LLMs Can Leak Training Data But Do They Want To? A Propensity-Aware Evaluation of Memorization in LLMs
Abstract
PropMe framework evaluates language model memorization by distinguishing between forced reproduction capabilities and natural propensity, using SimpleTrace for deterministic attribution and propensity-transformed metrics across open models and datasets.
Large language models can reproduce training data, but existing memorization evaluations mostly measure whether models can be forced to do so, rather than whether they do so under ordinary use. We introduce PropMe, a propensity-aware framework for memorization evaluation that contrasts prefix-based capability attacks with non-adversarial evaluations. We propose a metric transformation that, applied to existing functions, allows to create propensity metrics. We further introduce SimpleTrace, a lightweight tracing pipeline built on infini-gram that deterministically attributes model generations to large-scale training corpora and computes verbatim, near-verbatim, and propensity-transformed memorization metrics. Evaluating two fully-open models: Comma and DFM Decoder on two datasets: Common Pile and Dynaword in two languages, we find a consistent gap between capability and propensity: prefix attacks elicit substantially stronger memorization signals than generic or dataset-specific prompts, while propensity scores remain low overall. Thus, the models can reveal training data when directly elicited, but rarely do so in more common non-adversarial settings. We also find that DFM Decoder, which is continually pre-trained from Comma, exhibits reduced memorization and memorization propensity for Common Pile, confirming that memorization capability can decrease when later training emphasizes partially different data. Our results suggest, and we encourage, that memorization audits should report both worst-case extractability and ordinary leakage propensity in order to have a more comprehensive view of this phenomenon.
Community
We introduced PropMe and SimpleTrace to prove that while AI can be forced to leak training data under attack, its natural propensity to do so during everyday use is remarkably low. We also found that continuous training helps models naturally dilute and forget these old memories over time, confirming previous work. Ultimately, we argue that AI safety audits must evolve to measure real-world leakage propensity, not just worst-case hacks, to give us a true, comprehensive picture of this phenomenon.
This is an automated message from the Librarian Bot. I found the following papers similar to this paper.
The following papers were recommended by the Semantic Scholar API
- Not All Synthetic Data Is Yours to Learn From (2026)
- Probing Privacy Leaks in LLM-based Code Generation via Test Generation (2026)
- From Anchors to Supervision: Memory-Graph Guided Corpus-Free Unlearning for Large Language Models (2026)
- MixSD: Mixed Contextual Self-Distillation for Knowledge Injection (2026)
- Model Organisms Are Leaky: Perplexity Differencing Often Reveals Finetuning Objectives (2026)
- Led to Mislead: Adversarial Content Injection for Attacks on Neural Ranking Models (2026)
- ContinuousBench: Can Differentially Private Synthetic Text Improve Capabilities? (2026)
Please give a thumbs up to this comment if you found it helpful!
If you want recommendations for any Paper on Hugging Face checkout this Space
You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: @librarian-bot recommend
Get this paper in your agent:
hf papers read 2606.06286 Don't have the latest CLI?
curl -LsSf https://hf.co/cli/install.sh | bash Models citing this paper 0
No model linking this paper
Datasets citing this paper 0
No dataset linking this paper
Spaces citing this paper 0
No Space linking this paper