates that model design and adaptation protocols can be proactively chosen to balance performance and privacy/traceability.

On the theoretical side, the findings substantiate that PEFT techniques—though parameter-minimal—are not immune to privacy risks, as significant memorization and detectability of training data persists.

Conclusion

"Auditing Training Data in Domain-adapted LLMs: LoRA-MINT" (2606.06946) formalizes a principled, efficient, and interpretable approach to membership auditing in LoRA-adapted LLMs. The perplexity-based audit procedure, supported by careful construction of synthetic in-domain baselines and rigorous filtering/calibration, achieves high membership inference accuracy across diverse model families and application domains. Through its ablation analysis and empirical results, the paper demonstrates that PEFT methods do not fundamentally resolve the privacy risks associated with LLM fine-tuning. LoRA-MINT stands out as a compelling technical tool for responsible deployment and transparent governance of LLMs in sensitive and regulated environments. Future directions include extension to other PEFT mechanisms and integration with privacy-preserving model training protocols.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.