Google's VaultGemma: Pioneering Privacy-Preserving AI with Differential Privacy

Google releases VaultGemma, its first privacy-preserving LLM

The companies seeking to build larger AI models have been increasingly stymied by a lack of high-quality training data. As tech firms scour the web for more data to feed their models, they could increasingly rely on potentially sensitive user data. A team at Google Research is exploring new techniques to make the resulting large language models (LLMs) less likely to "memorize" any of that content. LLMs have non-deterministic outputs, meaning you can't exactly predict what they'll say. While the output varies even for identical inputs, models do sometimes regurgitate something from their training data -- if trained with personal data, the output could be a violation of user privacy. In the event copyrighted data makes it into training data (either accidentally or on purpose), its appearance in outputs can cause a different kind of headache for devs. Differential privacy can prevent such memorization by introducing calibrated noise during the training phase. Adding differential privacy to a model comes with drawbacks in terms of accuracy and compute requirements. No one has bothered to figure out the degree to which that alters the scaling laws of AI models until now. The team worked from the assumption that model performance would be primarily affected by the noise-batch ratio, which compares the volume of randomized noise to the size of the original training data. By running experiments with varying model sizes and noise-batch ratios, the team established a basic understanding of differential privacy scaling laws, which is a balance between the compute budget, privacy budget, and data budget. In short, more noise leads to lower-quality outputs unless offset with a higher compute budget (FLOPs) or data budget (tokens). The paper details the scaling laws for private LLMs, which could help developers find an ideal noise-batch ratio to make a model more private. Building VaultGemma This work on differential privacy has led to a new open-weight Google model called VaultGemma. The model uses differential privacy to reduce the possibility of memorization, which could change how Google builds privacy into its future AI agents. For now, though, the company's first differential privacy model is an experiment. VaultGemma is based on the Gemma 2 foundational model, which is a generation behind Google's latest open model family. The team used the scaling laws derived from its initial testing to train VaultGemma with the optimal differential privacy. This model isn't particularly large in the grand scheme, clocking in at just 1 billion parameters. However, Google Research says VaultGemma performs similarly to non-private models of a similar size. The team hopes this work on differential privacy scaling laws will help others efficiently allocate resources to train private AI models. This probably won't change the way the largest and most capable AI models operate -- performance is everything in supersized general models. And regardless, the research suggests that differential privacy works better with smaller LLMs, like the purpose-built models that power specific AI features. You can download VaultGemma now from Hugging Face and Kaggle. Like other Gemma models, this one has open weights, but it's not quite open source. While Google will let you modify and distribute Gemma models, you must agree not to use them for nefarious purposes and to distribute a copy of the Gemma license with any and all modified versions.

How Google's new AI model protects user privacy without sacrificing performance

AI developers have long faced a dilemma: The more training data you feed a large language model (LLM), the more fluent and human-like its output will be. However, at the same time, you run the risk of including sensitive personal information in that dataset, which the model could then republish verbatim, leading to major security compromises for the individuals affected and damaging PR scandals for the developers. How does one balance utility with privacy? Also: Does your generative AI protect your privacy? Study ranks them best to worst New research from Google claims to have found a solution -- a framework for building LLMs that will optimize user privacy without any major degradations in the AI's performance. Last week, a team of researchers from Google Research and Google DeepMind unveiled VaultGemma, an LLM designed to generate high-quality outputs without memorizing its training data verbatim. The result: Sensitive information that makes it into the training dataset won't get republished. The key ingredient behind VaultGemma is a mathematical framework known as differential privacy (DP), which is essentially digital noise that scrambles the model's ability to perfectly memorize information found in its training data. Crucially, the researchers embedded DP at the level of sequences of tokens. This means that at the most fundamental level, VaultGemma will not be able to perfectly memorize or reproduce the details on which it's been trained. Also: 4 ways I save money on my favorite AI tool subscriptions - and you can too "Informally speaking, because we provide protection at the sequence level, if information relating to any (potentially private) fact or inference occurs in a single sequence, then VaultGemma essentially does not know that fact: The response to any query will be statistically similar to the result from a model that never trained on the sequence in question," Google wrote in a blog post summarizing its findings. There was a delicate balance to strike, here: The Google researchers had to add this digital noise without catastrophically compromising the model's performance. The better an AI model is able to memorize and thus perfectly replicate its training data, the better it should perform -- at least, assuming your metric for "better" is generating human-like responses to user prompts. But if your metric is optimizing user privacy, then the memorization-only paradigm is a problem, because most of us don't want to live in a world in which huge AI models are just hoovering up carbon copies of our personal information that can then be unpredictably republished by those same models. Google's new research, then, focused on comprehensively mapping out the optimal formula for balancing compute, privacy, and model utility. Built upon the Gemma 2 family of open models, which Google debuted in 2024, VaultGemma clocks in at just 1 billion parameters, according to the company -- a relatively paltry size compared to the largest and most powerful models on the market, some of which are reported to be built with upward of a trillion parameters. However, VaultGemma still performed across key benchmarks roughly on par with some older models, including OpenAI's GPT-2. This suggests that a compute-privacy-utility optimization framework could eventually be a viable alternative to leading proprietary models, even though it has a long way to go before it comes close to catching up. Also: How people actually use ChatGPT vs Claude - and what the differences tell us "This comparison illustrates that today's private training methods produce models with utility comparable to that of non-private models from roughly 5 years ago, highlighting the important gap our work will help the community systematically close," Google wrote in the blog post. The model weights and training methods behind VaultGemma have been published in a research paper to allow the AI community to refine private models further. The weights can also be accessed via HuggingFace and Kaggle.

Google's VaultGemma sets new standards for privacy-preserving AI performance - SiliconANGLE

Google's VaultGemma sets new standards for privacy-preserving AI performance Google LLC's two major research units have made a significant advance in the area of large language model privacy with the introduction of a new model called VaultGemma, the world's most powerful "differentially private LLM". It's a one-billion parameter model built on Google's Gemma architecture that uses advanced mathematical algorithms to prevent sensitive data from being leaked. Differential privacy is a mathematical algorithm that's used to protect privacy when sharing data by ensuring that the inclusion or exclusion of an individual piece of information does not significantly affect the overall results. This is achieved by adding controlled noise to the dataset, which makes it difficult for anyone to identify specific information within it. The technique has long been used in regulated industries to secure sensitive information, and it has enormous potential for AI privacy too. However, applying it to LLMs has proven to be challenging, leading to trade-offs in the stability and efficiency of models. VaultGemma is designed to overcome these issues and enables the use of differential privacy without any performance hit. VaultGemma was developed by Google Research in collaboration with Google DeepMind. The researchers said in a blog post that they focused on eliminating the compute-privacy-utility trade-offs that are inherent in differentially private training. The challenge they faced is that traditional scaling laws, which predict AI model performance based on compute resources and data size, don't stand up when differential privacy is applied, because of the increased noise and larger batch sizes. As a result, the team designed new scaling laws that take into account these factors to enable the development of larger, more capable private LLMs. VaultGemma was trained from scratch using a differential privacy framework to ensure that it cannot remember or leak sensitive data. This is a critical feature that can have serious implications for AI applications in regulated industries such as finance and healthcare, the researchers said. In Google's evaluations on several benchmarks, like MMLU and Big-Bench, VaultGemma demonstrated a level of performance that far surpasses earlier differentially private models, more comparable with non-private LLMs with similar numbers of parameters, without sacrificing privacy. For instance, the results showed that it rivals the capabilities of earlier non-private Gemma models on tasks such as reasoning and question answering, but without any risk of exposing its training data. One of the key innovations in VaultGemma saw the researchers adapt its training protocols to deal with the instability caused by the addition of noise. Google's research shows how differential privacy alters the learning dynamics of LLMs. As such, differentially private models require larger batch sizes with millions of examples to stabilize training. This usually means greater computational demands, but the researchers came up with a few tricks to mitigate these costs that could potentially lower the barrier to adoption of private models. Architecturally, VaultGemma is a decoder-only transformer model based on Google's Gemma 2 architecture, featuring 26 layers and using Multi-Query Attention. One of the key design choices was to limit the sequence length to just 1024 tokens, which helps to manage the intense computational requirements of private training, the researchers said. The development was guided by a novel set of "DP Scaling Laws", which provides a framework for balancing the trade-off between compute power, privacy budget and model utility. Google's researchers said they're making VaultGemma , along with its weights and codebase, available under an open-source license on Hugging Face and Kaggle, in order to democratize access to private AI. This step is in direct contrast with Google's usual approach, with its most powerful proprietary LLMs such as Gemini Pro classic examples of an AI "black box". Likely, the decision to open source VaultGemma is a strategic move by Google to try and establish a lead in AI privacy ahead of evolving regulations and accelerate innovation in industries where data sensitivity concerns typically prevent it. Google's scaling laws for differential privacy should be applicable to much larger private LLMs, potentially up to trillions of parameters, the researchers say. As enterprises grapple with data privacy concerns, VaultGemma can serve as a blueprint for secure AI innovation. Already, Google is looking at the possibility of collaborating with major healthcare providers, and envisages VaultGemma being used to analyze sensitive patient data without any risk of a privacy breach. VaultGemma may also have implications for ethical AI. By refusing to reveal its training data, the model mitigates the risk of misinformation and bias amplifications, which could help to further the advancement of responsible AI models, Google's researchers said.

Google releases VaultGemma 1B with differential privacy

Amer S and Ryan McKenna from Google Research announced VaultGemma on September 12, 2025, as the most capable language model trained from scratch with differential privacy. This 1-billion-parameter open model addresses privacy challenges in AI training by incorporating calibrated noise, while a new research paper outlines scaling laws for compute-privacy-utility trade-offs, with weights released on Hugging Face and Kaggle. Differential privacy adds calibrated noise during training to prevent memorization of individual data points, ensuring that the model's outputs remain statistically similar whether or not any single training example is included. This approach provides a mathematically rigorous framework for protecting user data in large language models. However, implementing differential privacy in language model training introduces specific challenges. The noise disrupts the traditional scaling laws, which describe how model performance improves with increases in model size, data volume, and computational resources. In particular, the noise reduces training stability, making it harder for the model to learn consistently without encountering issues such as sudden spikes in loss or complete divergence during optimization. To counteract this instability, practitioners must use significantly larger batch sizes, which in turn demand more computational power and memory, elevating the overall costs of training. The research paper titled "Scaling Laws for Differentially Private Language Models," developed in partnership with Google DeepMind, establishes equations that precisely model these compute-privacy-utility trade-offs for differentially private large language models. These equations capture the intricate relationships between the amount of computation, the privacy level achieved, and the resulting model utility, offering a predictive tool for optimizing training configurations. The paper's development involved extensive analysis to quantify how differential privacy alters the dynamics of model training compared to non-private methods. By deriving these laws, the authors provide a foundation for designing efficient private models, enabling researchers to forecast performance without exhaustive experimentation. Guided by the insights from these scaling laws, the team constructed VaultGemma as a 1-billion-parameter model based on the Gemma 2 architecture, trained entirely from scratch under differential privacy constraints. The model's weights are now publicly available on platforms such as Hugging Face and Kaggle, accompanied by a detailed technical report that explains the training process, hyperparameters, and evaluation results. This release marks the largest such open model to date, allowing developers and researchers worldwide to access and build upon a production-quality differentially private language model. The Gemma series itself emphasizes responsibility and safety in AI development, which aligned well with the goals of incorporating privacy protections from the outset. The experimental methodology in the research focused on quantifying the impacts of varying model sizes, batch sizes, and training iterations within the differential privacy framework. To manage the vast number of possible combinations, the authors made simplifying assumptions, centering their analysis on the noise-batch ratio. This ratio measures the relative scale of the privacy-induced noise against the batch size used in stochastic gradient descent. The assumption holds because the deliberate noise added for privacy dominates over any inherent randomness from data sampling, allowing the model's learning effectiveness to be primarily determined by this single metric. Through this lens, the methodology enabled systematic evaluation of how adjustments in these parameters affect overall performance. Comprehensive experiments evaluated model performance across diverse model sizes and noise-batch ratios, generating empirical data that, when combined with deterministic relationships between variables like compute budget and data budget, supports targeted queries. For example, the scaling laws can determine the optimal training setup to minimize loss given fixed compute, privacy, and data budgets. The predicted loss is modeled using the model size, number of iterations, and the noise-batch ratio, which simplifies the navigation of complex interactions among budgets. This structure provides a clear pathway for practitioners to balance resources effectively during private model training. From a privacy accounting perspective, the dynamics between the compute budget, privacy budget, and data budget reveal key interactions for a fixed model size and iteration count. Increasing the privacy budget, denoted by the parameter ε, reduces the noise level but yields diminishing returns if not paired with expansions in compute or data budgets. Specifically, without corresponding increases in floating-point operations (FLOPs) or tokens processed, the noise-batch ratio improves only marginally, limiting gains in utility. This synergy underscores the need for coordinated scaling: enhancing privacy alone does not sufficiently lower the effective noise unless supported by more computational resources or additional training data. Visualizations in the research illustrate how optimal configurations shift with changing budgets. As privacy and compute constraints vary, the preferred allocation moves between larger model sizes, expanded batch sizes, or additional iterations. For instance, under tighter privacy budgets, prioritizing larger batches often proves more effective than scaling the model size, as it directly mitigates the noise impact. These plots detail the minimum achievable loss for various budget combinations, alongside breakdowns of hyperparameters such as iterations, batch size, and model dimensions. Such granularity helps identify not only the best setup but also ranges of viable alternatives that deliver comparable utility, offering flexibility in resource-constrained environments. A central insight from the scaling laws is the recommendation to train smaller models with substantially larger batch sizes compared to non-private scenarios. This approach leverages the importance of oversized batches in stabilizing differential private stochastic gradient descent (DP-SGD), a common optimization method in this domain. The insight applies broadly across different settings, though exact optima adjust based on specific privacy and data budgets. Understanding these trade-offs ensures efficient use of compute and privacy allocations, preventing wasteful configurations. The analysis also highlights flexibility in choices, where multiple model sizes can achieve similar losses when matched with appropriate iterations and batch adjustments. To construct VaultGemma, the team applied the scaling laws to calculate the total FLOPs required for a compute-optimal 1-billion-parameter model derived from Gemma 2. They then distributed these FLOPs across batch size, iterations, and sequence length to maximize utility under privacy constraints. This allocation process involved iterative simulations using the predictive equations to test various distributions, ensuring the final setup aligned with the lowest projected loss. The resulting configuration balanced the need for noise mitigation through large batches with sufficient iterations to converge effectively, all while adhering to the target parameter count. A notable challenge in bridging the scaling law research to actual training was handling Poisson sampling, a key element of DP-SGD that ensures robust privacy guarantees by randomizing data selection. Initially, the team loaded data in uniform batches, but this method offered suboptimal privacy protections due to higher effective noise. Switching to Poisson sampling improved guarantees but introduced variability: batches varied in size, and data processing required a randomized order. To resolve these issues, they adopted techniques from recent work on Scalable DP-SGD, which processes data in fixed-size batches by padding shorter ones or trimming longer ones. This adaptation preserves the privacy benefits of Poisson sampling without disrupting the training pipeline's efficiency. The training of VaultGemma confirmed the accuracy of the scaling laws, with the final training loss aligning closely to predictions from the equations. This validation demonstrates the reliability of the framework for forecasting outcomes in private model development, providing a dependable guide for future efforts. The process involved monitoring loss curves throughout training to ensure stability, adjusting hyperparameters as needed within the predefined budget, and verifying that the noise-batch ratio remained optimal. Such close correspondence between theory and practice reinforces the laws' utility in practical applications. In performance evaluations, VaultGemma 1B with differential privacy achieves utility levels comparable to the non-private Gemma3 1B and the GPT-2 1.5B model. These comparisons quantify the resource demands of privacy-preserving training, showing that current methods produce models on par with non-private architectures from approximately five years prior. The evaluations included perplexity metrics on held-out data, where VaultGemma's scores reflect effective learning despite the added noise, highlighting progress in closing the utility gap through optimized scaling. Downstream assessments on standard benchmarks further validate VaultGemma's capabilities. On HellaSwag, the model performs at levels matching its non-private counterpart, demonstrating strong commonsense inference. BoolQ results indicate reliable question answering on boolean queries, while PIQA shows competence in physical interaction predictions. SocialIQA evaluations reveal solid understanding of social norms, TriviaQA confirms knowledge retention for factual recall, ARC-C handles complex reasoning challenges, and ARC-E addresses easy science questions effectively. Including GPT-2 1.5B in these comparisons underscores that VaultGemma's benchmark scores align with older non-private models of similar scale, illustrating the state of private training advancements. VaultGemma provides a formal sequence-level differential privacy guarantee of ε ≤ 2.0 and δ ≤ 1.1 × 10⁻¹⁰ for sequences of 1024 tokens drawn from heterogeneous data sources. The training mixture mirrors that of Gemma 2, comprising documents of varying lengths preprocessed by splitting long ones into multiple sequences and packing short ones together. This sequence-level unit suits the data format, though user-level privacy would be preferable when data ties directly to individuals. In practice, this guarantee ensures that the model's responses to queries remain statistically indistinguishable whether a particular sequence is included in training or not, effectively preventing the model from learning any isolated fact within a single sequence. However, facts appearing across multiple sequences can still be learned, allowing general knowledge acquisition without compromising individual privacy. Complementing the theoretical guarantees, empirical tests assessed memorization risks by prompting VaultGemma with 50-token prefixes from training documents and checking for reproduction of the subsequent 50 tokens. The model exhibited no detectable memorization, generating unrelated continuations that did not match the original suffixes. This outcome verifies the practical effectiveness of differential privacy in suppressing verbatim recall, even for potentially sensitive training excerpts. The test protocol involved selecting diverse prefixes from various data sources to cover a broad sample, ensuring comprehensive coverage of potential vulnerabilities. Acknowledgements for the project extend to the Gemma and Google Privacy teams, with specific thanks to Peter Kairouz, Brendan McMahan, and Dan Ramage for feedback on the announcement. Mark Simborg and Kimberly Schwede assisted with visualizations, while broader Google teams supported algorithm design, infrastructure, and production maintenance. Direct contributors, listed alphabetically, include Borja Balle, Zachary Charles, Christopher A. Choquette-Choo, Lynn Chua, Prem Eruvbetine, Badih Ghazi, Steve He, Yangsibo Huang, Armand Joulin, George Kaissis, Pritish Kamath, Ravi Kumar, Daogao Liu, Ruibo Liu, Pasin Manurangsi, Thomas Mesnard, Andreas Terzis, Tris Warkentin, Da Yu, and Chiyuan Zhang.

VaultGemma Is Google's Most Private AI Model Yet: 5 Things You Should Know

The model's privacy approach comes with some performance trade-offs Privacy has been a long-debated topic in the artificial intelligence (AI) space. While companies have taken steps to safeguard user privacy in the post-deployment phase, not a lot has been done in the pre-deployment or pre-training phase of AI models. To tackle this, Google, on Friday, released a privacy-centric large language model (LLM), which has been trained using a new privacy differential technique to ensure that the model cannot memorise sensitive information in the training phase. This measure ensures that prompt hackers cannot trick the AI into spilling identifiable information. Google's VaultGemma: 5 Things You Should Know 1. Google's VaultGemma is a one-billion-parameter AI model. The tech giant used privacy differentiation in the pre-training phase, combining sensitive data, where the identifiers such as people's names, addresses, emails, and similar information, with calibrated noise. The noise prevents the AI model from memorising the identifier. 2. So, what does it really protect? VaultGemma prevents the model from memorising and regurgitating sensitive snippets such as credit card numbers or someone's address that were present in the training data. The noise-batch ratio also ensures that one document, sentence, or person's data does not influence the response generated by the model. Essentially, this training strategy would not let an attacker reliably figure out whether or not the target's data was present in the dataset. 3. The Privacy focus comes with certain performance trade-offs. The first thing it impacts is the accuracy. To increase privacy, the researchers will have to add more noise to the dataset. This means the AI model is not able to learn finer details, reducing the accuracy of responses somewhat when compared to non-private models. For instance, without privacy, an AI model might know exact Shakespeare quotes, but with the differential privacy strategy, it will only capture the style but struggle in identifying the exact words. 4. There are trade-offs with compute and model size as well. To balance out the noise with performance, a model needs to be trained with larger datasets and more powerful computers. This makes differential privacy training slower and more expensive, and requires more compute. Coming to the model size, Google noted that with differential privacy, a larger model size does not mean better performance, unlike what has been observed in traditional model training with scaling laws. Smaller models, when trained with the right settings, can outperform a model with more parameters. This requires a rethinking of the scaling laws of an LLM. However, not changing anything would give diminished results. Google has also compared the performance of VaultGemma with Gemma 3 (a non-privacy model with the same parameters), and GPT-2, an older baseline model. VaultGemma performance Photo Credit: Google 5. So, what is the advantage to the end consumer? One privacy-focused model in itself is not going to change anything for the consumer. However, what Google has shown here is that it is possible to train and build a privacy-focused AI model that still delivers relatively decent performance. If this standard is adopted by all major AI players, it will significantly contribute to protecting the data of people globally. This is important at a time when companies such as Google, OpenAI, and Anthropic are training their models on users' conversations.

What is VaultGemma: World's most privacy conscious AI LLM explained

World's most privacy-conscious LLM explained: how VaultGemma balances privacy and utility Artificial intelligence has raced ahead in capability, but the question of privacy lingers like a shadow over every large language model (LLM). What happens when models memorise personal data from their training sets? How can developers assure users that their queries won't resurface in some future output? In a bid to answer these pressing concerns, Google DeepMind has unveiled VaultGemma, a new family of models it calls the world's most capable differentially private LLM. VaultGemma represents more than just another entry in the Gemma series. It is the first large-scale attempt to train an open model from scratch with differential privacy at its core, a mathematical framework that limits the influence of any individual data point on the final model. In plain terms, it is a system built to learn without memorising, to generate without exposing. Also read: Gemma 3n: Google's open-weight AI model that brings on-device intelligence The breakthrough lies in the training method. VaultGemma uses a technique known as DP-SGD (differentially private stochastic gradient descent), where random noise is added to the training updates. This ensures that no single training sequence, defined as 1,024 consecutive tokens, can be uniquely identified or reproduced by the model. The privacy guarantee is strict: VaultGemma achieves an epsilon of 2.0 with delta set to 1.1e-10. These figures may sound abstract, but they reflect a guarantee that the model's outputs are nearly indistinguishable whether or not a specific sequence was present in the training data. That makes it almost impossible for malicious users to extract verbatim text or private details. To make this feasible at scale, Google researchers developed new scaling laws for private training. These laws help determine the optimal balance between model size, training steps, and the amount of noise injected all under a fixed compute and privacy budget. Without this tuning, differentially private training would simply be too unstable and resource-intensive. The big question is whether privacy compromises ability. VaultGemma, with around 1 billion parameters, performs surprisingly well across benchmark tests such as HellaSwag, PIQA, BoolQ, and TriviaQA. It does not yet rival state-of-the-art non-private LLMs, but it closes the gap with models from just a few years ago. Also read: Sam Altman on AI morality, ethics and finding God in ChatGPT Perhaps more importantly, it shows no detectable memorisation. When researchers attempted to feed VaultGemma partial snippets from its training data, the model failed to reproduce the original text, an intentional outcome, and one that underscores its privacy promise. Still, trade-offs exist. Training with DP is costly in both compute and time. Models also tend to plateau earlier in performance compared to their non-private peers. For VaultGemma, the result is a capable but not cutting-edge assistant. Yet as privacy laws and user expectations tighten, the compromise may be worthwhile. The release of VaultGemma marks a turning point in how AI companies think about trust. Instead of retrofitting filters or relying solely on governance frameworks, Google is building privacy guarantees into the model's architecture itself. This shift could have far-reaching consequences. In areas such as healthcare, education, or financial services, domains where user data is deeply sensitive, VaultGemma-like systems could pave the way for responsible AI adoption. For researchers, the open release of the model and its training recipe provides a crucial testbed for exploring better private training methods. It is also a subtle challenge to competitors. While most LLMs today, from OpenAI's GPT to Anthropic's Claude, are trained without differential privacy, VaultGemma positions itself as a glimpse into a future where privacy is not optional but foundational. VaultGemma is not perfect. Its guarantees apply at the sequence level, not across entire user histories. Its utility is strong but not state-of-the-art. And the overhead of DP training still makes scaling to trillion-parameter models a formidable task. Yet as the debate around AI safety, security, and compliance intensifies, VaultGemma's debut feels timely. It demonstrates that high-quality language models and strong privacy protections are not mutually exclusive. The real test now is whether others in the AI industry follow suit or whether VaultGemma remains a pioneering, if solitary, experiment in making large language models more privacy conscious.