This work proposes a zero-shot, post-hoc privacy auditing framework that requires no intervention in model training or repeated retraining, addressing the impracticality of existing methods for large-scale deployed systems. By leveraging only known member and non-member samples, the approach introduces causal inference principles to model confounding effects induced by distributional shifts. It features a dual correction strategy operating at both global and instance levels, integrating adaptive composition analysis with pointwise membership inference calibration. Empirical evaluations on synthetic data and large-scale models demonstrate the method’s effectiveness, marking the first practical and efficient privacy audit achievable without any model retraining.

Privacy auditing provides empirical lower bounds on the differential privacy parameters of learning algorithms. Existing methods, however, require interventional access to the training pipeline, either to retrain multiple times or to randomize data inclusion. This is often infeasible for large deployed systems such as foundation models. We introduce Zero-Run privacy auditing, a post-hoc framework for auditing models using two fixed datasets: examples known to be training-set members and examples known to be non-members. In this observational regime, membership is no longer randomized; instead, member and non-member data often differ in distribution, so membership inference scores may reflect a distribution shift rather than algorithmic leakage. Drawing on ideas from causal inference, we formalize this confounding effect and propose two complementary corrections that yield valid privacy audits. Our first approach models the combined effect of distribution shift and algorithmic leakage as an adaptive composition, producing conservative global corrections. Our second approach conditions on observed data and adjusts pointwise membership guesses, yielding sharper instance-dependent bounds. Experiments on synthetic data and large-scale models show that Zero-Run auditing enables practical privacy evaluation when retraining or controlled data insertion is infeasible.