Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

What Is Federated Learning? A Guide to Privacy-Preserving AI

6 min. read
Table of contents

Federated learning is a distributed method for training machine learning models in which multiple devices or organizations collaboratively learn a shared model without transferring their raw data.

Each participant trains the model locally on its own dataset and shares only model updates or parameters with a central server. The server securely aggregates these updates to improve the global model while keeping individual data private.

 

How does federated learning work?

Federated learning uses a simple but powerful cycle. It trains a shared model across many participants—like devices, organizations, or data centers—without ever moving the raw data.

Here's how it works.

Architecture diagram titled 'How federated learning works' shows three participants on the left, each represented by a gray square containing an icon of a person and a device such as a laptop, computer, or smartphone. Each participant connects to a small neural network graphic made of gray and blue nodes, labeled respectively as 'w₁', 'w₂', and 'w₃'. Arrows point from these networks toward a central blue rectangular box labeled 'Aggregation', which contains the notation '(w₁, w₂, …, wₙ)'. From this box, another arrow extends right to a smaller network labeled 'w′'. The process is outlined in three numbered steps displayed in black boxes: 'Step 1: Model initialization' appears near the top right, 'Step 2: Local model training & upload' appears next to the participant networks, and 'Step 3: Global model aggregation & update' is shown next to the aggregation box. Curved arrows connect the steps in a loop to illustrate the training cycle.

  • The process begins with initialization.

    A central server creates a global model. It then sends that model to each participating client.

  • Each client performs local training.

    It uses its own data to improve the model on its device or system. The data never leaves that environment. Only model updates—such as adjusted weights or gradients—are prepared for sharing.

  • Next comes secure aggregation.

    Each client encrypts its updates before sending them to the central server. The server can combine these encrypted updates without viewing individual contributions. Technologies like secure multiparty computation, homomorphic encryption, and differential privacy make this step possible.

  • After aggregation, the server performs a global update.

    It averages the clients' contributions and creates a new global model. That improved model is sent back to the clients for another training round. The cycle repeats until the model reaches the desired performance.

There are two main deployment types:

Architecture diagram titled 'Cross-device vs. cross-silo federated learning' compares two deployment models side by side. On the left, under the heading 'Cross-device federated learning', three vertical lines connect small rectangular icons of mobile and edge devices labeled 'Train model on local data' to a gray box labeled 'Aggregation server' at the bottom. Blue arrows pointing downward indicate 'Receive aggregated model' while yellow arrows pointing upward indicate 'Send trained model'. A short note above reads 'Small node size (smartphones, edge devices), might not be available at each iteration'. On the right, under the heading 'Cross-silo federated learning', three vertical lines connect larger purple icons representing organizations and data centers labeled 'Train model on local data' to another gray box labeled 'Aggregation server'. The same blue and yellow arrows show bidirectional data flow between nodes and the server. A note above reads 'Large node size (companies, organizations), necessary to participate in each iteration'.
  1. Cross-device federated learning involves millions of small devices, such as smartphones, each training briefly when idle.
  2. Cross-silo federated learning uses fewer but more capable participants—like hospitals or banks—where each represents an entire organization.

Federated learning also has three key variants:

Architecture diagram titled 'Categories of federated learning' is divided into three vertical sections labeled 'Horizontal federal learning', 'Vertical federal learning', and 'Federated transfer learning'. In the first section, a central gray server icon connects by two-way purple arrows to three circular client icons labeled 'Client 1', 'Client 2', and 'Client 3', with text underneath reading 'Upload encryption parameters' and 'Distribute the latest model'. The middle section shows two clients connected to a server by blue arrows labeled 'Model encryption training'. Between the clients are icons of neural networks with text describing 'Data feature alignment' and 'Intermediate result exchange', as well as smaller arrows labeled 'Upload encryption parameters' and 'Send the public key & model update results'. The right section shows three clients in a vertical line labeled 'Client 1', 'Client 2', and 'Client 3', each connected by arrows between pairs of models labeled 'Current model' and 'Updated model'. Text alongside the arrows reads 'Exchange data representation'.
  1. Horizontal FL (HFL) combines data from participants with similar features but different users, such as multiple hospitals training on patient records.
  2. Vertical FL (VFL) merges participants with shared users but different data types. Like a bank and retailer sharing insights about the same customers.
  3. Federated transfer learning (FTL) connects organizations with little overlap in either users or features.

In simplified form, the process looks like this: clients train locally → encrypted updates → central server aggregates → new global model.

 

Why is federated learning considered privacy-preserving?

"The application of federated learning with GenAI is reshaping industries and creating new opportunities for leveraging data without compromising privacy. Federated learning enables the training of generative models across decentralized data sources. Rather than centralizing data in one location, the model is trained across multiple devices, and only the model updates are shared. This means that sensitive data never leaves the local device, providing an additional layer of security."
- K. Huang et al. (eds.)​, ​Generative AI Security​, ​Future of Business and Finance

Federated learning is built on a simple idea: keep the data where it is.

It applies the principle of data minimization. Which means raw data never leaves the devices or servers that create it. Only model updates or learned parameters are shared.

Architecture diagram titled 'How data minimization reduces exposure in machine learning' illustrates the stages of data processing, training, and privacy risk. On the left, a gray icon labeled 'Raw data collected from users or systems' connects by an arrow to a section labeled 'Data minimization'. Inside this section are two white boxes with icons and text reading 'Remove personal identifiers & unnecessary details' and 'Resulting reduced dataset used for training'. An arrow leads right to a circle labeled 'Model training', followed by a vertical blue line labeled 'No direct access to raw data beyond this point'. To the right of the line, a blue box labeled 'Measuring utility' contains two smaller boxes labeled 'Model trained using reduced dataset' and 'Model evaluated with separate test data'. Below, a red bar highlights 'Residual privacy risks: possible re-identification, data reconstruction, or inference attacks', accompanied by three icons labeled 'Re-identifying individuals', 'Reconstructing missing data', and 'Inferring membership'. A caption at the bottom reads that data minimization ensures only the smallest necessary portion of data is retained for AI training, reducing access to raw data and limiting re-identification or inference risk.

Here's why that matters.

In traditional machine learning, data is pooled in one place for training. That centralization increases exposure risk.

But federated learning removes that single point of failure. Each participant trains locally and contributes only to model improvements. Not data collection.

Now, privacy in this system comes from multiple protective layers.

Architecture diagram titled 'Layered privacy architecture in federated learning' displays four vertically stacked layers connected by a dotted line. Each layer is represented by a diamond-shaped icon with text labels to the right. From top to bottom, the labels read 'Output layer: Differential privacy (DP)' with the description 'Adds noise to the aggregated results to hide individual contributions'; 'Aggregation layer: Secure multi-party computation (SMPC)' with the description 'Allows clients to jointly compute updates without sharing individual inputs'; 'Encryption layer: Homomorphic encryption (HE)' with the description 'Enables computations on encrypted data'; and 'Hardware layer: Trusted execution environments (TEEs)' with the description 'Protect computations inside secure hardware enclaves'. On the left side of the diagram, a paragraph explains that privacy mechanisms in federated learning operate across system layers, with trusted execution environments protecting computation at the hardware level, homomorphic encryption securing encrypted operations, secure multi-party computation safeguarding updates during aggregation, and differential privacy anonymizing the final model output.

  • The first is secure multi-party computation (SMPC).

    It allows several parties to jointly compute results—like combining model updates—without revealing their individual inputs. No participant can view another's data.

  • The second is homomorphic encryption (HE).

    It enables computations on encrypted data. In other words, the system can process updates while they remain unreadable to anyone, even the central server.

  • The third is differential privacy (DP). It introduces small amounts of statistical noise to model updates. That makes it mathematically difficult to trace any update back to a specific user or record.

  • And finally, trusted execution environments (TEEs) provide hardware-level protection.

    They isolate sensitive computations within secure enclaves that prevent tampering or unauthorized access.

Together, these methods form a layered defense. Each technique covers gaps the others leave open, providing stronger overall privacy.

Note:
Federated learning isn't immune to every risk. Adversaries can still attempt gradient inversion or model inference attacks to reconstruct sensitive details from shared updates. That's why privacy-preserving techniques must keep evolving as the technology matures.
| Further reading: How to Build a Generative AI Security Policy

 

What are the main challenges of federated learning?

Architecture diagram titled 'Primary federated learning challenges' shows four rectangular sections arranged horizontally, each describing a key challenge and corresponding solutions. The first section, in blue, is labeled 'Data heterogeneity (non-IID data)' with text stating 'Client data varies in quality and distribution, making it difficult for the global model to perform equally across users' and a subheading 'Solutions' followed by 'Data harmonization, personalized federated learning, meta-learning.' The second section, in orange, is labeled 'System heterogeneity' with text stating 'Clients differ in hardware, memory, and network conditions, causing uneven training performance' and a subheading 'Solutions' followed by 'Adaptive scheduling and resource-aware aggregation.' The third section, in teal, is labeled 'Communication overhead' with text stating 'Frequent model updates across clients create heavy network traffic and delay' and a subheading 'Solutions' followed by 'Compression, selective updates, asynchronous aggregation.' The fourth section, in purple, is labeled 'Security & trust threats' with text stating 'Attackers can exploit shared updates to inject malicious data or infer private information' and a subheading 'Solutions' followed by 'Robust aggregation, secure multiparty computation, differential privacy.' A note beneath the four sections reads 'These challenges reflect the distributed nature of federated learning and ongoing research to improve reliability, efficiency, and security.'

Federated learning has clear privacy benefits, but it also introduces new technical and operational challenges. These challenges come from how distributed the system is and how much it depends on consistent communication, performance, and trust.

Data heterogeneity (non-IID data)

Each participant's data looks different. Some have large, clean datasets. Others have small, inconsistent, or biased ones. That difference—called non-independent and identically distributed (non-IID) data—makes it harder for a single global model to perform equally well across all users.

Here's why.

When data distributions differ, local model updates may conflict. That slows convergence and reduces overall accuracy.

Researchers are exploring data harmonization, personalized federated learning, and meta-learning to make models adapt better to each client's unique data.

Note:
Non-IID data can also lead to fairness gaps, where models perform better for dominant data sources and worse for underrepresented ones. Weighted aggregation and client clustering are emerging as potential ways to reduce these disparities.

System heterogeneity

Devices in a federated network don't all look the same. Some are high-end servers. Others are low-power edge devices or mobile phones. Which means training speeds, memory, and network conditions vary.

This variation leads to inconsistent participation and dropped connections during training. Adaptive scheduling and resource-aware aggregation techniques now help balance workload and keep models learning efficiently across different environments.

Communication overhead

Federated learning depends on repeated message exchanges between clients and the server. Each training round involves sending and receiving model updates. At scale, that's a lot of network traffic.

Compression, selective update sharing, and asynchronous aggregation methods are reducing the bandwidth burden. But communication efficiency remains a central focus of ongoing research.

Note:
In real-world deployments, communication costs often exceed computation costs. Engineers frequently adjust synchronization frequency—trading accuracy for network efficiency—to make large-scale training feasible.

Security and trust threats

Even though raw data stays local, federated systems can still be attacked through shared model updates. Malicious clients can inject poisoned data, alter gradients, or exploit patterns to infer private information.

Robust aggregation, secure multiparty computation, and differential privacy help defend against these risks. However, attacks like Byzantine faults and model inversion continue to challenge how securely federated systems can scale.

These security implications—and how they shape AI risk management more broadly—are explored later in this article.

 

Where is federated learning used today?

Infographic titled 'Federated learning across industries' contains four rectangular sections arranged in a two-by-two grid, each representing a different industry use case with text and illustrations. The top left section, labeled 'Healthcare', describes hospitals and research networks training diagnostic models on patient data that remains on local servers, accompanied by an illustration of a doctor operating an MRI machine with a patient lying inside. The top right section, labeled 'Smart devices', explains how applications like Google's Gboard and Apple's Siri use on-device personalization where each device learns from its user and contributes updates without sharing raw data; it is illustrated with a laptop, tablet, and smartphone displaying similar interfaces. The bottom left section, labeled 'Finance', describes banks and insurers improving fraud detection and credit risk models while maintaining data confidentiality, shown with an illustration of a bank building, coins, bills, and an upward-trending graph. The bottom right section, labeled 'Edge computing & IoT', states that distributed sensors, vehicles, and industrial systems support real-time optimization for sectors such as energy, manufacturing, and telecommunications, accompanied by an illustration of connected industrial tanks with a wireless signal above them.

Federated learning is no longer experimental. It's now part of how organizations handle sensitive data while still training effective AI models. The technology supports sectors where privacy, regulation, and distributed data make traditional centralized training impractical.

Healthcare

Hospitals and research networks use federated learning to train diagnostic models on patient data that never leaves their servers. That means predicting diseases, improving imaging analysis, or identifying treatment patterns without sharing confidential records.

For example(s), institutions can collaborate on cancer detection or medical imaging projects while maintaining compliance with privacy laws.

Finance

Banks and insurers use federated learning to improve fraud detection and credit risk models. It allows them to learn from transaction data held in different institutions without exposing customer information. This approach reduces regulatory risk while improving model accuracy across diverse datasets.

Smart devices

On-device applications like Google's Gboard and Apple's Siri use federated learning for personalization. Each device learns from its user—improving text prediction or voice recognition—while updates contribute to a shared model.

The data itself never leaves the device.

Edge computing and IoT

Federated learning extends to industrial systems, connected vehicles, and IoT networks. It enables models to learn from distributed sensors and devices where bandwidth is limited and data privacy is critical. That makes it suitable for real-time optimization in sectors like energy, manufacturing, and telecommunications.

Ongoing deployments by companies such as Google, Apple, and Meta—and partnerships with academic consortia—continue to expand how federated learning is applied across industries.

 

How is federated learning evolving?

Federated learning is entering a more mature phase.

The early goal was simple: keep data local.

Now the focus is expanding. Researchers are building systems that are not only private but also reliable, transparent, and auditable.

Here's where it's heading.

"In recent years, practical FL systems have harnessed significant advancements by the community: we can scale to millions of devices and many domains; we can apply secure multiparty computation protocols at scale and combine them with central or distributed DP; we can successfully train production models with meaningful DP guarantees while achieving high utility."
- Peter Kairouz et al., Federated Learning in Practice: Reflections and Projections (Google Research, 2024)

The field is moving toward what's known as trustworthy federated learning.

It combines privacy, robustness, and security into one unified framework. The idea is that a model should protect sensitive data, detect manipulation, and verify the integrity of updates before they're merged into the global model. In other words, it's about establishing measurable trust in how learning happens.

At the same time, federated learning is being connected to large-scale AI.

Researchers are exploring how to train or fine-tune foundation models—including vision and large language models—on distributed datasets. To support that scale, confidential computing is emerging as a key enabler. It provides isolated, verifiable environments for handling sensitive model updates.

The supporting infrastructure is evolving too.

Trusted execution environments (TEEs) now allow training steps to occur inside secure hardware enclaves that can be independently verified. When paired with ledger-based verification, these systems can record which computations occurred, under what privacy guarantees, and by whom. That gives organizations the ability to audit and prove compliance.

Finally, federated learning is branching into new areas such as federated analytics.

Which applies the same privacy-preserving approach to data analysis, and personalized federated learning, which adapts models to individual participants.

It's worth noting, though, that open research questions definitely remain. Scalability, fairness, and verifiability are still being refined as federated learning grows from a privacy technique into a broader framework for secure, distributed AI.

| Further reading: What Is LLM (Large Language Model) Security? | Starter Guide

 

How does federated learning impact AI security?

Federated learning strengthens AI security by changing where and how data is used.

Instead of pooling information in a central repository, it keeps data distributed across many devices or organizations. That shift limits the number of access points attackers can target.

Here's why that matters.

By enforcing data locality, federated learning reduces the risk of large-scale data breaches.

Attackers can't reach an entire dataset by compromising a single server because the data never leaves its source. It also aligns with secure AI design principles like least privilege and defense in depth—each participant only processes what it needs to contribute to the global model.

Plus, federated learning supports confidential computing, where sensitive workloads run inside secure hardware environments.

These systems protect training operations from tampering or interception, even by insiders. Together, these approaches make AI pipelines more resilient to unauthorized access and data exposure.

However:

Privacy doesn't eliminate risk. Federated learning does introduce new attack surfaces through shared model updates.

Malicious participants can inject poisoned data, manipulate gradients, or attempt inference attacks—techniques that reconstruct private information from model behavior. Defending against these threats requires strong cryptography, model validation, and anomaly monitoring.

It also demands trust in the aggregation process itself. Servers that combine updates must be verifiable and governed by strict policy controls to prevent manipulation.

In short: federated learning enhances AI security by decentralizing risk. But it also creates new responsibilities for organizations to secure distributed systems end to end. It's both an advancement and a challenge. And it's central to how privacy-preserving AI ecosystems are being built today.

| Further reading:

DIG DEEPER INTO GENAI SECURITY
Read The State of Generative AI 2025 for the latest data on GenAI adoption and usage.

Download report

 

Federated learning FAQs

Federated learning is a way to train AI models without moving the data they learn from. Each device or organization trains the model locally and sends only updates—not raw data—to a central server. The server combines those updates into a shared model that improves over time.
Traditional machine learning collects all data in one place for training. Federated learning does the opposite. It keeps data distributed across participants and only shares model parameters. This approach improves privacy, reduces central risk, and allows collaboration across organizations that can’t share data directly.
Smartphones use federated learning to improve features like text prediction and voice recognition. For example, Google’s Gboard keyboard learns from users’ typing patterns locally. It then contributes updates to a global model that improves suggestions for everyone—without uploading anyone’s personal messages.
Federated learning is grouped by how participants’ data overlaps. Horizontal federated learning combines data with similar features but different users. Vertical federated learning merges data about the same users from different sources. Federated transfer learning links organizations that share little overlap in either users or features.
Federated learning reduces centralized risk but isn’t invulnerable. It protects data through encryption, secure aggregation, and differential privacy. However, it still faces threats like data poisoning and model inversion. Security depends on strong cryptography, robust aggregation, and trustworthy servers that manage model updates safely.
It enforces data minimization. Raw data stays where it’s created, and only model updates are shared. Privacy-preserving tools—such as secure multiparty computation, homomorphic encryption, differential privacy, and trusted execution environments—add further protection. Together, they make it difficult for anyone to access or reconstruct individual data.
Related content
Report: Unit 42 Threat Frontier: Prepare for Emerging AI Risks
Get Unit 42's point of view on AI risks and how to defend your organization.
LIVEcommunity blog: Secure AI by Design
Discover a comprehensive GenAI security framework.
Threat research: How Good Are the LLM Guardrails on the Market?
Find out how effective LLM content filtering really is across major GenAI platforms.
Podcast: Threat Vector | How to Scale Responsible AI in the Enterprise
Hear why early-stage AI projects must move beyond hype to operational maturity.

Get the latest news, invites to events, and threat alerts