ETSI TS 104 033 V0.0.14 (2023-11)

ETSI TS 104 033 V1.1.1 (2026-05)

TECHNICAL SPECIFICATION
Securing Artificial Intelligence (SAI);
Security requirements for
an Artificial Intelligence Computing Platform

2 ETSI TS 104 033 V1.1.1 (2026-05)

Reference
DTS/SAI-006
Keywords
artificial intelligence, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced in any form or by any means except for the purpose of implementation of standards.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2026.
All rights reserved.
ETSI
3 ETSI TS 104 033 V1.1.1 (2026-05)
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 8
3.1 Terms . 8
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Overview . 9
5 Security requirements and security functions of the framework . 11
5.1 Security requirements for the AI computing platform. 11
5.1.1 Overview . 11
5.1.2 Identity management and access control . 11
5.1.3 Integrity protection . 12
5.1.3.1 Protection of integrity of system startup data . 12
5.1.3.2 Protection of integrity of AI model data . 12
5.1.4 Data protection . 12
5.1.4.1 Data in transit . 12
5.1.4.2 Data at rest . 12
5.1.5 Secure audit . 13
5.1.6 Secure response . 13
5.1.7 Resilience . 13
5.2 Security services of the AI computing platform . 13
5.2.1 Overview . 13
5.2.2 AI assets protection in transmission and storage . 14
5.2.3 AI assets protection in processing . 14
5.2.4 AI accelerator resource isolation . 15
5.2.5 Training procedure recovery . 15
5.2.6 Inference attack detection service . 16
5.2.7 AI related log storage and transfer requirements . 16
5.2.8 Model BoM service . 17
Annex A (normative): Mapping to baseline requirements of ETSI EN 303 645 . 18
Annex B (informative): Security components and composition of the AI computing platform. 21
B.1 Overview of an AI computing platform . 21
B.2 Security components in hardware layer . 23
B.2.1 Host Hardware Based Root of Trust (HBRT) . 23
B.2.2 AI accelerator HBRT . 23
B.2.3 Host trusted boot module . 23
B.2.4 AI accelerator trusted boot module . 24
B.2.5 Minimal system . 24
B.2.6 Host Hardware Unique Key (HUK) . 24
B.2.7 AI accelerator HUK. 24
B.2.8 Host Hardware Mediated Execution Environment (HMEE) . 24
B.2.9 AI accelerator HMEE . 25
B.2.10 Hardware abnormality detection module . 25
B.2.11 AI accelerator resource isolation module . 25
B.2.12 Host secure communication module. 26
B.2.13 AI accelerator secure communication module . 26
ETSI
4 ETSI TS 104 033 V1.1.1 (2026-05)
B.3 Security components in basic software layer . 26
B.3.1 Integrity protection module . 26
B.3.2 Trust measurement module . 26
B.3.3 System abnormality detection module . 27
B.4 Security components in application enabling layer . 27
B.4.1 Security management module . 27
B.4.2 Inference attack detection engine . 28
B.4.3 Encryption/decryption module . 28
B.4.4 Training procedure recovery module . 28
B.4.5 Log protection module . 29
B.4.6 Model BoM module . 29
B.5 Composition of a typical AI computing platform . 29
Annex C (informative): Security mechanisms in the framework . 31
C.1 Overview . 31
C.2 AI assets encryption/decryption . 31
C.3 AI confidential computing. 31
C.3.1 Mechanism description . 31
C.3.2 Involved security components . 31
C.3.3 Reference point and service-based interface . 31
C.3.4 Mechanism procedure . 32
C.4 AI accelerator resource isolation . 34
C.5 Training procedure recovery . 34
C.6 Inference attack detection . 34
C.7 AI related log protection. 34
C.8 Model BoM proof mechanism . 34
C.8.1 Mechanism overview . 34
C.8.2 Involved security components . 34
C.8.3 Reference point and service-based interface . 34
C.8.4 Mechanism procedure . 35
C.9 Measured boot . 35
C.10 Recovery from minimal system . 35
Annex D (informative): Implementation reference for security mechanism of AI computing
platform . 36
D.1 Overview . 36
D.2 AI assets encryption/decryption mechanism . 36
D.3 AI confidential computing mechanism . 36
D.4 AI accelerator resource isolation mechanism . 38
D.5 AI related log protection mechanism . 38
D.6 Inference attack detection mechanism . 38
D.7 Model BoM proof mechanism . 38
D.8 Recovery from minimal system . 39
Annex E (informative): Model BoM overview . 40
E.1 Model BoM description. 40
E.2 Model BoM Threats and its mitigations . 41
ETSI
5 ETSI TS 104 033 V1.1.1 (2026-05)
Annex F (normative): Mapping to baseline requirements of ETSI EN 304 223 . 42
Annex G (informative): Bibliography . 44
Annex H (informative): Change history . 45
History . 46

ETSI
6 ETSI TS 104 033 V1.1.1 (2026-05)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Securing Artificial Intelligence
(SAI).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI
7 ETSI TS 104 033 V1.1.1 (2026-05)
1 Scope
The present document specifies the requirements for a security framework of an AI computing platform. It further
defines the security functions to be provided by the platform, the components to be implemented in the platform and
their interfaces.
The present document is intended for use by designers of AI computing platforms.
The present document extends from the conclusions presented in ETSI GR SAI 009 [i.1].
NOTE: The present document applies to AI computing platforms that are deployed in data centres or edge
computing environments. Other forms of computing platform, e.g. mobile phones or embedded devices
capable of executing AI functionality, may also refer to this security framework adapted to specific
conditions, resource constraints and security requirements.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found in the
ETSI docbox.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 104 224: "Securing Artificial Intelligence (SAI); Explicability and transparency of AI
processing".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] ETSI GR SAI 009: "Securing Artificial Intelligence (SAI); Artificial Intelligence Computing
Platform Security Framework".
[i.2] OWASP: "CycloneDX v1.7".
[i.3] ETSI TR 104 048: "Securing Artificial Intelligence (SAI); Data Supply Chain Security".
[i.4] ETSI EN 303 645: "CYBER; Cyber Security for Consumer Internet of Things: Baseline
Requirements".
[i.5] IETF RFC 8446: "The Transport Layer Security (TLS) Protocol Version 1.3".
[i.6] ISO/IEC 24970: "Artificial intelligence — AI system logging".
ETSI
8 ETSI TS 104 033 V1.1.1 (2026-05)
[i.7] ETSI EN 304 223: "Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements
for AI Models and Systems".
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
AI application: software program that use AI techniques to perform specific tasks
AI computing platform: computing platform intended to host AI applications
AI model: computer program that has been trained on a set of data to recognize certain patterns or make certain
decisions without further human intervention
execution environment: context in which computer code can execute (run)
3.2 Symbols
For the purposes of the present document, the following symbols apply:
{Security component} delimits a "security component" described in Annex B that is involved in the interactive
procedures
EXAMPLE: {Security management module}, {Host HMEE security function}.
 delimits a "Service-based interface" described in Annex B that is used to deliver
relevant information or data between the AI computing platform and platform users
EXAMPLE: , .
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AES Advanced Encryption Standard
AI Artificial Intelligence
BMC Baseboard Management Controller
BoM Bill of Materials
CPU Central Processing Unit
DoS Denial of Service
GCM Galios Counter Mode
GPU Graphics Processing Unit
HBRT Hardware Based Root of Trust
HMEE Hardware-Mediated Execution Enclave
HSM Hardware Security Module
HUK Hardware Unique Key
JTAG Joint Test Action Group
LLM Large Language Model
NIC Network Interface Card
NPU Network Processing Unit
OS Operating System
RPO Recovery Point Objective
RTR Root of Trust for Reporting
RTS Root of Trust for Storage
SDK Software Development Kit
SE Secure Enclave
SoC System on Chip
ETSI
9 ETSI TS 104 033 V1.1.1 (2026-05)
TCG Trusted Computing Group
TLS Transport Layer Security
TPM Trusted Platform Module
UI User Interface
VM Virtual Machine
4 Overview
The AI computing platform is a platform that is optimized to provide an execution environment and related resources to
an AI system as shown in Figure 1 with a detailed view of the AI computing platform given in Figure 2.
The baseline requirements from ETSI EN 303 645 [i.4] apply (and shown in Table 1 below) in addition to specific
requirements identified in the present document. Refer to Annex A for details.
Table 1: Baseline provision from ETSI EN 303 645 [i.4] mapped to
the AI Computing platform requirement
Requirement in ETSI EN 303 645 [i.4] Equivalent or extended provision in
the present document
5.1 No universal default passwords n/a
5.2 Implement a means to manage reports of vulnerabilities
5.3 Keep software updated
5.4 Securely store sensitive security parameters Addressed in clause 5.1.4.2
5.5 Communicate securely Addressed in clause 5.1.4.1
5.6 Minimize exposed attack surfaces
5.7 Ensure software integrity
5.8 Ensure that personal data is secure
5.9 Make systems resilient to outages
5.10 Examine system telemetry data
5.11 Make it easy for users to delete user data
5.12 Make installation and maintenance of devices easy
5.13 Validate input data
6 Data protection provisions for consumer IoT

The AI Computing platform shall make provision to support the requirements for transparency and explicability of AI
processing defined in ETSI TS 104 224 [1], and should support the baseline security requirements for AI models and
systems in ETSI EN 304 223 [i.7]. Refer to Annex F for details. The platform also should respect the recommendations
for data supply chain security outlined in ETSI TR 104 048 [i.3].
The AI computing platform is decomposed into three (3) distinct layers:
• Hardware layer, composed of elements to give assurance of hardware enabled secure storage, networking
hardware and specialist computing hardware in support of AI functions (e.g. AI Accelerator elements).
• Basic software layer, is an interface to provide the hardware layer capabilities to AI application providers and
users and is composed of operating system, chip-level SDK, virtualization component for VM or containers,
etc.
• (AI) Application enabling layer, is the AI application facing element of the platform and is composed of
different types of deep learning framework, application-level SDK, management module, etc.
NOTE: As the AI Computing platform defined in the present document is intended for deployment primarily in
data centres or edge computing environments the elements of a computing platform that would be present
for a desktop or UI-centric environment (e.g. graphics processing) are not considered.
The further decomposition of each of the three (3) distinct layers are given in Annex B.
ETSI
10 ETSI TS 104 033 V1.1.1 (2026-05)

Figure 1: AI computing platform overview

Figure 2: De-composition of a typical AI computing platform
The platform provides resources required for the AI model and associated AI application including (see also ETSI
GR SAI 009 [i.1]):
• Computing execution environment (in particular, one or more AI accelerated processors are included), the
execution environment includes the fundamental software framework, various kinds of libraries and different
hardware drivers.
• Storage to give secure and reliable support of assets including training dataset, testing dataset, inference data
and training script, etc.
• Networking.
In ETSI GR SAI 009 [i.1], Table 1 and Table 2, threats to the AI computing platform are summarized and analysed. The
threat analysis from ETSI GR SAI 009 [i.1] is adopted without change for the present document. From the security
threat analysis provided in ETSI GR SAI 009 [i.1] the following security services are identified and specified in detail
in the present document:
• Protection of AI assets in transmission and storage.
• Protection of AI assets during processing.
• AI accelerator resource isolation service.
• Model training recovery service.
• Inference attack detection service.
• AI related log protection.
• Model BoM service.
ETSI
11 ETSI TS 104 033 V1.1.1 (2026-05)
In addition, the AI Computing platform shall support the following more general services in support of the AI
Computing platform specific services listed above:
• Identity management and access control (see clause 5.1.2).
• Integrity protection (see clause 5.1.3):
- Protection of integrity of system startup data.
- Protection of integrity of AI model data.
• Data protection (see clause 5.1.4):
- Data in transit.
- Data at rest.
• Secure audit (see clause 5.1.5).
• Secure response (see clause 5.1.6).
• Resilience (see clause 5.1.7).
5 Security requirements and security functions of the
framework
5.1 Security requirements for the AI computing platform
5.1.1 Overview
The security requirements for the AI computing platform are defined in order to mitigate threats against itself.
The baseline security requirements are grouped as shown in Figure 3 in order to protect the AI Computing platform.

Figure 3: Overview of baseline security requirements of the AI computing platform
NOTE 1: Unless otherwise specified, all security requirements are applicable to the AI computing platform in data
centre and edge computing scenarios.
NOTE 2: The implementation reference for security mechanism of the AI computing platform based on clause 5 is
provided in Annex D.
5.1.2 Identity management and access control
The AI computing platform shall implement the principle of least privilege where the following requirements on
identity management and access control apply:
• External physical interfaces of the AI computing platform, e.g. JTAG ports, shall be disabled after
manufacture.
ETSI
12 ETSI TS 104 033 V1.1.1 (2026-05)
NOTE 1: This is consistent with the principles outlined in clause 5.6 of ETSI EN 303 645 [i.4], particularly
provisions 5.6-3 and 5.6-4, to minimize the attack surface.
• Access control shall be implemented to allow only authorized access to the platform via the physical interface.
• Remote access of an account with root privilege shall be prohibited.
NOTE 2: Root privilege violates the principle of least privilege and is consistent with provision 5.6-7 of ETSI
EN 303 645 [i.4].
• Only identified and authenticated parties, where authorization to access has been verified, shall be able to
access resources on an AI computing platform.
5.1.3 Integrity protection
5.1.3.1 Protection of integrity of system startup data
The following requirements on integrity protection of system startup data apply:
• An AI computing platform shall support and implement a secure boot mechanism.
EXAMPLE: An AI computing platform can meet this requirement by support of solutions including those from
the Trusted Computing Group (TCG) which have the capability to cooperate with hardware
security modules such as a Trusted Platform Module (TPM) hardware root of trust, a Hardware
Security Module (HSM) or Secure Enclave (SE) to facilitate the mechanisms including proactive
integrity measurement and remote attestation.
5.1.3.2 Protection of integrity of AI model data
• The following requirements on integrity of AI model data apply: An AI computing platform should support for
verifying integrity of AI model before performing inference task.
5.1.4 Data protection
5.1.4.1 Data in transit
NOTE: For the present clause data refers to AI specific data.
The following requirements on protection of data in transit apply:
• The AI computing platform shall protect data transmitted to and from the platform from unauthorized
exposure.
• The AI computing platform shall protect data transmitted to and from the platform by only allowing
transmission to or from identified, authenticated and authorized entities.
EXAMPLE: Known protocols such as TLSv1.3 [i.5] with appropriate selection and application of
cryptographic primitives can be used to satisfy these requirements,
e.g. TLS_AES_128_GCM_SHA256 (identifying TLS using AES-128 in Galois Counter Mode for
encryption with SHA256 for hashing operations).
5.1.4.2 Data at rest
The following requirements on protection of data at rest apply:
• The AI computing platform shall have the ability to backup, and recover, system configuration parameters and
other data that may be required for system recovery.
NOTE: This is consistent with provisions given in clauses 5.7 and 5.11 of ETSI EN 303 645 [i.4].
ETSI
13 ETSI TS 104 033 V1.1.1 (2026-05)
5.1.5 Secure audit
The following requirements on secure audit apply:
• An AI computing platform shall provide event information about AI assets in the logs.
• Log data should be protected such that it cannot be modified after being recorded.
• Log data shall be protected from unauthorized access (the general access control conditions shall apply).
5.1.6 Secure response
The following requirements for secure response apply:
• An AI computing platform should implement a network traffic detection mechanism on network interfaces and
further implement a control mechanism to regulate the traffic and manage abnormal traffic.
• An AI computing platform should implement an intrusion detection mechanism in order to identify network
attacks in a timely manner (i.e. at the initial stage of the attack) and support secure responses against these
attacks.
• An AI computing platform should implement an anomaly detection mechanism on operating system and
provide in-time responses. The scope of the detection should include, but not be limited to, the following:
- Key file anomaly.
- Process anomaly.
- Container anomaly.
- User/privileged/root account anomaly.
5.1.7 Resilience
In addition to the requirements above, the AI computing platform should be designed to maximize reliability and
resilience.
The following requirements on resilience apply:
• An AI computing platform should implement adjustment or protection mechanism for AI-specific accelerators:
- The mechanism should monitor real-time parameters of GPU or NPU like temperature, power, etc. to
estimate the health status of these accelerators.
- If abnormal status is detected, a coping mechanism should be automatically executed to change certain
configurations like degrading the performance or reallocating workflows on these accelerators to avoid
further system faults.
• An AI computing platform should have a safe mode which executes a set of minimally required tasks when it
has been attacked or disrupted. The required tasks should include at least platform recovery procedure which
brings the platform back to a predefined normal state.
5.2 Security services of the AI computing platform
5.2.1 Overview
Security services provided by an AI computing platform are described in clause 5.2. Upon utilizing these services via
predefined interfaces, platform users like model providers and AI application providers can effectively reduce the risks
on their AI assets like models and datasets. This clause only introduces the effect of each security service while the
detailed mechanisms and interfaces of these services are described in Annex B and Annex C.
ETSI
14 ETSI TS 104 033 V1.1.1 (2026-05)
5.2.2 AI assets protection in transmission and storage
The AI computing platform shall assure the confidentiality of models and datasets when those assets are in transit or at
rest (see also clause 5.1.4 above).
The service shall be provided through interfaces by platform. The service should satisfy the following requirements:
• The service should support multi-tenant scenarios where different users utilize different keys to implement
encryption and decryption:
- Each tenant in a multi-tenant scenario should manage their own keys.
- It shall not be possible for any tenant to gain access to any other tenant's content.
- It should be difficult for any tenant to infer the existence of any other tenant in a multi-tenant scenario.
NOTE 1: The above requirements are particularly important in a data centre environment where the AI computing
platform is shared.
• The service should support hardware-bound decryption so that only the platform with designated AI-specific
accelerator has the permission to decrypt the AI assets.
NOTE 2: It is very useful in edge computing scenarios where model providers only allow their well-trained models
to be decrypted and deployed on designated edge devices for inference so that intellectual property of
models can be protected.
• The service should provide integrity verification capability for AI assets utilizing cryptographic methods
before deploying or using the certain assets to check that these assets are not tampered or forged.
NOTE 3: Leveraging the advanced pattern recognition capabilities of Large Language Models (LLM) enhance
early detection and response to anomalies, fortifying the security framework of AI asset management.
EXAMPLE: To deploy this service, the secure communication module (refer to clauses B.2.12 and B.2.13) in
hardware layer, the integrity protection module in software layer (refer to clause B.3.1), and the
security management module (refer to clause B.4.1) and encryption/decryption module (refer to
clause B.4.2) in application enabling layer can cooperate to protect AI assets in transmission and
storage.
5.2.3 AI assets protection in processing
AI computing platforms need stringent security measures for the protection of AI assets during processing. It includes
ensuring the integrity, confidentiality, and reliability of AI system operations and outputs.
The service shall satisfy the following requirements:
• The platform shall establish secure and isolated environments for the processing of AI assets to prevent
unauthorized access and ensure data integrity.
NOTE 1: Isolation is crucial in multi-tenant platforms to prevent cross-tenant data breaches and ensure that LLM
processing is not influenced by external factors.
• The service should provide mechanisms to protect the connection between CPU resource and AI accelerator
resource. The mechanism should be based on cryptographic connection, connection isolation, or combination
of both.
• The platform should ensure that model processing is resilient against Denial of Service (DoS) attacks,
maintaining availability and functionality under various conditions.
NOTE 2: LLM, due to their resource-intensive nature, can be targets for DoS attacks, impacting their availability
and effectiveness.
• The platform should utilize advanced anomaly detection algorithms tailored to model activities, identifying
unusual patterns or behaviours that may indicate security incidents.
ETSI
15 ETSI TS 104 033 V1.1.1 (2026-05)
NOTE 3: Anomaly detection specific to LLM processing can provide early warnings of potential security threats,
enabling prompt response measures.
EXAMPLE: To deploy this service, the hardware abnormality detection module (refer to clause B.2.10) and the
AI accelerator resource isolation module (refer to clause B.2.11) in hardware layer, and the system
abnormality detection module in software layer (refer to clause B.3.3) can cooperate to protect AI
assets in processing.
5.2.4 AI accelerator resource isolation
The AI computing platform shall provide an AI accelerator resource isolation service.
NOTE 1: One role of the AI accelerator resource isolation service is to isolate AI assets used by different tenants
from each other.
EXAMPLE 1: Utilizing this service, an AI accelerator device such as a GPU or NPU can simultaneously allocate
several isolated computing and storage resource for different tenants sharing the device. The
service shall satisfy the following requirements:
- The service shall guarantee that the resource allocated to one tenant is only used by this
tenant. Other tenants shall not have access to or use the resource.
- The service shall ensure that the resource allocated to one tenant does not exceed its pre-
configured quota.
- The service should support hardware-based isolation instead of software-based isolation.
EXAMPLE 2: That is, certain computing resource and memory resource are exclusively allocated to a certain
stakeholder rather than time division multiplexing method:
- The service shall provide controlled access only to a restricted group of stakeholders,
including administrators.
- Where accelerators are accessed remotely, the service shall provide mechanisms to support
traffic segregation (e.g. by means of network isolation).
- The service should support isolation capabilities for prompt, data and reasoning to prevent
injection attacks by malicious users during the reasoning process.
NOTE 2: The isolation mechanism can be implemented either through software-based approaches (e.g. using
separate processes/modules) or hardware-based approaches (e.g. using isolated hardware channels for
prompt, data, etc.).
EXAMPLE 3: To deploy this service, the HBRT module (refer to clauses B.2.1 and B.2.2), the HUK module
(refer to clauses B.2.6 and B.2.7), the HMEE module (refer to clauses B.2.8 and B.2.9) and the AI
accelerator resource isolation module (refer to clause B.2.11) in hardware layer, and the security
management module (refer to clause B.4.1) in application enable layer can cooperate to isolate AI
accelerator resource.
5.2.5 Training procedure recovery
An AI computing platform shall provide recovery service for model training procedure when executing model training
tasks. This service shall be activated when an AI computing platform meets some system error accidently or suffers
from some cyberattack by malicious adversaries.
NOTE 1: This service should be a requirement for data centre and training platform.
This service shall recover the training procedure, the corresponding intermediate data, training results, system
parameters, etc. to the time point of system abnormality. It effectively mitigates the risks of loss of important data in the
training procedure when the AI computing platform malfunctions.
NOTE 2: This is particularly important for the training of LLM.
ETSI
16 ETSI TS 104 033 V
...