What does 'formal certification' actually mean for machine learning?
Formal certification means using mathematical proof, not just testing, to guarantee that a machine learning model behaves correctly under all possible conditions. Traditional testing checks a few examples, but formal methods like Satisfiability Modulo Theories (SMT) solvers or barrier certificates can exhaustively verify properties across the entire input space [1][7]. For instance, one study encoded tree-based models as logical formulas and proved that no possible input could violate a safety rule like 'water table depth must be physically consistent' [1].
This is fundamentally different from post-hoc explainability tools like SHAP and LIME, which only diagnose individual predictions approximately. The same study showed that in counterexamples where a model violated a safety specification, the offending feature could rank last in SHAP importance, proving that explanations are no substitute for formal proof [1].
What is the catch? The accuracy-safety trade-off is real.
The strongest evidence comes from a 2026 study that formally verified 33 variants of XGBoost and Explainable Boosting Machines (EBMs) trained on 7,291 geotechnical sites. An unconstrained EBM achieved 80.1% accuracy but violated all four physical safety specifications. A fully constrained EBM satisfied three of four specifications but dropped to 67.2% accuracy [1]. No variant in the study achieved both over 80% accuracy and full compliance, revealing a persistent trade-off between predictive performance and provable safety.
This trade-off is not unique to geotechnical models. A 2025 systematic literature review of 46 studies on formal methods for ML safety confirmed that scalability to large models and integration with training remain persistent challenges [3]. The review noted that while techniques like reachability analysis, SMT-based verification, and control barrier functions have advanced, real-world validation is still limited [3].
How are real systems being certified today?
In aviation, a 2025 case study demonstrated an end-to-end certification workflow for an Aircraft Emergency Braking System (AEBS) integrating two deep neural networks. The study systematically mapped machine learning assurance processes onto conventional Design Assurance Level (DAL) C objectives, showing that certification is feasible when statistical methods and safety assessment are tightly integrated [6]. This is a practical reference, not just theory.
Another approach, called Proof-Carrying Machine Learning (PCML), ships models with explicit, checkable evidence—proofs, certificates, or verifiable artifacts—that substantiate safety claims under stated assumptions [2]. This reframes certification as a governance problem: the 'proof' must bind assumptions, scope conditions, and monitoring duties to the decisions made by the autonomous system [2]. Similarly, a 2025 framework unified adversarial training and differentiable logics to enforce logical specifications during training, demonstrated on a neural network controller for a drone [5].
What can't formal certification do yet?
Formal certification struggles with scale, uncertainty, and emerging model types. A 2026 review of formal methods for ML identified scalability to large and complex models as a major gap, along with limited real-world validation and integration with training processes [3]. For example, verifying graph neural networks with uncertain node features and graph structure over multiple message-passing steps is an open problem [8]. Neural ODEs, a newer continuous model class, have barely been studied for safety despite showing higher performance on image recognition [4].
Even when certification is possible, it often requires restrictive assumptions. A 2025 framework for certifying robustness against data poisoning and evasion attacks introduced barrier certificates and probably approximately correct (PAC) bounds, but these rely on modeling training as a discrete-time dynamical system—an assumption that may not hold for all architectures [7]. The bottom line: formal certification is advancing rapidly, but it is not yet a plug-and-play solution for every ML system in every safety-critical domain.
Sources used in this answer
Formal verification of tree-based machine learning models for lateral spreading
No model variant among 33 tested achieved both >80% accuracy and full compliance with all four physical safety specifications; an unconstrained EBM (80.1% accuracy) violated all four, while a fully constrained EBM (67.2%) satisfied three [1].
Proof-Carrying Machine Learning for Safety-Critical Autonomy
Proof-Carrying Machine Learning (PCML) reframes certification as shipping models with explicit, checkable evidence (proofs, certificates) that bind assumptions and monitoring duties to safety claims [2].
Formal methods for safety-critical machine learning: a systematic literature review
A systematic review of 46 studies (2020–2025) found that scalability to large models, integration with training, and limited real-world validation remain persistent challenges for formal methods in ML safety [3].
Formal Verification of Neural ODE for Safety Evaluation in Autonomous Vehicles
Neural ODEs have been barely studied for safety and formal guarantees, despite showing higher performance than classical neural networks on image recognition [4].
A General Framework for Property-Driven Machine Learning
A unified framework combining adversarial training and differentiable logics was demonstrated on a neural network controller for a drone, enabling property-driven learning [5].
Certifying Machine Learning in Aviation: An End-to-End DAL C Case Study
An end-to-end certification case study of an Aircraft Emergency Braking System (AEBS) with two deep neural networks mapped ML assurance onto DAL C objectives, providing a practical reference [7].
Robustness Certificates for Neural Networks Against Data Poisoning and Evasion Attacks
A formal robustness certification framework using barrier certificates and PAC bounds certified non-trivial perturbation budgets against both poisoning and evasion attacks on MNIST, SVHN, CIFAR-10, and CIFAR-100 [10].
Formal Verification of Graph Convolutional Networks with Uncertain Node Features and Uncertain Graph Structure
No prior work verified robustness of generic graph convolutional networks with uncertainty in node features and graph structure over multiple message-passing steps; this work addressed that gap using reachability analysis with polynomial zonotopes [11].