IBM · Filed Jan 7, 2025 · Published Jul 9, 2026 · verified — real USPTO data

IBM Patents a Way to Protect AI Models by Feeding Them Controlled Noise

IBM wants to make AI models forget things they shouldn't remember, and the method involves deliberately corrupting the math happening inside the network at every step.

IBM Patent: Adding Noise to AI Models for Privacy — figure from US 2026/0195594 A1
Figure from the official USPTO publication.
See all 11 drawings from this filing ↓
Publication number US 2026/0195594 A1
Applicant INTERNATIONAL BUSINESS MACHINES CORPORATION
Filing date Jan 7, 2025
Publication date Jul 9, 2026
Inventors Guy Amit, Abigail Goldsteen, ARIEL FARKASH
CPC classification 706/25
Grant likelihood Medium
Examiner CENTRAL, DOCKET (Art Unit OPAP)
Status Docketed New Case - Ready for Examination (Feb 13, 2025)
Document 20 claims

How IBM's noise trick keeps AI outputs private

Imagine an AI assistant that, after answering your question, couldn't be forced to reveal what it learned about you in the first place. That's the direction IBM is pointing with this patent.

When an AI processes your input, it passes signals through layers of a neural network, each layer building on the last. IBM's idea is to insert a small module between those layers that deliberately scrambles the signal a little, clipping extreme values and adding carefully chosen random noise before passing anything forward. The AI still gets a useful answer out, but the internal signals are harder to reverse-engineer back to your original data.

This matters most in settings where privacy regulations require that sensitive information not leak out of an AI system. By baking the noise in during both training and actual use, IBM's approach tries to make the protection consistent rather than bolted on afterward.

How the Noisy Forward module clips and perturbs activations

The patent describes a component called a Noisy Forward (NF) module that sits between the hidden layers of a neural network (the internal computation stages that turn your input into an output).

At each layer, the network produces what's called an activation matrix, essentially a table of numbers representing how strongly different features of your input fired. The NF module does three things to that matrix before passing it along:

  • Clipping: Any value above or below a set threshold gets cut to that threshold, preventing extreme outliers from carrying too much information.
  • Noise sampling: A random number is drawn from a unimodal symmetric distribution (think a bell curve centered at zero, so the noise is just as likely to push a value up as down) and added to the clipped matrix.
  • Forwarding: The scrambled matrix is passed to the next layer, and the process repeats until the final layer produces an answer.

This technique is closely related to differential privacy, a mathematical framework (used by Apple and Google in their data collection) that guarantees individual data points can't be identified from aggregate outputs. IBM applies that same logic inside the network itself, not just to its outputs.

What this means for enterprise AI privacy compliance

For companies running AI on sensitive data, such as medical records, financial history, or internal documents, the risk isn't just that the AI gives a wrong answer. It's that someone could probe the model with clever questions and extract information it was trained on. IBM's noise injection approach targets that extraction risk directly, making the internal states of the model harder to reverse.

If IBM integrates this into its watsonx platform or similar enterprise AI offerings, it could become a compliance checkbox for regulated industries. The catch is that adding noise always costs some accuracy, and the patent doesn't fully resolve that tradeoff. How much noise is enough to protect privacy without making the AI noticeably worse is the real engineering problem this filing leaves open.

Editorial take

This is a legitimate and well-studied problem in AI security, and IBM's framing of differential privacy as an in-network module rather than a post-processing step is a reasonable engineering approach. It's not a flashy consumer story, but for enterprise buyers who need to prove their AI doesn't leak training data, this kind of patent signals IBM is building toward certifiable privacy guarantees.

The drawings

11 drawing sheets from US 2026/0195594 A1 · click any drawing to enlarge

Patent filing page

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.