Training vs inference
Anticipate failure modes
Training vs inference becomes useful when you can predict its behavior, measure it, and name its limits.
Before you start
Why this matters
Read this failure list once: claiming prompts retrain the model, leaking evaluation data into training, training on unlicensed or sensitive data, using too high a learning rate, serving a checkpoint with a different tokenizer, ignoring inference drift from prompt changes, and comparing training GPU hours with per-request latency as if they were the same metric. Pick the failure that could pass a cheerful demo and explain why the demo would miss it.
1Learn the idea
Read
Failures are part of the design
See it
Training
Inference
Training = long study · Inference = quick answer from what it already learned
Realistic failures include claiming prompts retrain the model, leaking evaluation data into training, training on unlicensed or sensitive data, using too high a learning rate, serving a checkpoint with a different tokenizer, ignoring inference drift from prompt changes, and comparing training GPU hours with per-request latency as if they were the same metric.
Classify each failure as prevent, detect, contain, or recover. Prevention is strongest when a hard invariant is possible: schema validation, access control, data-split isolation, or admission limits. Detection needs an observable signal and owner. Containment limits blast radius with tenant boundaries, read-only tools, canaries, budgets, or circuit breakers. Recovery needs a tested fallback, rollback, re-index, or human queue.
Avoid a vague instruction such as “be careful.” Write a tripwire: a metric threshold, validation error, unexpected version, or forbidden action. Then state the response. If the response is “retry,” explain why the failure is transient and why retrying cannot duplicate a side effect or amplify overload.
Read
Apply it to a concrete case
A classifier trains for five epochs on 80,000 labeled tickets and freezes a checkpoint. Every new ticket then runs a forward pass in milliseconds. Adding today’s policy to a prompt helps that request but does not alter the checkpoint.
The worked number is one epoch over 80,000 examples with batch size 100 requires 800 optimizer steps; five epochs require 4,000 steps. State the unit and denominator whenever you report it. A percentage without a denominator can conceal a tiny sample; a latency without a percentile can conceal slow users; a similarity score without a labeled task can conceal irrelevant neighbors. Compare the observed value with a threshold chosen before seeing the final test result.
Now test the tempting shortcut. Suppose the team optimizes only the most visible metric. The result may look better while the system becomes less trustworthy. The reason is concrete: Training is expensive but amortized across many uses and can change persistent behavior. Inference is repeated per request and dominates operating cost at scale. Fine-tuning can improve stable task behavior but is slower to update than retrieval; retrieval gives fresh facts without changing weights. This is why the decision record must include both the intended gain and the tolerated regression. If the tolerated regression is unknown, the change is not ready for a consequential workflow.
Read
Decision rules
- Prefer a measured baseline over a persuasive demo.
- Keep versions, inputs, and thresholds reproducible.
- Separate syntactic success from semantic correctness and authorization.
- Escalate or abstain when evidence falls outside the contract.
- Re-evaluate when data, traffic, models, providers, or user goals change.
These rules turn the topic into an engineering decision rather than a slogan. They also make disagreement productive: another person can challenge the assumptions, rerun the evaluation, and reach a documented conclusion.
Read
Rehearse one failure safely
Choose the failure with the largest combination of likelihood and impact. Inject it in a test environment without weakening production controls. Capture the first observable symptom, the alert that should fire, the component that contains the damage, and the recovery action. Then remove one safeguard and predict how the blast radius changes before running again. The lesson is not that every failure can be detected from model text. Strong designs enforce invariants outside the model and preserve enough evidence to distinguish bad input, component failure, policy refusal, and ordinary low-confidence output.