[un]prompted still too prompty
What happens when you organize a machine learning security conference together with a bunch of security experts who have widely varying degrees of machine learning experience? Fun and games!
The [un]prompted conference has a program committee reading like a who’s who of security, stretching from Bruce Schneier on one end to Halvar Flake on the other. BIML is proud and honored to have two people representing on the committee. (But we will say that we are legitimately surprised at how many people claim to have deep knowledge of machine learning security all lickety split like. Damn they must be fast readers.)
Ultimately all the experts had to slog through the 461 submissions, boiling the pile down to 25 or 30 actual talks. Did the law of averages descend in all its glory? Why yes, yes it did.
I have served on some impressive and diligent academic program committees over the decades (especially USENIX Security, NDSS, and Oakland). The [un]prompted approach is apparently more like Black Hat or DEF CON than that, with lots of inside baseball, big personalities, seemingly arbitrary process, really smart people who actually do stuff, and much, much more fun. And honestly the conference is going to be great: wide and deep and very real, with a huge bias towards demos. ALL of the talks will be excellent.
I took it on myself to review everything submitted to my track (TRACK 1: Building Secure AI Systems) and also track 5 (TRACK 5: Strategy, Governance & Organizational Reality). Though I did get track 1 done (three times, no less), I did not get through everything that came in during the deadline tidal wave. Let's just say A&A for Agents is over-subscribed and under-depth, prompt injection is the dead horse that still gets beaten, MCP and other operations fun at scale is the state of the practice, and wonky government types still like to talk about policy (wake me up when it's over). If you want to see what's next in building security in for ML, well, it is only very thinly represented by two "let's get in there and see what the network is actually doing" proposals (one from Starseer and one from Realm labs). Yeah, submissions were "anonymous," but everybody knows who is doing what at this end of the security field, so that's just pretend.
Not only do we desperately need more whitebox work (leveraging the ideas behind transformer circuits), we also need to stop and think in MLsec. Where does recursive pollution (BIML's #1 risk) fit in [un]prompted? Nowhere. How about model collapse? Nope. Data poisoning à la Carlini? Not even. Anything at all about data curation and cleaning (and its relationship to security)? Nah. Representation issues and security engineering? Well, there was one proposal about tokens…
Hats off to the outside->in ops guys; they're grabbing hold of the megaphone again! Just raw hacker sex appeal, I guess.
Anyway, if you’re looking for a reason that BIML exists in all of our philosophical glory, it’s to peer as far into the MLsec future as possible. Somewhat ironically, we can do that by remembering the past. This [un]prompted experience feels so much like early software security (everyone was talking about buffer overflows in 1998 and penetration testing was an absolute wild west blast) that we can confidently predict MLsec is going to evolve from blackbox outside->in malicious input stuff, through intrusion detection, monitoring and sandboxing, eventually discovering that networks have lots of actual stuff you can try to make sense of inside the black box. Meanwhile the ops guys will paint a little number on each agentic ant, not thinking once about what the ant colony might be up to.
Do you remember when we decided to start looking at code to find bugs before it was even compiled? Because I do… it was my DARPA project. It will happen again. Not through static analysis… but through understanding just what the heck is going on INSIDE the networks we are building as fast as we can.