[WTL] RSP Security mitigations: GDM
How GDM will secure model weights according to their FSF
In this post I’ll go through Google DeepMind’s Frontier Safety Framework and describe how they intend to secure their model weights. Any commitments that exist outside the FSF are out of scope. I will only restate or paraphrase the commitments in their own language. I’ll leave further analysis for later.
Note: This is a “writing to learn” exercise. See the following article for details.
Unlike Anthropic and OpenAI, GDM is part of a larger company that is itself a cloud provider. Google has already described its security practices at length elsewhere and the FSF refers to it. The FSF also refers to the Secure AI Framework which goes into the specific details of how Google plans to secure “AI systems”, which includes the model weights. To avoid biting off more than I can chew, I’ll save any review of these resources for another day. However, I expect much of what I find under-explained here is fleshed out in other documents so I’ll make a point to revisit them in later posts.
The latest FSF (Version 3.1; April 17, 2026) groups mitigations “against exfiltration or unauthorized modification” of model weights under “security mitigations”. For each “capability level” the FSF describes a recommended “security level” based on those described in RAND’s "Securing AI Model Weights" report. These levels mean different things here than in the RAND report. The RAND report has a detailed benchmarks for each level. The FSF states it uses the “goals” of the report rather than its benchmarks. In other words SLN only means “can defend weights against an OCN attacker”. I hope to learn more about how these details differ from the RAND report from SAIF and other Google whitepapers but I consider that out of scope for this post.
The recommended security levels for different “critical” capabilities are organized below.
SL2+: CBRN uplift level 1, Cyber uplift level 1, Harmful manipulation level 1.
SL3: ML R&D acceleration level 1
SL4: ML R&D automation level 1
SL2+ is a new level defined as RAND SL2 but with additional measures for OC3 attackers (“insider threats and well-resourced non-state external actors”). It is mentioned in a footnote that SL3 includes “additional mitigations designed to prevent unilateral access, harden infrastructure, and prevent data exfiltration” that aren’t in SL2+ which hints that SL2+ is SL3 without those mitigations. SL4 adds to both of these “additional mitigations aimed to isolate model weights, enhanced data center security, further hardening of infrastructure and minimizing potential attack surface”. I assume “enhanced data center security” applies to physical security and personnel. The “hardening of infrastructure and minimizing potential attack surface” is very vague and I don’t hold out much hope the SAIF docs fill in the details here.
The applier of the Framework (and I’m unsure who in GDM is responsible for performing this assessment) may still recommend that a given version of Gemini is safe to release if one of the following hold:
“[I]f [Google security infrastructure] match[es] or exceed[s] the level of security applied to other models with similar capabilities or risk profiles”. This seems reasonable given they are assessing the “residual risk”. If a similarly capable model is already deployed by another lab but is less secure then overall risk can’t be said to be increased by release by GDM. I am curious how they assess other labs though. It’s easy to get third-party info about model capabilities but it seems more difficult to determine what “level of security [is] applied to other models”.
If “we assess that the benefits of the open release of model weights outweigh the risks”. This seems to just be describing open source models like Gemma.
Or “based on mitigations already in place”. This is the part that causes me the most confusion. I suppose this describes a case in which they revise downwards the recommended security level for a given capability but only after having achieved that capability.
Some things I almost missed until Claude pointed them out to me:
Section 3.1.1 explicitly calls out the risk of model self-exfiltration rather than being focused exclusively on nation state attackers. That isn’t very relevant for this essay but it’s something I plan to lookout for in other RSPs.
The RAND SL levels are applied only to critical capabilities but “tracked” capabilities may also cause reviewers to recommend against deployment or development. I originally read the distinction between “critical” and “tracked” capabilities as similar to OpenAI’s “tracked” and “research” capabilities i.e. GDM’s “tracked” (confusingly) maps onto OpenAI’s “research” capabilities and are reported but aren’t used to gate releases.
The FSF is pretty explicit about running capability assessments during development rather than just before deployment. These “early warning evaluations” are somewhat of a surprise to me since I assumed GDM leaned on the expectation that capability growth will be smooth enough these wouldn’t be necessary. At least, that’s the vibe I got from Samuel Albanie’s appearance on AXRP Podcast and Rohin Shah’s appearance on the 80,000 Podcast.
Remaining questions
All of the capabilities only describe a level 1. I assume they will define additional levels in their RSP as they approach or exceed level 1. Am I correct in that assumption? In that case one could imagine SL3 being required to deploy a model that provides “CBRN uplift level 2”.
What RAND SL are Gemini external deployments at? The FSF suggests that SL2+ may be below existing Google security practice but doesn’t state it outright.
What RAND SL can GDM feasibly reach in a short timeline?
