Six papers accepted at ICLR2026

Our group will present six papers at ICLR 2026. 4 papers are accepted at ICLR's main track, one paper is presented through TMLR's journal-to-conference track, and one paper is presented through a spotlight talk at the Trustworthy AI workshop. Congratulations! 

Edit-Based Flow Matching for Temporal Point Processes
(David Lüdke*, Marten Lienen*, Marcel Kollovieh and Stephan Günnemann)

What if modeling event sequences didn't require processing them one event at a time? Temporal point processes are fundamental for modeling events in continuous time—from financial transactions to social network activity—yet most approaches rely on autoregressive generation. Recent diffusion-inspired methods offered a compelling alternative by jointly transforming noise into data through insertions and deletions, but they still lack the expressivity to efficiently navigate sequence space. In this work, we introduce EdiTPP, which adds substitution as a third atomic operation within a continuous-time Markov chain framework. This seemingly simple addition has profound effects: substitutions act as shortcuts that bypass costly delete-insert pairs, reducing total edit operations by ~17% while achieving up to 4× faster sampling. Our unconditionally trained model flexibly handles both unconditional generation and conditional tasks like forecasting—without task-specific retraining. Empirically, EdiTPP achieves state-of-the-art results across synthetic and real-world benchmarks while offering a principled compute-quality tradeoff at inference time. Overall, our work demonstrates that the right choice of elementary operations can fundamentally improve how we generate structured sequences in continuous time.

Discrete Bayesian Sample Inference for Graph Generation
(Ole Petersen*, Marcel Kollovieh*, Marten Lienen and Stephan Günnemann)

Generating graphs is hard. They show up everywhere: molecules, knowledge graphs, networks, but they're discrete and unordered, which makes them challenging to generate. We're introducing GraphBSI, a one-shot graph generator that takes a Bayesian approach: instead of "noising and denoising" graphs, it refines a probabilistic belief over graphs in a continuous parameter space, until converging at a discrete one. This makes handling discrete structure much more natural. On the theory side, we formulate Bayesian Sample Inference (BSI) as an SDE and derive a noise-controlled family that preserves the right marginals using a score approximation, and we show connections to Bayesian Flow Networks and Diffusion models.

Sampling-aware Adversarial Attacks Against Large Language Models
(Tim Beyer, Yan Scholten, Leo Schwinn*, Stephan Günnemann*)

Adversarial robustness of large language models is typically evaluated using single, greedy generations, despite the repeated stochastic sampling which occurs in real-world applications. This paper shows that ignoring sampling fundamentally overestimates LLM safety. We introduce a sampling-aware perspective that treats sampling as a first-class attack component and frames adversarial attacks as a compute-constrained resource allocation problem between prompt optimization and generation. By reallocating compute from optimization to sampling, we demonstrate dramatic improvements: existing attacks become up to two orders of magnitude more efficient and achieve up to +37 p.p. higher attack success rates at equal compute. Analyzing the full distribution of output harmfulness reveals that most optimization strategies primarily suppress refusals rather than increasing harm severity, explaining why sampling is so effective. Finally, we propose a label-free, model-agnostic entropy-maximization objective that is explicitly designed for sampling-aware attacks and uncovers tail risks missed by standard objectives. Overall, our results establish sampling as essential for realistic LLM safety evaluation and attack design at scale.

Model Collapse Is Not a Bug but a Feature in Machine Unlearning for LLMs
(Yan Scholten, Sophie Xhonneux, Leo Schwinn*, Stephan Günnemann*)

What if one of the most critical failure modes in generative AI could be turned into a feature? In this work, we explore how model collapse -- typically considered a bug -- can actually help us unlearn data safely and effectively. Current unlearning methods take a counterintuitive approach: they optimize against the very data they are supposed to unlearn, with negative effects for privacy and safety. Our approach challenges this paradigm and instead draws inspiration from model collapse -- the phenomenon where generative models trained on their own outputs gradually degrade in quality. By carefully guiding this collapse process, we can transform what was once a failure mode into a powerful mechanism for unlearning targeted information from LLMs. Our method achieves unlearning without reusing sensitive data, supported by both theoretical analysis and empirical evidence. Overall, our work opens exciting new directions in trustworthy AI: leveraging collapse to enable safer and more principled unlearning in LLMs and beyond.

Further, one paper will be presented that got awarded a J2C-Certification :

Adversarial Robustness of Graph Transformers 
(Philipp Foth*, Lukas Gosch*, Simon Geisler, Leo Schwinn, Stephan Günnemann)

Existing studies have shown that Message-Passing Graph Neural Networks (MPNNs) are highly susceptible to adversarial attacks. In contrast, despite the increasing importance of Graph Transformers (GTs), their robustness properties are unexplored. We close this gap and design the first adaptive attacks for GTs. In particular, we provide general design principles for strong gradient-based attacks on GTs w.r.t. structure perturbations and instantiate our attack framework for five representative and popular GT architectures. Specifically, we study GTs with specialized attention mechanisms and Positional Encodings (PEs) based on pairwise shortest paths, random walks, and the Laplacian spectrum. We evaluate our attacks on multiple tasks and perturbation models, including structure perturbations for node and graph classification, and node injection for graph classification. Our results reveal that GTs can be catastrophically fragile in many cases. Addressing this vulnerability, we show how our adaptive attacks can be effectively used for adversarial training, substantially improving robustness.

Lastly, one paper will be presented as a spotlight talk at the Trustworthy AI @ ICLR 26 Workshop:

Exact Certification of Neural Networks and Partition Aggregation Ensembles against Label Poisoning
(Ajinkya Mohgaonkar, Lukas Gosch, Mahalakshmi Sabanayagam, Debarghya Ghoshdastidar, Stephan Günnemann)

Label-flipping attacks, which corrupt training labels to induce misclassifications at inference, remain a major threat to supervised learning models. This drives the need for robustness certificates that provide formal guarantees about a model's robustness under adversarially corrupted labels. Existing certification frameworks rely on ensemble techniques such as smoothing or partition-aggregation, but treat the corresponding base classifiers as black boxes, yielding overly conservative guarantees. We introduce EnsembleCert, the first certification framework for partition-aggregation ensembles that utilizes white-box knowledge of the base classifiers. Concretely, EnsembleCert yields tighter guarantees than black-box approaches by aggregating per-partition white-box certificates to compute ensemble-level guarantees in polynomial time. To extract white-box knowledge from the base classifiers efficiently, we develop ScaLabelCert, a method that leverages the equivalence between sufficiently wide neural networks and kernel methods using the neural tangent kernel. ScaLabelCert yields the first exact, polynomial-time calculable certificate for neural networks against label-flipping attacks.