Researchers sound alarm over AI hardware vulnerabilities that expose training data

A newly uncovered hardware flaw in widely used AI accelerators could allow attackers to infer which data was used to train machine learning models—undermining privacy promises and potentially enabling broader attacks. The issue, dubbed GATEBLEED by researchers at North Carolina State University, stems from how accelerator hardware manages power and may take years to fully fix across the industry.

What the researchers found

AI accelerators—specialized blocks embedded in CPUs, GPUs, and increasingly in consumer “AI PCs” via NPUs—speed up neural network computations while saving energy. To conserve power, these chips frequently toggle internal regions on and off depending on workload, a technique known as power gating.

The NC State team discovered that this power behavior creates a measurable side-channel. When an accelerator processes inputs that resemble a model’s training data, its power usage pattern subtly differs compared to when it sees unfamiliar data. By monitoring these fluctuations, an attacker can perform a kind of membership inference—determining whether specific data points were part of a model’s training set.

According to co-authors Darsh Asher and Azam Ghanbari, the leakage can be observed without special privileges, using a lightweight program that tracks accelerator activity indirectly. In practice, that means even restricted environments could be at risk if unprivileged processes can observe performance or power-related signals closely enough.

Why it matters

Revealing training membership erodes a model’s privacy guarantees and can expose sensitive data that organizations assumed was protected. It also opens the door to follow-on attacks:

• Model jailbreaking and targeted prompting, aided by knowledge of what the model has seen.
• Training data poisoning, by identifying and polluting datasets likely used to refresh or fine-tune models.
• Targeted attacks on mixture-of-experts (MoE) models and AI agents, which may exhibit more distinct activation—and thus power—signatures.

Because GATEBLEED arises from hardware-level behavior rather than a software bug, it cannot be patched with a simple update. The researchers warn that fully addressing the flaw could require architectural changes and multi-year hardware refresh cycles across CPUs and accelerators.

Hard to patch, easy to bypass safeguards

Hardware side-channels are notoriously difficult to mitigate because they can bypass traditional defenses such as encryption, sandboxing, and privilege separation. If an attacker can co-locate on the same machine—or in some cases the same socket or package—they may glean sensitive signals despite software boundaries.

The NC State team evaluated the attack against Intel’s Advanced Matrix Extensions (AMX), which function as an AI accelerator on 4th Gen Intel Xeon Scalable processors. While the study focused on AMX, the underlying mechanism—power gating in response to workload demand—is widely used across modern processing units, suggesting broader exposure across vendors and device classes.

Interim defenses and trade-offs

Short-term mitigations are possible, but they come with costs. The researchers note that operating-system-level defenses—such as restricting access to performance counters, coarsening or randomizing timing and power signals, or scheduling policies that reduce co-location—can dampen the signal an attacker sees. However, these countermeasures often reduce system performance or increase energy consumption, eroding the very benefits accelerators are meant to deliver.

Enterprises deploying on-prem AI workloads can also revisit isolation models: limit untrusted code execution on machines running sensitive inference or training tasks; review multi-tenant policies; and audit low-level telemetry exposure to user space. Cloud providers will likely need to reexamine how fine-grained hardware metrics are exposed to guests and whether new noise-injection or partitioning strategies are warranted. None of these measures, however, constitute a silver bullet.

The bigger picture

GATEBLEED joins a lineage of hardware side-channel issues that trade secrecy for speed and efficiency. Much like past speculative execution and cache side-channel revelations, the vulnerability highlights the security debt accrued when power management and performance optimizations intersect with sensitive AI workloads.

As AI adoption accelerates—from datacenters to laptops—the finding underscores a growing reality: securing models isn’t just about better training pipelines or robust prompting policies. It also requires hardening the silicon beneath them. Until hardware-level mitigations are designed and deployed at scale, organizations will need to weigh performance gains against potential leakage and adopt layered, defense-in-depth strategies for AI operations.

For now, the takeaway is blunt: widely used accelerators can unintentionally reveal what models were trained on, and a comprehensive, low-overhead fix may be years away. Planning for that gap—through careful workload isolation, limited telemetry exposure, and prudent threat modeling—will be crucial for anyone running sensitive AI systems.