AI will make formal verification go mainstream
TL;DR Highlight
Martin Kleppmann argues LLM-based coding assistants are finally bringing formal verification (which has been stuck in academia for decades) into mainstream software engineering.
Who Should Read
Software engineers curious about formal verification, and researchers working on AI-assisted program correctness tools.
Core Mechanics
- Formal verification (mathematically proving that a program satisfies its specification) has been available in theory for decades but practically unusable: the tooling was too complex and the overhead of writing proofs too high for most engineers.
- LLMs change the equation: they can write Lean/Coq/TLA+ specs and proofs from natural language descriptions, dramatically lowering the entry barrier for engineers with no formal methods background.
- Kleppmann's thesis is that the bottleneck was never the underlying theory — it was the user-facing tooling friction. LLMs remove that friction by generating the proof boilerplate.
- The productivity case for formal verification has always been strongest in safety-critical systems (avionics, medical devices, financial protocols) — LLMs now make it accessible to a broader set of projects.
- There's still a verification gap: an LLM-generated proof may not check, and the proof assistant's kernel will reject it, so the LLM or a human has to iterate. But iterating from a rejected draft is a much better starting point than a blank page.
- The essay cites Terence Tao's recent Lean proof work as evidence that even world-class mathematicians find LLM-assisted formal proofs significantly faster.
Evidence
- Kleppmann is the author of 'Designing Data-Intensive Applications' — his endorsement carries weight in the distributed systems community.
- The Lean community reported a significant uptick in activity and new users after the release of LLMs that can write Lean proofs, suggesting real adoption effect.
- Several HN commenters shared personal experiences of successfully using Claude/GPT to write TLA+ specs for distributed protocols that would have taken weeks manually.
- Skeptics noted that LLMs sometimes generate plausible-looking but logically incorrect proofs; the risk is false confidence. The tool needs to be paired with a proof checker, not trusted standalone.
- Counter-argument raised: the hardest part of formal verification is specifying what you want to prove, not writing the proof itself. LLMs don't help much with specification design.
How to Apply
- If you maintain a critical piece of infrastructure (consensus protocol, auth system, payment logic), try using Claude to generate a TLA+ or Lean spec and see if it catches any edge cases you missed.
- For teams evaluating formal verification: start with a small, well-defined component (e.g., retry logic or a rate limiter), use LLM-generated specs and proofs as a first pass, then run them through the proof checker or model checker.
- Use LLMs to translate existing unit tests into property-based tests or formal invariants — lower risk entry point than full formal verification.
- Pair with the tool that actually checks the artifact: Lean's kernel for Lean proofs, the TLC model checker (or the TLAPS proof system) for TLA+. The LLM generates the proof, the tool validates it. Don't trust LLM proofs without machine verification, and in Lean also confirm that an accepted proof contains no `sorry` and relies on no extra axioms (`#print axioms <theorem>` lists them), and that the theorem statement is really the property you care about.
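The workflow above in miniature, as an added example that is not from Kleppmann's essay or from the Lean/TLA+ tooling: a token-bucket rate limiter is written as a transition system, the kind of example-based check a developer would put in a unit test is kept alongside a state invariant, and a small explicit-state explorer (the same idea TLC applies to a TLA+ spec, reimplemented here in a few lines of Python) walks every reachable state. The capacity, refill rate, invariant and the "forgot to clamp on refill" bug are constructed for the example.

```python
"""Explicit-state check of a token-bucket rate limiter (added example).

The unit-test scenario passes for both the buggy and the fixed refill;
exhaustive exploration of the reachable states finds the missing clamp.
Capacity, rate, the invariant and the bug are assumptions for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, List


@dataclass(frozen=True)
class State:
    tokens: int  # tokens currently in the bucket
    burst: int   # requests admitted since the last refill


Refill = Callable[[State, int, int], State]


def refill_buggy(s: State, cap: int, rate: int) -> State:
    # Forgets to clamp: an idle bucket accumulates credit without bound,
    # so after a quiet period a client can burst past the capacity.
    return State(s.tokens + rate, 0)


def refill_fixed(s: State, cap: int, rate: int) -> State:
    # Clamped refill: the bucket never holds more than `cap` tokens.
    return State(min(cap, s.tokens + rate), 0)


def request(s: State) -> State:
    # Admit if a token is available, otherwise deny (state unchanged).
    return State(s.tokens - 1, s.burst + 1) if s.tokens > 0 else s


def invariant(s: State, cap: int) -> bool:
    # Safety property: never more tokens than capacity, and no burst
    # larger than the capacity between two refills.
    return 0 <= s.tokens <= cap and s.burst <= cap


def unit_test_scenario(refill: Refill, cap: int = 3, rate: int = 1) -> bool:
    # One hand-picked trace: drain the bucket, refill once, and check that
    # exactly `rate` further requests are admitted.  Both refills pass this.
    s = State(cap, 0)
    for _ in range(cap):
        s = request(s)
    s = refill(s, cap, rate)
    admitted = 0
    for _ in range(cap):
        nxt = request(s)
        admitted += nxt.burst - s.burst
        s = nxt
    return admitted == rate and invariant(s, cap)


def model_check(refill: Refill, cap: int = 3, rate: int = 1,
                max_states: int = 10_000) -> Optional[Tuple[List[str], State]]:
    """Breadth-first search over every reachable state.

    Returns None if the invariant holds on all explored states (the fixed
    limiter has a finite state space, so this is exhaustive), otherwise the
    shortest action trace leading to the violating state.  `max_states`
    bounds exploration for models whose state space is unbounded.
    """
    init = State(cap, 0)
    parent = {init: None}  # state -> (previous state, action) or None
    queue = deque([init])
    while queue and len(parent) <= max_states:
        s = queue.popleft()
        if not invariant(s, cap):
            trace, cur = [], s
            while parent[cur] is not None:
                prev, act = parent[cur]
                trace.append(act)
                cur = prev
            return list(reversed(trace)), s
        for act, nxt in (("refill", refill(s, cap, rate)), ("request", request(s))):
            if nxt not in parent:
                parent[nxt] = (s, act)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("unit test, buggy refill:", unit_test_scenario(refill_buggy))
    print("unit test, fixed refill:", unit_test_scenario(refill_fixed))
    print("model check, buggy refill:", model_check(refill_buggy))
    print("model check, fixed refill:", model_check(refill_fixed))
```

The counterexample for the buggy refill is a single `refill` action from the full bucket: the unit test never exercised "refill while already full", which is exactly the edge case that exhaustive exploration cannot skip. The same invariant written as a TLA+ `Inv` and checked with TLC, or stated as a Lean theorem over the transition function, is the next step the page describes; what changes is that the checker covers all states rather than the traces a developer happened to think of.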
Terminology
Related Papers
What happened after 2k people tried to hack my AI assistant
Results of a public experiment in which more than 6,000 emails were used to attempt prompt injection attacks against an AI agent: Claude Opus 4.6 never once allowed the secret file to be exfiltrated, but there was heated debate about how realistic the experiment's design was.
When Does Combining Language Models Help? A Co-Failure Ceiling on Routing, Voting, and Mixture-of-Agents Across 67 Frontier Models
Combining multiple LLMs is bounded by the co-failure rate β, the fraction of inputs on which every model is wrong at the same time, and the pairwise correlation coefficient ρ that industry relies on does not predict this ceiling.
Beyond Function Calling: Benchmarking Tool-Using Agents under Tool-Environment Unreliability
Releases ToolBench-X, a benchmark that measures how well LLM agents hold up when, as in real deployments, APIs break or return anomalous results.
Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs
Scanning 6,038 LG and Samsung smart TV apps found residential proxy SDKs in 2,058 of them, which covertly sell the user's IP address and relay third-party traffic through it. Because a TV is not monitored the way a computer is, it is a nearly ideal proxy host.
Prompt Injection as Role Confusion
An ICML 2026 paper arguing that the root cause of prompt injection is a structural flaw: the LLM cannot distinguish the system prompt, user input, and tool output. It gives a clear analysis of the limits of current LLM security architectures.
GPT-5.5 hallucinates 3x more than MIT-licensed GLM-5.2
Contrary to the common assumption that larger models perform better, a benchmark found that the open-source 753B-parameter model GLM-5.2 hallucinates three times less often than GPT-5.5, estimated at 1-2T parameters. The warning: choosing a model on parameter count and benchmark scores alone can burn you in real work.