If you’re building on shared GPU infrastructure (cloud inference, multi-tenant training jobs, edge AI), ETSI TS 104 033 just defined what your platform security baseline looks like. Published 2026, the spec covers data center and edge AI deployments with mandatory requirements across identity management, data protection, secure boot, and incident response.
Headline requirements: GPU and NPU shared accelerators should provide workload isolation between tenants. Remote access to root-level accounts is prohibited. Platforms should detect attacks targeting inference processes and maintain tamper-proof AI-related logs. The requirement most teams haven’t budgeted for: Model Bill of Materials, a verifiable record of how every model on the platform was developed and trained.
Scott Cadzow, Chair of ETSI’s Technical Committee Securing AI, called this a “significant step forward in establishing concrete and actionable security requirements for the platform itself.”
The stakes follow ETSI’s track record. EN 303 645, the body’s IoT security spec, became the backbone for UK consumer device legislation. TS 104 033 fills the compute layer gap that prior ETSI AI security specs left untouched: the GPU cluster, the training job, the inference endpoint. Cloud providers that treat GPU tenant isolation as a feature request, rather than a security requirement, are reading the regulatory direction wrong.
Monday morning: ask your cloud GPU vendor whether they publish a Model BoM for models running in your environment. Most don’t yet. That gap is now a documented, citable compliance risk.
— Nathan Zakhary