Implementing robust security, privacy, and fail-safe mechanisms in artificial intelligence hardware environments

Artificial intelligence (AI) systems have penetrated many aspects of human life. Encouraged by the evolution of deep learning algorithms and hardware, AI has achieved human-level performance on various application domains including computer vision, speech recognition, natural language processing, drug discovery, and financial prediction. Unfortunately, the widespread use of AI systems also poses serious security and privacy risks. For instance, in terms of general security, AI may be exploited in various forms such as adversarial attacks that target the integrity of AI hardware as well as the safety of autonomous systems. Moreover, AI as a service may lead to serious privacy leakage, e.g., inadvertent leakage of sensitive learning data, misappropriation of trained weights, and extraction of business logic.

Different from traditional IT systems, AI systems typically employ a unique technology stack that involves application-oriented data structures, AI operators, and tensor processing architectures. Traditional security and privacy solutions designed for general IT systems, e.g., secure multi-party computations for Privacy-Preserving Machine Learning (PPML), compatibility with General-Purpose Processors (GPPs), etc., usually become ineffective or suffer significant performance penalties due to their high overhead. In this case, designing robust security, privacy, and fail-safe mechanisms that can cope with new attack edges while being embedded into the native processing flow of AI hardware is crucial for the trustworthy development, deployment, and management of the emerging AI hardware environments. Towards this end, trusted execution environment (TEE)-based techniques can be developed to facilitate secure PPML without CPU modification using customized AI accelerators.

Nevertheless, accelerating AI hardware can also suffer new attack scenarios including illegal data/extraction interference with hardware and software prying, which calls for hardware-rooted security. In this case, to ensure effective trustworthiness without modification of widely adopted AI accelerators, it is necessary to investigate innovative ways to provide robust security using two-tier trust design, which anchors trustworthiness on secure GPPs while leveraging native privilege mechanisms of AI accelerators to prevent ill-intended interference by GPPs. At preparation time, the GPP assigns security keys to the hardware security engine to establish initial trust, while at runtime, it guarantees the authenticity of the executing AI application and the integrity of security keys through a remote attestation technique. As a result, the security engine can effectively monitor AI operations and detect anomalies to ensure the trustworthiness of the AI hardware environments (Elbtity et al., 2023; Jouppi et al., 2023; Nvidia, 2025a, 2025b, 2025c).