ETSI sets security requirements for AI data centers and cloud platforms

ETSI has published TS 104 033, a technical specification that defines security requirements for AI computing platforms. The specification establishes a security framework for platforms used to host AI applications in data center and edge computing environments, covering security functions, platform components, interfaces, and services designed to protect AI models, datasets, training processes, and inference workloads.

“This work builds on the AI computing platform security framework we have previously developed and marks a significant step forward in establishing concrete and actionable security requirements for the platform itself,” said Scott Cadzow, Chair of the ETSI Technical Committee Securing AI.

An AI computing platform is one intended to host AI applications: it provides the computing resources, storage, networking, and software components required to support AI workloads throughout their lifecycle. Such platforms are deployed in data centers and edge computing environments and often include AI accelerators such as GPUs and NPUs.


AI computing platform structure overview (Source: ETSI)

Security requirements for AI computing platforms

The specification groups security requirements into identity management and access control, data protection, integrity protection, auditing, incident response, and resilience.

Identity management and access control support the principle of least privilege and restrict platform access to authorized users and systems. Remote access to root-level accounts is prohibited. Integrity protection includes support for secure boot mechanisms that help ensure system components have not been altered.

The platform must protect data transmitted to and from authorized entities against unauthorized disclosure. It must support backup and recovery of data at rest and system configuration information required for system restoration.

The specification addresses risks specific to AI environments. AI models and datasets should remain protected while stored, transmitted, and processed. Shared AI accelerators such as GPUs and NPUs should provide isolation between users and workloads.

The platform should detect attacks targeting AI inference processes and securely store AI-related logs for auditing and forensic analysis. It should support recovery of model training activities following failures or cyberattacks and maintain service availability during abnormal operating conditions. These requirements establish a foundation for secure and trustworthy AI operations in data center and edge computing environments.

Security services for AI workloads

The AI computing platform provides security services that protect AI models, datasets, training processes, and inference operations throughout their lifecycle.

The specification identifies several core services, including protection of AI assets during transmission and storage, protection of AI assets during processing, AI accelerator resource isolation, training recovery, inference attack detection, secure logging, and Model Bill of Materials (Model BoM) support.

These services support the confidentiality, integrity, availability, and traceability of AI systems. Encryption, integrity verification, tenant-specific key management, and hardware-bound decryption protect AI assets from unauthorized access and tampering. Resource isolation prevents tenants from accessing each other’s workloads in shared computing environments. Inference attack detection identifies attempts to extract sensitive information or compromise AI models.

Training recovery services allow model training to resume after system failures or cyberattacks, reducing the risk of lost work. Secure logging protects AI-related records from alteration or deletion, while Model BoM services provide verifiable records of model development and training history to support auditing, forensic investigations, and model traceability.
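Secure logging and Model BoM records are described above as protecting AI-related records from alteration or deletion and giving verifiable model history. As an added illustration (not code from ETSI TS 104 033 or this article), the following hash-chained log binds each AI event to a Model BoM digest and adds a keyed checkpoint so that both edits and dropped entries are detected; the key, event fields and BoM contents are constructed assumptions.

```python
import hashlib
import hmac
import json

def canonical(obj) -> bytes:
    # Deterministic JSON so digests do not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_digest(body: dict) -> str:
    # The body carries the previous digest, so this links the chain.
    return hashlib.sha256(canonical(body)).hexdigest()

class SecureAILog:
    """Append-only, hash-chained log of AI events; each entry binds a Model BoM digest."""
    GENESIS = "0" * 64

    def __init__(self, checkpoint_key: bytes):
        self.key = checkpoint_key  # constructed demo key; assumed held by the auditing service
        self.entries = []

    def append(self, event: dict, model_bom: dict) -> None:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event,
                "model_bom_digest": hashlib.sha256(canonical(model_bom)).hexdigest()}
        self.entries.append(dict(body, digest=entry_digest(body)))

    def checkpoint(self) -> dict:
        # Keyed commitment to (length, head): a bare chain cannot reveal deleted trailing entries.
        head = self.entries[-1]["digest"] if self.entries else self.GENESIS
        msg = canonical({"n": len(self.entries), "head": head})
        return {"n": len(self.entries), "head": head,
                "tag": hmac.new(self.key, msg, "sha256").hexdigest()}

def verify_log(entries: list, checkpoint: dict, key: bytes) -> str:
    """Return 'ok' or a short reason for the first defect found."""
    msg = canonical({"n": checkpoint["n"], "head": checkpoint["head"]})
    if not hmac.compare_digest(hmac.new(key, msg, "sha256").hexdigest(), checkpoint["tag"]):
        return "checkpoint tag invalid"
    prev = SecureAILog.GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return f"chain break at seq {i}"
        if e["digest"] != entry_digest({k: v for k, v in e.items() if k != "digest"}):
            return f"entry {i} altered"
        prev = e["digest"]
    if len(entries) != checkpoint["n"] or prev != checkpoint["head"]:
        return "log truncated or head mismatch"
    return "ok"
```

The checkpoint is what catches removal of the newest entries; without it a chain that simply ends early still verifies.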

Mechanisms supporting the security framework

To support the platform’s security requirements and services, the framework defines mechanisms for establishing AI confidential computing environments and securing communications between them.

Key mechanisms include AI asset encryption and decryption, which protect models and datasets while stored or transferred, and AI confidential computing, which enables sensitive AI workloads to run within protected execution environments. The framework includes AI accelerator resource isolation to prevent unauthorized access between users sharing the same hardware resources.

Additional mechanisms support recovery from failures, detection of attacks against inference processes, protection of AI-related logs from tampering, and Model Bill of Materials proof functions that provide evidence of the integrity and authenticity of information related to AI model development and deployment.
