The PyTorch Foundation has announced that Safetensors, a widely adopted tensor serialization format, has joined its community-driven hub as a foundation-hosted project. Developed and maintained by Hugging Face, Safetensors prevents arbitrary code execution risks and enhances model performance across multi-GPU and multi-node deployments.
What Happened
Safetensors joining the PyTorch Foundation marks an important step towards scaling production-grade AI models, according to Mark Collier, Executive Director of the PyTorch Foundation. The move minimizes security risks associated with model architectures and execution, providing developers with a trusted path to production.
The announcement was made at the PyTorch Conference EU on April 8, 2026. Safetensors, developed and maintained by Hugging Face, has become one of the most widely adopted tensor serialization formats in the open source machine learning (ML) ecosystem. With the earlier pickle-based formats, a shared model file could carry arbitrary, untrusted code, placed there by a developer or a bad actor, that ran when the file was loaded.
Acting as a table of contents for an AI model's data, Safetensors prevents arbitrary code execution and is now one of the most widely used metadata formats for model distribution. The format has been adopted by tens of thousands of models across all modalities in ML, making it a crucial piece of the open source AI stack.
Background and Context
Safetensors started as a Hugging Face project born out of a concrete need: a way to store and share model weights that couldn't execute arbitrary code. The pickle-based formats that dominated the ecosystem at the time meant that there was a very real risk you'd be running malicious code.
The Safetensors format is intentionally simple: a JSON header, capped at a hard limit of 100MB, describes the tensor metadata, and the raw tensor data follows it. Zero-copy loading maps tensors directly from disk, and lazy loading reads individual weights without deserializing the entire checkpoint.
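The layout described above, as an added example rather than code from the Safetensors project itself: a minimal pure-Python reader that enforces the 100MB header ceiling, checks every tensor's offsets against its dtype and shape and against the other tensors, and then slices out a single tensor from a memory-mapped file. Only the byte layout used here (an 8-byte little-endian header length, a UTF-8 JSON header, then raw data) is the published format; the sample tensors, the two hostile buffers and the helper names are constructed for this illustration.

```python
import json
import mmap
import struct
import tempfile
from typing import Dict, List, Tuple

# Header ceiling stated in the article; a loader that ignores it can be made to
# allocate and parse an attacker-chosen amount of JSON before seeing any tensor.
HEADER_LIMIT = 100 * 1024 * 1024
# Byte width of the dtype strings that appear in safetensors headers (subset).
DTYPE_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "U8": 1, "BOOL": 1}
STRUCT_CODE = {"F32": "f", "I64": "q", "I32": "i", "U8": "B"}


def frame(header: dict, blob: bytes) -> bytes:
    """Lay out a file: 8-byte little-endian header length, JSON header, raw data."""
    hjson = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hjson)) + hjson + blob


def build_safetensors(tensors: Dict[str, Tuple[str, List[int], list]]) -> bytes:
    """Serialize {name: (dtype, shape, values)} into the safetensors layout."""
    header, blob = {"__metadata__": {"format": "pt"}}, bytearray()
    for name, (dtype, shape, values) in tensors.items():
        start = len(blob)
        blob += struct.pack(f"<{len(values)}{STRUCT_CODE[dtype]}", *values)
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [start, len(blob)]}
    return frame(header, bytes(blob))


def parse_header(buf) -> Tuple[dict, int]:
    """Decode and validate the header without touching tensor data.
    Returns (header, byte offset at which the data section begins)."""
    if len(buf) < 8:
        raise ValueError("truncated: missing header length")
    (n,) = struct.unpack("<Q", buf[:8])
    if n > HEADER_LIMIT:
        raise ValueError(f"header length {n} exceeds {HEADER_LIMIT} bytes")
    if 8 + n > len(buf):
        raise ValueError("header length runs past end of file")
    header = json.loads(bytes(buf[8:8 + n]).decode("utf-8"))
    data_start, data_len = 8 + n, len(buf) - (8 + n)
    spans = []
    for name, info in header.items():
        if name == "__metadata__":
            continue
        dtype, shape, (s, e) = info["dtype"], info["shape"], info["data_offsets"]
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unknown dtype {dtype}")
        expected = DTYPE_SIZE[dtype]
        for d in shape:
            if not isinstance(d, int) or d < 0:
                raise ValueError(f"{name}: bad shape {shape}")
            expected *= d
        # Offsets must lie inside the data section and match dtype * shape exactly,
        # so a header cannot point a tensor at bytes the file does not contain.
        if not (0 <= s <= e <= data_len) or e - s != expected:
            raise ValueError(f"{name}: offsets {s}-{e} inconsistent with {dtype}{shape}")
        spans.append((s, e, name))
    spans.sort()
    for (_, e1, n1), (s2, _, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            raise ValueError(f"tensors {n1} and {n2} overlap")
    return header, data_start


def is_valid(buf) -> bool:
    """True if the buffer parses and every tensor description is self-consistent."""
    try:
        parse_header(buf)
        return True
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return False


def load_tensor(buf, name: str) -> Tuple[List[int], list]:
    """Lazy load: slice only this tensor's bytes out of buf (bytes or an mmap).
    The header is re-validated on each call here; a real loader caches it."""
    header, data_start = parse_header(buf)
    info = header[name]
    s, e = info["data_offsets"]
    raw = buf[data_start + s:data_start + e]
    count = (e - s) // DTYPE_SIZE[info["dtype"]]
    return info["shape"], list(struct.unpack(f"<{count}{STRUCT_CODE[info['dtype']]}", raw))


def load_via_mmap(path: str, name: str):
    """Map the file read-only and pull one tensor without reading the rest."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return load_tensor(m, name)


# Constructed sample checkpoint with two small tensors.
SAMPLE = build_safetensors({
    "layer.weight": ("F32", [2, 2], [1.0, 2.0, 3.5, 4.0]),
    "layer.ids": ("I64", [2], [10, -3]),
})
# Constructed hostile inputs: an absurd header length, and two tensors aliasing bytes.
BAD_HEADER_LEN = struct.pack("<Q", 2 * HEADER_LIMIT) + b"{}"
BAD_OVERLAP = frame({"a": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]},
                     "b": {"dtype": "I64", "shape": [1], "data_offsets": [4, 12]}}, bytes(12))

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".safetensors", delete=False) as tmp:
        tmp.write(SAMPLE)
    print(load_via_mmap(tmp.name, "layer.ids"))
    print(is_valid(BAD_HEADER_LEN), is_valid(BAD_OVERLAP))
```

The point of the checks in `parse_header` is that the only thing the loader ever interprets is JSON and fixed-width numbers: there is no code path in which file content becomes executable, and a malformed header fails closed before any tensor bytes are read.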
Why it Matters to the Industry
The adoption of Safetensors as a foundation-hosted project under the Linux Foundation is significant for several reasons. Firstly, it provides a vendor-neutral home for the project, ensuring that progress reflects the breadth of the community building on top of it.
Secondly, joining the PyTorch Foundation gives Safetensors a stable, long-term, entirely community-driven home. This provides developers with a trusted path to production and minimizes security risks associated with model architectures and execution.
What Comes Next
The coming months will see significant growth for Safetensors, according to Luc Georges, one of the maintainers of the project. The roadmap ahead includes device-aware loading and saving, so tensors can load directly onto CUDA, ROCm, and other accelerators without unnecessary CPU staging.
Additionally, first-class APIs for Tensor Parallel and Pipeline Parallel loading will be built, allowing each rank or pipeline stage to load only the weights it needs. Formalizing support for FP8, block-quantized formats like GPTQ and AWQ, and sub-byte integer types is also on the horizon.
Key Facts
- Safetensors has joined the PyTorch Foundation as a foundation-hosted project under the Linux Foundation.
- The format prevents arbitrary code execution risks and enhances model performance across multi-GPU and multi-node deployments.
- Safetensors is developed and maintained by Hugging Face.
- The format has become one of the most widely adopted tensor serialization formats in the open source ML ecosystem.
- Tens of thousands of models have adopted Safetensors across all modalities in ML.
- The PyTorch Foundation provides a vendor-neutral home for the project and ensures community-driven progress.