5.2.2 Verification of Compute Workloads
Original Problem in the Paper
Paper motivation: developers/deployers may need reliable proof of which chips trained a model and for how long; chip/cloud owners may need to show their compute was not used for unreported large training; mechanisms must preserve user-data and IP privacy and avoid dual-use surveillance. Open problems: TEE workload attestation at scale, non-TEE methods, misuse-limiting design, low overhead, neutral clusters/training transcripts, randomness, trustworthy neutral clusters, large non-AI workload verification.
July 2026 Update & Trajectory
Confidential-computing stacks operationalize attestation of code/environment and key release for protected AI inference/training-like workloads, and NVIDIA’s 2026 reference architecture is concrete. But governance-grade verification of aggregate FLOPs, exact model/data/program run across large distributed training clusters, or non-AI workload exemption remains unsolved; July 2026 evidence supports deployment for confidentiality/integrity, not full regulatory compute accounting.
Deployed / Operationalized
- NVIDIA confidential AI factory architecture with CPU TEEs, confidential GPUs, Kata confidential containers, remote attestation, KBS/key release, and Kubernetes integration.
- TEE-based attestation can verify expected software measurements before secrets/model keys are released, giving a substrate for workload claims.
- US/EU-style reporting/documentation obligations create demand for workload verification but do not themselves verify workloads.
New Tractable Vectors
- Composite CPU+GPU attestation policies for specific container/model-image hashes.
- Attestation-gated model/key release as a practical proof that an approved workload ran inside a measured enclave.
- Measuring overhead/throughput of confidential GPU inference/training and deciding which critical workloads justify it.
Key Open Questions
- Low-overhead, cluster-scale FLOP/accounting proofs across thousands of GPUs and dynamic distributed jobs.
- Verifying training transcripts under nondeterminism, optimizer randomness, checkpoint restarts, and elastic scaling.
- Non-TEE verification paths for commodity clusters and legacy accelerators.
- Privacy-preserving regulator interfaces that prove threshold exceedance/non-exceedance without broad surveillance.