AI security & verification programme

AI Verification


Building verification mechanisms for high-stakes coordination over AI development and deployment.

No single lab, evaluator, or government can make frontier AI safe on its own. As capabilities grow, safety increasingly depends on coordination, and coordination depends on trust. Our engineering team works on the technical mechanisms that underlie high-stakes coordination.

Our goal is to make it inevitable that verification mechanisms are built. We don’t have to be the ones who develop the final systems, but we do need to make sure someone — possibly ourselves — does the work. As such, we work in two ways.

  • Proactive verification tech R&D. We are developing proofs of concept of foundational verification primitives, and running full verification system prototypes.
  • Government and AI lab collaborations. Verification ultimately interfaces with governments and AI developers; we spend time speaking with and supporting any stakeholders interested in advancing verification.
ai-security

Verification Is a Ladder

Verification is a process, not a one-shot solution. A ladder of technical mechanisms can build trust towards high-stakes coordination over AI — and nuclear verification history shows how the early rungs get climbed.

Read here

Amodo R&D Status

Inference recomputation

Our envisaged AI verification scheme requires recomputation of parts of the workload to tell whether the prover is using their data centre in line with approved workloads. We are starting by verifying they are running an approved AI model.

Active work

We are working on implementing a “verifier proxy” that scrapes inference responses to be verified. Our next focus is capturing inference responses for verification using network TAPs and red teaming the recomputation algorithm.

Network TAPs

Network TAPs might be needed to capture data centre traffic for recomputation. Placed on the front-end network, ideally, they should be able to mirror network packets to the verifier’s recomputation server.

Active work

We are testing existing off-the-shelf fibre TAPs to see whether they work at 800G. We’ve also been working on the design of an “Optical-Electrical-Optical” TAP and supporting the initial design of an FPGA-based TAP.

Memory wipes

Forced and verified memory wipes can be used to bound the amount of illegal computation that a server can do. Forcing regular memory wipes makes it more difficult for an adversary to be running illegal workloads. The challenge is verifying a memory wipe has been done and making sure that a memory wipe is fast enough.

  • Done:
  • Done:
    Proof of principleMemory wipes for use in AI verification
  • In progress:
    MVPWork in progress.
Active work

Our next focus is speeding up memory wipes of SSDs or designing data centre architectures that work around the speed limitations we’ve found with whole SSD wipes.

Packet hashing

Capturing all front-end network traffic requires a huge amount of high-bandwidth information capture and a very large amount of storage. One approach is to hash packets before storage and combine this with a packet retrieval/recreation mechanism.

  • In progress:
    TheoryWork in progress.
  • In progress:
    Proof of principleWork in progress.
  • Not started:
    MVP
Active work

We’re finishing up our theoretical analysis of hashing and creating proof of principle demos that look at hashing speed on server CPUs, NICs/DPUs, and consider theoretical speeds on dedicated FPGAs.

Side channel communications

Verification schemes often rely on capturing all server communication. If all communication is happening over the network fabric, then in theory all of this traffic can be captured. If there are high-bandwidth side-channels, then the prover might be able to covertly run workloads and communicate results without the verifier capturing them.

  • Done:
    TheoryComplete, unreleased
  • Not started:
    Proof of principle
  • Not started:
    MVP
Active work

We are working to turn our internal write-up into something that can be shared with other researchers. After this, we will be using www.sidechannel.cloud to test some of these side-channel mitigations.

Additional work

On top of these discrete research priorities, we are also working on or plan to work on:

  • Turning the discrete components into a full system.
  • Prototyping training recomputation schemes.
  • Workload classification using power (including power at different points in the power chain).
  • System demos for policy makers and AI labs.

Technical notes

ai-security

Network Traffic Hashing

Hashing network traffic creates a tamper-evident record of what data has transited a link. We benchmark line-rate hashing at 400GbE across CPU and DPU hardware, with an interactive dashboard of the results.

ai-security

Example Schemes for Verifying High-Stakes AI Agreements

Recomputation-based schemes for verifying that an AI cluster ran the workloads it declared — covering inference (TOPLOC, Token-DiFR) and pre-training — plus the non-determinism, game theory, and practicalities that make them work.

Read here
ai-security

Understanding Data Center Power Delivery

We mapped the power delivery systems of AI data centers. Our diagram explores the data available at each stage, measurement techniques and signals of interest for AI security.

Read here
ai-security

Network Taps — A First Test

A quick test installation of a 10G network tap for AI verification — passive vs active taps, fibre types, and what scales to production speeds.

Read here
ai-security

The Tray as a Bandwidth Boundary

We used a DPU as a tray-level bandwidth limiter — an extra layer of security for protecting model weights, achieving near line-rate encryption with hardware-offloaded IPsec.

Read here

Side Channel Cloud

Free security and verification research infrastructure.

  • Power side channels
  • Network TAPs
  • Software-defined radios
  • Bare-metal access
  • DPUs · FPGAs · SmartNICs
Get Access Today →