UF researchers develop new training method to help AI tools learn safely
As artificial intelligence becomes woven into everyday life, UF researchers are working to make sure the technology learns safely. A new paper from the University of Florida and Visa Research introduces a training method designed to prevent AI models from memorizing sensitive information — a growing privacy risk in modern machine learning systems.
The work, titled “Deep Learning with Plausible Deniability,” was showcased in early December at NeurIPS 2025, one of the world’s most prestigious AI conferences. The paper is led by UF Ph.D. student Wenxuan Bao and UF associate professor Vincent Bindschaedler, Ph.D., in collaboration with Visa Research.
“We don’t want to design systems that maybe are the most intelligent systems without regard to how they process sensitive data,” said Bindschaedler, who is based in the UF Department of Computer & Information Science & Engineering. His work focuses on building what he calls “trustworthy machine learning,” a field that includes privacy, security and interpretability.
Why AI memorization matters
During training, AI models repeatedly scan their datasets to improve performance. But sometimes they latch onto specific details, like a phone number, a medical record or even a person’s name, instead of general patterns.
“It essentially just remembers very specific detailed information from its training corpus,” Bindschaedler said. “We actually have techniques that can probe the AI to try to recover it.”
Because many models are publicly accessible, that memorized data can potentially be extracted.
“If a system that’s broadly used was to have memorized somebody’s medical record and somebody knew that’s the case, they could basically get that out of it,” Bindschaedler said. “That would be fairly catastrophic.”
A simple privacy test with a big impact
The team’s new technique adds a quick “privacy check” during training. If an update could reveal information about an individual datapoint, the model simply would not use it.
“It’s a very simple kind of natural thing,” Bindschaedler said. “We train the AI in a normal way, but we just have this additional kind of check that says, ‘Hey, could this potentially leak information?’ And if so, then you don’t go ahead and do the update.”
This check is powered by the idea of plausible deniability: the model should never make an update that can be tied to a single record — it must be explainable by multiple, different subsets of data. If not, the update is rejected.
“It will just start over,” he said. “It just discards it and then moves on to the next batch.”
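A toy sketch of the accept-or-reject check described above, added here as an illustration; it is not taken from the paper or the researchers' code. The Gaussian noise model, the `gamma` threshold, the `min_alternatives` count, all function names and the sample gradients are assumptions made for the example.

```python
# Illustrative sketch only: the noise model, thresholds and names are assumptions.

def batch_mean(grads):
    """Average the per-record gradients of one batch."""
    return [sum(col) / len(grads) for col in zip(*grads)]

def log_density(update, mean, sigma):
    """Log-density of N(mean, sigma^2 I) at `update`, dropping the shared constant."""
    return -sum((u - m) ** 2 for u, m in zip(update, mean)) / (2 * sigma ** 2)

def is_deniable(update, source, others, sigma=1.0, gamma=1.0, min_alternatives=2):
    """True if enough other batches explain the noisy update about as well as its real source."""
    ref = log_density(update, batch_mean(source), sigma)
    close = sum(abs(log_density(update, batch_mean(b), sigma) - ref) <= gamma for b in others)
    return close >= min_alternatives

def train_step(weights, source, others, noise, lr=0.1):
    """Apply the noisy update only if it passes the check; otherwise discard it."""
    update = [m + n for m, n in zip(batch_mean(source), noise)]
    if not is_deniable(update, source, others):
        return weights, False          # rejected: move on to the next batch
    return [w - lr * u for w, u in zip(weights, update)], True

# Constructed sample data: 2-D per-record gradients, two records per batch.
ORDINARY = [
    [[1.0, 1.0], [1.2, 0.8]],
    [[0.9, 1.1], [1.1, 1.1]],
    [[1.0, 0.9], [0.8, 1.1]],
]
OUTLIER = [[1.0, 1.0], [9.0, -7.0]]     # one unusual record dominates this batch
NOISE = [0.2, -0.1]                      # fixed here so the run is reproducible

def demo():
    """Run one ordinary batch and one outlier batch through the check."""
    w = [0.0, 0.0]
    w, ok_ordinary = train_step(w, ORDINARY[0], ORDINARY[1:] + [OUTLIER], NOISE)
    w, ok_outlier = train_step(w, OUTLIER, ORDINARY, NOISE)
    return w, ok_ordinary, ok_outlier

if __name__ == "__main__":
    print(demo())
```

The update from the ordinary batch is accepted because two other batches explain it about equally well, while the update driven by the single unusual record has no plausible alternative source and is discarded.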
Raising UF’s visibility in AI research
For Bindschaedler, acceptance into NeurIPS signals both scholarly impact and UF’s growing presence in the AI landscape.
“NeurIPS is really the flagship venue for AI academic research…where work like this will get the most exposure and the most impact,” he said.
He added that publishing in top venues is part of advancing UF’s strategic focus on AI.
“Given the focus of UF on pushing AI forward…it makes sense to emphasize these kinds of most visible flagship venues,” he said.
The team is now exploring how the method can be extended to new applications and strengthened theoretically.
“This work introduced a new technique — there’s much we don’t know about it,” Bindschaedler said. “We think there are some interesting applications…that could be of practical relevance.”