EEG foundation-model releases are usually audited one endpoint at a time: raw-reconstruction, membership inference, identity linkage, or DP-SGD on the downstream head. We audit the same released embeddings under all four endpoints jointly, on BIOT, LaBraM, and EEGPT, and show that each single-endpoint audit clears releases that still leak spectral attributes. The decisive evidence is a cross-encoder transfer audit: a single ridge attribute decoder learned from one frozen encoder transfers, via a fitted linear bridge, to held-out-subject test splits of every other encoder, with subject-disjoint matched-control 95% CI lower bound at least 0.081 across all six BIOT/LaBraM/EEGPT directions. We prove a sufficient condition: two encoders sharing a nontrivial attribute-coordinate projector overlap beta admit a chained ridge bridge attacker with centered-gain lower bound sqrt(beta/(1+tau^2)) - eps_br - rho_0, and back-solve beta in [0.008, 0.198]. To turn the joint audit into a deployment-readable decision rule we introduce an audit-endpoint disagreement score (AEDS), prove sufficient conditions for its positivity, and bootstrap-calibrate it per cell; AEDS is positive in all eight matched-CI cells (BIOT/LaBraM/EEGPT on EEGMMI; LaBraM on Sleep-EDF, 54-channel LIMO, CHB-MIT pediatric scalp EEG) with p<0.001, while a head-level Carlini LiRA membership audit reaches AUC only 0.50-0.70. Standard defenses fail under audit: a Wiener-style noise-aware adaptive attacker, the LiRA audit, and DP-SGD at every utility-preserving epsilon in {4,8} leave the attribute channel essentially unchanged. The contribution is an audit framework that turns scattered single-endpoint defenses into a joint release decision, supported by a cross-encoder bridge theorem and adaptive-attacker, LiRA, and DP-SGD baselines; the audit licenses release-blocking, not raw-waveform exfiltration or held-out-subject identity recovery.
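The cross-encoder transfer audit described above, as an added example that is not the paper's code. The synthetic embeddings, dimensions, ridge penalty and the label-shuffled control (a stand-in for the matched control, which the abstract does not specify) are all assumptions.

```python
import numpy as np

def ridge(X, Y, lam=1.0):
    """Closed-form ridge solution of min ||XW - Y||^2 + lam * ||W||^2."""
    return np.linalg.solve(X.T @ X + lam * np.eye(X.shape[1]), X.T @ Y)

def make_release(rng, share, n_subj=60, n_win=40, d_a=16, d_b=24):
    """Constructed data: encoder B carries the attribute only if share > 0."""
    subj = np.repeat(np.arange(n_subj), n_win)
    # per-window attribute with a per-subject baseline (stand-in for band power)
    attr = rng.standard_normal(n_subj)[subj] + rng.standard_normal(subj.size)
    z_a = np.outer(attr, rng.standard_normal(d_a)) + rng.standard_normal((subj.size, d_a))
    z_b = share * np.outer(attr, rng.standard_normal(d_b)) + rng.standard_normal((subj.size, d_b))
    return subj, attr, z_a, z_b

def corr(x, y):
    return float(np.corrcoef(x, y)[0, 1])

def bridge_audit(share, seed=0, n_boot=300):
    """95% CI lower bound on bridged-decoder gain over a label-shuffled control."""
    rng = np.random.default_rng(seed)
    subj, attr, z_a, z_b = make_release(rng, share)
    tr = subj < 40                       # subject-disjoint: 40 train, 20 held out
    te = ~tr
    a_c = z_a[tr] - z_a[tr].mean(0)
    b_c = z_b[tr] - z_b[tr].mean(0)
    w = ridge(a_c, attr[tr] - attr[tr].mean())   # attribute decoder, encoder A only
    bridge = ridge(b_c, a_c)                      # linear bridge B -> A, uses no labels
    pred = (z_b[te] - z_b[tr].mean(0)) @ bridge @ w
    truth, ids = attr[te], subj[te]
    gains = []
    for _ in range(n_boot):              # resample whole subjects, not windows
        pick = rng.choice(np.unique(ids), np.unique(ids).size)
        rows = np.concatenate([np.flatnonzero(ids == s) for s in pick])
        gains.append(corr(pred[rows], truth[rows])
                     - corr(pred[rows], rng.permutation(truth[rows])))
    return float(np.percentile(gains, 2.5))

if __name__ == "__main__":
    print("shared attribute coordinate:", round(bridge_audit(share=1.0), 3))
    print("no shared coordinate:      ", round(bridge_audit(share=0.0), 3))
```

A lower bound well above zero on held-out subjects means the decoder trained on encoder A reads the attribute out of encoder B's release through the bridge alone; with no shared coordinate the bound stays near zero.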