3.2.2 Classification of Workloads
Original Problem in the Paper
Paper motivation: beyond hardware classification, governance needs privacy-preserving classification of computational workloads to identify potentially concerning or anomalous workloads, support reporting of large training runs above compute thresholds, identify compute-usage trends, and preserve development audit trails. The original paper asks whether large training runs can be detected while retaining developer privacy, for example from processor-utilization signatures, and whether compute workloads can be reliably classified as training, inference, or non-AI-related. Its dedicated open problems are privacy-preserving workload classification from high-level provider data despite changing hardware/software/algorithms, and robustness to adversarial gaming such as noisy resource use or splitting workloads across accounts, providers, or clusters.
July 2026 Update & Trajectory
- Commerce’s Jan. 2024 NPRM proposed requiring U.S. IaaS providers to verify foreign customers and, for EO 14110 implementation, to report when they know they will engage or have engaged in a transaction with a foreign person that could allow that person to train a large AI model with potential capabilities usable in malicious cyber-enabled activity. - EO-era compute-threshold reporting and Commerce’s proposed IaaS reporting rule use training-run/technical-condition concepts, creating demand for workload identification; separate BIS advanced-computing export-control guidance governs items involving D:5/Macau-headquartered entities and briefly addresses bona fide data-center operators rather than technically classifying customer workloads. - Privacy-preserving GPU-telemetry classification has been demonstrated in a research setting for NVIDIA NVML telemetry, including adversarial monitor-evader testing. The demonstrated system is not a deployed regulatory classifier and, for stronger hardware-operator adversaries, depends on trustworthy telemetry / hardware-enabled-monitoring assumptions that remain deployment questions.
Deployed / Operationalized
- No items recorded in this class.
New Tractable Vectors
- Extend content-agnostic GPU-telemetry classifiers from NVIDIA NVML research prototypes toward regulator-auditable provider deployments, while making telemetry trust, sampling, false-positive/false-negative, and appeals assumptions explicit.
- Explore combining technical classifier outputs with lawful, provider-held governance context—such as KYC/customer identity, beneficial-ownership/account/reseller links, and other non-content operational metadata—while avoiding inspection of raw customer code, data, or semantic content.
- Prototype privacy-preserving aggregate compute-trend reporting at provider or data-center level; the original paper identifies compute-trend visibility as a governance goal, but deployment evidence remains to be established.
- Prototype stronger adversarial-resilience tests for workload shaping, utilization noise, workload splitting, geographically distributed training, telemetry tampering, and low-level evasion.
Key Open Questions
- Validated classifier distinguishing training, inference, and non-AI accelerator workloads across real provider environments, plus finer categories such as pretraining, fine-tuning, scientific HPC, rendering, or cryptomining where a governance regime actually needs those distinctions.
- Cross-vendor generality beyond NVIDIA NVML and validation on large, multi-node training systems rather than only the hardware/workload corpus tested in the June 2026 paper.
- Robustness against workload shaping, throttling, dummy jobs, account splitting, geographic distribution, encrypted/orchestrated training, telemetry tampering, and custom low-level evasion.
- International/legal standards for what telemetry and non-content operational metadata providers may collect, retain, disclose, and use in regulatory deployment.
- Still open: detecting malicious-cyber inference workloads without content surveillance or overbroad blocking of benign security research.