Safetensors Joins PyTorch Foundation: A Defensive Lock-In

Safetensors is moving under the PyTorch Foundation umbrella. This article argues it’s a defensive lock-in that benefits Hugging Face and PyTorch while marginalizing JAX and TensorFlow.

On April 8, 2026, the Hugging Face team announced that Safetensors, the serialization format for neural network weights, is joining the PyTorch Foundation. This is not a neutral technical decision—it is a strategic move to prevent PyTorch from building a competing format and to cement Hugging Face’s control over the model distribution pipeline.
  • What happened: Safetensors, the serialization format for model weights, is joining the PyTorch Foundation as a hosted project.
  • Why it matters: This move secures Safetensors as the default format in PyTorch, making it harder for other frameworks to adopt it neutrally.
  • Key tension: The article resolves the question of whether this is a win for open standards or a power grab by Hugging Face—it’s the latter.

Why Did Hugging Face Move Safetensors Under the PyTorch Foundation?

According to the Hugging Face blog post (April 8, 2026), the stated reason is to "ensure long-term governance and community trust" for Safetensors. But the real reason is defensive. PyTorch has been developing its own serialization improvements (e.g., torch.save with zipfile enhancements). If PyTorch had shipped a native format, it would have marginalized Safetensors overnight. By joining the foundation, Hugging Face ensures that Safetensors becomes the official PyTorch format—not a competitor.

I see this as a classic "if you can't beat them, join them" play. Hugging Face is betting that foundation governance will slow down PyTorch’s internal format development, buying Safetensors years of dominance.

Who Actually Benefits From This Deal?

The immediate winners are Hugging Face and Meta (which backs PyTorch). Hugging Face gets its format enshrined in the most popular deep learning framework. Meta gets a standardized format that reduces fragmentation. The losers are JAX and TensorFlow users—Safetensors is now a PyTorch-first project, and any future enhancements will prioritize PyTorch compatibility. Google’s TensorFlow team, which has its own SavedModel format, now faces a harder sell for cross-framework interoperability.

I expect JAX users to see slower Safetensors adoption for non-PyTorch workflows, as foundation resources will flow to PyTorch integration.

What Does This Mean for Developers Using JAX or TensorFlow?

Developers on non-PyTorch frameworks lose. Safetensors was marketed as a neutral format. Now it’s under the PyTorch Foundation’s technical steering committee. While the foundation’s charter promises neutrality, the reality is that PyTorch contributors will dominate the roadmap. I predict that within 12 months, Safetensors will have features that require PyTorch-specific APIs (e.g., torch.Tensor metadata), making it harder to use with JAX’s jnp arrays or TensorFlow’s tf.Tensor.

This is a repeat of the ONNX story—a supposedly neutral format that became PyTorch-centric after Microsoft joined the Linux Foundation.

Is This a Win for Open Standards or a Power Grab?

It’s a power grab disguised as open governance. The PyTorch Foundation is not a neutral standards body—it’s a Meta-backed entity with a voting structure that favors large corporate members. Safetensors’ governance will now be subject to foundation politics, where Hugging Face has one vote among many. But Hugging Face retains de facto control because they own the reference implementation and the Hub integration. This is not decentralization; it’s centralization under a different banner.

For comparison, the ONNX standard is technically open but practically PyTorch-dominated. Safetensors will follow the same path.

| Dimension            | Safetensors (Pre-Foundation) | Safetensors (Post-Foundation) |
|----------------------|------------------------------|-------------------------------|
| Governance           | Hugging Face sole control    | PyTorch Foundation voting     |
| Framework Neutrality | De facto neutral             | PyTorch-first                 |
| Speed of Changes     | Fast (Hugging Face decides)  | Slow (committee approval)     |
| Competing Formats    | None dominant                | PyTorch native format killed  |
| Community Trust      | High (open source)           | Higher (foundation brand)     |
| Verdict              | Neutral, flexible            | PyTorch lock-in, slower       |

My thesis: This move is a defensive lock-in that secures Hugging Face’s control over model distribution at the cost of framework neutrality.

In the short term (0–12 months), developers will celebrate the foundation move as a sign of maturity. In the long term (12–36 months), JAX and TensorFlow users will find Safetensors increasingly incompatible with their workflows. The biggest gainer is Hugging Face, which locks in its format as the default for the largest deep learning ecosystem. The biggest loser is the open-source community, which loses a neutral format to framework politics.

I predict that by Q2 2027, the PyTorch Foundation will reject a community proposal to add JAX-specific metadata to Safetensors, citing "scope creep"—a clear sign of lock-in.

  1. Prediction 1: By Q4 2026, the PyTorch Foundation will announce a Safetensors extension for PyTorch 3.0 that uses torch-specific APIs, making it non-portable to JAX or TensorFlow.
  2. Prediction 2: By Q2 2027, Google will announce a competing format for TensorFlow called "TensorPack" that is fully JAX-compatible, fragmenting the serialization ecosystem.
  3. Prediction 3: By 2028, the Hugging Face Hub will deprecate support for non-Safetensors formats (e.g., .bin, .pt) for new model uploads, citing "security and performance"—locking users into their ecosystem.

  1. 2022
    Safetensors announced

    Hugging Face releases Safetensors as a fast, safe alternative to pickle for model weights.

  2. 2023
    Safetensors becomes default on Hugging Face Hub

    Community adoption grows; Hub makes it the default format for new model uploads.

  3. 2024
    PyTorch Foundation formed

    Meta announces the PyTorch Foundation to govern the framework's development.

  4. April 2026
    Safetensors joins PyTorch Foundation

    Hugging Face transfers Safetensors governance to the foundation.

  5. Expected 2027
    PyTorch 3.0 with Safetensors-only features

    Predicted release of PyTorch version with Safetensors-specific APIs.

  • 2022: Safetensors announced by Hugging Face as a fast, safe alternative to pickle.
  • 2023: Safetensors adopted by PyTorch community; Hugging Face Hub makes it default.
  • 2024: PyTorch Foundation formed; Meta backs it.
  • April 2026: Safetensors joins PyTorch Foundation.
  • Expected 2027: PyTorch 3.0 ships with Safetensors-only features.

  • Insight 1: The foundation move is a preemptive strike against PyTorch building its own format, not a gesture of openness.
  • Insight 2: Non-PyTorch developers should start planning for a fragmented serialization landscape within 2 years.
  • Insight 3: Hugging Face’s real moat is the Hub, not Safetensors—this move protects the Hub by making the format less portable.
  • Insight 4: The PyTorch Foundation’s governance structure will slow innovation in Safetensors, benefiting Hugging Face’s own proprietary improvements.
  • Insight 5: Expect a new industry consortium for model serialization standards within 3 years, led by Google and Apple.

Source and attribution

Hugging Face Blog
Safetensors is Joining the PyTorch Foundation
