OpenAI recently introduced six security measures to complement current security controls and contribute to the protection of advanced AI. OpenAI believes these measures will play a pivotal role in securing future advanced AI systems.
Highlights:
- OpenAI introduced new security measures to contribute to the protection of advanced AI systems.
- They mainly prioritize the protection of model weights as they are the main target for hackers.
- These security measures include techniques like trusted computing for AI accelerators and network and tenant isolation guarantees.
Current Security Threats for AI Models
OpenAI says that AI technology is highly strategic and sought after thus making it vulnerable to attacks. Various malicious cyber actors with strategic objectives are already targeting AI models.
OpenAI expects these threats to grow in intensity as AI gains more strategic importance.
When it comes to infrastructure, protecting model weights, and the output files from the expensive model training process, is a priority for OpenAI. These weights are of utmost importance as they embody the algorithms, data, and computing resources used to train AI models.
While the online availability of model weights is essential for powering AI tools, it also presents a target for hackers. Deploying weights to infrastructure for usage enables their utility but also creates a potential attack surface.
Model weights are files that require decryption and deployment onto systems to be utilized, and any breach or compromise of the infrastructure and operations enabling their availability could potentially lead to the theft of these model weight files.
Conventional security controls can provide robust defenses, but new approaches are needed to maximize protection while ensuring the availability of these critical model-weight files.
6 New Security Measures Taken by OpenAI
To counter these problems, OpenAI introduced six security measures for advanced AI infrastructure. These measures are designed to complement existing cybersecurity best practices and to build on the existing security controls to protect advanced AI. The 6 measures are:
1) Trusted computing for AI accelerators
Emerging encryption and hardware security technology like confidential computing offers the potential to protect model weights and inference data through trusted computing primitives on AI accelerators themselves.
This extends cryptographic protection to the hardware layer, enabling attestation of GPU integrity, keeping model weights encrypted until loaded on GPUs, and allowing weights/data to be encrypted for specific authorized GPUs.
Additionally, model weights and inference data should only be decryptable by authorized GPUs. While still nascent, investment in confidential computing for GPUs could unlock new layers of defence for securing advanced AI workloads.
2) Network and tenant isolation guarantees
Network and tenant isolation are crucial for protecting AI infrastructure against advanced threats. While “airgaps” are essential, flexible network isolation that allows AI systems to operate offline, disconnected from untrusted networks like the internet, is more appropriate.
This minimizes attack surface and data exfiltration risks for sensitive workloads while acknowledging the need for controlled management access.
Robust tenant isolation ensures AI workloads and assets are resilient to cross-tenant vulnerabilities and cannot be compromised by issues originating from the infrastructure provider.
Overall, network and tenant isolation provide strong boundaries to safeguard AI infrastructure, mitigating risks from external threats and limiting potential compromise from within the provider environment.
3) Innovation in operational and physical security for data centres
Robust physical security measures and operational controls are crucial for AI data centers to mitigate insider threats and ensure the confidentiality, integrity, and availability of the facility and its workloads.
Conventional methods like fortified access controls, continuous monitoring, restrictions on data-bearing devices, data destruction protocols, and two-person integrity rules are necessary.
Potential new approaches include supply chain verification advancements, remote data isolation or wiping capabilities in case of unauthorized access or suspected compromise, and tamper-evident systems that trigger similar defensive actions.
4) AI-specific audit and compliance programs
AI developers require assurance that their intellectual property is protected when working with infrastructure providers. As such, AI infrastructure must undergo audits and comply with relevant security standards.
While existing standards like SOC2, ISO/IEC, and NIST will still apply, new AI-specific security and regulatory standards are expected to emerge to address the unique challenges of securing AI systems. This may include efforts from the Cloud Security Alliance’s AI Safety Initiative or NIST’s AI-related guidelines.
OpenAI is involved in developing these standards as a member of the CSA AI Safety Initiative’s executive committee.
5) AI for cyber defence
AI has the potential to transform cyber defence and help to level the playing field between attackers and defenders. Defenders often struggle to effectively analyze security data and signals required to detect and respond to threats due to resource constraints.
AI presents an opportunity to enable cyber defenders and improve security. AI models can be integrated into security workflows to accelerate analyst efforts and automate repetitive tasks, reducing operational burdens responsibly. OpenAI leverages their language models to analyze large volumes of sensitive security data that would otherwise be impractical for human analysts alone.
6) Resilience, redundancy, and research
Ongoing research is crucial due to the new and rapidly changing nature of AI security.
This research should include finding ways to bypass the outlined measures and addressing any weaknesses that come to light. Controls should deliver a comprehensive defence and work together to maintain resilience even if individual controls fail. No system is perfect, and perfect security doesn’t exist.
By implementing redundant controls, setting higher barriers for attackers, and developing the capability to stop attacks, future AI systems can be protected better from increasingly sophisticated threats.
Also, check a new research paper on how many-shot jailbreaking can be vulnerable to many AI models.
Conclusion
OpenAI’s newly introduced security measures are a step towards ensuring the protection of advanced AI systems. These measures underscore the critical importance of safeguarding model weights and ensuring robust defense against evolving cyber threats.
