Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #79

Can Composing Generative Models Avoid Hallucinations? Implications for Cybersecurity Use Cases

Karim Eldefrawy

2026 · 10th International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML 2026)

  • Theory
  • Foundations
  • AI for security

What does the paper try to establish?

Does calibration—and therefore the Kalai–Vempala monofact hallucination lower bound—persist when fact-level generators are composed using deterministic semantic post-processing, Bayesian-compatible score aggregation, or routing to expert models?

What is the proposed answer?

The author-supplied abstract reports that, under the paper’s closure conditions, calibration is preserved by all three operators, so the Kalai–Vempala hallucination floor persists for calibrated composites. Beating the floor requires final miscalibration, violation of a closure condition, or a changed evidence state such as a verified witness.

Abstract

Today’s AI-powered enterprise systems are increasingly combining multiple models with pre- and post-processing, score aggregation, routing to expert models, and model-as-judge mechanisms. This raises a natural theoretical question with immediate practical implications: can compositions of models and pre- and post-processing techniques reduce hallucination rates inherent in single models? We answer this question for the calibrated core of systems composing multiple models with pre- and post-processing techniques. Calibration in this context means that among all claims assigned score z, the average truth rate is z. Kalai and Vempala (KV) proved a limitation for a single calibrated fact-level generator: it must hallucinate monofacts (facts appearing once in training data) at a rate lower-bounded by the Good–Turing missing-mass estimate minus calibration error. We show that calibration is preserved by three natural and common composition operators: (1) deterministic semantic post-processing, (2) Bayesian-compatible score aggregation, and (3) routing to one of many expert models (sometimes called a mixture of experts). The KV hallucination floor thus survives compositions built from these operators. A combined system that beats this floor must therefore either be miscalibrated as a final composite or violate one of our closure theorems. We give two counterexamples showing that, when the conditions of our theorems are violated, the overall system may not be calibrated: marginally calibrated experts need not average to a calibrated ensemble, and globally calibrated expert models need not remain calibrated under routing to one of the expert models. We map our results to cybersecurity-relevant settings; in such settings, composed systems powered by generative models discover vulnerabilities, review code, generate code and test cases, analyze logs, triage alerts, and summarize incidents. In cybersecurity, “facts” are operational claims whose tail can be viewed as the monofact regime. Such claims can concern, for example, vulnerability existence, exploitability, patch safety, alert validity, or incident attribution. Vulnerability discovery also marks the theorem’s boundary: a model-generated claim that a rare bug exists is monofact-like when supported only by model confidence, while a concrete exploit, proof certificate, or execution trace is a checkable witness. Thus, our theorems apply to pre-verification composition; verified witnesses provide an escape by changing the evidence state. We conclude with an evaluation procedure for auditing composed systems powered by generative models acting as a cybersecurity AI assistant or automated pipeline addressing specific tasks in such settings. The evaluation procedure enables one to explain whether, and by which mechanism, an observed hallucination reduction is compatible with our analysis.

Provenance: Supplied by the author for this website; the manuscript and theorem proofs have not been independently audited.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence Medium

The author-supplied abstract precisely reports the calibration definition, covered operators, closure results, counterexamples, cybersecurity boundary, and audit procedure. The formal statements, hypotheses, and proofs remain unaudited because the manuscript is not represented.

Author-supplied abstract
Auditability Low

The author-supplied abstract is inspectable, but no paper-specific official publication record, public archive, or author-hosted manuscript is represented; full-text assumptions, evidence, artifacts, and version identity cannot presently be audited from this map. Auditability is therefore low.

Author-supplied abstract CSCML 2026 venue website
Production provenance Medium

The record documents named authorship and the publication or review status of the paper, establishing a baseline human and lifecycle provenance trail. Contributor roles, revision and effort history, AI or tool use, artifact-version lineage, and explicit final approval have not yet been audited, so this provisional medium rating should not be read as complete production provenance.

Author-supplied metadata and editorial summary Author-supplied abstract
External scrutiny Low

Under-review status records a pending process. No acceptance, completed review outcome, public review report, independent reproduction, correction, or adversarial analysis is represented.

Author-supplied metadata and editorial summary
Reception Low

A dated exact-title scholarly-web search located 0 citations for this under-review manuscript. Under the author-defined rule, 0–8 located citations is Low, 9–10 is Medium, and 11 or more is High; this may change after dissemination.

Dated exact-title citation search
Contribution significance Medium

The abstract reports a theoretical closure limitation with direct cybersecurity implications, counterexamples, an evidence-state boundary, and an audit procedure. Novelty comparisons, formal proofs, and downstream impact remain unaudited, so this is a provisional significance assessment rather than a breakthrough claim.

Author-supplied abstract

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Can Composing Generative Models Avoid Hallucinations? Implications for Cybersecurity Use Cases

The author-supplied abstract reports that a Kalai–Vempala hallucination lower bound persists under deterministic semantic post-processing, Bayesian-compatible score aggregation, and expert-model routing when the resulting system remains calibrated. It identifies counterexamples outside these closure conditions, connects the theory to cybersecurity workflows, distinguishes unverified model claims from checkable witnesses, and proposes an audit procedure for explaining apparent hallucination reductions.

Author-supplied abstract
  1. question

    Research question

    reported in author abstract not independently audited

    Does calibration—and therefore the Kalai–Vempala monofact hallucination lower bound—persist when fact-level generators are composed using deterministic semantic post-processing, Bayesian-compatible score aggregation, or routing to expert models?

    Author-supplied abstract
  2. contribution

    Reported contribution

    reported in author abstract not independently audited

    The abstract reports three calibration-closure theorems for common composition operators, two counterexamples outside their conditions, a cybersecurity interpretation, and an evaluation procedure for explaining apparent hallucination reductions.

    Author-supplied abstract
  3. method Method or construction reported in author abstract not independently audited

    The abstract reports closure theorems, under the paper’s conditions, for deterministic semantic post-processing, Bayesian-compatible score aggregation, and expert routing. It also reports two calibration counterexamples and separates confidence-only claims from claims backed by checkable witnesses. Exact formal definitions and hypotheses remain unavailable without the manuscript.

    Author-supplied abstract
    1. definition

      Calibration

      defined in author abstract

      The abstract defines calibration operationally: among claims assigned score z, the average truth rate is z. The manuscript's probability space, conditioning, claim granularity, and approximation conventions remain unaudited.

      Author-supplied abstract
    2. prior result

      Kalai–Vempala single-generator floor

      reported in author abstract not independently audited

      The abstract reports the prior result that a calibrated fact-level generator must hallucinate monofacts—facts occurring once in training—at a rate lower-bounded by the Good–Turing missing-mass estimate minus calibration error.

      Author-supplied abstract
    3. theorem group Calibration closure under three operators reported in author abstract not independently audited

      The abstract reports that calibration is preserved by three specified composition operators under the paper's conditions; exact theorem statements, domains, measurability assumptions, and error propagation require the manuscript.

      Author-supplied abstract
      1. operator

        Deterministic semantic post-processing

        reported operator

        The first covered operator deterministically transforms generated semantic content. The abstract reports calibration closure but does not expose the formal semantic map or sufficient conditions.

        Author-supplied abstract
      2. operator

        Bayesian-compatible score aggregation

        reported operator

        The second operator combines scores in a Bayesian-compatible way. This is narrower than arbitrary averaging; the abstract's first counterexample warns that marginal calibration alone does not make an averaged ensemble calibrated.

        Author-supplied abstract
      3. operator

        Routing to expert models

        reported operator

        The third operator selects one of several expert models, sometimes described as a mixture of experts. The abstract reports a closure theorem under conditions and separately shows that global expert calibration alone is insufficient under arbitrary routing.

        Author-supplied abstract
    4. theorem consequence

      Hallucination floor survives covered composition

      reported in author abstract not independently audited

      Because the covered operators preserve calibration, the abstract concludes that the Kalai–Vempala monofact floor also applies to composites built from those operators.

      Author-supplied abstract
    5. boundary

      Ways to fall outside the conclusion

      reported in author abstract not independently audited

      An observed composite below the floor must, according to the abstract, be miscalibrated at its final output, violate a closure theorem's conditions, or operate after verification has changed the evidence state.

      Author-supplied abstract
    6. counterexample group Two calibration counterexamples reported in author abstract not independently audited

      The abstract reports examples showing that natural but weaker premises do not guarantee calibration of the composite.

      Author-supplied abstract
      1. counterexample

        Marginally calibrated experts may not average safely

        reported in author abstract not independently audited

        Experts that are each marginally calibrated need not yield a calibrated ensemble when their outputs are simply averaged.

        Author-supplied abstract
      2. counterexample

        Globally calibrated experts may fail under routing

        reported in author abstract not independently audited

        Experts that are globally calibrated need not remain calibrated after a router selectively sends different cases to them.

        Author-supplied abstract
    7. scope boundary

      Model-as-judge is motivation, not a listed closure operator

      abstract scope observation

      Model-as-judge mechanisms appear in the abstract's system motivation, but the three reported closure results are post-processing, Bayesian-compatible aggregation, and expert routing; the abstract does not claim a general model-as-judge closure theorem.

      Author-supplied abstract
  4. claim group Principal reported claims reported in author abstract not independently audited

    The abstract reports that calibrated compositions built from the three covered operators retain the Kalai–Vempala monofact hallucination floor; a system that beats it must be finally miscalibrated, violate a closure condition, or change the evidence state through verification.

    Author-supplied abstract
    1. application context

      Cybersecurity workflows

      mapped in author abstract

      The abstract maps the theory to vulnerability discovery, code review and generation, test generation, log analysis, alert triage, and incident summarization by generative systems.

      Author-supplied abstract
    2. concept

      Operational claims as facts

      mapped in author abstract

      Cybersecurity 'facts' include claims about vulnerability existence, exploitability, patch safety, alert validity, and incident attribution; rare claims in their tail are treated as analogous to monofacts.

      Author-supplied abstract
    3. boundary

      Verification changes the evidence state

      explicitly reported boundary

      A rare-bug claim supported only by model confidence remains monofact-like, while a concrete exploit, proof certificate, or execution trace is a checkable witness. The abstract places verified witnesses outside its pre-verification composition analysis.

      Author-supplied abstract
    4. evaluation method

      Evaluation procedure for composed systems

      reported in author abstract not independently audited

      The abstract reports a procedure for determining whether an observed hallucination reduction is compatible with the analysis and identifying whether calibration, operator conditions, or verification explain it; procedural steps and validation evidence require manuscript audit.

      Author-supplied abstract
  5. evidence group

    Reported evidence

    source scope limitation

    The author-supplied abstract identifies the operators, reported closure results, two counterexamples, cybersecurity boundary, and evaluation procedure. The manuscript, formal definitions, theorem statements, proofs, examples, and any evaluation results were not audited.

    Author-supplied abstract
  6. limitation group

    Scope and limitations

    author supplied abstract pending full text audit

    The reported theorems concern the calibrated fact-level core, the three named operators, and pre-verification composition. They do not claim that every composition preserves calibration or that verified witnesses remain in the same evidence state; exact hypotheses, definitions, and theorem boundaries require manuscript audit.

    Author-supplied abstract
  7. scrutiny

    Scrutiny and status

    publication status reported not independently audited

    The work is described as under review. That records a pending process, not acceptance, a completed review outcome, or validation; no review report, reproduction, correction, or adversarial analysis is represented.

    Author-supplied metadata and editorial summary CSCML 2026 venue website

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Author-supplied metadata and editorial summary Website publication record. The title, authorship, status, venue, and topical characterization were supplied by the author; the concise summary is editorial.
  2. Author-supplied abstract Full abstract rendered on the Paper #79 knowledge-map landing page. The manuscript, formal theorem statements, hypotheses, and proofs were not inspected.
  3. CSCML 2026 venue website Venue homepage only. It is not a paper-specific page, acceptance notice, manuscript, review record, or source for technical claims.
  4. Dated exact-title citation search No citing work was verifiably located for the under-review manuscript when searched 2026-07-11