Back to Dashboard
Assessment / Compute/ 3.2.2

3.2.2 Classification of Workloads

2026 Governance Status: Newly tractable for binary NVIDIA training detection; governance-grade workload classification remains open

Original Problem in the Paper

Paper motivation: beyond hardware classification, governance needs privacy-preserving classification of computational workloads to identify potentially concerning or anomalous workloads, support reporting of large training runs above compute thresholds, identify compute-usage trends, and preserve development audit trails. The original paper asks whether large training runs can be detected while retaining developer privacy, for example from processor-utilization signatures, and whether compute workloads can be reliably classified as training, inference, or non-AI-related. Its dedicated open problems are privacy-preserving workload classification from high-level provider data despite changing hardware/software/algorithms, and robustness to adversarial gaming such as noisy resource use or splitting workloads across accounts, providers, or clusters.

July 2026 Update & Trajectory

- Commerce’s Jan. 2024 NPRM proposed requiring U.S. IaaS providers to verify foreign customers and, for EO 14110 implementation, to report when they know they will engage or have engaged in a transaction with a foreign person that could allow that person to train a large AI model with potential capabilities usable in malicious cyber-enabled activity. - EO-era compute-threshold reporting and Commerce’s proposed IaaS reporting rule use training-run/technical-condition concepts, creating demand for workload identification; separate BIS advanced-computing export-control guidance governs items involving D:5/Macau-headquartered entities and briefly addresses bona fide data-center operators rather than technically classifying customer workloads. - Privacy-preserving GPU-telemetry classification has been demonstrated in a research setting for NVIDIA NVML telemetry, including adversarial monitor-evader testing. The demonstrated system is not a deployed regulatory classifier and, for stronger hardware-operator adversaries, depends on trustworthy telemetry / hardware-enabled-monitoring assumptions that remain deployment questions.

Deployed / Operationalized

  • No items recorded in this class.

New Tractable Vectors

  • Extend content-agnostic GPU-telemetry classifiers from NVIDIA NVML research prototypes toward regulator-auditable provider deployments, while making telemetry trust, sampling, false-positive/false-negative, and appeals assumptions explicit.
  • Explore combining technical classifier outputs with lawful, provider-held governance context—such as KYC/customer identity, beneficial-ownership/account/reseller links, and other non-content operational metadata—while avoiding inspection of raw customer code, data, or semantic content.
  • Prototype privacy-preserving aggregate compute-trend reporting at provider or data-center level; the original paper identifies compute-trend visibility as a governance goal, but deployment evidence remains to be established.
  • Prototype stronger adversarial-resilience tests for workload shaping, utilization noise, workload splitting, geographically distributed training, telemetry tampering, and low-level evasion.

Key Open Questions

  • Validated classifier distinguishing training, inference, and non-AI accelerator workloads across real provider environments, plus finer categories such as pretraining, fine-tuning, scientific HPC, rendering, or cryptomining where a governance regime actually needs those distinctions.
  • Cross-vendor generality beyond NVIDIA NVML and validation on large, multi-node training systems rather than only the hardware/workload corpus tested in the June 2026 paper.
  • Robustness against workload shaping, throttling, dummy jobs, account splitting, geographic distribution, encrypted/orchestrated training, telemetry tampering, and custom low-level evasion.
  • International/legal standards for what telemetry and non-content operational metadata providers may collect, retain, disclose, and use in regulatory deployment.
  • Still open: detecting malicious-cyber inference workloads without content surveillance or overbroad blocking of benign security research.