Unpacking OpenAI's Controversial AI 'Security Measures'

Unpacking OpenAI's controversial AI 'security measures' - from protecting model weights to hardware signing, this deep dive explores the implications for open-source AI development and small companies.

February 24, 2025


This post walks through the security measures OpenAI has proposed for advanced AI infrastructure, from protecting model weights to hardware-rooted attestation, and offers a perspective on what they mean for the future of AI infrastructure and for open-source models.

Trusted Computing for AI Accelerators: Protecting Model Weights and Inference Data

Emerging encryption and hardware security technologies such as confidential computing promise to protect model weights and inference data by extending trusted computing primitives beyond the CPU host and into the AI accelerators themselves. This approach has the potential to achieve several key properties:

  1. Cryptographic Attestation: GPUs can be cryptographically attested for authenticity and integrity, so that model weights are loaded and used only on authorized hardware running approved firmware.

  2. Encrypted Model Weights: Model weights can remain encrypted until they are staged and loaded on the GPU, preventing access by anything in the path between storage and the accelerator.

  3. GPU-Specific Encryption: The unique cryptographic identity of each GPU can enable model weights and inference data to be encrypted for specific GPUs or groups of GPUs, so that only authorized devices can decrypt them.

This vision of a hardware-rooted trust model aims to provide a secure foundation for advanced AI systems, where model weights and sensitive data are protected even if the software stack or network infrastructure is compromised. In practice, the assurance rests on the accelerator vendor's device identity root and on the model owner keeping an accurate allowlist of firmware measurements; a compromised vendor key or a stale allowlist undermines every layer built on top of it. The approach also raises concerns about higher barriers to entry and reduced openness in the AI ecosystem, since only hardware with these capabilities can participate.
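The three properties above fit together as a single challenge-attest-verify-release flow. The script below is an added example, not OpenAI's or any GPU vendor's code, that models that flow end to end. It assumes each GPU holds a manufacturer-provisioned device identity key (modelled here as a symmetric HMAC key shared with the verifier, where a real device carries an asymmetric key and an X.509 device certificate), that the weight owner keeps an allowlist of acceptable firmware measurements, and that the weights are wrapped with an HMAC-SHA256 counter keystream standing in for AES-GCM so that the script needs only the standard library. Device IDs, firmware bytes and weight bytes are all constructed.

```python
"""Attested key release for an AI accelerator, as a runnable model.

Added example, not OpenAI's or a GPU vendor's code. Assumptions:
- Each GPU holds a device identity key provisioned by its manufacturer.
  Here that identity is a symmetric HMAC key shared with the verifier;
  real devices carry an asymmetric key and an X.509 device certificate.
- The weight owner keeps an allowlist of firmware measurements.
- Encryption uses an HMAC-SHA256 counter keystream standing in for
  AES-GCM so the script runs on the standard library alone.
"""
import hashlib
import hmac
import json
import secrets

# Manufacturer-rooted registry of device identity keys (constructed).
DEVICE_KEYS = {
    "gpu-0001": secrets.token_bytes(32),
    "gpu-0002": secrets.token_bytes(32),
}

# Firmware measurement the model owner will release weights to (constructed).
GOOD_FIRMWARE = b"accelerator-firmware-1.2-signed"
APPROVED_MEASUREMENTS = {hashlib.sha256(GOOD_FIRMWARE).hexdigest()}


def _canon(report):
    # Canonical encoding so device and verifier MAC identical bytes.
    return json.dumps(report, sort_keys=True).encode()


def gpu_attest(device_id, firmware, nonce):
    """Device side: report the firmware measurement, bound to the verifier's
    nonce, authenticated with the device identity key."""
    report = {
        "device_id": device_id,
        "measurement": hashlib.sha256(firmware).hexdigest(),
        "nonce": nonce.hex(),
    }
    tag = hmac.new(DEVICE_KEYS[device_id], _canon(report), hashlib.sha256).digest()
    return report, tag


def verify_report(report, tag, expected_nonce):
    """Owner side: authenticity first, then freshness, then the measurement
    allowlist. Returns (ok, reason)."""
    key = DEVICE_KEYS.get(report.get("device_id"))
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, _canon(report), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    if report["nonce"] != expected_nonce.hex():
        return False, "stale report"          # replayed from an earlier challenge
    if report["measurement"] not in APPROVED_MEASUREMENTS:
        return False, "unapproved firmware"   # tampered or outdated firmware
    return True, "ok"


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _device_wrap_key(device_id):
    # Per-device wrapping key derived from the device identity: weights
    # wrapped for gpu-0001 are useless on gpu-0002 (GPU-specific encryption).
    return hmac.new(DEVICE_KEYS[device_id], b"weight-wrap-key", hashlib.sha256).digest()


def wrap_for_device(device_id, weights):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_device_wrap_key(device_id), nonce, len(weights))
    return nonce + bytes(a ^ b for a, b in zip(weights, ks))


def unwrap_on_device(device_id, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(_device_wrap_key(device_id), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def release_weights(weights, device_id, firmware):
    """Full flow: fresh challenge, device attests, owner verifies, and only
    then are the weights wrapped for that device. Returns (blob_or_None, reason)."""
    nonce = secrets.token_bytes(16)
    report, tag = gpu_attest(device_id, firmware, nonce)
    ok, reason = verify_report(report, tag, nonce)
    if not ok:
        return None, reason
    return wrap_for_device(device_id, weights), reason


if __name__ == "__main__":
    weights = b"\x00\x01layer0.weight\xff\x7f" * 8   # constructed stand-in
    blob, why = release_weights(weights, "gpu-0001", GOOD_FIRMWARE)
    print("approved firmware:", why, unwrap_on_device("gpu-0001", blob) == weights)
    print("other GPU can decrypt:", unwrap_on_device("gpu-0002", blob) == weights)
    print("tampered firmware:", release_weights(weights, "gpu-0001", b"backdoored")[1])
```

The ordering inside `verify_report` matters: the signature is checked before the nonce and the measurement, so an attacker cannot learn which measurements are on the allowlist by submitting unsigned reports, and the nonce check defeats replay of a report captured from a device that was healthy at the time. A production verifier would replace the shared HMAC key with validation of the device certificate chain up to the vendor root and would use an authenticated cipher for the weights.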

Network and Tenant Isolation: Ensuring Resilient Offline Operation

Air gaps are often cited as an essential security mechanism, and not without reason: network segmentation is a powerful control used to protect sensitive workloads such as the control systems for critical infrastructure. Rather than mandating a permanent air gap, though, OpenAI prioritizes flexible network isolation that allows AI systems to work offline, air-gapped from untrusted networks including the internet.

The networks OpenAI describes must eliminate classes of vulnerabilities that would allow a threat actor with access to one tenant to compromise model weights stored in another tenant. This preserves the confidentiality, integrity, and availability of data and workloads even in the face of insider threats or other compromises. Tenant isolation has to hold at every layer the tenants share, not only the network fabric: the hypervisor, the storage path, and the accelerator scheduler are all places where a cross-tenant path can appear.

By designing AI infrastructure with robust network and tenant isolation, we can enable AI systems to operate in a resilient, offline manner, reducing the attack surface and protecting the sensitive model weights that are the core of these advanced AI capabilities.
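The tenant-isolation requirement above turns into a concrete policy when you write down who may talk to whom. The script below is an added example, not OpenAI's code, that encodes one such policy and audits flow records against it: intra-tenant traffic is allowed, cross-tenant traffic is denied, a shared-services subnet is reachable only on allowlisted ports, and any destination outside the private address ranges counts as the internet and is denied outright. The tenant subnets, the shared-services subnet, the ports and the flow records are all constructed for the example.

```python
"""Audit flow records against a default-deny tenant-isolation policy.

Added example, not OpenAI's code. The addressing plan, the shared
services subnet, the allowlisted ports and the flow records below are
all constructed for illustration.
"""
import ipaddress

# Constructed tenant addressing plan: each tenant owns one /16.
TENANTS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed shared-services subnet (e.g. an artifact store) and the only
# port tenants may reach it on.
SHARED_SERVICES = ipaddress.ip_network("10.250.0.0/24")
SHARED_PORTS = {443}

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.9", 8080),       # intra-tenant: allowed
    ("10.10.1.5", "10.20.3.3", 22),         # cross-tenant SSH: violation
    ("10.10.1.5", "10.250.0.10", 443),      # shared service, allowlisted port
    ("10.10.1.5", "10.250.0.10", 5432),     # shared service, other port: violation
    ("10.20.3.3", "93.184.216.34", 443),    # egress to the internet: violation
    ("10.20.3.3", "10.10.1.5", 50051),      # cross-tenant gRPC: violation
]


def tenant_of(addr):
    """Map an address to the tenant whose subnet contains it, or None."""
    for name, net in TENANTS.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst, port):
    """Return (verdict, rule). Anything not explicitly allowed is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_tenant = tenant_of(s)
    if src_tenant is None:
        return "deny", "source not in any tenant"
    if not d.is_private:
        # Offline operation: no tenant workload may reach a public address.
        return "deny", "egress to untrusted network"
    if d in SHARED_SERVICES:
        if port in SHARED_PORTS:
            return "allow", "shared service on allowlisted port"
        return "deny", "shared service port not allowlisted"
    dst_tenant = tenant_of(d)
    if dst_tenant is None:
        return "deny", "destination not in any tenant"
    if dst_tenant == src_tenant:
        return "allow", "intra-tenant"
    return "deny", "cross-tenant"


def audit(flows):
    """Return the flows the policy rejects, each tagged with the rule hit."""
    violations = []
    for src, dst, port in flows:
        verdict, rule = evaluate(src, dst, port)
        if verdict == "deny":
            violations.append((src, dst, port, rule))
    return violations


if __name__ == "__main__":
    for src, dst, port, rule in audit(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}:{port}  ({rule})")
```

Running the audit over observed flows (rather than only enforcing the policy at the fabric) is what catches the case the text warns about: a path from one tenant into another that the enforcement point missed, or a rule change that quietly opened egress to the internet.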

Innovation in Operational and Physical Security for Data Centers

Operational and physical security measures for AI data centers are necessary to ensure resilience against insider threats that could compromise the confidentiality, integrity, and availability of the data center and its workloads. This includes:

  • Robust access controls and monitoring to restrict and audit physical access to the data center facilities and critical infrastructure.
  • Comprehensive video surveillance and logging to provide visibility into all activities within the data center.
  • Redundant power and cooling systems to maintain availability in the face of disruptions.
  • Secure disposal and sanitization procedures for decommissioned hardware to prevent data leakage.
  • Tamper-evident seals and other physical security measures to detect and deter unauthorized modifications to infrastructure.
  • Rigorous personnel security practices, such as background checks and security awareness training, to vet and monitor data center staff.
  • Incident response and disaster recovery plans to quickly identify, contain, and recover from security incidents or outages.

These operational and physical security controls work in concert to create a multi-layered defense that protects the confidentiality and integrity of the data center environment, including the AI models and training data housed within.

AI-Specific Audit and Compliance Programs: Safeguarding Intellectual Property

Since AI developers need assurance that their intellectual property is protected when working with infrastructure providers, AI infrastructure must be audited for and compliant with applicable security standards. Existing standards such as SOC 2 and the ISO/IEC and NIST families will still apply. However, the list is expected to grow to include AI-specific security and regulatory standards that address the unique challenges of securing AI systems.

These AI-specific audit and compliance programs will help ensure that the confidentiality, integrity, and availability of AI-related data and models are maintained. By adhering to these standards, infrastructure providers can demonstrate their commitment to protecting the valuable intellectual property of their AI developer customers. This, in turn, will foster trust and enable AI developers to focus on innovation, knowing that their critical assets are safeguarded.

The development of these AI-specific standards will require collaboration between industry, academia, and regulatory bodies. This collective effort will help establish a robust framework for securing the AI ecosystem, ensuring that the rapid advancements in AI technology are accompanied by appropriate safeguards and compliance measures.

AI for Cyber Defense: Leveling the Playing Field Against Threats

OpenAI believes that AI will be transformative for cyber defense, with the potential to level the playing field between attackers and defenders. Defenders across the globe struggle to ingest and analyze the vast amounts of security signals needed to detect and respond to threats to their networks. Additionally, the significant resources required to build a sophisticated security program place meaningful cyber defense out of reach for many organizations.

AI presents an opportunity to enable cyber defenders and improve security. AI can be incorporated into security workflows to accelerate security engineers and reduce the toil in their work. OpenAI reports using its own models to analyze high-volume and sensitive security telemetry that would otherwise be out of reach for teams of human analysts. By leveraging AI, defenders can more effectively detect, investigate, and respond to threats, helping to close the gap with sophisticated attackers.

OpenAI is committed to advancing the state of the art in AI-powered cyber defense. It holds that continued security research, including exploring ways to circumvent the security measures outlined here, is essential to staying ahead of a rapidly evolving threat landscape. Ultimately, these security controls must provide defense in depth, since there are no flawless systems and no perfect security.

Resilience, Redundancy, and Continuous Security Research

OpenAI acknowledges that the security measures it proposes are likely just the beginning, and that continuous security research is required given the rapidly evolving state of AI security. It recognizes that there are no flawless systems and no perfect security.

To address this, OpenAI emphasizes the need for:

  1. Resilience: The security controls must provide defense-in-depth, as there will inevitably be gaps and vulnerabilities that are discovered over time.

  2. Redundancy: Relying on a single security measure is not enough. Multiple layers of protection are necessary to ensure the overall resilience of the system.

  3. Continuous Security Research: Ongoing research is required to understand how to circumvent the proposed security measures, as well as to identify and close any gaps that emerge. This includes both offensive and defensive research to stay ahead of potential threats.

OpenAI recognizes that the field of AI security is still in its early stages, and that a proactive and adaptive approach is necessary to protect advanced AI systems. By embracing resilience, redundancy, and continuous security research, it aims to stay ahead of the evolving threat landscape and ensure the safety and security of its AI infrastructure.
