Ongoing AI compliance audits open persistent gaming channels that simple static auditors cannot fully close; periodic sample-aware rules and history-conditioned escalation each seal different loopholes, but a commitment-aware evader can still outmaneuver both.
Continuous post-deployment compliance audits, mandated by emerging regulations such as the EU AI Act and Digital Services Act, create a class of strategic gaming distinct from the one-shot input/output gaming studied in prior work. Regulated systems can delay outcome reporting, drift their reports within plausible noise envelopes, exploit longitudinal sample attrition, and cherry-pick among ambiguous metric definitions. We formalize continuous auditing as a $T$-round Stackelberg game between an auditor that commits to a temporal policy and an adaptive auditee, and identify a structural feature of any noise-aware static-auditor design: a cover regime in which coverage gaps and granularity gaps cannot be closed simultaneously. We make this formal as Observation 1 and show that two minimal extension policies, each derived from the observation, close the regime along orthogonal axes: a sample-size-aware static rule (Periodic-with-floor) closes the granularity-failure case, while a history-conditioned suspicion-escalation policy closes the coverage-failure case for the naive Drift strategy -- and neither closes both, exactly as the observation predicts; an audit-aware OffAuditDrift strategy that exploits Stackelberg commitment defeats both. To support empirical study we contribute a non-additive harm decomposition (welfare loss $W$, coverage loss $C$) that exposes how attrition shifts harm from the regulator-accountable surface to a regulator-invisible one; an initial library of five auditee strategies (Delay, Drift, Cherry-pick, Attrition, OffAuditDrift) and five auditor policies, calibrated to summary statistics from published audits of the DSA Transparency Database; and a reproducible simulator with a small, extensible Python interface.
Summary
Main Finding
Continuous (multi-round) compliance audits create a qualitatively different strategic problem than one-shot audits: for any noise-aware static temporal audit design that uses a Wald-style acceptance band, there is a quantifiable "cover regime" in which the auditor cannot simultaneously close (a) coverage gaps (auditee hides bad reporting by not reporting on some rounds) and (b) granularity gaps (auditee shrinks reported sample sizes so noise envelopes hide systematic bias). Two minimal policy extensions close the regime only along orthogonal axes (sample-size floor closes granularity; history-conditioned escalation closes coverage for naïve drift), and an audit-aware auditee (OffAuditDrift) exploiting the auditor’s committed schedule can evade all fixed static cadences. Continuous auditing therefore requires adaptive/structural remedies (minimum sample commitments, secret/randomized or history-conditioned audits, compelled data access) rather than only temporal cadence choices.
Key Points
- Formal model: continuous compliance modeled as a T-round Stackelberg game (auditor commits a temporal policy; auditee adapts its reported metric and reported sample size across rounds).
- Detection rule: the auditor applies a noise-aware Wald-style threshold, flagging round $t$ when $|\hat m_t - m_t| > \varepsilon + z\sqrt{\hat m_t(1-\hat m_t)/n_t}$, so detection sensitivity increases with the claimed sample size $n_t$.
- Cover regime (Observation 4.1): define $\Delta(\hat m, n_{\min}, n_{\max}) = \left(\varepsilon + z\sqrt{\hat m(1-\hat m)/n_{\max}},\; \varepsilon + z\sqrt{\hat m(1-\hat m)/n_{\min}}\right]$. If a uniform drift $\delta$ lies in $\Delta$, then:
  - If the auditor does not audit every round, the auditee can drift on unaudited rounds (coverage failure) and is never detected.
  - If the auditor audits every round but cannot constrain $n_t$, the auditee can report small $n_t$ (attrition) and drift by $\delta$ without detection (granularity failure).
  - Shrinking one failure class (e.g., auditing more rounds) does not remove the other unless the auditor leaves the static temporal-only policy class (e.g., imposes $n_t$ floors or conditions audits on history).
- Harm decomposition (non-additive): two accountability surfaces are identified:
  - Welfare loss $W = \sum_{t\ \text{unaudited}} n_t\,|\hat m_t - m_t|$ (harm inside the verified report on unaudited rounds).
  - Coverage loss $C = \sum_{t} (N - n_t)\,|\hat m_t - m_t|$ (harm to the excluded population). Attrition shifts harm from $W$ to $C$; total societal harm is reallocated and may be hidden from regulator metrics if only $W$ is observed.
- Canonical auditee strategies provided: Honest, Delay, Drift, Cherry-pick, Attrition, OffAuditDrift. OffAuditDrift is audit-aware: honest on audited rounds, drifts on known off-audit rounds (requires the auditor’s committed schedule to be public/deterministic).
- Auditor policy primitives: One-shot, Periodic, Scheduled-random (all static temporal), and two minimal exits: Min-sample floor (Periodic-with-floor) and Suspicion-escalation (history-conditioned escalation).
- Empirical artifact: a pip-installable Python simulator, calibrated to summary statistics from published DSA Transparency Database audits, with reproducible experiments and standard metrics (gaming gap, time-to-detection, W, C). The full headline grid runs quickly on a laptop.
Data & Methods
- Formalization:
  - $T$-round Stackelberg game between an auditor (commits policy $\pi$) and an auditee (strategy $\sigma$ chooses a reported metric $\hat m_t \in [0,1]$ and a sample size $n_t \in \{n_{\min}, n_{\max}\}$ each round).
  - Three information regimes are considered: R1 (public deterministic schedule), R2 (public randomized policy, private draw), R3 (adaptive secret schedule).
  - The auditor's test is a Wald-style CI around the auditee's report; a Bonferroni-adjusted $z$ is used to control family-wise error across audited rounds when requested.
- Strategy and policy library:
  - Auditee strategies implemented: Delay (lagged reporting), Drift (fixed additive bias), Cherry-pick (report the max of $K$ noisy estimates), Attrition (reduce $n_t$ when the metric crosses a threshold, plus drift), OffAuditDrift (honest on audited rounds, drift on known off-audit rounds).
  - Auditor policies: One-shot, Periodic, Scheduled-random (static); Min-sample floor (enforce $n_t \ge n_{\text{floor}}$ on audited rounds); Suspicion-escalation (start periodic; once a gap above threshold is observed, audit every subsequent round).
- Metrics:
  - Gaming gap $G$: mean of $\hat m_t - m_t$ over audited rounds.
  - Time-to-detection $\tau_d$ (uncorrected and Bonferroni-corrected).
  - Welfare loss $W$ and coverage loss $C$ as above (note: $W$ and $C$ are not additive components of a single total; they represent different accountable surfaces).
- Empirics / calibration:
  - Simulator parameters (e.g., $\sigma$ for latent drift, $m_0$, $n_{\min} = 100$, $n_{\max} = 1000$, $\delta$ and $\delta_{\text{cover}}$ values) are tuned to summary statistics reported in DSA audits (Drolsbach & Pröllochs 2023; Trujillo et al. 2025).
  - Experiments show: (i) Min-sample floor defeats granularity failure but does not stop coverage failure under OffAuditDrift; (ii) Suspicion-escalation defeats naive Drift's coverage failure in many cases but does not fix granularity failure without sample constraints; (iii) OffAuditDrift defeats static cadences when the schedule is public.
- Reproducibility: the artifact is pip-installable, with deterministic seeds, JSON outputs, and a small API to add strategies/policies.
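As an added example (not the paper's simulator), the detection rule, the cover interval $\Delta$, and the $W$/$C$ decomposition from the Key Points and Data & Methods above, run with a periodic auditor against simplified Drift, Attrition and OffAuditDrift auditees. $n_{\min}=100$ and $n_{\max}=1000$ are the page's values; $\varepsilon=0.02$, $z=1.96$, true metric $0.8$, drift $0.07$, population $N=5000$, $T=12$ and an audit cadence of 3 are constructed assumptions, and the Attrition auditee here always reports $n_{\min}$ instead of switching on a threshold.

```python
import math

# Page values: n_min = 100, n_max = 1000. Constructed assumptions: eps, z, m_true, N.
EPS, Z = 0.02, 1.96

def wald_band(m_hat, n, eps=EPS, z=Z):
    """Noise-aware acceptance band: eps + z*sqrt(m_hat(1-m_hat)/n)."""
    return eps + z * math.sqrt(m_hat * (1.0 - m_hat) / n)

def detected(m_hat, m_true, n, eps=EPS, z=Z):
    """Wald-style test: flag when |m_hat - m_true| exceeds the band at sample size n."""
    return abs(m_hat - m_true) > wald_band(m_hat, n, eps, z)

def cover_interval(m_hat, n_min, n_max, eps=EPS, z=Z):
    """Delta(m_hat, n_min, n_max) = (band at n_max, band at n_min]."""
    return wald_band(m_hat, n_max, eps, z), wald_band(m_hat, n_min, eps, z)

def in_cover_regime(delta, m_hat, n_min, n_max, eps=EPS, z=Z):
    """True when a uniform drift delta is detectable at n_max but not at n_min."""
    lo, hi = cover_interval(m_hat, n_min, n_max, eps, z)
    return lo < delta <= hi

def simulate(T, audit_every, m_true, delta, N, n_min, n_max, strategy):
    """Periodic auditor (audits rounds 0, audit_every, 2*audit_every, ...) against a
    simplified auditee. Returns (first detection round or None, W, C)."""
    tau_d, W, C = None, 0.0, 0.0
    for t in range(T):
        audited = t % audit_every == 0
        if strategy == "offauditdrift":      # honest only on audited rounds
            m_hat, n_t = (m_true if audited else m_true + delta), n_max
        elif strategy == "attrition":        # drift, but shrink the reported sample
            m_hat, n_t = m_true + delta, n_min
        else:                                # naive drift at full sample size
            m_hat, n_t = m_true + delta, n_max
        gap = abs(m_hat - m_true)
        if audited and tau_d is None and detected(m_hat, m_true, n_t):
            tau_d = t
        if not audited:
            W += n_t * gap                   # harm inside the report, unaudited rounds
        C += (N - n_t) * gap                 # harm to the excluded population
    return tau_d, W, C

if __name__ == "__main__":
    print("Delta(0.87, 100, 1000) =", cover_interval(0.87, 100, 1000))
    for s in ("drift", "attrition", "offauditdrift"):
        print(s, simulate(12, 3, 0.8, 0.07, 5000, 100, 1000, s))
```

With these inputs naive Drift is caught on the first audited round, while Attrition (reporting $n_{\min}$) and OffAuditDrift are never detected; Attrition moves harm from $W$ to $C$ compared with Drift.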
Implications for AI Economics
- Regulatory design is fundamentally an incentive-design problem over time. Static scheduling choices (audit cadence alone) are insufficient when regulated firms can control what is reported (definition), when (timing), and how much of the population is included (sample size).
- Measurement and welfare misallocation:
  - Regulators who rely only on audited-round statistics ($W$) can be systematically misled: firms can use attrition or off-audit drifting to reallocate harm into unobserved or excluded populations ($C$). Market welfare estimates and externalities will be biased downward from the regulator's perspective.
- Enforcement cost trade-offs:
  - Enforcing a minimum sample size (or compelled data access) reduces the auditee's ability to hide bias via attrition, but may raise compliance costs, generate pushback over legitimate small populations, and invite legal challenges, so the economic trade-off between enforcement cost and residual harm matters.
  - Secret/randomized audit draws (or at least non-publicized schedules) reduce the effectiveness of audit-aware strategies like OffAuditDrift; however, they may be operationally and politically harder to implement (transparency vs. enforcement trade-offs).
- Optimal monitoring requires adaptive auditing:
  - History-conditioned escalation (or richer sequential testing procedures: SPRT, CUSUM, Bayesian posteriors) can stop some coverage failures early at modest cost. Economics research should model the auditor's optimal dynamic policy given enforcement cost constraints and potential strategic responses.
- Market competition and firm behavior:
  - Firms facing weak temporal-only audits have incentives to manipulate reported metrics in ways that distort competition (apparent superior compliance without actual quality improvements), potentially creating adverse selection and reducing social welfare.
- Policy recommendations (from an economic perspective):
  - Combine temporal randomness/secret scheduling with enforceable minimum-sample or compelled-disclosure rules to limit both coverage and granularity failures.
  - Track both audited-sample welfare ($W$) and measures of coverage ($n_t/N$ or detected attrition) so regulators can detect reallocation of harm.
  - Calibrate enforcement (sample floors, penalties for selective attrition, compelled access) by weighing monitoring/verification costs against expected welfare gains from reduced strategic evasion.
- Research directions for AI economics:
  - Solve for Stackelberg equilibria when both auditor and auditee can be adaptive across repeated plays (multi-play reputational effects, fines, litigation).
  - Endogenize enforcement costs and legal constraints, and study how different enforcement budgets change optimal monitoring (e.g., when to invest in secret audits vs. sample-floor enforcement).
  - Empirically estimate how often attrition and off-audit strategies are used in real markets, and quantify welfare transfers across observed and excluded populations using field data (e.g., ingest per-platform DSA-TDB traces).
  - Extend to multi-target regulators (many firms), resource-constrained audit allocation, and strategic complementarities across firms (herding in reporting practices).
Short summary: the paper formalizes continuous compliance as a temporal Stackelberg game, exposes a precise structural trade-off for noise-aware static auditors (the cover regime), demonstrates that simple policy extensions close only one axis of failure each, and supplies a calibrated, reproducible simulator and strategy/policy library to study these dynamics. The core economic takeaway is that monitoring design must jointly consider schedule secrecy/randomization, sample-size enforcement, and history-conditioned adaptation to prevent firms from reallocating harm into regulator-invisible pockets.
Assessment
Claims (9)
| Claim | Direction | Confidence | Outcome | Details |
|---|---|---|---|---|
| Continuous post-deployment compliance audits, mandated by emerging regulations such as the EU AI Act and Digital Services Act, create a class of strategic gaming distinct from the one-shot input/output gaming studied in prior work. (Governance And Regulation) | negative | high | existence of a distinct class of strategic gaming (audit-evasion behaviors) under continuous audits | 0.12 |
| Regulated systems can delay outcome reporting, drift their reports within plausible noise envelopes, exploit longitudinal sample attrition, and cherry-pick among ambiguous metric definitions. (Governance And Regulation) | negative | high | types of auditee strategic behaviors available under continuous audits | 0.12 |
| We formalize continuous auditing as a T-round Stackelberg game between an auditor that commits to a temporal policy and an adaptive auditee. (Governance And Regulation) | positive | high | game-theoretic representation of auditor-auditee interaction (model formalization) | 0.2 |
| We identify a structural feature of any noise-aware static-auditor design: a cover regime in which coverage gaps and granularity gaps cannot be closed simultaneously (formalized as Observation 1). (Regulatory Compliance) | negative | high | trade-off between coverage gaps and granularity gaps in static auditing designs | 0.12 |
| Two minimal extension policies, each derived from the observation, close the regime along orthogonal axes: a sample-size-aware static rule (Periodic-with-floor) closes the granularity-failure case, while a history-conditioned suspicion-escalation policy closes the coverage-failure case for the naive Drift strategy — and neither closes both, exactly as the observation predicts. (Regulatory Compliance) | mixed | high | ability of proposed auditor policies to close granularity or coverage failures | 0.12 |
| An audit-aware OffAuditDrift strategy that exploits Stackelberg commitment defeats both (Periodic-with-floor and history-conditioned suspicion-escalation) auditor extensions. (Governance And Regulation) | negative | high | effectiveness of an audit-aware auditee strategy at defeating auditor policies | 0.12 |
| We contribute a non-additive harm decomposition (welfare loss W, coverage loss C) that exposes how attrition shifts harm from the regulator-accountable surface to a regulator-invisible one. (Governance And Regulation) | negative | high | distribution of harm (welfare loss vs coverage loss) and effect of sample attrition | 0.12 |
| We provide an initial library of five auditee strategies (Delay, Drift, Cherry-pick, Attrition, OffAuditDrift) and five auditor policies, calibrated to summary statistics from published audits of the DSA Transparency Database. (Governance And Regulation) | positive | high | availability of calibrated strategy/policy library and calibration to DSA summary statistics | 0.12 |
| We release a reproducible simulator with a small, extensible Python interface to support empirical study. (Research Productivity) | positive | high | availability of a reproducible simulation tool and Python interface | 0.12 |