Back to blog

Research Note · Assurance · Verification

What InvarLock Actually Claims

Ink/charcoal doodle: weight-edit evaluation stays inside the claim box while broader AI-safety language sits outside it.

A narrow claim can be stronger than a broad one. InvarLock is about auditable regression risk from weight edits, not general model safety.

6 min read
InvarLock Team

Research Note: scope is part of the method

Highlights

  • InvarLock evaluates regression risk from weight edits relative to a chosen baseline under a specific configuration.
  • Its public claim rests on paired metrics, a guard chain, and deterministic provenance, not on broad promises about model safety.
  • The report and verifier matter because they turn that narrow claim into something another person can inspect and re-check.

InvarLock's strongest public claim is not that an edited model is safe in the abstract. It is that, for a defined class of weight edits and a fixed evaluation setup, the system can produce a reviewable record of whether the edited subject stayed within declared bounds relative to a baseline.

Projects in this category usually get weaker when they borrow broad words like safety, trust, or reliability for a surface the evidence does not actually cover. The rhetoric expands. The verification surface does not.

InvarLock reads better when that boundary stays tight.

Its public promise is narrow: if you quantize, prune, or otherwise edit a model's weights, InvarLock can evaluate the edited subject against a fixed baseline with paired windows, run a defined guard chain, and emit an auditable report. That is not a claim about general model safety. It is a bounded claim about regression risk from a specific class of model changes.

That narrowness is not a branding compromise. It is what makes the evidence defensible.

What InvarLock Is Actually For

The shortest accurate description today is this:

InvarLock is an evidence system for weight-edit evaluation.

That means three things.

First, it is comparative. The subject model is not judged in the abstract. It is judged relative to a baseline checkpoint under a specified evaluation setup.

Second, it is artifact-producing. The output is not just a console verdict. The system emits evaluation.report.json, and attested evaluation flows also emit runtime.manifest.json.

Third, it is designed to be checked after the fact. The point is not only to produce a PASS or FAIL result, but to make the reasoning behind that result reviewable.

This is why the public README emphasizes paired evaluation windows, the canonical guard chain, machine-readable reports, and proof packs. Those are not side features. They are the actual product surface.

What The Public Evidence Covers

The assurance case makes the current scope unusually explicit.

The positive claim includes:

  • paired primary metrics with bootstrap confidence intervals
  • the canonical guard chain: invariants, spectral, RMT, variance, then post-edit invariants
  • deterministic provenance for seeds, datasets, tokenizers, pairing schedules, and policy configuration

The report reference shows the same design from the artifact side. The report surface is organized around evaluation outcome, quality gates, guard details, primary metric behavior, resolved policy, and provenance. The verifier then checks schema, pairing, ratio math, measurement contracts, and runtime-manifest attestation.

That structure matters because it narrows the room for hand-waving. If a claim is real, it should map to a field, a contract, a test, or a verifier rule.

What The Public Evidence Does Not Cover

This is the part many tool projects avoid stating clearly.

InvarLock does not claim to:

  • prevent or detect general content harms such as toxicity, bias, jailbreaks, or alignment failures
  • guarantee safety for unrelated training changes, arbitrary new architectures, or unsupported environments
  • replace infrastructure or deployment hardening concerns such as authz, governance, or access control
  • provide a universal statement about model quality independent of baseline, dataset, and configuration

This is a feature, not an omission to apologize for.

If a system says it measures only what it can actually instrument, test, and verify, readers know where to trust it and where not to.

Why The Narrow Scope Is Stronger

A narrow claim is easier to audit.

In InvarLock's case, that audit path is visible:

  1. baseline and subject runs produce structured reports
  2. those reports are combined into evaluation.report.json
  3. the verifier checks the report against explicit contracts
  4. attested flows add runtime.manifest.json so execution provenance travels with the result

That path is much stronger than a blog post saying a model edit "looked stable" or "did not seem to harm quality." The claim is anchored to paired windows, explicit metrics, guard outputs, policy digests, and a verifier that can fail closed.

This is also why proof packs matter. They are not decorative packaging. They are the transport format for re-checkable evidence.

Where Readers Still Need To Be Careful

The boundary also creates real limits.

The current public assurance case is narrower than the broader runnable surface visible in the public support matrix. That means readers should not confuse "the repo can run here" with "the published assurance case already covers this lane at the same level."

It also means a positive InvarLock result is always conditional. It says something about a weight edit relative to a baseline under a given setup. It does not say the edited model is good in every context, nor that broader safety risks disappear.

That distinction will keep recurring in future posts because it is one of the most important habits in this space: keep the claim line tight enough that the evidence can actually carry it.

Claim Map

This is the practical shape of the current public claim:

  • input: a baseline, an edited subject, and a specific evaluation setup
  • method: paired windows, guarded evaluation, deterministic provenance
  • artifact: evaluation.report.json, and for attested flows, runtime.manifest.json
  • checkability: invarlock verify can re-check the result against public contracts
  • boundary: no claim about general model safety, alignment, or deployment security

That is a smaller promise than many AI tools make. It is also a more durable one.

The Small Claim Worth Making

So what does InvarLock actually claim?

It does not claim to solve AI safety.

It does not claim to certify a model in the abstract.

It does not claim to replace human judgment.

It claims something smaller and more useful: for a specific class of weight edits, it can produce a reviewable, machine-verifiable record of whether the edited subject stayed within defined bounds relative to a baseline.

That is a narrower story than the market usually tells. It is also a more credible one.

Limitations

  • This note is about the current public claim surface, not a new experiment.
  • The published assurance basis is still narrower than the full runnable surface.
  • Nothing here should be read as a claim about content safety, alignment, or deployment security.

Sources

More from the blog

Continue through recent releases and implementation notes.

Release

Gemma 4 pilot lanes with a clearer assurance contract

InvarLock 0.6.0 adds a shipped Gemma 4 E2B text lane, phase-1 multimodal evaluation, and a unified `--assurance attested|trusted-local` workflow.

Release

Attested smoke lanes with package-native proof-pack signing

InvarLock 0.5.1 adds a push-gated tiny attested smoke lane, a scheduled GPT-2 canary lane, and package-native Ed25519 proof-pack signatures.

Release

Offline release verification with a slimmer public CLI

InvarLock 0.5.0 adds offline release-verification bundles, package-native proof-pack verification, and a simplified public CLI centered on evaluate, verify, and report.