Verifiable inference (TOPLOC) lets a buyer confirm a rented GPU really ran their model, which is what lets a network safely use unapproved supply.
A receipt for work done on a machine you don't own, and why it widens the pool of supply you can actually use.
Disclosure: we're building a venture in this category. The analysis below sticks to public figures and named sources, and we flag our own stake where it's relevant.
Send an inference job to a GPU you don't control and you're making a quiet act of faith. You're trusting that the machine ran your model, not a smaller one that costs the host less power. That it computed a fresh answer, instead of replaying a cached one. That it did the work at all, rather than returning plausible noise and pocketing the fee.
For most of the rented-GPU market, that faith rests on reputation and a refund policy. Which is fine until the job is one where a wrong answer is expensive, or invisible.
The structural problem sits one layer down. A network knows which machines signed up. By default it does not know whether a returned result was genuinely computed on the hardware claimed. When a network also pays providers for participation, that gap gets exploited: results get faked to collect the reward.
This isn't hypothetical. One large decentralized network's own January 2026 review reported roughly 2,752 verified GPUs against a registered base it has put north of 327,000, under 1% verified (a leading decentralized GPU network, 2025 year-in-review, Jan 2026). A separate scar is on record too: a 2024 Sybil incident in which a single machine was split to present as roughly 1.8 million virtual GPUs (per Messari's report, summarized in our competitive file). The headline machine count climbed. The trustworthy supply did not.
We dug into the supply-versus-verified gap itself in the flagship piece, The sub-1% problem in decentralized compute. This piece is about the mechanism that closes it.
The technique has a name in the research literature: TOPLOC, a method, presented at ICML 2025, for cheaply checking that a node actually performed the inference it claims. The mechanics are statistical rather than brute-force: the verifier takes a locality-sensitive hash of the model's internal activations and samples a fraction of the work, so it can flag a result that didn't come from the model and hardware claimed, without re-running the whole job.
That last clause is the part that matters commercially. Full re-computation would erase the cost advantage of renting cheap hardware in the first place. Sampling a few percent does not.
A registration count tells you how many machines signed up. A verification result tells you which ones did the work. You pay for the second number, not the first.
The networks pulling real, paid workloads today mostly solve the trust problem by hand: whitelists, closed supplier lists, manual vetting. It works. It also doesn't scale, and it quietly excludes the largest pool of idle hardware on earth: consumer machines nobody has hand-approved.
Automatic, cryptographic-grade verification flips that. If a buyer can trust a result without trusting the operator personally, the network can safely admit machines it never met. The verification layer becomes the thing that lets open supply behave like curated supply.
That's not a small distinction. It's the difference between a network that stays small because it must vet everyone, and one that can grow because it doesn't have to.
Verification proves the computation. It does not, by itself, prove the machine was available when you needed it, or that the host couldn't observe your data. Those are separate problems with separate fixes (network isolation, attestation, availability scoring). And no sampling method is free; there's a real engineering cost to running it at scale, which is precisely why most networks haven't.
So treat "verifiable inference" as one pillar, not the whole building. The privacy pillar beside it is its own argument, the one we make in The data you can't send to the cloud is the data most worth computing on. But verification is the pillar that decides whether the building can have more than a hand-picked dozen tenants.
Full disclosure on where we land: Griddly, the AI venture we're building, treats automatic cryptographic verification as the load-bearing wall, the thing that lets a buyer trust a machine no human pre-approved. Not more GPUs on a homepage. Provable ones.
Nothing here is an offer to sell a security or investment advice.
Field notes on venture building, AI, and capital. No spam, unsubscribe anytime.
By subscribing you agree to receive AOS Insights e-mails. We use your address only for this newsletter - see our Privacy Policy.