“Towards Integrated Understanding of Trustworthy AI” – ELSA General Assembly 2026 Workshop 2

On May 5 – 7, ELSA will host its final General Assembly. On the last day, May 7th, we invite all participants to join us for our workshops! Here’s what is in store for you.

Workshop Topic

Machine learning systems are increasingly deployed in high-stakes contexts, yet “trustworthy AI” remains fragmented into separate research and governance areas such as fairness, robustness, privacy, and explainability. These properties are typically studied and evaluated independently, despite the fact that real systems must satisfy them simultaneously. As a result, improvements along one dimension frequently degrade another, as well as the accuracy or performance of the system.

This workshop proposes an integrated perspective on trustworthy AI: rather than treating its properties as independent requirements, we frame them as interacting objectives. The goal is to develop shared conceptual tools for understanding tensions between dimensions (e.g., privacy vs. fairness, robustness vs. accuracy) and to identify directions towards improving trade-offs in trustworthy AI. The questions that we aim to address include:

  • Which trade-offs in trustworthy AI are inevitable vs. which can be softened or eliminated?
  • What technical or governance approaches should be prioritized for integrated trustworthy AI?
  • At what stage of the lifecycle (data collection, model training, deployment, monitoring) can conflicts between objectives most effectively be addressed?
  • What evaluation practices and metrics are needed to measure relations between multiple dimensions of trustworthy AI?
  • What institutional barriers should be overcome for interdisciplinary research in integrated trustworthy AI?
  • How can community artifacts (benchmarks, audits, standards, or checklists) evolve to reflect interacting objectives rather than independent requirements?
  • How can we better design and evaluate multiple dimensions in trustworthy AI in practice?

The workshop will include short introductions of the trustworthy AI disciplines, keynotes covering the pathways towards the integrated approaches, and a poster session. In addition, we foresee structured interactive sessions with the audience. The outcomes of the discussions will be synthesized into a community white paper outlining open problems, common terminology, and practical guidelines for developing and evaluating trustworthy AI systems.

Speakers

Ruta Binkyte-Sadauskiene (Speaker & Organizer), CISPA

Ruta Binkyte-Sadauskiene is a postdoctoral researcher in AI Ethics and Safety at the Helmholtz Centre for Information Security (CISPA). Her background includes Social Anthropology and Computer Science, which helps her to tackle complex socio-technical trade-offs in AI.

Antoine Gautier, QuantPi

Antoine Gautier is chief scientist and co-founder at QuantPi. He has been working on technical assessments of AI systems for more than ten years. Antoine is a mathematician by training and did his PhD in a machine learning group at Saarland University. He is an active contributor to multiple standardization committees in the context of quality assurance for AI systems. As part of his responsibilities at QuantPi, Antoine serves as principal investigator for various grant and tender projects at German national and European level.

Talk: “Building Trust Chains in the Agentic Era”

Advances in foundation models and multi-agent systems have accelerated the use of AI to test AI. While this offers a unique opportunity to scale AI testing in industry, it also increases the risk of relying on inaccurate and misleading results. This session explores this trade-off, providing practical examples and mitigation strategies.

Dr. Ana-Maria Cretu, CISPA

Dr. Ana-Maria Cretu is a faculty member at CISPA, where she develops private and secure data systems by building tools to systematically reason about the trade-offs between general-purpose capabilities in these systems and their privacy and security requirements, with a focus on generative AI, synthetic data, and anonymization.

Talk: “Evaluating Concept Filtering Defenses against Child Sexual Abuse Material Generation by Text-to-Image Models”

Text-to-image models such as Stable Diffusion enable the creation of AI-generated child sexual abuse material (AIG-CSAM) on an unprecedented scale. In the context of disabling unwanted capabilities, training data filtering has been called the “gold standard” approach. In particular, to prevent AIG-CSAM generation, several organizations recommend that model developers filter images of children from training datasets. In this talk, I will describe results of our evaluation of the effectiveness of child filtering to disable AIG-CSAM. First, I will describe how we can capture the difficulty of preventing AIG-CSAM generation using a game-based security definition. Second, I will show that current detection methods cannot remove all children from a dataset. Third, using an ethical proxy for CSAM, I will present results of our evaluation of the difficulty to generate the proxy using a range of adversaries. Our results show that current child filtering methods offer limited protection to closed-weight models and no protection to open-weight models, while reducing the generality of the model. I will conclude by outlining challenges in conducting evaluations that establish robust evidence on the impact of training data filtering defenses for CSAM.

Prof. Dr. Catuscia Palamidessi, Inria Saclay

Catuscia Palamidessi is Director of Research at Inria Saclay (since 2002), where she leads the team COMETE. She has been Full Professor at the University of Genova, Italy (1994-1997) and at Penn State University, USA (1998-2002). Palamidessi’s research interests include Privacy, Machine Learning, Fairness, Secure Information Flow, Formal Methods, and Concurrency.

Talk: “Privacy-preserving Federated Distribution Estimation: Local Differential Privacy Strikes Back”

The differential privacy literature consistently reports that, for any fixed privacy budget, the central model always provides better utility than the local model. In this work, we challenge this prevailing view in the setting of federated distribution estimation, where multiple independent parties, each holding their own dataset protected with differential privacy (possibly with different parameters $\epsilon_j$), aim to jointly obtain a more accurate estimate of the underlying data distribution without exposing their raw data to one another.

We compare the standard federated central DP approach with a protocol consisting of two components: a local DP mechanism ($k$-RR) applied to each data point of each party, and the Generalized Iterative Bayesian Update (GIBU) estimator applied by the aggregator to infer the global distribution. We provide a rigorous theoretical analysis of the Mean Squared Error (MSE) for both approaches.

Our findings reveal a striking result: when the number of datasets is large, and the data from different parties can be shuffled together, the local DP approach can significantly outperform central DP in terms of the privacy-utility trade-off. The reason is that the estimation error in the central model is approximately proportional to the sum of the variances of the noise added by each server, which relates to the sum of the inverse of the squared privacy parameters, $\sum_j (1/\epsilon_j^2)$. In contrast, in our local DP approach using GIBU, the error is approximately proportional to the inverse of the sum of the squared privacy parameters, $1/(\sum_j \epsilon_j^2)$. 

Consequently, the central model is crippled by the parties with very small $\epsilon_j$, while the GIBU-based local model leverages the aggregate privacy of the entire federation. Extensive experimental evaluations confirm our theoretical results, showing that local differential privacy “strikes back” in federated settings, providing a more robust and accurate estimation than traditional central mechanisms.
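
An added illustration of the protocol described in this abstract (not code from the talk, its authors, or ELSA): a Python sketch of $k$-RR applied to each data point and a plain iterative Bayesian update (EM) run by the aggregator over the shuffled reports. It assumes each report carries its party's $\epsilon_j$; the function names, the sample distribution and the $\epsilon_j$ values are constructed for illustration, and the authors' GIBU estimator may differ in detail.

```python
import math
import random

def krr_channel(k, eps):
    """Return (p, q): k-RR keeps the true value w.p. p, emits each other value w.p. q."""
    p = math.exp(eps) / (math.exp(eps) + k - 1)
    return p, (1.0 - p) / (k - 1)

def krr_report(x, k, eps, rng):
    """Apply k-RR locally to one data point x in {0..k-1}."""
    p, _ = krr_channel(k, eps)
    if rng.random() < p:
        return x
    other = rng.randrange(k - 1)          # uniform over the k-1 other values
    return other if other < x else other + 1

def ibu_estimate(reports, k, iters=300):
    """EM / iterative Bayesian update over (report, eps) pairs with per-report channels."""
    counts = {}                           # eps -> histogram of reported values
    for y, eps in reports:
        counts.setdefault(eps, [0] * k)[y] += 1
    theta = [1.0 / k] * k                 # start from the uniform distribution
    for _ in range(iters):
        new = [0.0] * k
        for eps, hist in counts.items():
            p, q = krr_channel(k, eps)
            for y, c in enumerate(hist):
                denom = q + (p - q) * theta[y]   # P(report = y) under current theta
                for x in range(k):
                    new[x] += c * theta[x] * (p if x == y else q) / denom
        theta = [v / len(reports) for v in new]
    return theta

def simulate(true_dist, epsilons, n_per_party, seed=0):
    """Constructed federation: one party per epsilon, reports shuffled together."""
    rng, k, reports = random.Random(seed), len(true_dist), []
    for eps in epsilons:
        for x in rng.choices(range(k), weights=true_dist, k=n_per_party):
            reports.append((krr_report(x, k, eps, rng), eps))
    rng.shuffle(reports)                  # report order no longer reveals the sender
    return ibu_estimate(reports, k)

def error_scaling(epsilons):
    """The two factors named in the abstract: sum_j 1/eps_j^2 and 1/sum_j eps_j^2."""
    return (sum(1 / e**2 for e in epsilons), 1 / sum(e**2 for e in epsilons))

if __name__ == "__main__":
    eps = [0.2, 1.0, 2.0]                 # constructed privacy parameters
    print(simulate([0.5, 0.25, 0.15, 0.1], eps, 20000), error_scaling(eps))
```

With one party at a very small $\epsilon_j$, the first factor returned by `error_scaling` is dominated by that party, while the second barely changes.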

Prof. Dr. Plamen Angelov, Lancaster University

Prof. Angelov holds a Chair in Intelligent Systems and leads the AI group at the School of Computing and Communications, Lancaster University, UK. He is co-Director of one of the programmes funded by ELLIS (on Human-centred machine learning) and founding Director of the Lancaster Intelligent, Robotic and Autonomous systems (LIRA) Centre. He is also Visiting Professor at the PI School of Φ-Lab of the European Space Agency (ESA) and a Fellow of the IEEE, of ELLIS, of the IET and of AAIA.

Talk: “Bringing Learning from Data and Reasoning Closer to Facilitate Human Agency and Oversight”

The success of deep learning fuelled by the Large Language Models (LLMs), Transformers such as ViT and Foundation Models, combined with the abundance of digital data, led to the temptation to short-cut from Data to Predictions, bypassing the deeper insight, reasoning, semantics, causality and logic which are traditionally related to the model structure or architecture. Deep Learning the way we know it offers unparalleled accuracy, generalisation and class separability, but this comes at the cost of an opaque and amorphous internal structure offering little to the increasing demands for human agency, oversight and interpretability with regard to the way the decisions are being made.

In this talk, the deep learning pipeline will be re-examined and compared to the traditional machine learning pipeline on one hand and to the Cognitive Sciences and Agentic AI pipeline on the other; some parallels with the Brain and the way humans make decisions will also be sketched. This analysis identifies Decision Making as the Achilles heel of the contemporary solutions, while Feature Extraction and hyperparametric optimisation are the backbone of the efficiency and impressive performance. Based on this, an alternative to the so-called “end-to-end” mantra will be discussed, offering a modular approach centred on prototype-based knowledge representation (KR). The alternative architectural solutions provide more degrees of freedom with regard to interpretability, human agency and oversight and, interestingly, with regard to adaptivity and continual learning. While traditionally adaptivity (not only in deep learning) is addressed by additive updates (only), in this talk this is critically analysed and considered as one of the reasons for the so-called “catastrophic forgetting”. An alternative is considered instead – adaptation of atomic KR in the form of prototypes and clusters. Interpretability of images is considered as compositional, with semantically meaningful primitive concepts being automatically derived based on clustering embeddings/tokens and their graph representation in the image space. Such KR are considered more adequate than the trivial assumption of weights representing the knowledge. Furthermore, it can be demonstrated that such atomic KR are practically invariant to the latent space transformations and further adaptation during a continual learning process.

Some examples and applications are used mostly as a proof of the concept.

Timings

8:45 – 9:00 Registration
9:00 – 9:15 Introduction, Logistics and Interactive Exercise: Trade-Offs in Trustworthy AI – Ruta Binkyte-Sadauskiene
9:15 – 10:00 Privacy-preserving Federated Distribution Estimation: Local Differential Privacy Strikes Back – Catuscia Palamidessi
10:00 – 10:45 Bringing Learning from Data and Reasoning closer in the Foundation Models Era – Plamen Angelov
10:45 – 11:15 Coffee Break
11:15 – 12:45 Contributed Talks
12:45 – 14:00 Lunch Break
14:00 – 14:45 Building Trust Chains in the Agentic Era – Antoine Gautier
14:45 – 15:45 Interactive Work, Presentations of the Interactive Work, Discussion
15:45 – 16:00 Workshop Closing
16:00 – 17:00 Coffee Break & Poster Session

Registration

Please register by April 30, 2026, and join us for the workshop on day three of the Final ELSA General Assembly.

We are excited to welcome you to Saarbrücken!

Mobility Funding

We support travels to the General Assembly with our mobility fund. Before applying, please read the terms and conditions carefully. Submit your mobility application before the event.

Experienced Researchers

PhDs and Postdocs