Introduction

The SL5 Task Force is a non-profit cross-industry effort working to ensure frontier AI infrastructure can achieve nation-state-level security by 2028/2029. Founded in March 2025, we are a core team of engineers and security strategists leading a 70-person technical track (comprising security engineers from frontier AI labs, government security specialists, and datacenter colocation providers) alongside an executive track of AI industry security leaders providing steering input.

Over the past nine months, we have conducted a series of workshops and research programs to clarify what it takes to reach Security Level 5 in a way that is sensitive to competitive pressures, the need to maintain speed of innovation, and the reality of a rapidly shifting threat landscape. Our mission is to create the optionality for frontier AI labs to reach Security Level 5 in the coming years, and to be able to activate that security level within six months of choosing to do so.

In service of that mission, we have convened this broad task force to clarify what needs to be done, and in particular what needs to be done early, to preserve that optionality. This standard represents one output of that collaborative effort.

For more information or to engage with our work, contact us at info@sl5.org or visit sl5.org.

Security Level 5 (SL5) is a security posture for AI systems that could plausibly thwart top-priority operations by the world's most cyber-capable institutions: those with extensive resources, state-level infrastructure, and expertise years ahead of the public state of the art. The SL5 terminology originates from the RAND Corporation's 2024 report "Securing AI Model Weights" [1].

This first revision of the SL5 standard focuses on requirements with long lead times: interventions that must be planned years in advance, such as facility construction, hardware procurement, and organizational capability development. We prioritize these requirements because preserving optionality for SL5 by 2028/2029 requires starting now. These capabilities cannot be retrofitted on short notice when the need becomes urgent. Some requirements represent significant departures from current day standard practice. We believe bold measures are necessary for this level of security and see clear opportunities to apply optimization pressure to existing and novel solutions to customize them for the AI industry and address the practical operational requirements as much as possible. Our organization exists to begin paving this path. Some requirements approximate government security capabilities where private-sector approaches may be insufficient. We identify these gaps and note where government involvement may ultimately be necessary.

This standard was developed collaboratively with frontier AI laboratories, government partners, and security experts through sustained engagement over several months. As version 0.1, significant refinement is expected through continued stakeholder engagement. We explicitly invite frontier AI labs, government agencies, datacenter operators, and security researchers to engage with this work, whether through direct collaboration, feedback, or implementation experience. Please reach out through info@sl5.org.

The control specifications in this standard are structured as an overlay on NIST SP 800-53. We chose this approach for three reasons. First, NIST SP 800-53 is a battle-tested framework and the standard choice for high-security organizations. Second, structuring as an overlay enables ease of adoption for organizations already implementing NIST controls. Third, the overlay format clearly expresses the "diff" from existing baselines, highlighting what is new or different for SL5 rather than restating established requirements.

Many other security controls are necessary for SL5, including most controls from existing high-security baselines. Future revisions will provide detailed mapping from DoD Impact Level 6 (IL6) and its reference frameworks (FedRAMP High, CNSSI 1253) to SL5 requirements [4], [5]. Physical security requirements draw on ICD 705 SCIF standards as a basis [6], [7], [22], [23]. Hardware supply chain requirements reference NIST SP 800-161 Rev 1 [3].