Safeguard
AI Security

AI Chip Architecture: A Security Guide for Accelerated Compute

AI chip architecture shapes the security surface of accelerated compute. Here is how GPUs, TPUs, and NPUs are built and where the real risks live.

Safeguard Research Team
Research
6 min read

AI chip architecture describes how accelerators like GPUs, TPUs, and NPUs are built to run machine-learning workloads in parallel, and that design directly shapes their security surface — from firmware and drivers down to how memory is shared between tenants. Understanding the architecture is the prerequisite to reasoning about the risks, because most AI-hardware security problems live in the same places that make these chips fast: massive parallelism, shared memory, and a deep software stack sitting on top of proprietary silicon.

This guide walks through the architecture at a working level, then maps each layer to the security concerns that matter for teams deploying AI compute.

What makes an AI chip different from a CPU

A CPU is a latency machine: a few powerful cores optimized to finish one instruction stream as fast as possible. An AI accelerator is a throughput machine: thousands of simpler compute units running the same operation across enormous batches of data at once. Neural network training and inference are dominated by matrix multiplication, and matrix math is embarrassingly parallel, so the hardware is organized around doing many multiply-accumulate operations simultaneously.

That single design choice — trade single-thread speed for parallel throughput — drives everything else: many cores, wide high-bandwidth memory, and specialized units for the matrix operations at the heart of deep learning.

The main architectural families

GPUs (led by NVIDIA and AMD) started as graphics processors and became the default AI accelerator. Modern data-center GPUs pack thousands of shader cores plus dedicated matrix units — NVIDIA calls them Tensor Cores — that accelerate the mixed-precision matrix multiplies used in training. They pair with high-bandwidth memory (HBM) stacked next to the die to keep the compute units fed.

TPUs (Google's Tensor Processing Units) are application-specific chips built around a systolic array — a grid of multiply-accumulate cells through which data flows rhythmically, reusing each value across many operations. That structure is extremely efficient for the dense matrix math of neural networks but far less flexible than a GPU.

NPUs (neural processing units) are the accelerators increasingly embedded in phones and laptops for on-device inference. They prioritize performance-per-watt over raw throughput, running models locally so data never leaves the device.

Across all three, the recurring elements are the same: many parallel compute units, specialized matrix hardware, and a memory hierarchy engineered for bandwidth. Those shared traits are also where the shared risks come from.

Where the security surface actually lives

AI chips are not a single component you either trust or don't. They are a stack, and each layer has its own exposure.

Firmware and microcode. Accelerators run their own firmware, and it is updatable. Firmware sits below the operating system, so a compromise there is hard to detect and survives OS reinstalls. Signed firmware and a verified update path are the baseline defenses; treat vendor firmware updates as security-relevant patches, not optional maintenance.

The driver and userspace stack. The software you actually touch — CUDA, ROCm, vendor runtimes, and the many libraries layered on them — is large, privileged, and written mostly in C/C++. Driver vulnerabilities have historically enabled privilege escalation and, in shared environments, cross-tenant access. These are ordinary software dependencies with CVEs, and they belong in your vulnerability management like any other. An SCA workflow that inventories the accelerator libraries in your container images is the practical way to know which driver and runtime versions you are shipping.

Multi-tenancy and memory isolation. Cloud AI runs many customers on shared hardware. GPUs support partitioning (NVIDIA's Multi-Instance GPU, for example) to isolate tenants, but the isolation is only as strong as its implementation. Memory that is not properly cleared between workloads can leak model weights or inference data from one tenant to the next. If you run on shared accelerators, understand what isolation your provider guarantees and whether memory is scrubbed on release.

Side channels. Because these chips share caches, memory controllers, and power, researchers have repeatedly demonstrated side-channel attacks that infer information — sometimes model architecture or inputs — from timing, power, or contention. These are advanced attacks, but they matter for high-value models where the model itself is the asset worth stealing.

Supply-chain risk in AI hardware

The hardware is only part of the picture. An AI system is silicon plus firmware plus a tall stack of software, and the software half is where most exploitable, patchable risk sits. Vulnerable versions of accelerator runtimes, container base images bundling old CUDA libraries, and unpinned Python ML dependencies are all ordinary supply-chain problems that happen to run on exotic hardware. The Python security tooling that scans your ML dependencies applies directly here.

The defensible posture is to treat AI compute as a full stack: keep firmware signed and current, inventory and scan the driver/runtime libraries, pin your ML dependencies, and know your isolation guarantees on shared hardware.

Practical guidance for teams deploying AI compute

You do not design the silicon, but you own how you run on it:

  • Inventory the stack. Know which GPU/driver/runtime versions your images ship, and generate an SBOM so you can answer "are we affected?" when a driver CVE lands.
  • Patch firmware and drivers deliberately. Vendor updates for accelerators frequently carry security fixes; track them.
  • Understand isolation on shared hardware. Ask your cloud provider what partitioning and memory-scrubbing guarantees apply between tenants.
  • Protect the model as an asset. Where the model's weights or architecture are valuable, factor side-channel and extraction risk into where and how you host it.

AI chip architecture is optimized for one thing — parallel throughput — and its security story follows from that. Get the fundamentals of the stack right and the exotic hardware stops being a mystery box and becomes something you can actually reason about.

FAQ

What is the difference between a GPU, a TPU, and an NPU?

A GPU is a flexible, massively parallel processor (thousands of cores plus matrix units) that became the default AI accelerator. A TPU is Google's application-specific chip built on a systolic array, efficient for dense matrix math but less flexible. An NPU is a low-power accelerator embedded in devices for on-device inference.

Where are the main security risks in AI chips?

In the software and firmware stack more than the silicon itself: firmware/microcode below the OS, large privileged driver and runtime code with CVEs, weak memory isolation on shared multi-tenant hardware, and side-channel attacks that infer model or data information from timing and power.

Can one tenant read another tenant's data on a shared GPU?

It is possible if isolation is misconfigured or memory is not scrubbed between workloads. Cloud providers use partitioning like Multi-Instance GPU to separate tenants, but the guarantee is only as strong as the implementation, so confirm what your provider promises.

Do AI accelerator libraries need vulnerability scanning?

Yes. CUDA, ROCm, vendor runtimes, and the libraries built on them are ordinary software dependencies with CVEs. Inventory the versions in your container images and scan them the same way you scan any other dependency.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.