English

Differentially Private Auditing Under Strategic Response

Computer Science and Game Theory 2026-05-11 v1 Cryptography and Security Machine Learning

Abstract

Regulatory audits of AI systems increasingly rely on differential privacy (DP) to protect training data and model internals. We study audit design when the audited developer can strategically respond to the privacy-constrained audit interface. We formalize privacy-constrained auditing as a bilevel Stackelberg game, in which an auditor commits to a query policy and DP budget allocation across harm dimensions, and a strategic developer reallocates mitigation efforts in response. We introduce the welfare-weighted under-detection gap BwB_w, the welfare-weighted true residual harm the audit fails to detect at the developer's strategic best response, and prove that naive DP auditing (uniform or harm-proportional allocation) induces a strictly larger BwB_w than any non-strategic mitigation baseline whenever effective detectability is heterogeneous, the welfare weights are not comonotone with detectability, and the developer's optimum is interior. We characterize the optimal auditor allocation as a four-factor balance of welfare weight, audit miss-probability, detectability elasticity, and mitigation-cost curvature, and provide a single-level reformulation of the bilevel problem via the developer's KKT system. We propose Strategic Private Audit Design (SPAD), a projected-gradient algorithm with hypergradients computed through the developer's best response.

Keywords

Cite

@article{arxiv.2605.07674,
  title  = {Differentially Private Auditing Under Strategic Response},
  author = {Florian A. D. Burnat},
  journal= {arXiv preprint arXiv:2605.07674},
  year   = {2026}
}
R2 v1 2026-07-01T12:57:39.857Z