Chapter 11.1
Threat Model, Assets & Security Levels for AI Infrastructure
An AI data center is the rare facility that concentrates nation-state-grade IP, allocation-constrained silicon, and recognized war infrastructure inside one fence line — so the first security decision is not which controls to buy but which adversary tier you intend to survive, because that single target level deterministically derives the entire control stack and its cost.
What you'll decide here
- Which RAND Weights Security Level (SL1–SL5) you are designing the campus to reach — the target that derives every downstream control, and the single number that separates a defensible posture from theater.
- Which assets are actually crown jewels (frontier weights, allocation-locked silicon, the management plane) versus merely valuable, because over-defending the wrong asset strands capital that the top-tier assets needed.
- Which adversary tier (RAND OC1–OC5) is in your threat model — opportunistic, insider, cybercrime syndicate, or top-tier nation-state — since eight of the 38 attack vectors are infeasible below OC4 and dominate the cost of the top two levels.
- Where you sit on the security-vs-goodput frontier: every isolation, attestation, and egress control you add taxes throughput and operability, and the level you pick prices that tax in advance.
- Which controls are irreversible substrate (siting standoff, network trust zones, the root-of-trust and attestation plane) versus reversible policy you can ratchet later — because the substrate must be over-built to the highest level the campus might ever host.
Most security chapters open with a list of controls. This one opens with a question, because in an AI data center the controls are downstream of an answer almost nobody states explicitly: which adversary are you actually trying to stop? Not "hackers" in the abstract. A specific, named tier — from a bored insider with a USB stick to a top-priority operation run by the most cyber-capable state on earth. That answer is the master variable of Part 11, exactly as the workload archetype was the master variable of Part 1. Pick it and the firewall rules, the standoff distance, the attestation flow, the egress cap, and the two-person rule all follow as consequences. Skip it and you buy a pile of expensive controls that defend the wrong asset against the wrong attacker, and you discover the gap the day a competitor's frontier weights show up on someone else's cluster.
This chapter builds the threat model in three moves. First, why AI data centers are a special case — the asset-value density, the IP concentration, and the strategic targeting that together make a generic cloud-security posture inadequate. Second, the asset taxonomy and adversary tiers, anchored on the RAND Securing AI Model Weights framework — five Weights Security Levels, five operational-capacity adversary tiers, and the 38 attack vectors that map between them. Third, the defense-in-depth reference architecture and the discipline of setting a target level and deriving controls from it. Every control buys protection against a named tier and charges for it in capex, performance, or operability, and the target level is what prices that trade before you commit steel, silicon, or staff.
Why an AI data center is a special case
A hyperscale e-commerce hall and a frontier-training campus can look identical from the road and run the same SOC 2 controls — and be in completely different threat models. Three properties make the AI facility a special case, and each one breaks an assumption that generic data-center security quietly relies on.
Asset-value density. A single GB200 NVL72 rack is roughly $3M+ of allocation-constrained, lead-time-gated silicon — and the constraint, not the dollar figure, is what changes the economics. Generic cloud hardware is fungible and insured; a stolen or destroyed NVL72 is not replaced by a purchase order, it is replaced by waiting at the back of an allocation queue measured in quarters. That inverts the loss function: the asset is worth more because it cannot be re-bought quickly, which makes physical theft and physical destruction rational adversary goals in a way they never were for commodity servers. The March 2026 drone strikes (below) proved the destruction case is no longer hypothetical.
IP concentration. The frontier model weights resident on the cluster are arguably the single highest-value digital asset in existence — a multi-hundred-million-dollar training run compressed into a few terabytes that, once exfiltrated, hand a competitor or an adversary state a capability they did not pay to build. RAND treats frontier weights as a national-security asset warranting defenses up to nation-state grade. The crucial property is that the loss is silent and complete: unlike a stolen database, a copied weight file leaves the original in place, so there is no outage, no missing inventory, no obvious tell — the first signal may be a rival model that is suspiciously similar. This is why egress control, not perimeter control, becomes the linchpin (→ Chapter 11.8).
Strategic targeting. AI compute is now treated as strategic infrastructure by states, which means the adversary set includes actors with intelligence services, kinetic reach, and supply-chain access — not just criminals. On 1 March 2026, IRGC Shahed drones struck three AWS facilities in the UAE and Bahrain, causing structural damage, power loss, and fire/water damage from suppression, and taking down multiple availability zones simultaneously so that standard redundancy models failed (CNBC; The Conversation, March 2026). It was the first time a state deliberately targeted commercial data centers in wartime. The planning consequence is blunt: "kinetic attack on a data center" moved from a tail risk you accept to a design case you must address — and most legacy physical controls (fences, cameras, ground access control) were never designed for an aerial threat (→ Chapter 11.2).
Asset taxonomy: what you are actually protecting
You cannot derive controls from a target level until you know which assets the level is protecting, and the most common scoping error is treating every asset as equally precious. It is not. An AI data center has a clear hierarchy of crown jewels, and the discipline is to spend the heaviest controls on the top tier and accept lighter controls below it — because a budget spread evenly defends nothing well. Five asset classes, ranked by what an adversary actually wants and what its loss actually costs.
| Asset class | Why it is valued | Primary adversary goal | Loss signature | Dominant control (→ chapter) |
|---|---|---|---|---|
| Model weights & training IP | Highest-value digital asset; multi-$100M run compressed to TB-scale | Silent exfiltration (theft, not destruction) | None — original stays in place; first tell is a rival model | Egress caps + attestation-gated key release (→ 11.8, 11.5) |
| Accelerator silicon | Allocation-constrained; ~$3M+/NVL72 rack; not re-buyable on demand | Theft for resale/diversion, or destruction to deny capability | Missing/damaged inventory; outage | Physical zones, standoff, counter-UAS (→ 11.2) |
| The management & control plane | BMC/IPMI, EPMS/BMS, schedulers, key brokers — keys to everything | Privileged foothold; lateral movement; sabotage | Often none until used; anomalous control actions | Management-plane isolation + root of trust (→ 11.4, 11.7) |
| Customer & training data | Regulated PII, proprietary corpora, contractual confidentiality | Exfiltration; privacy/compliance breach | Sometimes none; surfaces in audit or breach | Tenant isolation + data governance (→ 11.6, 10.10) |
| Facility availability itself | Goodput and SLA revenue; war-infrastructure status | Disruption, ransom, or kinetic denial | Outage — the one loud, obvious signature | Physical resilience + OT hardening (→ 11.2, 11.10) |
Read the table top-down as a budgeting instrument. Weights sit at the top because their loss is silent, complete, and strategically catastrophic — so they justify controls (confidential computing, attestation, hard egress caps) that you would never spend on the bottom row. Facility availability sits at the bottom of the confidentiality hierarchy not because outages are cheap but because they are loud — you will know immediately and can fail over — whereas a copied weight file is the loss you never see. The management plane is the sleeper: it is rarely the adversary's objective, but it is almost always the path, which is why it earns crown-jewel-grade controls despite holding no IP of its own. Misranking these is how budgets get spent on hardening the loud, recoverable asset while the silent, unrecoverable one walks out an unmonitored egress.
Adversary tiers: the RAND operational-capacity ladder
The RAND Securing AI Model Weights report (RRA2849-1) is the field's shared vocabulary, and its central insight is that you cannot reason about "is this secure" without naming the adversary. RAND defines five operational-capacity (OC) tiers of attacker, from OC1 (amateurs) to OC5 (the top cyber-capable states running their highest-priority operations), and enumerates 38 distinct attack vectors across them — from social engineering and supply-chain implants to side-channels and human intelligence. The decisive finding for design: a subset of those vectors (RAND counts eight) are simply infeasible for OC1–OC3 actors but become available to OC4–OC5, which is why defending against a nation-state is not "more of the same" but a categorically different and dramatically more expensive problem.
Mapped onto those adversaries are five Weights Security Levels (SL1–SL5), each defined operationally: an SL is the posture that can likely thwart an adversary trying to steal the weights within a roughly two-month window. SL1 thwarts amateurs; SL2 thwarts professional opportunistic attackers running moderate-effort, non-targeted operations; SL3 thwarts cybercrime syndicates and capable insiders; SL4 thwarts the standard operations of leading cyber-capable institutions; and SL5 could plausibly claim to thwart the top-priority operations of the most capable states (RAND, 2024). The reason this framework won is that it turns an unfalsifiable claim ("we're secure") into a falsifiable one ("we defend against OC-N within two months"), and it gives a campus a single target number to design toward.
| Level | Thwarts (RAND OC tier) | Defining new capability | Dominant cost added at this level |
|---|---|---|---|
| SL1 | Amateurs / opportunists (OC1) | Basic hygiene: patching, MFA, access logging | Negligible — table stakes |
| SL2 | Professional, non-targeted attackers (OC2) | Hardened perimeter, encrypted storage, vuln mgmt | Modest — standard enterprise security |
| SL3 | Cybercrime syndicates & capable insiders (OC3) | Insider controls, segmentation, confidential compute begins | Real — isolation taxes goodput; insider program is org-wide |
| SL4 | Leading cyber-capable institutions (OC4) | Hardware root of trust, attestation-gated keys, hard egress, air-gap-adjacent design | High — performance overhead, operational drag, supply-chain vetting |
| SL5 | Top-priority nation-state operations (OC5) | Near-air-gap, exhaustive supply-chain provenance, two-person everything, side-channel mitigation | Severe — usability, throughput, and cost all pay; arguably not yet fully achieved |
The defense-in-depth reference architecture
In an AI data center, defense in depth is a stack of independent boundaries, each owned by a different chapter of Part 11, arranged so that defeating one layer does not defeat the asset. The architecture is best read from the outside in, because that is the order an adversary must traverse and the order in which a missing layer turns a partial compromise into a total one.
- Physical perimeter and zones — siting standoff, the four concentric zones (perimeter → facility → data hall → cage/rack) with escalating MFA, surveillance, and now counter-UAS for the aerial threat the March 2026 strikes made real (→ Chapter 11.2).
- Supply-chain and provenance — vetting silicon and firmware before it enters the fence, tamper-evident logistics, HBOM/SBOM, and OCP S.A.F.E. firmware audits, because an implant or counterfeit defeats every layer above it from inside (→ Chapter 11.3).
- Hardware root of trust and firmware — a silicon RoT (Caliptra, DICE identity on DC-SCM), secure/measured boot, and a hardened, segmented BMC, so that the foundation every higher control trusts is itself attestable and not the soft underbelly (→ Chapter 11.4).
- Confidential computing and tenant isolation — GPU TEE with encrypted HBM and attestation, plus the MIG/vGPU isolation boundary whose documented limits set how much you can trust a shared GPU (→ Chapter 11.5, Chapter 11.6).
- Network segmentation and zero trust — DPU-enforced microsegmentation, management-plane isolation, and egress control as the anti-exfiltration choke point (→ Chapter 11.7).
- Model and weight protection — the crown-jewel layer: at-rest encryption, in-transit protection, attestation-gated in-use keys, and the egress caps that catch the silent loss (→ Chapter 11.8).
- The human layer and OT plane — insider-threat controls, two-person rules, and the hardening of the facility's OT/ICS (BMS/EPMS/CDU/BESS) against cyber-physical sabotage, the layers that no amount of cryptography can substitute for (→ Chapter 11.9, Chapter 11.10).
The point of arranging them this way is the independence property: a compromised BMC should not yield the weights if confidential computing and egress caps still stand; a defeated fence should not yield the silicon if the data hall and cage zones still gate access. Defense in depth fails not when one layer is breached — that is expected — but when layers share a single point of failure (a flat management network, a universal admin credential, an unmonitored egress) that lets one breach cascade.
Setting a target level and deriving controls
Here is the method, and it is the inverse of how security is usually bought. Do not start from a catalog of controls and ask which to adopt. Start from the target Weights Security Level — the adversary tier you have decided the campus must survive — and derive the controls as the necessary set to reach it. The level is the design basis; the controls are its consequences. This is the security analogue of the workload archetype driving the whole facility in Part 1: one upstream decision that collapses a hundred downstream ones.
The target level is itself a business decision, not a security one. A neocloud renting commodity inference capacity to many tenants may rationally target SL2–SL3: its assets are valuable but not frontier weights, and the cost of SL4 controls (performance overhead, operational drag, supply-chain vetting) would price it out of a margin-thin market. A frontier lab training a flagship model has no such luxury — its adversary is OC4–OC5 by definition, so anything below SL4 is a posture mismatched to its actual threat, and the over-investment is the only rational investment. The error to avoid is choosing a level by budget and hoping the adversary cooperates. The adversary is set by what you hold, not by what you can afford.
Two consequences make the level a substrate decision, not a policy one. First, the irreversible layers must be built to the highest level the campus might ever host, because you cannot retrofit standoff distance, network trust zones, or a hardware root of trust into a running cluster without tearing it down — the same density-ramp logic that governs floor loading and water (→ Chapter 11.4; the ramp framing in Chapter 1.1). Second, every level above SL2 taxes goodput and operability: isolation strands capacity, attestation adds latency, egress caps constrain legitimate data movement, two-person rules slow operations. The target level prices that tax up front, which is precisely why it must be decided before the controls are bought — so the trade is made with eyes open rather than discovered control-by-control after the cluster is live.
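As an added illustration (not code from the chapter or from RAND), the following Python models the derivation this section describes: the assets held set the adversary tier, the tier sets the target SL, the target SL derives a cumulative control set, and the irreversible substrate layers are sized to the highest level the campus might ever host. The asset-to-OC-tier mapping, the control names, and the substrate flags are assumptions made for the example, following the chapter's tables.

```python
"""Derive a target Weights Security Level and its control stack from the assets
a campus holds: the adversary is set by what you hold, not by what you can afford.
Added example; the asset-to-OC mapping and substrate flags are assumptions."""
from dataclasses import dataclass

# Capabilities added at each SL, following the chapter's SL table (names are
# shorthand for this example). substrate=True marks the irreversible layers the
# chapter names (network trust zones, root of trust, attestation plane, air gap).
LEVEL_CONTROLS = {
    1: [("patching", False), ("mfa", False), ("access_logging", False)],
    2: [("hardened_perimeter", False), ("encrypted_storage", False), ("vuln_mgmt", False)],
    3: [("insider_program", False), ("network_trust_zones", True), ("confidential_compute", False)],
    4: [("hardware_root_of_trust", True), ("attestation_gated_keys", True),
        ("hard_egress_caps", False), ("air_gap_adjacent_design", True)],
    5: [("near_air_gap", True), ("supply_chain_provenance", False),
        ("two_person_rule", False), ("side_channel_mitigation", False)],
}

# OC tier each asset class is assumed to attract (constructed assumption, in the
# spirit of "frontier weights draw OC4-OC5" and "commodity inference can target SL2-SL3").
ASSET_ADVERSARY_TIER = {
    "frontier_weights": 5,
    "accelerator_silicon": 4,
    "management_plane": 4,
    "customer_data": 3,
    "commodity_inference": 2,
}


@dataclass
class CampusPlan:
    target_level: int          # SL derived from what the campus holds today
    substrate_level: int       # SL the irreversible layers must be built to
    substrate_controls: list   # build once, cannot be retrofitted
    policy_controls: list      # reversible; can be ratcheted later
    findings: list             # mismatches a reviewer should flag


def required_level(assets):
    """SL-N thwarts OC-N, so the target SL is set by the highest-tier asset held."""
    if not assets:
        raise ValueError("no assets: nothing to protect")
    return max(ASSET_ADVERSARY_TIER[a] for a in assets)


def derive_controls(level):
    """Controls are cumulative: reaching SL-N requires everything below it too."""
    return [c for lvl in range(1, level + 1) for c in LEVEL_CONTROLS[lvl]]


def plan_campus(current_assets, future_assets=(), budget_level=None):
    """Derive the control stack from the target level, not from a budget."""
    target = required_level(current_assets)
    # Substrate is over-built to the highest level the campus might ever host.
    substrate = required_level(list(current_assets) + list(future_assets))
    substrate_controls = [name for name, is_substrate in derive_controls(substrate) if is_substrate]
    policy_controls = [name for name, is_substrate in derive_controls(target) if not is_substrate]
    findings = []
    if budget_level is not None and budget_level < target:
        findings.append(f"budget-chosen SL{budget_level} is below required SL{target}: "
                        f"an OC{target} adversary does not scale down to match")
    if substrate > target:
        findings.append(f"substrate built to SL{substrate} for future assets; "
                        f"policy controls ratchet up from SL{target} when they arrive")
    return CampusPlan(target, substrate, substrate_controls, policy_controls, findings)
```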
Deep dive: why eight attack vectors make nation-state defense a different problem
The instinct is to treat security as a continuum — more budget, more controls, more protection — so that defending against a nation-state is just defending against a criminal with the dial turned up. RAND's vector analysis says that instinct is wrong at a specific, identifiable threshold. Of the 38 enumerated attack vectors, a subset (RAND counts eight) are infeasible for OC1–OC3 adversaries and only become available at OC4–OC5. These are the vectors that require resources only states reliably possess: running a sustained human-intelligence operation to place or coerce an insider; compromising the hardware supply chain upstream of the buyer; mounting multi-year, multi-team campaigns that outlast any single defensive posture; and exploiting side-channels that need physical access or fabrication-grade capability.
The consequence is a discontinuity, not a slope. Reaching SL3 is largely about doing enterprise security exceptionally well — hygiene, segmentation, insider controls, the first layer of confidential computing. Reaching SL4 and SL5 means defending against vectors that cannot be bought away with more of the same: you need a hardware root of trust because the supply chain itself is in play; you need attestation-gated keys because a privileged insider is assumed; you need near-air-gap design because the network is assumed to be patiently surveilled. This is why the SL2-to-SL4 jump dominates the cost of any serious AI-DC security program, and why a campus that wants to host frontier training cannot incrementally drift into the right posture — it has to be designed for the discontinuity from the start. → adversary-specific controls thread through Chapter 11.3 (supply chain), Chapter 11.4 (root of trust), and Chapter 11.9 (insiders).
Deep dive: the security-vs-goodput frontier, made explicit
Part 12 frames AI-cluster reliability as goodput — useful work delivered — rather than raw availability. Security sits on the same axis, and every control in Part 11 is a withdrawal from the goodput account. Confidential computing adds encryption and attestation overhead to every protected transfer (the Blackwell generation narrows but does not eliminate it). MIG and single-tenancy strand capacity that time-slicing would have packed (→ Chapter 11.6). Hard egress caps constrain legitimate large-scale data movement, not just exfiltration. Two-person rules and privileged-access workflows slow every operation a single admin used to do alone. Microsegmentation trades east-west throughput and operational simplicity for blast-radius containment.
None of these are arguments against the controls — they are the price of the controls, and the target level is what decides whether the price is worth paying. At SL2 you pay little because you are defending against opportunists who fold at the first hardened boundary. At SL5 you pay heavily across throughput, usability, and cost because you are defending against an adversary who will spend years and a state's resources to get in, and stranding 20% of a GPU's capacity to deny a side-channel is a rational trade when the asset is frontier weights. The mistake is paying SL5's tax for SL2's threat (capital that returns more as goodput) or, far worse, paying SL2's price and believing you have SL4's protection. The frontier is real; the target level is how you choose your point on it deliberately rather than by accident. → goodput framing in Chapter 12.2.
Anti-patterns
The same mis-scopes recur, because each comes from skipping the target-level question and reasoning from a control catalog or a compliance checkbox instead. Four are worth naming:
- Compliance as security. Treating SOC 2 / ISO 27001 attestation as evidence of an SL4 posture. These frameworks verify that controls exist and are operated; they say nothing about whether those controls thwart an OC4 adversary. A clean audit and a copied weight file are fully compatible.
- Perimeter thinking for a silent asset. Spending the security budget on fences, badges, and ingress controls while the egress path that the weights would actually leave through goes unmonitored and uncapped. You are guarding the entrance to a building whose crown jewel walks out the exit (→ Chapter 11.8).
- Over-defending the loud asset, under-defending the silent one. Hardening facility availability (which announces its own loss via an outage) to 2N-grade resilience while the weights (whose loss is silent and permanent) sit behind SL2 controls. Match the control to the loss signature, not to the dollar value alone.
- Budget-chosen levels. Picking a security level the organization can comfortably afford and assuming the adversary will scale down to match. The adversary is set by what you hold; choosing SL2 because SL4 is expensive does not make your OC4 adversary go away — it just guarantees they win.