Hardware-Enabled Mechanisms for Verifying Responsible AI Development
DOI: https://doi.org/10.70777/si.v2i3.15157

Keywords: training compute, ai governance, artificial general intelligence, hardware-enabled mechanisms, ai transparency, agi risk, ai risk

Abstract

Advancements in AI capabilities, driven in large part by scaling up the computing resources used for AI training, have created opportunities to address major global challenges but also pose risks of misuse. Hardware-enabled mechanisms (HEMs) can support responsible AI development by enabling verifiable reporting of key properties of AI training activities, such as the quantity of compute used and the configuration or location of the training cluster, as well as policy enforcement. Such tools can promote transparency and improve security while addressing privacy and intellectual property concerns. Based on insights from an interdisciplinary workshop, we identify open questions regarding potential implementation approaches, emphasizing the need for further research to ensure robust, scalable solutions.
Copyright (c) 2025 Aidan O’Gara, Gabriel, Will Hodgkins, James Petrie, Vincent Immler, Aydin Aysu, Kanad Basu, Shivam Bhasin, Stjepan Picek, Ankur Srivastava

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.