Federated Averaging (FedAvg) is the canonical iterative optimization algorithm for federated learning where a central server periodically aggregates locally computed model updates from a subset of clients to form a new global model, all without centralizing the clients' private training data. The core mechanism involves multiple communication rounds, where selected clients perform several steps of stochastic gradient descent on their local datasets and transmit only the resulting model parameter updates—typically weight deltas or gradients—back to the coordinating server.
Glossary
Federated Averaging (FedAvg)

What is Federated Averaging (FedAvg)?
The foundational iterative algorithm for decentralized machine learning, enabling collaborative model training across distributed devices while keeping raw data localized.
The server then computes a weighted average of these client updates, often based on the number of local data samples, to produce an improved global model, which is broadcast back to the client population for the next round. This process directly addresses the core challenges of statistical heterogeneity (non-IID data) and systems heterogeneity across edge devices. FedAvg is the baseline upon which advanced techniques like secure aggregation, differential privacy, and client selection strategies are built to enhance privacy, security, and efficiency.
Core Characteristics of FedAvg
Federated Averaging (FedAvg) is the foundational iterative algorithm for federated learning where a central server averages model updates from a subset of clients to produce a new global model.
Decentralized Training Loop
FedAvg operates through synchronized communication rounds. In each round:
- The server selects a subset of available clients and broadcasts the current global model.
- Each selected client performs local stochastic gradient descent (SGD) on its private data.
- Clients send only their updated model parameters (or gradients) back to the server.
- The server computes a weighted average of these updates, based on the number of local training examples, to form a new global model. This loop continues until the model converges, ensuring raw training data never leaves the client device.
Statistical Heterogeneity (Non-IID Data)
A core challenge FedAvg is designed for is Non-Independent and Identically Distributed (Non-IID) data across clients. In real-world settings (e.g., different users' typing habits), each client's local dataset is not a representative sample of the overall population distribution. This can cause:
- Client drift: Local models diverge significantly from the global objective.
- Slower convergence and potential convergence to a sub-optimal model. FedAvg's robustness to this heterogeneity is a key research focus, often addressed by tuning the number of local epochs and client participation rates.
Communication Efficiency
FedAvg's primary optimization is reducing communication costs, which are often the bottleneck in distributed systems. It achieves this through local computation. By performing multiple SGD steps (local epochs) on a client device before communicating, it drastically reduces the total number of communication rounds required for convergence compared to a naive distributed SGD approach where gradients are sent after every batch. The trade-off is carefully managing the balance between local computation and global synchronization to avoid client drift.
Partial Client Participation
In practical deployments, not all clients are available, willing, or capable of participating in every training round due to factors like:
- Device charging status
- Network connectivity (e.g., unmetered Wi-Fi)
- Computational resource constraints FedAvg is designed for partial client participation, where the server randomly samples a fraction of the total client pool each round. This makes the system scalable to millions of devices. The algorithm must be robust to this stochastic sampling, which introduces variance into the update process.
Weighted Model Averaging
The aggregation step is not a simple mean. The server performs a weighted average of the client model updates, where the weight for each client is proportional to the size of its local dataset (n_k). The global update formula is: w_{t+1} = Σ (n_k / n) * w_{t+1}^k, where n is the total number of training examples across participating clients. This weighting gives clients with more data a proportionally larger influence on the global model, which is statistically sound when aiming to minimize the overall training loss.
Privacy as a Byproduct, Not a Guarantee
Critical Distinction: FedAvg provides data minimization by keeping raw data on-device, but it does not, by itself, provide formal privacy guarantees. The shared model updates (gradients or weights) can potentially leak information about the underlying training data through techniques like model inversion or membership inference attacks. Therefore, FedAvg is typically combined with Secure Aggregation to prevent the server from seeing individual updates and Differential Privacy to add statistical noise, creating a comprehensive privacy-preserving pipeline.
FedAvg vs. Centralized Training
A direct comparison of the core architectural paradigms for training machine learning models, contrasting the decentralized Federated Averaging approach with the traditional centralized method.
| Feature / Metric | Federated Averaging (FedAvg) | Centralized Training |
|---|---|---|
Data Location | Distributed across edge devices (clients). Never leaves local storage. | Centralized in a single data center or cloud storage. |
Primary Communication | Model parameters (weights/gradients) only. | Raw training data batches. |
Privacy Posture | Inherently higher; raw user data remains on-device. | Inherently lower; requires explicit privacy controls (e.g., encryption, access logs). |
Network Bandwidth Cost | Moderate; transmits compact model updates (e.g., ~10-100 MB per round). | Very High; requires uploading entire raw datasets (e.g., TBs). |
Client Compute Requirement | High; each client performs local stochastic gradient descent (SGD). | None; all compute is performed on centralized servers. |
Server Compute Requirement | Low; performs weighted averaging of received model updates. | Very High; performs full-batch or mini-batch SGD on the entire dataset. |
System Resilience | High; tolerant to client dropouts and intermittent connectivity. | Low; server failure halts all training. |
Scalability to Devices | High; designed for massive, heterogeneous client populations (e.g., millions). | Limited by data center compute and storage capacity. |
Regulatory Compliance (e.g., GDPR, HIPAA) | Easier to architect for compliance via data minimization. | Requires complex data governance, legal agreements, and access controls. |
Primary Optimization Challenge | Statistical heterogeneity (non-IID data) and communication efficiency. | Compute scalability and managing large, monolithic datasets. |
Typical Latency per Round | Bottlenecked by the slowest client in the selected cohort (straggler effect). | Determined by server GPU/TPU cluster performance. |
Model Personalization Potential | High; foundation for personalized federated learning techniques. | Low; produces a single global model unless explicitly retrained per user. |
Real-World Applications of Federated Averaging
Federated Averaging (FedAvg) enables collaborative machine learning across decentralized data silos. Its core value lies in applications where data privacy, regulatory compliance, or network constraints prevent centralized data collection.
Mobile Keyboard Prediction
FedAvg is the foundational algorithm for training next-word prediction models on smartphones without uploading personal typing data. Each device trains a local model on its own keystrokes, and only the aggregated model updates are sent to the cloud.
- Privacy Guarantee: User messages, passwords, and sensitive information never leave the device.
- Scale: Deployed across billions of devices, creating a globally intelligent model from highly private, distributed data.
- Example: Gboard's suggestion model is trained via federated learning, improving autocorrect and emoji predictions for all users while keeping individual data on-device.
Healthcare Diagnostic Models
Hospitals and research institutions use FedAvg to collaboratively train medical imaging models (e.g., for detecting tumors in X-rays or MRIs) without sharing patient records.
- Regulatory Compliance: Adheres to strict regulations like HIPAA and GDPR by avoiding the centralization of Protected Health Information (PHI).
- Data Diversity: Aggregates knowledge from diverse patient populations and imaging equipment across multiple institutions, improving model robustness and reducing bias.
- Use Case: The AI-ROI consortium and similar initiatives use federated learning to develop cancer detection algorithms by combining data from dozens of hospitals globally.
Financial Fraud Detection
Banks employ FedAvg to build more accurate anomaly detection models by learning from transaction patterns across multiple financial institutions, while keeping each bank's proprietary fraud data and customer information private.
- Competitive Collaboration: Banks benefit from a broader view of emerging fraud patterns without revealing their internal risk models or customer data to competitors.
- Real-Time Threat Intelligence: The global model can adapt faster to new, sophisticated attack vectors seen by any participating institution.
- Security Posture: Enhances defenses while maintaining strict data sovereignty and confidentiality requirements inherent to the financial sector.
Industrial IoT & Predictive Maintenance
Manufacturers use FedAvg to train predictive maintenance models on sensor data from fleets of machines (e.g., turbines, elevators, vehicles) deployed across different geographic locations or owned by different customers.
- Data Locality: Sensitive operational telemetry, which may reveal proprietary processes or failure rates, remains within the factory or on the edge device.
- Improved Uptime: The federated model learns from a wider range of failure modes and operational conditions than any single site could provide, leading to more accurate failure predictions.
- Bandwidth Efficiency: Only small model updates are transmitted, which is critical for environments with limited or expensive connectivity.
Autonomous Vehicle Fleet Learning
Automakers use FedAvg to improve the perception and decision-making models of self-driving cars. Each vehicle learns from its local driving experiences, and insights are aggregated to improve the global model for the entire fleet.
- Handling Edge Cases: Vehicles in different climates, cities, and road conditions contribute unique data, helping the system learn rare but critical scenarios (e.g., obscured traffic signs, unusual obstacles).
- Privacy & Security: Personally identifiable information, precise location trails, and video footage are processed locally and never uploaded in raw form.
- Continuous Deployment: New model versions can be pushed to vehicles over-the-air, which then continue to learn and contribute improvements in a privacy-preserving loop.
Cross-Silo Enterprise AI
Enterprises in regulated industries (e.g., pharmaceuticals, insurance) use FedAvg for cross-organizational analytics and model training. For example, multiple pharmaceutical companies could collaborate on a drug discovery model using their respective molecular datasets.
- Protecting Intellectual Property: Each company's proprietary chemical libraries and experimental data remain within its secure silo.
- Vertical Federated Learning: A specialized form where different parties hold different features about the same entities (e.g., a hospital holds patient outcomes, a lab holds genomic data). FedAvg principles are extended to coordinate learning across these vertical partitions.
- Consortium Models: Enables the creation of industry-wide benchmarks and models that no single entity could develop alone, accelerating innovation while preserving competitive advantage.
Frequently Asked Questions
Federated Averaging is the foundational iterative algorithm for federated learning where a central server averages model updates from a subset of clients to produce a new global model. These questions address its core mechanics, security context, and practical implementation.
Federated Averaging (FedAvg) is the canonical iterative algorithm for training a machine learning model across decentralized data held by multiple clients (e.g., edge devices) without exchanging the raw data. It works through repeated rounds of local computation on client devices followed by secure aggregation on a central server. In each round: 1) The server selects a subset of clients and sends them the current global model. 2) Each selected client performs local stochastic gradient descent on its private data to compute a model update. 3) Clients send their updated model parameters (or gradients) back to the server. 4) The server computes a weighted average of these updates, typically based on the number of data points per client, to produce a new global model. This cycle repeats until convergence.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Federated Averaging (FedAvg) relies on secure aggregation protocols to protect individual client updates. These cryptographic techniques ensure the server learns only the aggregated model, not the contributions of any single participant.
Secure Aggregation
Secure Aggregation is a cryptographic protocol that allows a central server in federated learning to compute the sum or average of client model updates without learning any individual client's contribution. It is the primary privacy-enhancing wrapper around FedAvg.
- Core Mechanism: Clients encrypt or mask their local model updates before transmission. The server aggregates these masked values, and the masks are designed to cancel out, revealing only the final aggregated update.
- Key Property: Provides privacy against an honest-but-curious server that follows the protocol but tries to infer individual data.
- Example: The Bonawitz Protocol uses pairwise masking between clients to achieve this, tolerating client dropouts during the round.
Differential Privacy
Differential Privacy (DP) is a rigorous mathematical framework that quantifies and bounds the privacy loss from an individual's participation in a computation. In federated learning, it is often applied alongside FedAvg.
- Core Mechanism: Adds carefully calibrated random noise to the model updates or the final aggregate before the server uses it. The noise is scaled to the sensitivity of the function (the maximum influence a single client's data can have).
- Key Metric: The privacy budget (epsilon, ε). A smaller ε means stronger privacy but typically reduces model accuracy.
- Common Technique: The Gaussian Mechanism adds Gaussian noise and is frequently used for privatizing high-dimensional gradient vectors in federated settings.
Homomorphic Encryption
Homomorphic Encryption (HE) is a form of encryption that allows computations to be performed directly on ciphertext. When decrypted, the result matches the outcome of operations performed on the plaintext.
- Role in FedAvg: Enables the server to aggregate encrypted model updates from clients without decrypting them first, providing a very strong confidentiality guarantee.
- Types: Partially Homomorphic Encryption (e.g., Paillier cryptosystem) supports only addition, which is sufficient for averaging. Fully Homomorphic Encryption (FHE) supports arbitrary computations but is computationally intensive.
- Trade-off: Provides stronger cryptographic security than masking-based secure aggregation but incurs significant computational and communication overhead.
Secure Multi-Party Computation
Secure Multi-Party Computation (MPC) is a cryptographic subfield that enables multiple parties to jointly compute a function over their private inputs while revealing only the final output.
- Relation to FedAvg: FedAvg with secure aggregation is a specific instance of MPC. The function is the averaging of model weights, and the private inputs are the clients' local model updates.
- Building Blocks: MPC protocols often use techniques like Additive Secret Sharing or Shamir's Secret Sharing to distribute computation across parties without any single party seeing the whole data.
- Security Models: Can provide security against honest-but-curious or even malicious adversaries, depending on the protocol design.
Byzantine Robust Aggregation
Byzantine Robust Aggregation refers to algorithms designed to produce a correct aggregate model update even when a bounded number of clients are malicious (Byzantine) and send arbitrary, adversarial updates.
- Problem it Solves: Standard FedAvg is vulnerable to model poisoning if a client sends manipulated gradients. Byzantine robust methods filter or bound the influence of outliers.
- Common Techniques: Includes coordinate-wise median, trimmed mean, and Krum. These methods statistically identify and exclude updates that deviate significantly from the norm.
- Key Distinction: While secure aggregation protects privacy, Byzantine robustness protects the integrity and correctness of the global model from sabotage.
Trusted Execution Environment
A Trusted Execution Environment (TEE) is a secure, isolated area within a main processor (e.g., Intel SGX enclaves) that guarantees the confidentiality and integrity of code and data loaded inside it.
- Role in Federated Learning: Can be used to create a "trusted aggregator" on the server. Clients send their encrypted updates to the TEE, which decrypts, aggregates, and re-encrypts the result, shielding the plaintext updates from the server's operating system.
- Security Model: Assumes the hardware is trusted, but the host software (OS, hypervisor) is potentially malicious. This provides a strong alternative to pure cryptographic protocols.
- Trade-off: Reduces complex cryptographic overhead but introduces reliance on specific hardware vendors and potential side-channel attack vectors.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us