3.2.2 Classification of Workloads
Original Problem in the Paper
Paper motivation: beyond hardware classification, governance needs classification of computational workloads to identify concerning/anomalous workloads, support reporting of training runs above compute thresholds, preserve customer privacy, identify compute trends, and maintain development audit trails. Dedicated open problems: privacy-preserving workload classification using high-level cloud/provider data despite changing hardware/software/algorithms; robustness to adversarial gaming such as noisy utilization, splitting workloads across accounts/providers/clusters, or otherwise hiding training/inference/malicious-cyber workloads.
July 2026 Update & Trajectory
Policy/KYC/reporting scaffolding exists, and a June 2026 primary-source systems paper now shows that privacy-preserving NVIDIA NVML telemetry can detect many hidden ML-training workloads without inspecting code, data, weights, kernels, or customer content. That makes workload classification newly tractable, but not governance-grade: the public evidence is still narrower than the regulatory need for adversarially robust, cross-vendor, frontier-scale classification that can distinguish pretraining, fine-tuning, inference, HPC, and other accelerator uses.
Deployed / Operationalized
- Proposed U.S. IaaS rule would require U.S. IaaS providers to verify foreign customers and report transactions where a foreign person trains a large AI model with potential malicious cyber capabilities.
- EO-era and BIS/Commerce compute controls use reporting/threshold concepts for large model training, creating demand for workload identification.
- Privacy-preserving GPU-telemetry classification has now been demonstrated in a research setting on NVIDIA hardware, including adversarial monitor-evader testing; it is not yet a deployed regulatory classifier.
New Tractable Vectors
- Extend content-agnostic GPU telemetry classifiers from NVIDIA NVML research prototypes to regulator-auditable provider deployments.
- Use KYC, account/entity linkage, accelerator allocation, duration, network/storage patterns, and billing data as governance context around technical classifier outputs while avoiding raw-customer-data inspection.
- Develop privacy-preserving aggregate compute trend reporting at provider/data-center level.
- Prototype stronger adversarial-resilience tests for workload splitting, noisy utilization, multi-provider orchestration, telemetry tampering, and low-level evasion.
Key Open Questions
- Validated classifier distinguishing pretraining, fine-tuning, inference, scientific HPC, crypto/mining, and other accelerator workloads across hardware/software stacks.
- Cross-vendor generality beyond NVIDIA NVML and validation on frontier-scale, multi-node training systems.
- Robustness against workload shaping, throttling, dummy jobs, account splitting, geographic distribution, encrypted/orchestrated training, telemetry tampering, and custom low-level evasion.
- International/legal standards for what telemetry providers may collect, retain, disclose, and use in regulatory deployment.
- Detecting malicious-cyber inference workloads without content surveillance or overbroad blocking of benign security research.