Non-transferable Examples for AI Authorization
- Non-transferable Examples (NEs) are a model-specific authorization mechanism that recodes inputs to preserve performance for an authorized AI model while degrading usability for others.
- They leverage a training-free, data-agnostic recoding based on low-sensitivity subspaces of the model's first linear layer, using singular value decomposition.
- Empirical tests across vision and vision-language models show that NEs maintain nearly identical performance on the authorized model while causing unauthorized models to collapse.
Non-transferable Examples (NEs) are a model-specific authorization mechanism for AI systems in which an input-side recoding preserves usability for one authorized model while degrading usability for unauthorized models . In "Catch-Only-One: Non-Transferable Examples for Model-Specific Authorization," NEs are introduced as a training-free and data-agnostic method that recodes inputs within a model-specific low-sensitivity subspace of the authorized model’s first linear layer, so that the authorized model retains performance whereas non-target models fail because of subspace misalignment (Wang et al., 13 Oct 2025). The framework is motivated by the need for data that remain useful for innovation while resistant to misuse at the model level, and it differs from approaches that perturb data to make it unlearnable or retrain models to suppress transfer, because it acts at inference time and does not require control over training.
1. Problem formulation and core definition
The formal setting fixes an ambient input space , an authorized model , a family of models trained on the same domain, and a scalar task metric in which smaller values mean better usability. The goal is to construct a recoding such that, for , authorized-utility retention holds: while unauthorized-utility degradation holds: 0 This formulation makes NEs an input-side usage-control mechanism rather than a training-time defense (Wang et al., 13 Oct 2025).
The construction uses the first linear layer of the authorized model. Writing that layer as 1, with bias absorbed into 2 by homogeneously augmenting 3, one computes the singular value decomposition
4
For a threshold 5, the 6-insensitive subspace is
7
A perturbation 8 then satisfies 9. An NE is formed as
0
where 1 is obtained by zeroing coordinates 2 with 3 and sampling the remaining coordinates, for example 4, followed if needed by scaling to ensure 5 (Wang et al., 13 Oct 2025).
2. Recoding mechanism and model specificity
The same construction can be written as a projection. If 6 is the orthogonal projector onto the span of the 7 right singular vectors whose singular values satisfy 8, then
9
This emphasizes that NEs are created by restricting perturbations to directions that are low-sensitivity for the authorized model (Wang et al., 13 Oct 2025).
The method is explicitly training-free. It does not retrain 0 or any unauthorized model 1; instead, it probes 2’s first-layer SVD once on a small probe set and computes 3 and 4. It is also data-agnostic in the sense that the same projector 5 applies to any 6, including images and text tokens, without task-specific surrogate labels or losses. The private authorization information is therefore concentrated in the model-specific parameters 7, while the recoding function 8 can remain public (Wang et al., 13 Oct 2025).
The key structural hypothesis is subspace misalignment. Different models, whether due to different architectures or different random initializations, have distinct first-layer singular bases 9. Directions that are low-sensitivity for 0 typically correspond to moderate- or high-sensitivity directions in an unauthorized model 1. Under that condition, a perturbation that is nearly invisible to the authorized model can create a large first-layer feature shift for a non-target model (Wang et al., 13 Oct 2025).
3. Theoretical guarantees
The first guarantee concerns retention for the authorized model. If 2 is formed with 3 nonzero Gaussian entries of variance 4, then for any 5, with probability at least 6,
7
The proof sketch given in the paper uses
8
then bounds 9, and controls 0 with Chebyshev’s inequality because it is a chi-squared sum with mean 1 and variance 2. The paper further states that small first-layer changes are typically attenuated by ReLU or truncation and later layers, so 3, which realizes the retention constraint (Wang et al., 13 Oct 2025).
The second guarantee concerns degradation for unauthorized models. For another model 4 with first layer 5, a perturbation drawn from 6 will generally not lie in 7. The analysis invokes the Hoffman–Wielandt inequality on singular vectors. If 8, 9, and 0 uses the 1-th right singular direction with 2, and if
3
is the nearest gap between 4 and the singular values of 5, then for any 6,
7
The proof sketch decomposes 8 into a singular-vector difference term and a singular-value difference term, bounds 9, uses 0, and exploits 1. The paper then states that when 2 and 3 arise from different random initializations or architectures, 4 is 5 and 6 is 7, so the right-hand side can be large even if 8 itself is small, causing a substantial feature shift at layer 1 for the unauthorized model (Wang et al., 13 Oct 2025).
A plausible implication is that the theory is strongest at the interface between linearized first-layer geometry and practical model mismatch: the formal bounds are stated for first-layer feature deviation, while the downstream prediction failure is argued through propagation of that shift.
4. Empirical behavior across vision backbones and vision-LLMs
The empirical results are reported for image classification and vision-LLMs, with perturbations set to a 9 dB PSNR regime. The classification experiments use ResNet-50, ViT-B/p16, SwinV2-T, DeiT-B, and MambaVision-T on CIFAR-10 and ImageNet-1K; the vision-language evaluation uses InternVL3-1B as the authorized model and Qwen2.5-VL-3B as the unauthorized model on MMBench (Wang et al., 13 Oct 2025).
| Setting | Authorized model behavior | Unauthorized model behavior |
|---|---|---|
| ImageNet cross-architecture transfer | ResNet-50 retains 80.2% top-1 vs. 80.3% clean | All other models collapse to 0 top-1 |
| Weight-variant transfer | Target ResNet-50 remains usable | Second ResNet-50 with different random seed yields 1 accuracy |
| MMBench VLM evaluation | InternVL3 overall 72.7% 2 72.6% | Qwen2.5 overall 78.8% 3 18.3% |
For cross-architecture transfer on ImageNet, the paper reports that 4 generated for ResNet-50 retains 5 top-1 accuracy on ResNet-50, compared with 6 on clean inputs, while all other models collapse to approximately 7 top-1. It further states that similar behavior holds for each authorized target, with diagonal entries close to clean accuracy within 8 and off-diagonal transfer near chance. For weight-variant transfer, two ResNet-50 instances trained from different random seeds are sufficient for model specificity: NEs for one model yield approximately 9 accuracy on the other (Wang et al., 13 Oct 2025).
The baseline comparison in the same study positions NEs against Differential Privacy training, Fully Homomorphic Encryption, and AlgoSpec. The reported comparison is that Differential Privacy training with 0 drops authorized accuracy by 1–2 and is inapplicable to Transformers; Fully Homomorphic Encryption preserves accuracy but incurs 3–4 latency; AlgoSpec collapses authorized accuracy to near-zero. By contrast, NEs preserve authorized accuracy within 5, deny unauthorized models with 6–7 top-1, and incur zero inference overhead beyond one input-side matrix multiplication (Wang et al., 13 Oct 2025).
For vision-LLMs on MMBench, the reported metrics include AR, CP, FP-C, FP-S, LR, RR, and overall. The authorized InternVL3-1B changes from 8 to 9 overall, whereas unauthorized Qwen2.5-VL-3B changes from 00 to 01, with all sub-metrics collapsing into the teens. The paper also states that NEs survive standard resizing, cropping, JPEG, blurring, and the complex, model-specific preprocessing pipelines of modern VLMs (Wang et al., 13 Oct 2025).
5. Implementation details and operational limits
The implementation described in the paper is intentionally lightweight. Basis estimation uses a probe set of approximately 02 samples to compute the SVD of the first linear map, whether fully connected or im2col-unfolded convolution. A threshold 03 selects 04 insensitive directions. The vector 05 is i.i.d. Gaussian on those 06 coordinates and zero elsewhere. The perturbation is then scaled according to
07
so that 08 dB, corresponding to approximately 09–10 of the image norm. The recoding function 11 can be public, while the model-specific parameters 12 remain private (Wang et al., 13 Oct 2025).
The limitations are also explicit. A strong adaptive attacker might approximate 13 using massive queries or side-channels and then project 14 back onto its complement, partially restoring utility. Extremely aggressive preprocessing, including heavy cropping or extreme JPEG, can shrink the relative energy of 15. The formal analysis focuses on first-layer effects, and extending provable bounds through deeper nonlinear layers remains open. The paper notes that dynamic defenses such as randomized 16 and time-varying bases can raise attacker cost, but at the expense of occasional authorized jitter (Wang et al., 13 Oct 2025).
A common misconception is to treat NEs as a universal obfuscation mechanism. The paper does not claim that; the mechanism is model-specific, its strongest guarantees are first-layer guarantees, and its resistance to adaptive recovery is presented as conditional rather than absolute.
6. Relation to adjacent literatures and terminological ambiguity
The acronym “NEs” is not unique across the literature. In "Transferable Unlearnable Examples," the phrase “non-transferable” appears in a different sense: Error-Minimizing Noise perturbations are described as non-transferable because their unlearnable effect fails to transfer across training algorithms and across datasets. That paper introduces Classwise Separability Discriminant and a contrastive bi-level objective to produce Transferable Unlearnable Examples, with the goal of making perturbations transferable to multiple training settings and datasets (Ren et al., 2022). This is conceptually distinct from model-specific authorization, where non-transferability is the intended property and operates at inference rather than training.
The term also appears in an unrelated domain in "Targeting Without Transfers," where “non-transferable examples (NEs)” refers to canonical menu constructions in multidimensional screening without money, including pure options and, in the two-good symmetric case, at most one mixed bundle (Tokarski, 31 Jan 2026). This usage belongs to mechanism design rather than machine learning.
Within AI security and data governance, the significance of the 2025 NEs proposal is therefore specific: it reframes non-transferability as a desirable authorization primitive. Instead of making data globally unusable, it makes data selectively usable by exactly one authorized model. The paper’s own summary states that NEs leverage model-specific low-sensitivity subspaces of the first linear layer to produce a simple, training-free, data-agnostic recoding that “ciphers” data for exactly one authorized model while rendering it unusable for any other (Wang et al., 13 Oct 2025).