Open Questions
Areas of genuine uncertainty and active research
This is a first draft and we value transparency about areas of genuine uncertainty, whether due to conflicting expert perspectives or limited access to relevant information. Our goal is to achieve both strong security and operational effectiveness. We seek input to resolve these uncertainties directly—evidence that changes our assessment may change the requirements—as well as creative approaches that accomplish both. The following questions have significant architectural or policy implications:
Personnel vetting limitations: Whether private-sector vetting is sufficient for SL5, or whether government involvement (through classified contract pathways, information sharing, or new legal authority) is required to achieve adequate personnel security. We welcome input from organizations with experience in either approach.
Adversarial detection feasibility: Whether robust detection of adversarial content is achievable against sophisticated adversaries, given that this remains an active research problem. This standard mandates staging isolation and investment in detection research, but it is uncertain whether breakthroughs sufficient to address the threat will materialize. We welcome detection approaches or architectural mitigations.
Inter-enclave network security: Whether long-distance network connections can be adequately secured against nation-state adversaries, even with multiple validated inline encryptors in series. If such connections cannot be secured, the physical media requirement for high-bandwidth transfers would significantly constrain or preclude geographically distributed training. We seek both security analysis on network connection viability and, if the constraint stands, creative approaches to distributed training under physical media requirements.
Additional open questions are documented in Appendix A.
Additional Open Questions (Appendix A)
Organized by security stream:
Machine Security
- Availability of accelerators meeting SL5 hardware security requirements in time for deployment
- Feasibility of workload integrity mechanisms (e.g., task sequence attestation, kernel fusion) for expected workloads such as training, inference, fine-tuning, and mechanistic interpretability
Cryptographic Protection
- NSA Type 1 vs FIPS 140-3 Level 3 sufficiency for the stated threat model
Physical Security
- TEMPEST zone classification for Red Zones
- Shared infrastructure isolation (power, cooling, fire suppression) between distributed Red Zones
- Required attenuation levels for shielded racks (full NSA 94-106 vs reduced spec)
- Level of physical isolation required for Weight Enclaves (rack, room, or building level separation)
- ICD 705 private accreditation: This standard specifies self-certification by CSO or Site Security Manager. Whether private self-certification provides meaningful security assurance compared to government accreditation, and what this implies for actual security posture.
Network Security
- Specific bandwidth thresholds for exfiltration prevention (calibrated to model size and threat model)
- Redundancy architectures for fail-closed encryptors
Personnel Security
- Screening equivalency standards for non-US citizens and international offices
- Monitoring feasibility in high-restriction states (California CPRA/ICRAA, Illinois BIPA)
Supply Chain Security
- Testing/certification approaches for adversarial content detection system robustness
- Processing state tracking for new modality onboarding