SL5 Standard for AI Security

TL;DR

The SL5 standard defines long-term security requirements for AI systems to prevent high-level threats, emphasizing proactive measures in infrastructure, organization, and technology development.

Contribution

This paper introduces the first revision of the SL5 AI security standard, focusing on long-term, high-impact security measures for AI infrastructure and operations.

Findings

Prioritized requirements for facility and organizational security are outlined.

Some SL5 requirements exceed current industry standards, requiring bold measures.

Gaps between private-sector capabilities and government security levels are identified.

Abstract

Security Level 5 (SL5) is a security posture for AI systems that could plausibly thwart top-priority operations by the world's most cyber-capable institutions: those with extensive resources, state-level infrastructure, and expertise years ahead of the public state of the art. The SL5 terminology originates from the RAND Corporation's 2024 report "Securing AI Model Weights". Frontier AI development requires use-case-specific, productivity-optimised and updateable AI datacenter security standards. This first revision of the SL5 standard focuses on requirements with long lead times: interventions that must be planned years in advance, such as facility construction, hardware procurement, and organizational capability development. We prioritize these requirements because preserving optionality for SL5 by 2028/2029 requires starting now. These capabilities cannot be retrofitted on short notice when the need becomes urgent. Some requirements represent significant departures from current day standard practice. We believe bold measures are necessary for this level of security and see clear opportunities to apply optimization pressure to existing and novel solutions to customize them for the AI industry and address the practical operational requirements as much as possible. Our organization exists to begin paving this path. Some requirements approximate government security capabilities where private-sector approaches may be insufficient. We identify these gaps and note where government involvement may ultimately be necessary.