Go to ICLR 2026 Workshop Trustworthy AI homepageExpert Selections In MoE Models Reveal (Almost) As Much As Text
Keywords: mixture of experts, privacy, inversion attack
TL;DR: We show that per-token MoE router top-k expert IDs leak substantial information about the input, enabling high-accuracy text reconstruction from expert routing alone.
Abstract: We present a text-reconstruction attack on mixture-of-experts (MoE) language models that recovers tokens from expert selections alone. In MoE models, each token is routed to a subset of expert subnetworks; we show these routing decisions leak substantially more information than previously understood. Prior work using logistic regression achieves limited reconstruction; we show that a 3-layer MLP improves this to 63.1\% top-1 accuracy, and that a transformer-based sequence decoder recovers 91.2\% of tokens top-1 (94.8\% top-10) on 32-token sequences from OpenWebText after training on 100M tokens. These results connect MoE routing to the broader literature on embedding inversion. We outline practical leakage scenarios (e.g., distributed inference and side channels) and show that adding noise reduces but does not eliminate reconstruction. Our findings suggest that expert selections in MoE deployments should be treated as sensitive as the underlying text.
Submission Number: 91
Loading