OpenAI has published details of the security architecture that protects its research infrastructure and frontier model training. The architecture supports the secure training of advanced AI models and is shared in the hope that it proves useful to other AI research labs and security professionals.
OpenAI operates some of the world's largest AI training supercomputers, which are crucial to delivering industry-leading models. Securing these systems is a priority in ensuring that advanced AI benefits everyone. The architecture and operations outlined below support the secure training of frontier models at scale, protecting sensitive model weights and other assets from unauthorized access.
Threat Model
Research infrastructure presents unique security challenges due to the diverse and evolving nature of workloads. Key assets, such as unreleased model weights, need to be safeguarded from unauthorized release or compromise. OpenAI has created dedicated research environments to protect these assets while ensuring researchers have sufficient access to resources.
Architecture
The technical architecture is built on Azure and uses Kubernetes for orchestration; the security controls below follow directly from the threat model.
1) Identity Foundation
- Built on Microsoft Entra ID (formerly Azure Active Directory).
- Integrates with internal authentication and authorization frameworks.
- Enables risk-based verification, use of authentication tokens, and detection of anomalous logins; a token-validation sketch follows below.
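As a minimal illustration of the token side of this foundation, the sketch below verifies the signature, issuer, and audience of an Entra ID-issued token. The tenant ID, audience, and the choice of the PyJWT library are assumptions for illustration; the post does not describe OpenAI's actual verification code.

```python
# Hedged sketch: validating a Microsoft Entra ID access token with PyJWT.
# Tenant ID and audience are placeholders, not values from the post.
import jwt
from jwt import PyJWKClient

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant
AUDIENCE = "api://example-internal-service"          # placeholder audience

# Entra ID publishes its token-signing keys at a well-known JWKS endpoint.
jwks_client = PyJWKClient(
    f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys"
)

def validate_token(token: str) -> dict:
    """Verify signature, issuer, and audience; return the token's claims."""
    signing_key = jwks_client.get_signing_key_from_jwt(token)
    return jwt.decode(
        token,
        signing_key.key,
        algorithms=["RS256"],
        audience=AUDIENCE,
        issuer=f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    )
```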
2) Kubernetes Architecture
- Kubernetes manages workloads with role-based access control (RBAC) policies.
- Admission Controller policies set security baselines for workloads.
- Modern VPN technology provides secure networking.
- Network policies define communication paths, adopting a deny-by-default egress policy; a minimal example follows this list.
- gVisor is used for additional isolation in higher-risk tasks.
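One way to express a deny-by-default egress posture is a NetworkPolicy that selects every pod and permits no outbound traffic, with specific destinations allowlisted by further policies. The sketch below uses the official kubernetes Python client; the namespace and policy name are illustrative, not details from the post.

```python
# Hedged sketch: creating a deny-all-egress NetworkPolicy with the official
# kubernetes Python client. Namespace and names are placeholders.
from kubernetes import client, config

config.load_kube_config()  # use config.load_incluster_config() inside a pod

# An empty pod selector matches every pod in the namespace; declaring
# policyTypes=["Egress"] with no egress rules denies all outbound traffic.
deny_all_egress = client.V1NetworkPolicy(
    metadata=client.V1ObjectMeta(name="default-deny-egress"),
    spec=client.V1NetworkPolicySpec(
        pod_selector=client.V1LabelSelector(),
        policy_types=["Egress"],
        egress=[],  # no rules: nothing is allowed out
    ),
)

client.NetworkingV1Api().create_namespaced_network_policy(
    namespace="research-workloads", body=deny_all_egress
)
```

Allowed destinations are then added as narrowly scoped policies layered on top of this default.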
3) Storing Sensitive Data
- Key management services store credentials, keys, and other sensitive information; a retrieval sketch follows this list.
- Role-based access control limits access to secrets.
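On Azure, this pattern commonly maps to Key Vault with managed identities, so no secret material lives in code or configuration. The sketch below is an assumption-labeled illustration using the azure-identity and azure-keyvault-secrets SDKs; the post does not name the specific services OpenAI uses.

```python
# Hedged sketch: reading a secret from Azure Key Vault. The vault URL and
# secret name are placeholders, not details from the post.
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential resolves a managed identity, workload identity,
# or developer credential, so no secret is embedded in the code itself.
credential = DefaultAzureCredential()
secret_client = SecretClient(
    vault_url="https://example-research-kv.vault.azure.net",
    credential=credential,
)

# RBAC on the vault gates this call: it fails unless the caller's identity
# holds a role that permits reading secrets.
api_token = secret_client.get_secret("example-service-token").value
```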
4) Identity and Access Management (IAM)
- AccessManager service manages internal authorization and enables least-privilege access.
- Policies require multi-party approval for access to sensitive resources; a minimal approval check is sketched after this list.
- GPT-4 is integrated into AccessManager to help suggest least-privilege role assignments.
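AccessManager is internal to OpenAI, so the sketch below only illustrates the multi-party approval pattern it enforces; every name and the approval threshold are hypothetical.

```python
# Hedged sketch of a multi-party approval gate. All names and the threshold
# are hypothetical; this is not AccessManager's actual interface.
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2  # assumed threshold for sensitive resources

@dataclass
class AccessRequest:
    requester: str
    resource: str
    approvers: set[str] = field(default_factory=set)

def approve(request: AccessRequest, approver: str) -> None:
    """Record an approval, rejecting self-approval outright."""
    if approver == request.requester:
        raise PermissionError("requesters cannot approve their own access")
    request.approvers.add(approver)

def is_granted(request: AccessRequest) -> bool:
    """Grant only once enough distinct, non-requester approvals exist."""
    return len(request.approvers) >= REQUIRED_APPROVALS
```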
5) CI/CD Security
- CI/CD pipelines are secured to maintain development and deployment integrity.
- Access to pipelines and workers is restricted.
- Multi-party approval is required for merging code to the deployment branch; a CI gate sketch follows this list.
- Infrastructure as code (IaC) enforces expected configuration.
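A merge gate of this kind can be enforced in CI. The sketch below assumes a GitHub-hosted repository (the post does not say where code is hosted) and counts distinct approving reviewers through the public pull-request reviews API; the organization, repository, and threshold are placeholders.

```python
# Hedged sketch: a CI gate that blocks merges to the deployment branch
# until enough distinct reviewers have approved. Assumes GitHub hosting.
import os
import requests

REQUIRED_APPROVALS = 2  # assumed threshold

def distinct_approvals(owner: str, repo: str, pr_number: int) -> int:
    """Count unique reviewers who have posted an APPROVED review."""
    resp = requests.get(
        f"https://api.github.com/repos/{owner}/{repo}/pulls/{pr_number}/reviews",
        headers={"Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}"},
        timeout=10,
    )
    resp.raise_for_status()
    approvers = {
        review["user"]["login"]
        for review in resp.json()
        if review["state"] == "APPROVED"
    }
    return len(approvers)

if distinct_approvals("example-org", "example-repo", 123) < REQUIRED_APPROVALS:
    raise SystemExit("blocked: deployment branch requires multi-party approval")
```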
6) Flexibility
- Research requires rapid iteration on infrastructure to support shifting requirements.
- This flexibility is essential to meeting both security and functional goals.
Protecting Model Weights
A defense-in-depth approach is used to protect model weights from exfiltration, including:
- Authorization: Multi-party approvals for access grants.
- Access: Private-linked storage resources requiring authentication and authorization.
- Egress Controls: Network controls allowing traffic only to predefined targets; an allowlist sketch follows this list.
- Detection: A mosaic of detective controls to surface anomalous access and movement of weights.
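To make the egress control concrete, the sketch below shows a deny-by-default allowlist check of outbound destinations. The hosts and the enforcement point are hypothetical; the post does not describe where OpenAI enforces this.

```python
# Hedged sketch of a deny-by-default egress allowlist. Hosts are placeholders;
# the real enforcement point (proxy, firewall, NetworkPolicy) is not specified.
from urllib.parse import urlparse

ALLOWED_EGRESS_HOSTS = {
    "internal-weights-store.example.net",  # placeholder private storage
    "telemetry.example.net",               # placeholder telemetry sink
}

def egress_permitted(url: str) -> bool:
    """Allow outbound requests only to predefined destinations."""
    host = urlparse(url).hostname or ""
    return host in ALLOWED_EGRESS_HOSTS

assert egress_permitted("https://internal-weights-store.example.net/v1/blob")
assert not egress_permitted("https://attacker.example.com/exfil")
```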
Auditing and Testing
- Internal and external red teams simulate adversaries to test security controls.
- A third-party security consultancy has performed penetration tests.
- Compliance regimes are being explored, including AI-specific security and regulatory standards.
Research and Development on Future Controls
Continuous innovation and adaptation are required to secure increasingly advanced AI systems. OpenAI is committed to developing new security controls to stay ahead of emerging threats and enhance the security of its AI infrastructure.