Techniques are disclosed for processing rendering engine workload of a graphics system in a secure fashion, wherein at least some security processing of the workload is offloaded from software-based security parsing to hardware-based security parsing. In some embodiments, commands from a given application are received by a user mode driver (UMD), which is configured to generate a command buffer delineated into privileged and/or non-privileged command sections. The delineated command buffer can then be passed by the UMD to a kernel-mode driver (KMD), which is configured to parse and validate only privileged buffer sections, but to issue all other batch buffers with a privilege indicator set to non-privileged. A graphics processing unit (GPU) can receive the privilege-designated batch buffers from the KMD, and is configured to disallow execution of any privileged command from a non-privileged batch buffer, while any privileged commands from privileged batch buffers are unrestricted by the GPU