Back to Dashboard
Assessment / Compute/ 3.2.2

3.2.2 Classification of Workloads

2026 Governance Status: Newly tractable

Original Problem in the Paper

Paper motivation: beyond hardware classification, governance needs classification of computational workloads to identify concerning/anomalous workloads, support reporting of training runs above compute thresholds, preserve customer privacy, identify compute trends, and maintain development audit trails. Dedicated open problems: privacy-preserving workload classification using high-level cloud/provider data despite changing hardware/software/algorithms; robustness to adversarial gaming such as noisy utilization, splitting workloads across accounts/providers/clusters, or otherwise hiding training/inference/malicious-cyber workloads.

July 2026 Update & Trajectory

Policy/KYC/reporting scaffolding exists, and a June 2026 primary-source systems paper now shows that privacy-preserving NVIDIA NVML telemetry can detect many hidden ML-training workloads without inspecting code, data, weights, kernels, or customer content. That makes workload classification newly tractable, but not governance-grade: the public evidence is still narrower than the regulatory need for adversarially robust, cross-vendor, frontier-scale classification that can distinguish pretraining, fine-tuning, inference, HPC, and other accelerator uses.

Deployed / Operationalized

  • Proposed U.S. IaaS rule would require U.S. IaaS providers to verify foreign customers and report transactions where a foreign person trains a large AI model with potential malicious cyber capabilities.
  • EO-era and BIS/Commerce compute controls use reporting/threshold concepts for large model training, creating demand for workload identification.
  • Privacy-preserving GPU-telemetry classification has now been demonstrated in a research setting on NVIDIA hardware, including adversarial monitor-evader testing; it is not yet a deployed regulatory classifier.

New Tractable Vectors

  • Extend content-agnostic GPU telemetry classifiers from NVIDIA NVML research prototypes to regulator-auditable provider deployments.
  • Use KYC, account/entity linkage, accelerator allocation, duration, network/storage patterns, and billing data as governance context around technical classifier outputs while avoiding raw-customer-data inspection.
  • Develop privacy-preserving aggregate compute trend reporting at provider/data-center level.
  • Prototype stronger adversarial-resilience tests for workload splitting, noisy utilization, multi-provider orchestration, telemetry tampering, and low-level evasion.

Key Open Questions

  • Validated classifier distinguishing pretraining, fine-tuning, inference, scientific HPC, crypto/mining, and other accelerator workloads across hardware/software stacks.
  • Cross-vendor generality beyond NVIDIA NVML and validation on frontier-scale, multi-node training systems.
  • Robustness against workload shaping, throttling, dummy jobs, account splitting, geographic distribution, encrypted/orchestrated training, telemetry tampering, and custom low-level evasion.
  • International/legal standards for what telemetry providers may collect, retain, disclose, and use in regulatory deployment.
  • Detecting malicious-cyber inference workloads without content surveillance or overbroad blocking of benign security research.