Standard audits for federated learning security have a blind spot, and researchers just mapped it.
Federated learning lets many clients train a shared model without sharing raw data — but that openness to outside contributors also opens the door to backdoor attacks, where a compromised client poisons the model to misbehave on specific inputs. The typical audit checks clean accuracy and a single known-trigger attack success rate. Researchers introduced FLAT, a stress-testing framework that separates the attacker's target intent from the specific trigger used, then samples across many trigger variations to see how the hidden behavior actually shifts. On three standard image benchmarks, FLAT achieved attack success rates above 94% while keeping the model's normal performance intact.
The more uncomfortable finding is what FLAT reveals about defenses: a server-side rule that suppresses one attack mode can leave a different target label fully exposed. That means passing a standard audit says less than it looks like — a model could be clean against the one trigger you tested and compromised against a dozen you didn't.
Federated learning has been pitched heavily as a privacy-preserving solution for healthcare and finance, sectors where a silent backdoor is not a theoretical concern. The research community has produced a steady stream of defenses, but FLAT's findings suggest the audit methodology hasn't kept pace — measuring one trigger and calling it done is closer to security theater than a real reliability check.