
May 3, 2024

Reimagining secure infrastructure for advanced AI

OpenAI calls for an evolution in infrastructure security to protect advanced AI


Securing advanced AI systems will require an evolution in infrastructure security. We’re sharing six security measures that we believe will complement the security controls of today and contribute to the protection of advanced AI.

OpenAI’s mission is to ensure that advanced AI benefits everyone, from healthcare providers to scientists to educators – and yes, even to cybersecurity engineers. That work begins with building secure, trustworthy AI systems that protect the underlying technology from those who seek to subvert it.

Threat model

AI is the most strategic and sought-after technology of our time, and it is pursued with vigor by sophisticated cyber threat actors with strategic aims. At OpenAI, we defend against these threats every day, and we expect them to grow in intensity as AI continues to increase in strategic importance.

Protecting model weights is an important priority for many AI developers. Model weights are the output of the model training process. Model training combines three essential ingredients: sophisticated algorithms, curated training datasets, and vast amounts of computing resources. The resulting model weights are sequences of numbers stored in a file or series of files. AI developers may wish to protect these files because they embody the power and potential of the algorithms, training data, and computing resources that went into them.

Since nearly all of the societal utility of model weights stems from their online use, reaping their benefits requires their online availability:

  • In order to power tools like ChatGPT and the OpenAI API Platform, users must be able to send API requests to infrastructure hosting the model weights. While hosting model weights enables anyone with an Internet connection to harness the power of AI, it also presents a target for hackers.

  • In order to develop new AI models, model weights must be deployed to research infrastructure so researchers can perform model training. While this enables the exploration of new scientific frontiers, research infrastructure and credentials that provide access to it also represent potential attack surface.

This online availability requirement is what distinguishes the challenge of protecting model weights from that of protecting other high-value software assets [1] [2] [3].

Model weights are merely files that must be decrypted and deployed in order to be used, so if the infrastructure and operations that provide their availability are compromised, the weights are liable to be stolen. Conventional security controls like network security monitoring and access controls enable robust defenses; however, new approaches are needed to maximize protection while still ensuring availability.

Rethinking secure infrastructure

We believe that protecting advanced AI systems will require an evolution of secure infrastructure. Just as the advent of the automobile required new developments in safety, and the creation of the Internet required new frontiers in security, advanced AI will require its own innovations.

Security is a team sport, and is best approached through collaboration and with transparency. Our security program has sought to manifest this principle via voluntary security commitments provided to the White House, research partnerships via the Cybersecurity Grant Program, participation in industry initiatives such as the Cloud Security Alliance AI Safety Initiative, and transparency via compliance and third-party audits and our Preparedness Framework. Now, we seek to develop forward-looking security mechanisms for advanced AI systems through ongoing collaboration with industry, the research community, and government.

In the spirit of shared work and shared responsibility that bonds all security teams, today we are sharing six security measures for advanced AI infrastructure. These measures are meant to complement existing cybersecurity best practices, and to build on the controls of today to protect advanced AI:

I. Trusted computing for AI accelerators
II. Network and tenant isolation guarantees
III. Innovation in operational and physical security for datacenters
IV. AI-specific audit and compliance programs
V. AI for cyber defense
VI. Resilience, redundancy, and research

Key investments for future capabilities: six security measures for advanced AI infrastructure

The following technical and operational control mechanisms build on existing security concepts. However, attaining them for the unique scale and availability requirements of advanced AI will require research, investment, and commitment.

I. Trusted computing for AI accelerators

Trusted computing and data protection paradigms have the potential to introduce new layers of defense to protect advanced AI workloads.

Emerging encryption and hardware security technology like confidential computing offers the promise of protecting model weights and inference data by extending trusted computing primitives beyond the CPU host and into AI accelerators themselves. Extending cryptographic protection to the hardware layer has the potential to achieve the following properties:

  1. GPUs can be cryptographically attested for authenticity and integrity.

  2. GPUs having cryptographic primitives can enable model weights to remain encrypted until they are staged and loaded on the GPU. This adds an important layer of defense in depth in the event of host or storage infrastructure compromise.

  3. GPUs having unique cryptographic identity can enable model weights and inference data to be encrypted for specific GPUs or groups of GPUs. Fully realized, this can enable model weights to be decryptable only by GPUs belonging to authorized parties, and can allow inference data to be encrypted from the client to the specific GPUs that are serving their request.

These new technologies could allow model weights to be protected with strong controls at the hardware layer.

Trusted computing is not a new concept: these principles have long been attainable on conventional CPUs, anchored in hardware trusted platform modules (TPMs) or trusted execution environments (TEEs). However, these capabilities eluded GPUs and AI accelerators until recently, and early versions of confidential computing for GPUs are only now reaching the market. As promising as confidential computing for GPUs is, the technology is still nascent. Investment in both hardware and software is required to unlock the scale and performance necessary for many large language models and use cases. Additionally, confidential computing technologies on CPUs have had their share of vulnerabilities, and we cannot expect GPU equivalents to be flawless. Its success is far from assured, which is why now is the time to invest and iterate so we can one day realize its potential.
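As an added illustration (not code from the original post, and not any vendor's attestation API), the following Python models the key-release flow behind properties 1 to 3 above: the weights file sits encrypted on storage, a key-release service challenges a GPU with a fresh nonce, checks the signed attestation report (known device, approved firmware measurement, authorization for this specific model), and only then wraps the data key so that just that device can unwrap it. Assumptions: an HMAC key stands in for each GPU's per-device asymmetric identity key, an HMAC-SHA256 keystream with encrypt-then-MAC stands in for AES-GCM, and the device names, firmware strings and weights file are constructed.

```python
"""Attestation-gated release of a model-weights key to an authorized GPU (illustrative, stdlib only)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

def _subkey(key: bytes, label: bytes) -> bytes:  # domain-separated subkey (stand-in for HKDF)
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:  # HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:  # nonce || ciphertext || tag (encrypt-then-MAC)
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before touching the plaintext
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

@dataclass
class Gpu:
    device_id: str
    device_key: bytes  # unique per-device secret that never leaves the device (assumed HMAC key)
    firmware: bytes    # what the device measures at boot

    def measurement(self) -> str:
        return hashlib.sha256(self.firmware).hexdigest()

    def attest(self, nonce: bytes) -> dict:  # report bound to the verifier's nonce, signed by the device
        report = {"device_id": self.device_id, "measurement": self.measurement(), "nonce": nonce.hex()}
        report["tag"] = hmac.new(self.device_key, json.dumps(report, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        return report

    def unwrap(self, nonce: bytes, wrapped: bytes) -> bytes:
        return decrypt(_subkey(self.device_key, b"wrap" + nonce), wrapped)

@dataclass
class KeyReleaseService:
    device_keys: dict          # device_id -> provisioned device key
    allowed_measurements: set  # approved firmware digests
    model_keys: dict           # model name -> (data key, set of authorized device_ids)
    _pending: dict = field(default_factory=dict)

    def challenge(self, device_id: str) -> bytes:
        nonce = self._pending[device_id] = secrets.token_bytes(16)
        return nonce

    def release(self, model: str, report: dict) -> bytes:
        device_id = report["device_id"]
        nonce = self._pending.pop(device_id, None)  # every challenge is single-use
        if nonce is None or report["nonce"] != nonce.hex():
            raise PermissionError("stale or replayed attestation")
        device_key = self.device_keys.get(device_id)
        if device_key is None:
            raise PermissionError("unknown device")
        body = {k: v for k, v in report.items() if k != "tag"}
        expected = hmac.new(device_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):
            raise PermissionError("attestation signature invalid")
        if report["measurement"] not in self.allowed_measurements:
            raise PermissionError("firmware measurement not approved")
        data_key, authorized = self.model_keys[model]
        if device_id not in authorized:
            raise PermissionError("device not authorized for this model")
        return encrypt(_subkey(device_key, b"wrap" + nonce), data_key)  # host only ever sees the wrapped key

def load_weights(service: KeyReleaseService, gpu: Gpu, model: str, blob: bytes) -> bytes:
    nonce = service.challenge(gpu.device_id)            # 1. verifier issues a fresh challenge
    wrapped = service.release(model, gpu.attest(nonce))  # 2. device attests; service checks, then wraps
    return decrypt(gpu.unwrap(nonce, wrapped), blob)     # 3. only the device can unwrap and decrypt

def attempt(service: KeyReleaseService, gpu: Gpu, model: str, blob: bytes) -> str:
    try:  # "ok" on success, otherwise the reason the load was refused
        load_weights(service, gpu, model, blob)
        return "ok"
    except (PermissionError, ValueError) as err:
        return str(err)

def build_demo():  # constructed fixture: approved GPU, GPU on patched firmware, approved-but-unauthorized GPU
    fw = b"gpu firmware v1 (constructed)"
    good = Gpu("gpu-0001", secrets.token_bytes(32), fw)
    rogue = Gpu("gpu-0002", secrets.token_bytes(32), fw + b" + debug patch")
    spare = Gpu("gpu-0003", secrets.token_bytes(32), fw)
    data_key, weights = secrets.token_bytes(32), bytes(range(256)) * 8  # weights file stand-in
    service = KeyReleaseService(
        device_keys={g.device_id: g.device_key for g in (good, rogue, spare)},
        allowed_measurements={good.measurement()},
        model_keys={"model-a": (data_key, {good.device_id, rogue.device_id})},
    )
    return service, good, rogue, spare, weights, encrypt(data_key, weights)
```

The properties to notice: a compromised host or storage system holds only the encrypted blob and, at most, a key wrapped to one device's identity; a device on unapproved firmware is refused even though it is authorized for the model; an approved device that is not on the model's list is refused; and because each challenge is consumed on use, a captured attestation report cannot be replayed. Real deployments replace the HMAC stand-ins with the accelerator's certified device key, a verifier that checks the vendor certificate chain, and an authenticated cipher.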

II. Network and tenant isolation guarantees

Network and tenant isolation can provide strong boundaries to protect AI infrastructure against determined and deeply embedded threats.

“Airgaps” are often cited as an essential security mechanism, and that is not unfounded: network segmentation is a powerful control used to protect sensitive workloads like the control systems for critical infrastructure. However, “airgap” is an underspecified term, and underplays the design and compromises required when discussing inherently connected systems like AI services.

Instead, we prioritize flexible network isolation that allows AI systems to work offline – separated from untrusted networks including the Internet – to minimize attack surface and vectors for exfiltration of intellectual property and other valuable data. Management networks will need to be carefully designed and abide by similar properties as well. This acknowledges the reality that computing infrastructure requires management and that management requires access, and instead focuses on the desired properties of eliminating attack surface and vectors for data exfiltration. This type of control does not fit every use-case, for example Internet-facing tools, but may be appropriate for the most sensitive workloads.

Robust tenant isolation must ensure that AI workloads and assets cannot be compromised by technical or operational vulnerabilities originating from the infrastructure provider. AI systems must be resilient to cross-tenant access. For example, their architecture must eliminate classes of vulnerabilities that could allow a threat actor with access to one tenant to compromise model weights stored in another tenant. Additionally, strong technical and operational controls must exist to protect AI workloads from risks arising from the platform or infrastructure provider itself. Specifically, model weights must not be accessible by unauthorized cloud engineers or datacenter technicians, or adversaries abusing their credentials or suborning them.

III. Innovation in operational and physical security for datacenters

Operations and physical security measures for AI datacenters are necessary to ensure resilience against insider threats that can compromise the confidentiality, integrity, and availability of the datacenter and its workloads. We anticipate stringent controls spanning conventional and novel methods. Conventional methods include extensive fortification, access controls, round-the-clock monitoring, prohibitions on data-bearing devices entering and leaving facilities, data destruction requirements, and two-person rules.

We are eager to explore new methods for attaining datacenter physical and operational security. Research areas may include advances in supply chain verification, remote 'kill switches' to isolate the datacenter or wipe data in case of unauthorized access or suspected compromise, and tamper-evident systems that do the same.

IV. AI-specific audit and compliance programs

Since AI developers need assurance that their intellectual property is protected when working with infrastructure providers, AI infrastructure must be audited for and compliant with applicable security standards.

While existing standards like the SOC 2, ISO/IEC, and NIST families will still apply, we expect this list to grow to include AI-specific security and regulatory standards that address the unique challenges of securing AI systems. This may include efforts emerging from the Cloud Security Alliance’s AI Safety Initiative or the NIST SP 800-218 AI updates. OpenAI is a member of the CSA AI Safety Initiative’s executive committee.

V. AI for cyber defense

We believe AI will be transformative for cyber defense and has the potential to level the playing field between attackers and defenders.

Defenders across the globe struggle to ingest and analyze signals needed to detect and respond to threats to their networks. Additionally, the resources required to build a sophisticated security program are significant, placing meaningful cyber defense out of reach of many.

AI presents an opportunity to enable cyber defenders and improve security. AI can be incorporated into security workflows to accelerate security engineers and reduce the toil in their work. Security automation can be implemented responsibly to maximize its benefits and avoid its downsides even with today’s technology. At OpenAI we use our models to analyze high-volume and sensitive security telemetry that would otherwise be out of reach for teams of human analysts. We’re committed to applying language models to defensive security applications, and will continue to support independent security researchers and other security teams as they test innovative ways to apply our technology to protect the world.

VI. Resilience, redundancy, and research

We need to test these measures, and appreciate that these concepts are likely just the beginning. Continuous security research is required given the greenfield and swiftly evolving state of AI security. This includes research on how to circumvent the measures outlined above, as well as to close the gaps that will inevitably be revealed.

Lastly, these controls must provide defense in depth. There are no flawless systems, and there is no perfect security. Therefore these controls must achieve resiliency by working together. If we assume that individual controls will fail, we can instead solve for the end state where the integrity of the overall system can still hold with smart design. By building redundant controls, raising the bar for attackers, and building the operational muscle to interdict attacks, we can prepare to protect future AI against ever increasing threats.

We are building and investing to achieve these goals

At OpenAI, the work to develop and protect advanced AI continues every day. We invite the AI and security communities to join us in the exploration and development of new methods to protect advanced AI. Here’s how you can get involved:

Apply for an OpenAI Cybersecurity Grant

Our Cybersecurity Grant Program seeks to support defenders to change the power dynamics of cybersecurity through the application of AI. Please consider applying today if you have research that aligns with this mission or the concepts described above.


Authors

OpenAI

Footnotes

  1. Root certificate authorities can be permanently isolated from the Internet. Their private keys can be cryptographically split using threshold secret-sharing schemes such as Shamir’s Secret Sharing, so that multiple stakeholders must come together to reassemble and use them. They can be stored in specialized hardware security modules and physically guarded.

  2. Cryptocurrency “cold wallets” can be isolated from the Internet.

  3. Techniques for protecting online cryptographic private key material exist in the form of hardware security such as trusted platform modules (TPMs) or CPU secure enclaves; however, these are limited in the operations they can perform.