A mechanism for trust-minimized language-model serving over untrusted hardware.
Networks that buy inference from untrusted operators must detect a provider who substitutes a cheaper model, serves stale outputs, or returns degraded results. The prevailing designs either pair cryptographic per-request verification with a large slashable correctness bond, raising a capital barrier that excludes casual supply, or abandon the bond for subjective quality scoring, which is gameable. We show this is a false choice forced by expensive verification. Recent verifiable-inference primitives, locality-sensitive activation commitments and log-probability spot-checks, verify a request at a small constant fraction (rho) of its generation cost, cheap enough to audit nearly every request rather than a small sample. We prove that under escrowed payment and indistinguishable audits, honesty is a provider's best response precisely when the detection margin q satisfies q ≥ Δ/(p+Φ), where Δ is the per-request compute saved by cheating, p the fee, and Φ the franchise value of continued participation. Market viability already forces Δ < p, so driving q toward 1 via full-coverage verification makes a zero bond, and even a zero franchise, sufficient: forfeiture of the escrowed fee on the cheated request alone deters. This frees stake to serve priority and availability, and reassigns Sybil resistance to a non-capital, hardware-rooted cost that bounds an operator's fraction of identities by its share of physical throughput, which we show reduces verifier collusion to the standard honest-majority threshold. The construction is modality-agnostic: the same mechanism covers diffusion and codec models through a trajectory commitment whose single-step re-check preserves the small cost ratio. The same cheap verification applies per segment, so a model too large for any single GPU is sharded across a cohort of untrusted commodity machines, each segment independently re-executed, signed, and paid for the layers it served under a conservation invariant, with no per-shard bond to multiply. We machine-check the economic claims in the Z3 SMT solver and the Lean proof assistant, model-check the deterrence game in PRISM-games, verify the settlement protocol in ProVerif and Tamarin, and implement and measure the full audited path on a production engine. We claim no new cryptographic primitive; the contribution is the mechanism design that composes existing inference-verification primitives into a permissionless verified-inference network in which honest providers risk zero capital, a design we have not seen elsewhere.