Field Guide

Protecting AI Training and Evaluation Data

How AI teams can add long-term confidentiality, clear access boundaries, and key management discipline to training datasets and evaluation pipelines.

The problem

AI teams often treat training data security as an infrastructure question: private storage bucket, IAM access controls, done. That works until a breach, a compromised credential, or a future adversary with better hardware. Training data produced for a model released in 2026 may be relevant to adversaries in 2036.

Application-layer encryption adds a second defense. Even if storage access is compromised, ciphertext without the right keys is useless. For teams building with personal data, proprietary examples, or commercially sensitive information, encryption at the application layer is becoming a design requirement — not an audit afterthought.

Clear access boundaries also matter in practice. Third-party evaluators, external researchers, and contracted annotators all need scoped, time-limited access to specific data. Managing that at the API key level — with audit trails — is more reliable than sharing bucket credentials and cleaning up afterward.

Example workflow

An AI research team processes proprietary evaluation datasets. Each dataset is encrypted before storage with a dataset-specific key. Access to each key is identity-scoped — a researcher with access to dataset A cannot use that credential to decrypt dataset B. A third-party evaluator gets a time-limited API key scoped to a specific workspace. After the engagement ends, that key is rotated.

The team has an audit log showing exactly who decrypted what and when. If a dataset is later found to contain sensitive personal data that should not have been included, the key can be retired and the data rendered inaccessible without deleting it from storage.

Where VellumGuard fits

  • Encrypting training samples, evaluation payloads, model outputs, and research data before storage
  • Scoping access by dataset, pipeline stage, or contributor identity
  • Time-limited, workspace-scoped API keys for third-party evaluators or contractors
  • Audit events for every access to sensitive data
  • Key rotation when team composition or data sensitivity changes
  • Hybrid post-quantum crypto by default — data encrypted today remains protected longer

What teams can test in beta

  • Encrypting synthetic or non-sensitive training examples and measuring throughput impact
  • Building a key-per-dataset or key-per-pipeline-stage access pattern
  • Rotating a dataset key and confirming old credentials no longer decrypt
  • Walking through a simulated external evaluator engagement with scoped access
  • Reviewing the audit event log for a complete training or evaluation run

What VellumGuard does not replace

VellumGuard encrypts data and manages keys. It does not replace:

  • Model output security and alignment controls
  • Training infrastructure access management (IAM, VPC, compute policies)
  • Data governance programs and legal agreements around data provenance and use
  • Compliance with privacy regulations applicable to the training data (GDPR, CCPA, etc.)
  • Consent mechanisms or data subject rights workflows

Not currently SOC 2 certified. Not currently HIPAA compliant. No BAA is currently available. No formal SLA during beta. Use test, synthetic, or non-regulated data unless VellumGuard has separately approved your use case in writing.

Request design partner access

If you are building AI infrastructure or research pipelines and want to add post-quantum application-layer encryption to sensitive data in a controlled beta, apply for design partner access. Beta is free unless otherwise agreed in writing.

Apply for access →

Questions? Email beta@vellumguard.com or browse other field guides.