Scientific knowledge map · Paper #79
Can Composing Generative Models Avoid Hallucinations? Implications for Cybersecurity Use Cases
2026 · 10th International Symposium on Cyber Security, Cryptology and Machine Learning (CSCML 2026)
- Theory
- Foundations
- AI for security
Research question
What does the paper try to establish?
Does calibration—and therefore the Kalai–Vempala monofact hallucination lower bound—persist when fact-level generators are composed using deterministic semantic post-processing, Bayesian-compatible score aggregation, or routing to expert models?
Central answer
What is the proposed answer?
The author-supplied abstract reports that, under the paper’s closure conditions, calibration is preserved by all three operators, so the Kalai–Vempala hallucination floor persists for calibrated composites. Beating the floor requires final miscalibration, violation of a closure condition, or a changed evidence state such as a verified witness.
Author-supplied abstract
Abstract
Today’s AI-powered enterprise systems are increasingly combining multiple models with pre- and post-processing, score aggregation, routing to expert models, and model-as-judge mechanisms. This raises a natural theoretical question with immediate practical implications: can compositions of models and pre- and post-processing techniques reduce hallucination rates inherent in single models? We answer this question for the calibrated core of systems composing multiple models with pre- and post-processing techniques. Calibration in this context means that among all claims assigned score z, the average truth rate is z. Kalai and Vempala (KV) proved a limitation for a single calibrated fact-level generator: it must hallucinate monofacts (facts appearing once in training data) at a rate lower-bounded by the Good–Turing missing-mass estimate minus calibration error. We show that calibration is preserved by three natural and common composition operators: (1) deterministic semantic post-processing, (2) Bayesian-compatible score aggregation, and (3) routing to one of many expert models (sometimes called a mixture of experts). The KV hallucination floor thus survives compositions built from these operators. A combined system that beats this floor must therefore either be miscalibrated as a final composite or violate one of our closure theorems. We give two counterexamples showing that, when the conditions of our theorems are violated, the overall system may not be calibrated: marginally calibrated experts need not average to a calibrated ensemble, and globally calibrated expert models need not remain calibrated under routing to one of the expert models. We map our results to cybersecurity-relevant settings; in such settings, composed systems powered by generative models discover vulnerabilities, review code, generate code and test cases, analyze logs, triage alerts, and summarize incidents. In cybersecurity, “facts” are operational claims whose tail can be viewed as the monofact regime. Such claims can concern, for example, vulnerability existence, exploitability, patch safety, alert validity, or incident attribution. Vulnerability discovery also marks the theorem’s boundary: a model-generated claim that a rare bug exists is monofact-like when supported only by model confidence, while a concrete exploit, proof certificate, or execution trace is a checkable witness. Thus, our theorems apply to pre-verification composition; verified witnesses provide an escape by changing the evidence state. We conclude with an evaluation procedure for auditing composed systems powered by generative models acting as a cybersecurity AI assistant or automated pipeline addressing specific tasks in such settings. The evaluation procedure enables one to explain whether, and by which mechanism, an observed hallucination reduction is compatible with our analysis.
Provenance: Supplied by the author for this website; the manuscript and theorem proofs have not been independently audited.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence Medium
-
The author-supplied abstract precisely reports the calibration definition, covered operators, closure results, counterexamples, cybersecurity boundary, and audit procedure. The formal statements, hypotheses, and proofs remain unaudited because the manuscript is not represented.
Author-supplied abstract - Auditability Low
-
The author-supplied abstract is inspectable, but no paper-specific official publication record, public archive, or author-hosted manuscript is represented; full-text assumptions, evidence, artifacts, and version identity cannot presently be audited from this map. Auditability is therefore low.
Author-supplied abstract CSCML 2026 venue website - Production provenance Medium
-
The record documents named authorship and the publication or review status of the paper, establishing a baseline human and lifecycle provenance trail. Contributor roles, revision and effort history, AI or tool use, artifact-version lineage, and explicit final approval have not yet been audited, so this provisional medium rating should not be read as complete production provenance.
Author-supplied metadata and editorial summary Author-supplied abstract - External scrutiny Low
-
Under-review status records a pending process. No acceptance, completed review outcome, public review report, independent reproduction, correction, or adversarial analysis is represented.
Author-supplied metadata and editorial summary - Reception Low
-
A dated exact-title scholarly-web search located 0 citations for this under-review manuscript. Under the author-defined rule, 0–8 located citations is Low, 9–10 is Medium, and 11 or more is High; this may change after dissemination.
Dated exact-title citation search - Contribution significance Medium
-
The abstract reports a theoretical closure limitation with direct cybersecurity implications, counterexamples, an evidence-state boundary, and an audit procedure. Novelty comparisons, formal proofs, and downstream impact remain unaudited, so this is a provisional significance assessment rather than a breakthrough claim.
Author-supplied abstract
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Can Composing Generative Models Avoid Hallucinations? Implications for Cybersecurity Use Cases
The author-supplied abstract reports that a Kalai–Vempala hallucination lower bound persists under deterministic semantic post-processing, Bayesian-compatible score aggregation, and expert-model routing when the resulting system remains calibrated. It identifies counterexamples outside these closure conditions, connects the theory to cybersecurity workflows, distinguishes unverified model claims from checkable witnesses, and proposes an audit procedure for explaining apparent hallucination reductions.
Author-supplied abstract-
question Research question
reported in author abstract not independently auditedDoes calibration—and therefore the Kalai–Vempala monofact hallucination lower bound—persist when fact-level generators are composed using deterministic semantic post-processing, Bayesian-compatible score aggregation, or routing to expert models?
Author-supplied abstract -
contribution Reported contribution
reported in author abstract not independently auditedThe abstract reports three calibration-closure theorems for common composition operators, two counterexamples outside their conditions, a cybersecurity interpretation, and an evaluation procedure for explaining apparent hallucination reductions.
Author-supplied abstract -
method Method or construction reported in author abstract not independently audited
The abstract reports closure theorems, under the paper’s conditions, for deterministic semantic post-processing, Bayesian-compatible score aggregation, and expert routing. It also reports two calibration counterexamples and separates confidence-only claims from claims backed by checkable witnesses. Exact formal definitions and hypotheses remain unavailable without the manuscript.
Author-supplied abstract-
definition Calibration
defined in author abstractThe abstract defines calibration operationally: among claims assigned score z, the average truth rate is z. The manuscript's probability space, conditioning, claim granularity, and approximation conventions remain unaudited.
Author-supplied abstract -
prior result Kalai–Vempala single-generator floor
reported in author abstract not independently auditedThe abstract reports the prior result that a calibrated fact-level generator must hallucinate monofacts—facts occurring once in training—at a rate lower-bounded by the Good–Turing missing-mass estimate minus calibration error.
Author-supplied abstract -
theorem group Calibration closure under three operators reported in author abstract not independently audited
The abstract reports that calibration is preserved by three specified composition operators under the paper's conditions; exact theorem statements, domains, measurability assumptions, and error propagation require the manuscript.
Author-supplied abstract-
operator
Deterministic semantic post-processing
reported operatorThe first covered operator deterministically transforms generated semantic content. The abstract reports calibration closure but does not expose the formal semantic map or sufficient conditions.
Author-supplied abstract -
operator
Bayesian-compatible score aggregation
reported operatorThe second operator combines scores in a Bayesian-compatible way. This is narrower than arbitrary averaging; the abstract's first counterexample warns that marginal calibration alone does not make an averaged ensemble calibrated.
Author-supplied abstract -
operator
Routing to expert models
reported operatorThe third operator selects one of several expert models, sometimes described as a mixture of experts. The abstract reports a closure theorem under conditions and separately shows that global expert calibration alone is insufficient under arbitrary routing.
Author-supplied abstract
-
operator
-
theorem consequence Hallucination floor survives covered composition
reported in author abstract not independently auditedBecause the covered operators preserve calibration, the abstract concludes that the Kalai–Vempala monofact floor also applies to composites built from those operators.
Author-supplied abstract -
boundary Ways to fall outside the conclusion
reported in author abstract not independently auditedAn observed composite below the floor must, according to the abstract, be miscalibrated at its final output, violate a closure theorem's conditions, or operate after verification has changed the evidence state.
Author-supplied abstract -
counterexample group Two calibration counterexamples reported in author abstract not independently audited
The abstract reports examples showing that natural but weaker premises do not guarantee calibration of the composite.
Author-supplied abstract-
counterexample
Marginally calibrated experts may not average safely
reported in author abstract not independently auditedExperts that are each marginally calibrated need not yield a calibrated ensemble when their outputs are simply averaged.
Author-supplied abstract -
counterexample
Globally calibrated experts may fail under routing
reported in author abstract not independently auditedExperts that are globally calibrated need not remain calibrated after a router selectively sends different cases to them.
Author-supplied abstract
-
counterexample
-
scope boundary Model-as-judge is motivation, not a listed closure operator
abstract scope observationModel-as-judge mechanisms appear in the abstract's system motivation, but the three reported closure results are post-processing, Bayesian-compatible aggregation, and expert routing; the abstract does not claim a general model-as-judge closure theorem.
Author-supplied abstract
-
-
claim group Principal reported claims reported in author abstract not independently audited
The abstract reports that calibrated compositions built from the three covered operators retain the Kalai–Vempala monofact hallucination floor; a system that beats it must be finally miscalibrated, violate a closure condition, or change the evidence state through verification.
Author-supplied abstract-
application context Cybersecurity workflows
mapped in author abstractThe abstract maps the theory to vulnerability discovery, code review and generation, test generation, log analysis, alert triage, and incident summarization by generative systems.
Author-supplied abstract -
concept Operational claims as facts
mapped in author abstractCybersecurity 'facts' include claims about vulnerability existence, exploitability, patch safety, alert validity, and incident attribution; rare claims in their tail are treated as analogous to monofacts.
Author-supplied abstract -
boundary Verification changes the evidence state
explicitly reported boundaryA rare-bug claim supported only by model confidence remains monofact-like, while a concrete exploit, proof certificate, or execution trace is a checkable witness. The abstract places verified witnesses outside its pre-verification composition analysis.
Author-supplied abstract -
evaluation method Evaluation procedure for composed systems
reported in author abstract not independently auditedThe abstract reports a procedure for determining whether an observed hallucination reduction is compatible with the analysis and identifying whether calibration, operator conditions, or verification explain it; procedural steps and validation evidence require manuscript audit.
Author-supplied abstract
-
-
evidence group Reported evidence
source scope limitationThe author-supplied abstract identifies the operators, reported closure results, two counterexamples, cybersecurity boundary, and evaluation procedure. The manuscript, formal definitions, theorem statements, proofs, examples, and any evaluation results were not audited.
Author-supplied abstract -
limitation group Scope and limitations
author supplied abstract pending full text auditThe reported theorems concern the calibrated fact-level core, the three named operators, and pre-verification composition. They do not claim that every composition preserves calibration or that verified witnesses remain in the same evidence state; exact hypotheses, definitions, and theorem boundaries require manuscript audit.
Author-supplied abstract -
artifact group Artifacts and resources
linked not content auditedThe site represents an author-supplied abstract and the venue homepage, but no manuscript, formal proof, code, dataset, evaluation artifact, immutable version, or paper-specific public URL.
Author-supplied metadata and editorial summary Author-supplied abstract CSCML 2026 venue website -
scrutiny Scrutiny and status
publication status reported not independently auditedThe work is described as under review. That records a pending process, not acceptance, a completed review outcome, or validation; no review report, reproduction, correction, or adversarial analysis is represented.
Author-supplied metadata and editorial summary CSCML 2026 venue website
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Author-supplied metadata and editorial summary Website publication record. The title, authorship, status, venue, and topical characterization were supplied by the author; the concise summary is editorial.
- CSCML 2026 venue website Venue homepage only. It is not a paper-specific page, acceptance notice, manuscript, review record, or source for technical claims.
- Dated exact-title citation search No citing work was verifiably located for the under-review manuscript when searched 2026-07-11