Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference

Catherine Chen; Jingyan Shen; Lihua Lei; Zhun Deng

arxiv: 2606.00320 · v1 · pith:URZTMLRUnew · submitted 2026-05-29 · 💻 cs.LG

Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference

Catherine Chen , Jingyan Shen , Zhun Deng , Lihua Lei This is my paper

Pith reviewed 2026-06-28 23:17 UTC · model grok-4.3

classification 💻 cs.LG

keywords CVaRconformal inferenceadversarial robustnessonline learningtail risk controlrisk managementdistribution-free methods

0 comments

The pith

An online conformal procedure controls CVaR at a target level under any adversarial non-stationary process.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a distribution-free online framework for controlling Conditional Value-at-Risk that works even when the data distribution changes arbitrarily or adversarially over time. It extends conformal tail risk control by using the Rockafellar-Uryasev variational representation to handle the nonlinear nature of CVaR. This yields provable safety guarantees without assuming stationarity or linearity. The authors prove that the realized empirical CVaR approaches the target level asymptotically and remains tight up to a finite-sample gap.

Core claim

The central discovery is a procedure that leverages the Rockafellar-Uryasev representation to cast CVaR control as a problem solvable by conformal inference in an online fashion, delivering asymptotic control of the empirical CVaR at the target level for any data-generating process, with the control being asymptotically tight apart from a finite-sample conservatism gap.

What carries the argument

The Rockafellar-Uryasev variational representation of CVaR, which reduces the risk measure to an optimization problem that conformal tail risk control can handle online.

If this is right

The framework applies directly to portfolio risk management under non-stationary market conditions.
It enables toxicity mitigation in LLMs by controlling the risk of rare but severe failures.
Safety guarantees hold for any non-stationary or strategically shifting data process.
The control achieves asymptotic tightness, avoiding unnecessary conservatism in the long run.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The method could generalize to controlling other tail-based risk measures in adversarial settings.
It suggests a way to maintain safety in deployed systems without assuming the environment remains fixed after training.
Practical tests on drifting real-world data streams would quantify the size of the finite-sample gap.

Load-bearing premise

The Rockafellar-Uryasev representation allows the transfer of conformal tail risk control guarantees to the fully adversarial non-stationary case.

What would settle it

An experiment in which an adversary manipulates the data sequence so that the long-run empirical CVaR stays strictly above the target level by more than the predicted gap would falsify the asymptotic control claim.

Figures

Figures reproduced from arXiv: 2606.00320 by Catherine Chen, Jingyan Shen, Lihua Lei, Zhun Deng.

**Figure 1.** Figure 1: Online CVaR control via Rockafellar-Uryasev Conformal inference. Left: Uncontrolled tail risk in adversarial or non-stationary environments leads to catastrophic failures. Middle: Our method combines Conformal Decision Theory with AdaGradFTRL. Right: The resulting controller provably enforces the target CVaR level with adversarial guarantees. large language model (LLM) alignment. In such applications, c… view at source ↗

**Figure 2.** Figure 2: LLM Toxicity Control Experiment. Realized empirical CVaRβ and evolution of λt for β = 0.85 with target α = 0.1, step size γ = 0.05, and 100 steps of burn-in for the Uniform regime in the first column, Adversarial regime in middle column, and Adversarial-Jump regime in the right column. We compare RUCC against a static baseline with a fixed λ throughout the experiment. Specifically, we estimate a constant t… view at source ↗

**Figure 3.** Figure 3: Portfolio Management Experiment. Realized empirical 180-day rolling CVaRβ (top row) and evolution of λt (bottom row) for β = 0.85, γ = 0.05 with target α = 0.01 and burn-in period of 100 days during 1991–2001 in the first column, 2009–2018 in second column, 1991–2025 in the third column. where r risky t and r risk-free t denote the return of the risky asset and the return of the risk-free asset, respective… view at source ↗

**Figure 4.** Figure 4: LLM Toxicity Control Experiment. Dataset toxicity distributions under different sampling regimes. (Top) Stationary uniform sampling. (Middle) Adversarial setting with progressively tail-thickening sampling. (Bottom) Adversarial-jump setting. C. Additional Results for Experiment 1: Large Language Model Toxicity Control Figures 4a, 4b, and 4c visualize the empirical distribution of human toxicity scores for … view at source ↗

**Figure 5.** Figure 5: LLM Toxicity Control Experiment. Evolution of at parameter in Beta distribution under different sampling regimes: adversarial setting (left), adversarial-jump setting (right). From the figures, it can be observed that at is increasing overall across time for both regimes, while spontaneous shocks are injected to the adversarial-jump regime, where at can take values as low as 0.5, or as high as 5. C.2. Addi… view at source ↗

**Figure 6.** Figure 6: LLM Toxicity Control Experiment. Realized empirical CVaRβ and evolution of λt with γ = 0.05, and target α = 0.1 for the uniform regime 22 [PITH_FULL_IMAGE:figures/full_fig_p022_6.png] view at source ↗

**Figure 7.** Figure 7: LLM Toxicity Control Experiment. Realized empirical CVaRβ and evolution of λt with γ = 0.05, and target α = 0.1 for the adversarial regime 23 [PITH_FULL_IMAGE:figures/full_fig_p023_7.png] view at source ↗

**Figure 8.** Figure 8: LLM Toxicity Control Experiment. Realized empirical CVaRβ and evolution of λt with γ = 0.05, and target α = 0.1 for the adversarial-jump regime 24 [PITH_FULL_IMAGE:figures/full_fig_p024_8.png] view at source ↗

**Figure 9.** Figure 9: Portfolio Management Experiment. Realized empirical CVaRβ and evolution of λt for γ = 0.05 with target α = 0.01 during 1991–2000. 26 [PITH_FULL_IMAGE:figures/full_fig_p026_9.png] view at source ↗

**Figure 10.** Figure 10: Portfolio Management Experiment. Realized empirical CVaRβ and evolution of λt for γ = 0.05 with target α = 0.01 during 2009–2018. 27 [PITH_FULL_IMAGE:figures/full_fig_p027_10.png] view at source ↗

**Figure 11.** Figure 11: Portfolio Management Experiment. Realized empirical CVaRβ and evolution of λt for γ = 0.05 with target α = 0.01 during 1991–2025. 28 [PITH_FULL_IMAGE:figures/full_fig_p028_11.png] view at source ↗

read the original abstract

We present an online, distribution-free framework for controlling the Conditional Value-at-Risk (CVaR), extending conformal tail risk control to non-stationary and adversarial environments. Unlike classical risk control methods, which rely on stationarity or linearity of expectation, our approach provides provable safety guarantees for a nonlinear tail risk functional under arbitrary data-generating processes that may drift or shift strategically over time. By leveraging deep connections between conformal tail risk control, online learning, and the variational representation of CVaR introduced by Rockafellar and Uryasev, we develop a novel procedure for online CVaR control with adversarial regret guarantees. The proposed method operates without assumptions on the underlying data-generating process, making it broadly applicable in modern high-stakes deployment settings. We prove that the realized empirical CVaR is asymptotically controlled at the target level, and that the resulting control is asymptotically tight up to a finite-sample conservatism gap. We demonstrate the effectiveness of our approach on portfolio risk management and toxicity mitigation for Large Language Models (LLMs), where rare but catastrophic failures dominate system risk.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper sketches a direction for adversarial CVaR control but the transfer from online regret on the auxiliary problem to uniform tail control is not shown in the abstract.

read the letter

The main thing to know is that this work tries to give distribution-free CVaR control that holds even when an adversary picks the next loss distribution at each step. It does this by folding the Rockafellar-Uryasev variational form into an online procedure that also borrows conformal tail ideas.

What the paper does well is name a practical gap. Most existing conformal risk bounds assume exchangeability or stationarity, which fails in settings like drifting markets or adaptive attacks on models. Framing the problem as regret minimization against arbitrary processes and targeting the nonlinear tail functional is a sensible move, and the two application areas (portfolio risk and LLM toxicity) line up with where such guarantees would matter.

The soft spot is exactly where the stress-test note points. The abstract claims asymptotic control of realized empirical CVaR at the target level with asymptotic tightness up to a finite-sample gap. Yet it supplies no derivation showing how sublinear regret on the auxiliary beta problem produces uniform tracking of the variational minimum when the adversary can shift the distribution arbitrarily. Without that explicit link or error bounds, the central guarantee does not yet close. The abstract also gives no explicit assumptions or tightness rates, so the claim cannot be assessed from the given text.

This is for readers already working on online conformal methods or robust risk measures who want to see how the pieces might fit together. It is not ready for a reader who needs a self-contained proof.

It deserves a serious referee because the problem is real and the high-level approach is not obviously circular, but any review should require the authors to supply the missing transfer argument in detail.

Referee Report

1 major / 2 minor

Summary. The paper proposes an online, distribution-free method for controlling Conditional Value-at-Risk (CVaR) in non-stationary adversarial settings. It extends conformal tail-risk control by combining it with online learning and the Rockafellar-Uryasev variational representation of CVaR, claiming provable safety under arbitrary data-generating processes, asymptotic control of the realized empirical CVaR at the target level, and asymptotic tightness up to a finite-sample gap. Applications to portfolio risk management and LLM toxicity mitigation are mentioned.

Significance. If the central guarantees hold without hidden assumptions on the loss or process, the result would extend conformal methods to nonlinear tail functionals with regret bounds under adversarial shifts, offering a concrete tool for high-stakes risk control where stationarity cannot be assumed.

major comments (1)

[Abstract (proof claims) and the section deriving the online procedure] The abstract asserts that sublinear regret on the auxiliary online problem yields asymptotic control of the realized empirical CVaR under arbitrary adversarial shifts, yet no explicit construction, uniform convergence argument, or error bound is supplied showing how the variational minimum of the RU representation is tracked when the data-generating process is chosen adversarially at each step. This step is load-bearing for the strongest claim.

minor comments (2)

Notation for the target level α and the auxiliary online problem should be introduced with explicit definitions before the regret analysis.
The finite-sample conservatism gap is mentioned but not quantified with explicit rates or dependence on dimension or horizon.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful review and constructive feedback on the proof structure. We address the single major comment below and will revise the manuscript to provide the requested explicit arguments.

read point-by-point responses

Referee: [Abstract (proof claims) and the section deriving the online procedure] The abstract asserts that sublinear regret on the auxiliary online problem yields asymptotic control of the realized empirical CVaR under arbitrary adversarial shifts, yet no explicit construction, uniform convergence argument, or error bound is supplied showing how the variational minimum of the RU representation is tracked when the data-generating process is chosen adversarially at each step. This step is load-bearing for the strongest claim.

Authors: We agree that the manuscript would benefit from a more explicit derivation connecting the sublinear regret of the auxiliary online convex program to the asymptotic CVaR control. While Section 3 derives the online update rule using the Rockafellar-Uryasev representation and Section 4 states the main asymptotic theorem, the chaining argument via uniform convergence of the variational objective under adversarial shifts is only outlined rather than fully expanded with an error bound. In the revised version we will add a dedicated lemma (and supporting proof) that (i) uses the o(T) regret to show that the time-averaged RU objective converges to its infimum, (ii) invokes the conformal threshold update to control the deviation of the empirical tail, and (iii) supplies an explicit finite-sample gap term that vanishes asymptotically even when the data-generating process is chosen adversarially at each step. This will make the load-bearing step fully rigorous without altering the stated claims. revision: yes

Circularity Check

0 steps flagged

No circularity; derivation relies on external variational representation and conformal methods without self-referential reduction.

full rationale

The provided abstract and context cite the Rockafellar-Uryasev representation as an external input and describe an online procedure combining conformal tail control with regret bounds. No equations, self-citations, or fitted parameters are shown that reduce the asymptotic CVaR control claim to a tautology or prior author result by construction. The central guarantee is presented as a proof combining independent components rather than a renaming or self-definition. Without explicit load-bearing self-citations or fitted-input predictions in the given material, the derivation is treated as self-contained.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review supplies no explicit free parameters, axioms, or invented entities; the central claim rests on unstated technical connections between conformal inference and the Rockafellar-Uryasev representation that cannot be audited here.

pith-pipeline@v0.9.1-grok · 5731 in / 1103 out tokens · 18680 ms · 2026-06-28T23:17:01.453676+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

15 extracted references · 12 canonical work pages · 3 internal anchors

[1]

N., Bates, S., Cand`es, E

Angelopoulos, A. N., Bates, S., Cand`es, E. J., Jordan, M. I., and Lei, L. Learn then test: Calibrating predictive al- gorithms to achieve risk control.The Annals of Applied Statistics, 19(2):1641–1662, 2025a. Angelopoulos, A. N., Bates, S., Fisch, A., Lei, L., and Schuster, T. Conformal risk control. InThe Twelfth International Conference on Learning Rep...

work page arXiv
[2]

doi: 10.1111/j.1467-9965.2007.00311

ISSN 1467-9965. doi: 10.1111/j.1467-9965.2007.00311. x. URL https://onlinelibrary.wiley.com/ doi/10.1111/j.1467-9965.2007.00311.x. Chen, C. Y .-C., Shen, J., Deng, Z., and Lei, L. Conformal tail risk control for large language model alignment,

work page doi:10.1111/j.1467-9965.2007.00311 2007
[3]

cjadams, andinversion, D

URLhttps://arxiv.org/abs/2502.20285. cjadams, andinversion, D. B., Sorensen, J., Dixon, L., Vasserman, L., and nithum. Jigsaw unintended bias in toxicity classification,

work page arXiv
[4]

P., Eyre, B., Inamdar, A., Madras, D., and Zemel, R

Deng, Z., Zollo, T. P., Eyre, B., Inamdar, A., Madras, D., and Zemel, R. Quest: Enhancing estimates of quantile- based distributional measures using model predictions. arXiv preprint arXiv:2507.05220,

work page arXiv
[5]

RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models

Accessed via public API. Gehman, S., Gururangan, S., Sap, M., Choi, Y ., and Smith, N. A. Realtoxicityprompts: Evaluating neural toxic degeneration in language models.arXiv preprint arXiv:2009.11462,

work page internal anchor Pith review Pith/arXiv arXiv 2009
[6]

Crafting papers on machine learning

Langley, P. Crafting papers on machine learning. In Langley, P. (ed.),Proceedings of the 17th International Conference on Machine Learning (ICML 2000), pp. 1207–1216, Stan- ford, CA,

2000
[7]

Lei, L., Sahoo, R., and Wager, S

Morgan Kaufmann. Lei, L., Sahoo, R., and Wager, S. Policy learning under bi- ased sample selection.arXiv preprint arXiv:2304.11735,

work page arXiv
[8]

McMahan, H

URLhttps://arxiv.org/abs/2310.05921. McMahan, H. B. Follow-the-regularized-leader and mirror descent: Equivalence theorems and l1 regularization. In Proceedings of the 14th International Conference on Arti- ficial Intelligence and Statistics (AISTATS), volume 15 of JMLR Workshop and Conference Proceedings, pp. 525– 533,

work page arXiv
[9]

Red Teaming Language Models with Language Models

URL https://arxiv.org/abs/2202.03286. Rockafellar, R. T. and Uryasev, S. Optimization of conditional value-at-risk.Journal of Risk, 2(3):21–42,

work page internal anchor Pith review Pith/arXiv arXiv
[10]

Tyrrell Rockafellar and Stanislav Uryasev

doi: 10.21314/JOR.2000.038. URL https: //www.risk.net/journal-risk/2161159/ optimization-conditional-value-risk. Sahoo, R., Lei, L., and Wager, S. Learning from a biased sample,

work page doi:10.21314/jor.2000.038 2000
[11]

Learning from a Biased Sample

URL https://arxiv.org/abs/ 2209.01754. Shalev-Shwartz, S. Online learning and online convex opti- mization.Foundations and Trends in Machine Learning, 4(2):107–194,

work page internal anchor Pith review Pith/arXiv arXiv
[12]

10 Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference Yang, Z., Cand `es, E., and Lei, L

URL https://arxiv.org/abs/2212.13629. 10 Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference Yang, Z., Cand `es, E., and Lei, L. Bellman conformal inference: Calibrating prediction intervals for time se- ries,

work page arXiv
[13]

Zollo, T., Morrill, T., Deng, Z., Snell, J., Pitassi, T., and Zemel, R

URL https://arxiv.org/ abs/2510.08748. Zollo, T., Morrill, T., Deng, Z., Snell, J., Pitassi, T., and Zemel, R. Prompt risk control: A rigorous framework for responsible deployment of large language models. In International Conference on Learning Representations, volume 2024, pp. 4045–4067, 2024a. Zollo, T. P., Morrill, T., Deng, Z., Snell, J. C., Pitassi,...

work page arXiv 2024
[14]

Initially, λt remains large, corresponding to less aggressive filtering

and theadversarial-jumpsetting (Figure 8), λt exhibits a clear decreasing trend over time for all β. Initially, λt remains large, corresponding to less aggressive filtering. As the controller accumulates evidence and adapts to the realized tail distribution, λt is gradually reduced, reflecting an increasingly strict control of the risky region. Larger β v...

1991
[15]

Accordingly, as the baseline controller has a fixed λt, its associated realized CVaRβ grows beyond the target level over time. In contrast, the realized tail risk of the RUCC controller initially starts below the target level and steadily increases over time as the controller adapts, and moves tightly around the target level as time passes. During 2009–20...

2009

[1] [1]

N., Bates, S., Cand`es, E

Angelopoulos, A. N., Bates, S., Cand`es, E. J., Jordan, M. I., and Lei, L. Learn then test: Calibrating predictive al- gorithms to achieve risk control.The Annals of Applied Statistics, 19(2):1641–1662, 2025a. Angelopoulos, A. N., Bates, S., Fisch, A., Lei, L., and Schuster, T. Conformal risk control. InThe Twelfth International Conference on Learning Rep...

work page arXiv

[2] [2]

doi: 10.1111/j.1467-9965.2007.00311

ISSN 1467-9965. doi: 10.1111/j.1467-9965.2007.00311. x. URL https://onlinelibrary.wiley.com/ doi/10.1111/j.1467-9965.2007.00311.x. Chen, C. Y .-C., Shen, J., Deng, Z., and Lei, L. Conformal tail risk control for large language model alignment,

work page doi:10.1111/j.1467-9965.2007.00311 2007

[3] [3]

cjadams, andinversion, D

URLhttps://arxiv.org/abs/2502.20285. cjadams, andinversion, D. B., Sorensen, J., Dixon, L., Vasserman, L., and nithum. Jigsaw unintended bias in toxicity classification,

work page arXiv

[4] [4]

P., Eyre, B., Inamdar, A., Madras, D., and Zemel, R

Deng, Z., Zollo, T. P., Eyre, B., Inamdar, A., Madras, D., and Zemel, R. Quest: Enhancing estimates of quantile- based distributional measures using model predictions. arXiv preprint arXiv:2507.05220,

work page arXiv

[5] [5]

RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models

Accessed via public API. Gehman, S., Gururangan, S., Sap, M., Choi, Y ., and Smith, N. A. Realtoxicityprompts: Evaluating neural toxic degeneration in language models.arXiv preprint arXiv:2009.11462,

work page internal anchor Pith review Pith/arXiv arXiv 2009

[6] [6]

Crafting papers on machine learning

Langley, P. Crafting papers on machine learning. In Langley, P. (ed.),Proceedings of the 17th International Conference on Machine Learning (ICML 2000), pp. 1207–1216, Stan- ford, CA,

2000

[7] [7]

Lei, L., Sahoo, R., and Wager, S

Morgan Kaufmann. Lei, L., Sahoo, R., and Wager, S. Policy learning under bi- ased sample selection.arXiv preprint arXiv:2304.11735,

work page arXiv

[8] [8]

McMahan, H

URLhttps://arxiv.org/abs/2310.05921. McMahan, H. B. Follow-the-regularized-leader and mirror descent: Equivalence theorems and l1 regularization. In Proceedings of the 14th International Conference on Arti- ficial Intelligence and Statistics (AISTATS), volume 15 of JMLR Workshop and Conference Proceedings, pp. 525– 533,

work page arXiv

[9] [9]

Red Teaming Language Models with Language Models

URL https://arxiv.org/abs/2202.03286. Rockafellar, R. T. and Uryasev, S. Optimization of conditional value-at-risk.Journal of Risk, 2(3):21–42,

work page internal anchor Pith review Pith/arXiv arXiv

[10] [10]

Tyrrell Rockafellar and Stanislav Uryasev

doi: 10.21314/JOR.2000.038. URL https: //www.risk.net/journal-risk/2161159/ optimization-conditional-value-risk. Sahoo, R., Lei, L., and Wager, S. Learning from a biased sample,

work page doi:10.21314/jor.2000.038 2000

[11] [11]

Learning from a Biased Sample

URL https://arxiv.org/abs/ 2209.01754. Shalev-Shwartz, S. Online learning and online convex opti- mization.Foundations and Trends in Machine Learning, 4(2):107–194,

work page internal anchor Pith review Pith/arXiv arXiv

[12] [12]

10 Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference Yang, Z., Cand `es, E., and Lei, L

URL https://arxiv.org/abs/2212.13629. 10 Adversarially Robust Control of Conditional Value-at-Risk via Rockafellar-Uryasev Conformal Inference Yang, Z., Cand `es, E., and Lei, L. Bellman conformal inference: Calibrating prediction intervals for time se- ries,

work page arXiv

[13] [13]

Zollo, T., Morrill, T., Deng, Z., Snell, J., Pitassi, T., and Zemel, R

URL https://arxiv.org/ abs/2510.08748. Zollo, T., Morrill, T., Deng, Z., Snell, J., Pitassi, T., and Zemel, R. Prompt risk control: A rigorous framework for responsible deployment of large language models. In International Conference on Learning Representations, volume 2024, pp. 4045–4067, 2024a. Zollo, T. P., Morrill, T., Deng, Z., Snell, J. C., Pitassi,...

work page arXiv 2024

[14] [14]

Initially, λt remains large, corresponding to less aggressive filtering

and theadversarial-jumpsetting (Figure 8), λt exhibits a clear decreasing trend over time for all β. Initially, λt remains large, corresponding to less aggressive filtering. As the controller accumulates evidence and adapts to the realized tail distribution, λt is gradually reduced, reflecting an increasingly strict control of the risky region. Larger β v...

1991

[15] [15]

Accordingly, as the baseline controller has a fixed λt, its associated realized CVaRβ grows beyond the target level over time. In contrast, the realized tail risk of the RUCC controller initially starts below the target level and steadily increases over time as the controller adapts, and moves tightly around the target level as time passes. During 2009–20...

2009