undefined | Better HN

0 pointsluiscosio2mo ago0 comments

I’m working on Security Level 5 (SL5), which is basically “nation state grade security” for frontier AI systems. The core idea is that if a model’s weights or training artifacts could enable catastrophic harm, you should treat them like top-tier secrets and secure them accordingly.

One piece I helped with is SenL, a “sensitivity level” framework for AI labs. It’s like a practical clearance system for AI assets. Not everything in a lab is equally dangerous, so you label assets by sensitivity (weights, training data, eval sets, agent tooling, deployment configs, etc.), then tie that label to concrete controls like who can access it, where it can run, what logging is required, and what monitoring / two-person rules apply.

If anyone’s curious, SL5 is here: http://sl5.org/ and the SenL framework is part of the published artifacts.

0 comments

jesse__2mo ago

> The core idea is that if a model’s weights or training artifacts could enable catastrophic harm, you should treat them like top-tier secrets and secure them accordingly.

My read here is that you're implying that if an attacker has access to, for example, weight data, they can invariably find a way to exploit it.

If that's a correct assumption, I think you're playing an unwinnable game, since attackers always have indirect access through inference of the model. It feels like locking down weights/training data/etc is the ai version of security through obfuscation.

Just my 2c, for what it's worth

luiscosioOP2mo ago

Thanks for the insight!

I think this is exactly why some of the work is moving away from “assume unrestricted API inference forever.”

For example, we’re prototyping ideas like air-gapped or very low-bandwidth inference gateways, where interaction happens over narrow channels (serial, optical, audio, etc.), with explicit threat models and monitoring. The point isn’t that this’s practical for today’s models, but to reason about what inference might look like for AGI/ASI-level systems where the risk profile is fundamentally different.

Others are thinking along similar lines too. For example, this SPAR project on constrained and minimal inference pathways: https://sparai.org/projects/sp26/rec7NyTst8Upfp83l

jesse__2mo ago

Great, thanks for adding some nuance!

j / k navigate · click thread line to collapse

0 pointsluiscosio2mo ago0 comments

If anyone’s curious, SL5 is here: http://sl5.org/ and the SenL framework is part of the published artifacts.

0 comments

jesse__2mo ago

> The core idea is that if a model’s weights or training artifacts could enable catastrophic harm, you should treat them like top-tier secrets and secure them accordingly.

My read here is that you're implying that if an attacker has access to, for example, weight data, they can invariably find a way to exploit it.

Just my 2c, for what it's worth

luiscosioOP2mo ago

Thanks for the insight!

I think this is exactly why some of the work is moving away from “assume unrestricted API inference forever.”

Others are thinking along similar lines too. For example, this SPAR project on constrained and minimal inference pathways: https://sparai.org/projects/sp26/rec7NyTst8Upfp83l

jesse__2mo ago

Great, thanks for adding some nuance!

j / k navigate · click thread line to collapse