6.3.2 Shared Model Governance
Original Problem in the Paper
Motivation: shared model governance means distributing control over model training or inference across multiple parties so that the relevant operation requires agreement by those parties. The source paper gives examples such as pooled investment in a shared model, actor-specific training requirements, and international collaboration. It identifies model splitting, SMPC, HE, and TEEs as possible technical approaches, while treating the area as open: model splitting needs proof-of-concept and efficacy work; SMPC/HE approaches face high performance overhead; and TEE-based approaches need demonstrations.
July 2026 Update & Trajectory
TEE/attestation and secure-key-release building blocks have become more practical, but the sources reviewed here do not establish a production frontier-model training or inference system in which independent parties technically co-authorize every operation. H100 confidential computing, Caliptra, OpenTitan, and confidential-container/key-release architectures provide attestation/root-of-trust primitives that could support prototypes. HE/SMPC-based shared control remains a separate performance-and-operations challenge; the evidence here supports that as a problem framed by the source paper, not as a fresh 2026 benchmark claim.
Deployed / Operationalized
- Model splitting, SMPC, HE, and confidential-computing approaches are primarily evidenced here as privacy/confidentiality tools or attestation substrates, not as deployed multi-party governance of frontier-model training or inference.
- Confidential-container/key-release architectures describe policy-based release of model decryption keys into attested environments, but the cited NVIDIA architecture is for protecting confidential AI workloads from untrusted infrastructure, not for independent parties jointly authorizing every model operation.
- Anthropic's RSP states that ASL-3 security safeguards include multi-party authorization and mandatory code review for production code/model-weight access; this is internal access governance, not distributed control of each training or inference operation.
New Tractable Vectors
- Prototype policy-enforced enclave workflows in which each party reviews approved measurements/attestation evidence and releases keys, weights, or shares only if its own policy is satisfied.
- Explore hybrid TEE-plus-SMPC/HE systems that use attested enclaves to reduce pure-cryptographic overhead while attempting to preserve auditability and threshold veto rights.
- Design governance protocols for shared international model projects that combine cryptographic logs, threshold controls, attestation, and explicit dispute/revocation rules.
Key Open Questions
- Efficient shared control for frontier-scale training or inference without large HE/SMPC-style slowdowns or unacceptable latency.
- Preventing one party from reconstructing, distilling, or side-channel extracting the model from a share, enclave interaction, or API access remains an open security problem.
- The sources reviewed here do not specify legal and accountability rules for threshold-governed model projects—e.g., disagreement, key revocation, audit duties, liability, and cross-jurisdiction conflicts—alongside the technical controls.
Evidence & Primary Sources
- The source paper defines shared model governance as distributing control over a model's training or inference across multiple parties so that training or inference requires agreement of all parties; it discusses model splitting, SMPC, HE, and TEEs as possible approaches; it calls for proof-of-concept demonstrations; and it reports performance concerns for HE/SMPC, including around 100x slowdown in cited encrypted deep-learning work. (arXiv version current in 2025): https://arxiv.org/pdf/2407.14981
- NVIDIA H100 confidential computing provides a hardware-based TEE anchored in an on-die root of trust, secure/measured boot, SPDM session establishment, signed attestation reports, tenant/relying-party attestation, NRAS or local verification, and CC-On mode. This supports attested-execution prototypes, not deployed shared model governance. (2023-08-03): https://developer.nvidia.com/blog/confidential-computing-on-h100-gpus-for-secure-and-trustworthy-ai/
- Caliptra supplies IP and firmware for an integrated Root of Trust block targeting datacenter-class SoCs, including CPUs, GPUs, DPUs, and TPUs; a Caliptra integration provides identity, measured boot, and attestation capabilities, which could help parties verify the measured hardware/firmware/software state exposed by that integration. https://github.com/chipsalliance/Caliptra
- OpenTitan is an open-source secure-silicon ecosystem producing silicon IP and top-level designs that support Root of Trust functionality, secure boot, and DICE attestation. This supports the OpenTitan/root-of-trust building-block claim, not shared model governance deployment. https://opentitan.org/book/doc/introduction.html
- NVIDIA's 2026 confidential AI factory architecture describes hardware-enforced TEEs, cryptographic attestation, Confidential Containers, Kata Containers, KBS/key release, NVIDIA confidential GPUs, and policy-based release of model decryption keys into protected memory. It also states limits: application vulnerabilities, availability attacks, non-hardware enclaves, and network/storage security are outside the protected scope. (2026-03-23): https://developer.nvidia.com/blog/building-a-zero-trust-architecture-for-confidential-ai-factories/
- Anthropic's RSP page is last updated May 26, 2026 and states that ASL-3 security safeguards include multi-party authorization and mandatory code review for production code/model-weight access, temporary access with least necessary permissions, hardware authentication device prompt, justification, and employee approval. This supports internal access governance, not distributed inference/training control. (2026-05-26): https://www.anthropic.com/responsible-scaling-policy