EPS
← All batches·2605.08449

SL5 Standard for AI Security

topic: general_safetytop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFlinked_to_results2026-05-12

Authors: Lisa Thiergart, Yoav Tzfati, Peter Wagstaff et al.

arXiv · PDF

Summary

This paper proposes Security Level 5 (SL5), a new security standard for AI datacenters designed to withstand attacks from the world's most capable adversaries — nation-states with years-ahead expertise and massive resources. The first version focuses on requirements with long lead times (facility construction, hardware procurement, organizational capabilities) that must be planned years in advance. Some requirements are major departures from current practice and may require government-level security capabilities that private companies can't achieve alone.

Main takeaways:

  • SL5 targets threats from top-tier state actors with cutting-edge cyber capabilities
  • Focuses on interventions that take years to implement and can't be retrofitted quickly
  • Originated from RAND's 2024 report on securing AI model weights
  • Some security measures approximate government-level capabilities beyond typical private-sector practice
  • Authors argue these bold measures are necessary and that planning must start now to have options by 2028-2029

Relevance

Not related to my behavioral-installation research — this is physical and operational security for AI infrastructure. Only tangentially relevant if model weight security ever intersects with behavioral backdoor persistence, but that's a stretch.

Abstract

arXiv:2605.08449v1 Announce Type: new Abstract: Security Level 5 (SL5) is a security posture for AI systems that could plausibly thwart top-priority operations by the world's most cyber-capable institutions: those with extensive resources, state-level infrastructure, and expertise years ahead of the public state of the art. The SL5 terminology originates from the RAND Corporation's 2024 report "Securing AI Model Weights". Frontier AI development requires use-case-specific, productivity-optimised and updateable AI datacenter security standards. This first revision of the SL5 standard focuses on requirements with long lead times: interventions that must be planned years in advance, such as facility construction, hardware procurement, and organizational capability development. We prioritize these requirements because preserving optionality for SL5 by 2028/2029 requires starting now. These capabilities cannot be retrofitted on short notice when the need becomes urgent. Some requirements represent significant departures from current day standard practice. We believe bold measures are necessary for this level of security and see clear opportunities to apply optimization pressure to existing and novel solutions to customize them for the AI industry and address the practical operational requirements as much as possible. Our organization exists to begin paving this path. Some requirements approximate government security capabilities where private-sector approaches may be insufficient. We identify these gaps and note where government involvement may ultimately be necessary.