View PDF

Abstract:AI systems are increasingly deployed for credit assessment and investment advisory in global financial markets, yet the integrity of their inference pipelines remains insufficiently addressed by existing regulatory frameworks. This paper identifies and empirically validates an invisible manipulation channel operating at the sampling layer of LLM inference--a vulnerability that allows adversaries to systematically bias AI-generated financial opinions while preserving full compliance with output-based audit mechanisms, including statistical watermarking. We show that this inference-stage manipulation is statistically hard to detect: the Kullback-Leibler divergence between manipulated and normal output distributions can be made arbitrarily small, so that any output-based detection scheme requires impractically large sample sizes to achieve reliable detection power. Empirical experiments across credit rating and investment advisory scenarios show that directional bias keywords can be amplified by 1.8-1.9x under stealth-preserving (aware) manipulation while triggering zero of six black-box detectors and preserving watermark integrity. The vulnerability generalizes across three mainstream watermarking schemes and three heterogeneous model architectures, establishing it as a systemic financial infrastructure risk. Software-based defenses including cryptographically secure pseudorandom number generators are entirely ineffective, while QRNG combined with TEE hardware isolation achieves 100% attack blocking--reducing the target rate to the natural baseline--by replacing the predictable hash key with quantum-derived entropy that renders all pre-computed manipulation targets invalid. We propose four regulatory amendments centered on mandatory QRNG certification for high-risk financial AI systems under NIST SP 800-90B, inference-layer supply chain audits, and output provenance mechanisms.

Submission history

From: Ziyang You [view email]
[v1] Mon, 15 Jun 2026 02:27:42 UTC (573 KB)