The Definitive Guide to AI Data Centers

Chapter 11.1

Threat Model, Assets & Security Levels for AI Infrastructure

An AI data center is the rare facility that concentrates nation-state-grade IP, allocation-constrained silicon, and recognized war infrastructure inside one fence line — so the first security decision is not which controls to buy but which adversary tier you intend to survive, because that single target level deterministically derives the entire control stack and its cost.


What you'll decide here

  1. Which RAND Weights Security Level (SL1–SL5) you are designing the campus to reach — the target that derives every downstream control, and the single number that separates a defensible posture from theater.
  2. Which assets are actually crown jewels (frontier weights, allocation-locked silicon, the management plane) versus merely valuable, because over-defending the wrong asset strands capital that the top-tier assets needed.
  3. Which adversary tier (RAND OC1–OC5) is in your threat model — opportunistic, insider, cybercrime syndicate, or top-tier nation-state — since eight of the 38 attack vectors are infeasible below OC4 and dominate the cost of the top two levels.
  4. Where you sit on the security-vs-goodput frontier: every isolation, attestation, and egress control you add taxes throughput and operability, and the level you pick prices that tax in advance.
  5. Which controls are irreversible substrate (siting standoff, network trust zones, the root-of-trust and attestation plane) versus reversible policy you can ratchet later — because the substrate must be over-built to the highest level the campus might ever host.
[Figure: Defense in depth, concentric zones. Every layer outward guards the weights. Rings from the outside in: site perimeter (fence, guards, access control; ch. Physical); physical security zones (cages, mantraps, escorted halls; ch. Physical); network microsegmentation (east-west firewalls, zero trust; ch. Network); host and firmware root-of-trust (secure boot, attestation; ch. Host); confidential compute / TEE (encrypted in use; ch. Compute); model weights at the center. Inset, "The matchup that decides it": the level you build (SL1–5) against the attacker tier you face (OC1–5); the distance between them (for example SL2 built against OC4 faced) is the exposure gap. Layers stop the attacker only if you out-build their tier.]
Model weights are protected by every layer outward; the real question is whether your build level matches the attacker you face.

Most security chapters open with a list of controls. This one opens with a question, because in an AI data center the controls are downstream of an answer almost nobody states explicitly: which adversary are you actually trying to stop? Not "hackers" in the abstract. A specific, named tier — from a bored insider with a USB stick to a top-priority operation run by the most cyber-capable state on earth. That answer is the master variable of Part 11, exactly as the workload archetype was the master variable of Part 1. Pick it and the firewall rules, the standoff distance, the attestation flow, the egress cap, and the two-person rule all follow as consequences. Skip it and you buy a pile of expensive controls that defend the wrong asset against the wrong attacker, and you discover the gap the day a competitor's frontier weights show up on someone else's cluster.

This chapter builds the threat model in three moves. First, why AI data centers are a special case — the asset-value density, the IP concentration, and the strategic targeting that together make a generic cloud-security posture inadequate. Second, the asset taxonomy and adversary tiers, anchored on the RAND Securing AI Model Weights framework — five Weights Security Levels, five operational-capacity adversary tiers, and the 38 attack vectors that map between them. Third, the defense-in-depth reference architecture and the discipline of setting a target level and deriving controls from it. Every control buys protection against a named tier and charges for it in capex, performance, or operability, and the target level is what prices that trade before you commit steel, silicon, or staff.

Why an AI data center is a special case

A hyperscale e-commerce hall and a frontier-training campus can look identical from the road and run the same SOC 2 controls — and be in completely different threat models. Three properties make the AI facility a special case, and each one breaks an assumption that generic data-center security quietly relies on.

Asset-value density. A single GB200 NVL72 rack is roughly $3M+ of allocation-constrained, lead-time-gated silicon — and the constraint, not the dollar figure, is what changes the economics. Generic cloud hardware is fungible and insured; a stolen or destroyed NVL72 is not replaced by a purchase order, it is replaced by waiting at the back of an allocation queue measured in quarters. That inverts the loss function: the asset is worth more because it cannot be re-bought quickly, which makes physical theft and physical destruction rational adversary goals in a way they never were for commodity servers. The March 2026 drone strikes (below) proved the destruction case is no longer hypothetical.

IP concentration. The frontier model weights resident on the cluster are arguably the single highest-value digital asset in existence — a multi-hundred-million-dollar training run compressed into a few terabytes that, once exfiltrated, hand a competitor or an adversary state a capability they did not pay to build. RAND treats frontier weights as a national-security asset warranting defenses up to nation-state grade. The crucial property is that the loss is silent and complete: unlike a stolen database, a copied weight file leaves the original in place, so there is no outage, no missing inventory, no obvious tell — the first signal may be a rival model that is suspiciously similar. This is why egress control, not perimeter control, becomes the linchpin (→ Chapter 11.8).

Strategic targeting. AI compute is now treated as strategic infrastructure by states, which means the adversary set includes actors with intelligence services, kinetic reach, and supply-chain access — not just criminals. On 1 March 2026, IRGC Shahed drones struck three AWS facilities in the UAE and Bahrain, causing structural damage, power loss, and fire/water damage from suppression, and taking down multiple availability zones simultaneously so that standard redundancy models failed (CNBC; The Conversation, March 2026). It was the first time a state deliberately targeted commercial data centers in wartime. The planning consequence is blunt: "kinetic attack on a data center" moved from a tail risk you accept to a design case you must address — and most legacy physical controls (fences, cameras, ground access control) were never designed for an aerial threat (→ Chapter 11.2).

Asset taxonomy: what you are actually protecting

You cannot derive controls from a target level until you know which assets the level is protecting, and the most common scoping error is treating every asset as equally precious. It is not. An AI data center has a clear hierarchy of crown jewels, and the discipline is to spend the heaviest controls on the top tier and accept lighter controls below it — because a budget spread evenly defends nothing well. Five asset classes, ranked by what an adversary actually wants and what its loss actually costs.

Asset taxonomy → adversary goal → dominant control
| Asset class | Why it is valued | Primary adversary goal | Loss signature | Dominant control (→ chapter) |
| --- | --- | --- | --- | --- |
| Model weights & training IP | Highest-value digital asset; multi-$100M run compressed to TB-scale | Silent exfiltration (theft, not destruction) | None — original stays in place; first tell is a rival model | Egress caps + attestation-gated key release (→ 11.8, 11.5) |
| Accelerator silicon | Allocation-constrained; ~$3M+/NVL72 rack; not re-buyable on demand | Theft for resale/diversion, or destruction to deny capability | Missing/damaged inventory; outage | Physical zones, standoff, counter-UAS (→ 11.2) |
| The management & control plane | BMC/IPMI, EPMS/BMS, schedulers, key brokers — keys to everything | Privileged foothold; lateral movement; sabotage | Often none until used; anomalous control actions | Management-plane isolation + root of trust (→ 11.4, 11.7) |
| Customer & training data | Regulated PII, proprietary corpora, contractual confidentiality | Exfiltration; privacy/compliance breach | Sometimes none; surfaces in audit or breach | Tenant isolation + data governance (→ 11.6, 10.10) |
| Facility availability itself | Goodput and SLA revenue; war-infrastructure status | Disruption, ransom, or kinetic denial | Outage — the one loud, obvious signature | Physical resilience + OT hardening (→ 11.2, 11.10) |
Ranked by crown-jewel priority. The dominant-control column names where the heaviest spend belongs; lighter controls below the top tier are a deliberate economy, not an oversight. Detailed control treatments live in the cross-referenced chapters.

Read the table top-down as a budgeting instrument. Weights sit at the top because their loss is silent, complete, and strategically catastrophic — so they justify controls (confidential computing, attestation, hard egress caps) that you would never spend on the bottom row. Facility availability sits at the bottom of the confidentiality hierarchy not because outages are cheap but because they are loud — you will know immediately and can fail over — whereas a copied weight file is the loss you never see. The management plane is the sleeper: it is rarely the adversary's objective, but it is almost always the path, which is why it earns crown-jewel-grade controls despite holding no IP of its own. Misranking these is how budgets get spent on hardening the loud, recoverable asset while the silent, unrecoverable one walks out an unmonitored egress.

Adversary tiers: the RAND operational-capacity ladder

The RAND Securing AI Model Weights report (RRA2849-1) is the field's shared vocabulary, and its central insight is that you cannot reason about "is this secure" without naming the adversary. RAND defines five operational-capacity (OC) tiers of attacker, from OC1 (amateurs) to OC5 (the top cyber-capable states running their highest-priority operations), and enumerates 38 distinct attack vectors across them — from social engineering and supply-chain implants to side-channels and human intelligence. The decisive finding for design: a subset of those vectors (RAND counts eight) are simply infeasible for OC1–OC3 actors but become available to OC4–OC5, which is why defending against a nation-state is not "more of the same" but a categorically different and dramatically more expensive problem.

Mapped onto those adversaries are five Weights Security Levels (SL1–SL5), each defined operationally: an SL is the posture that can likely thwart an adversary trying to steal the weights within a roughly two-month window. SL1 thwarts amateurs; SL2 thwarts professional opportunistic attackers running moderate-effort, non-targeted operations; SL3 thwarts cybercrime syndicates and capable insiders; SL4 thwarts the standard operations of leading cyber-capable institutions; and SL5 could plausibly claim to thwart the top-priority operations of the most capable states (RAND, 2024). The reason this framework won is that it turns an unfalsifiable claim ("we're secure") into a falsifiable one ("we defend against OC-N within two months"), and it gives a campus a single target number to design toward.

RAND Weights Security Levels → adversary → what it takes to get there
| Level | Thwarts (RAND OC tier) | Defining new capability | Dominant cost added at this level |
| --- | --- | --- | --- |
| SL1 | Amateurs / opportunists (OC1) | Basic hygiene: patching, MFA, access logging | Negligible — table stakes |
| SL2 | Professional, non-targeted attackers (OC2) | Hardened perimeter, encrypted storage, vuln mgmt | Modest — standard enterprise security |
| SL3 | Cybercrime syndicates & capable insiders (OC3) | Insider controls, segmentation, confidential compute begins | Real — isolation taxes goodput; insider program is org-wide |
| SL4 | Leading cyber-capable institutions (OC4) | Hardware root of trust, attestation-gated keys, hard egress, air-gap-adjacent design | High — performance overhead, operational drag, supply-chain vetting |
| SL5 | Top-priority nation-state operations (OC5) | Near-air-gap, exhaustive supply-chain provenance, two-person everything, side-channel mitigation | Severe — usability, throughput, and cost all pay; arguably not yet fully achieved |
Per RAND RRA2849-1 (2024). The cost column is the dominant new burden each level adds; controls are cumulative. Frontier labs are publicly assessed around SL2–SL3 as of 2026 — the gap to SL4/SL5 is the central security story of the AI-DC era.
Key figures

  • SL1–SL5 / OC1–OC5: RAND Weights Security Levels and adversary operational-capacity tiers; 38 distinct attack vectors enumerated (2024; RAND, Securing AI Model Weights, RRA2849-1).
  • 8 of 38: attack vectors infeasible for OC1–OC3 but feasible for OC4–OC5, which is why nation-state defense is categorically harder (2024; RAND RRA2849-1).
  • ~SL2–SL3: assessed posture of frontier labs against the OC4–OC5 adversaries that want the weights; the central gap (2026; RAND RRA2849-1; IFP / IST SL5 Task Force).
  • ~$3M+: allocation-constrained silicon per GB200 NVL72 rack; theft/destruction economics differ from generic cloud hardware (2025; Guide domain research; OEM rack pricing).
  • <2 months: RAND theft-window benchmark; a Security Level is defined by thwarting weight theft within roughly this horizon (2024; RAND RRA2849-1).
  • 1 Mar 2026: IRGC drones struck 3 AWS facilities in UAE/Bahrain; first deliberate state targeting of commercial data centers in wartime (2026; CNBC; The Conversation).
  • ~$4B: projected data-center physical-security spend by 2030 (roughly doubling) as kinetic/drone threats enter the planning case (2030 proj.; Guide domain research; industry security forecasts).
  • 4 zones: concentric physical model (perimeter → facility → data hall → cage/rack) with escalating MFA at each boundary (2026; NIST / DCK physical-security guidance).

The defense-in-depth reference architecture

In an AI data center, defense in depth is a stack of independent boundaries, each owned by a different chapter of Part 11, arranged so that defeating one layer does not defeat the asset. The architecture is best read from the outside in, because that is the order an adversary must traverse and the order in which a missing layer turns a partial compromise into a total one.

  • Physical perimeter and zones — siting standoff, the four concentric zones (perimeter → facility → data hall → cage/rack) with escalating MFA, surveillance, and now counter-UAS for the aerial threat the March 2026 strikes made real (→ Chapter 11.2).
  • Supply-chain and provenance — vetting silicon and firmware before it enters the fence, tamper-evident logistics, HBOM/SBOM, and OCP S.A.F.E. firmware audits, because an implant or counterfeit defeats every layer above it from inside (→ Chapter 11.3).
  • Hardware root of trust and firmware — a silicon RoT (Caliptra, DICE identity on DC-SCM), secure/measured boot, and a hardened, segmented BMC, so that the foundation every higher control trusts is itself attestable and not the soft underbelly (→ Chapter 11.4).
  • Confidential computing and tenant isolation — GPU TEE with encrypted HBM and attestation, plus the MIG/vGPU isolation boundary whose documented limits set how much you can trust a shared GPU (→ Chapter 11.5, Chapter 11.6).
  • Network segmentation and zero trust — DPU-enforced microsegmentation, management-plane isolation, and egress control as the anti-exfiltration choke point (→ Chapter 11.7).
  • Model and weight protection — the crown-jewel layer: at-rest encryption, in-transit protection, attestation-gated in-use keys, and the egress caps that catch the silent loss (→ Chapter 11.8).
  • The human layer and OT plane — insider-threat controls, two-person rules, and the hardening of the facility's OT/ICS (BMS/EPMS/CDU/BESS) against cyber-physical sabotage, the layers that no amount of cryptography can substitute for (→ Chapter 11.9, Chapter 11.10).

The point of arranging them this way is the independence property: a compromised BMC should not yield the weights if confidential computing and egress caps still stand; a defeated fence should not yield the silicon if the data hall and cage zones still gate access. Defense in depth fails not when one layer is breached — that is expected — but when layers share a single point of failure (a flat management network, a universal admin credential, an unmonitored egress) that lets one breach cascade.
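The independence property can be checked mechanically. The following is an added illustration, not the guide's tooling: it models a constructed layer stack with hypothetical shared components (a management network, an admin credential, a key broker), and reports any single compromise that would by itself yield an asset, contrasting a segmented stack with one whose key broker sits on the flat management network.

```python
"""Single-point-of-failure check for a defense-in-depth stack.

Added illustration, not the guide's own tooling. It models the independence
property described in this chapter: an asset is lost only when every layer
guarding it is defeated, and a layer is defeated either directly or through
a shared component it depends on (a flat management network, a universal
admin credential). Layer names, components and dependencies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    depends_on: frozenset = frozenset()  # shared components the layer relies on


# Constructed stack, outside-in as in the chapter (ch. 11.2 through 11.8).
SEGMENTED_STACK = {
    "fence": Layer("fence"),
    "cage_zone": Layer("cage_zone", frozenset({"badge_system"})),
    "bmc_hardening": Layer("bmc_hardening", frozenset({"mgmt_net", "admin_cred"})),
    "gpu_tee": Layer("gpu_tee", frozenset({"key_broker"})),
    "egress_cap": Layer("egress_cap", frozenset({"mgmt_net"})),
}

# Same stack, but the key broker is reachable from the flat management network.
FLAT_STACK = dict(SEGMENTED_STACK)
FLAT_STACK["gpu_tee"] = Layer("gpu_tee", frozenset({"key_broker", "mgmt_net"}))

# Every listed layer must fall before the asset is lost.
ASSETS = {
    "weights": {"bmc_hardening", "gpu_tee", "egress_cap"},
    "silicon": {"fence", "cage_zone"},
}


def defeated_layers(stack, compromised):
    """Layers that fall when one layer or shared component is compromised."""
    return {n for n, layer in stack.items()
            if n == compromised or compromised in layer.depends_on}


def exposed_assets(stack, assets, compromised):
    """Assets fully exposed by a single compromise of `compromised`."""
    gone = defeated_layers(stack, compromised)
    return sorted(a for a, guards in assets.items() if guards <= gone)


def single_points_of_failure(stack, assets):
    """Map each single compromise to the assets it alone would yield."""
    candidates = set(stack)
    for layer in stack.values():
        candidates |= layer.depends_on
    spof = {}
    for c in sorted(candidates):
        exposed = exposed_assets(stack, assets, c)
        if exposed:
            spof[c] = exposed
    return spof


if __name__ == "__main__":
    for label, stack in (("segmented", SEGMENTED_STACK), ("flat", FLAT_STACK)):
        found = single_points_of_failure(stack, ASSETS)
        print(label, found or "no single point of failure")
```

In the segmented stack a compromised management network defeats the BMC hardening and the egress cap but not the GPU TEE, so the weights stay guarded; in the flat stack the same single compromise yields them.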

Setting a target level and deriving controls

Here is the method, and it is the inverse of how security is usually bought. Do not start from a catalog of controls and ask which to adopt. Start from the target Weights Security Level — the adversary tier you have decided the campus must survive — and derive the controls as the necessary set to reach it. The level is the design basis; the controls are its consequences. This is the security analogue of the workload archetype driving the whole facility in Part 1: one upstream decision that collapses a hundred downstream ones.

The target level is itself a business decision, not a security one. A neocloud renting commodity inference capacity to many tenants may rationally target SL2–SL3: its assets are valuable but not frontier weights, and the cost of SL4 controls (performance overhead, operational drag, supply-chain vetting) would price it out of a margin-thin market. A frontier lab training a flagship model has no such luxury — its adversary is OC4–OC5 by definition, so anything below SL4 is a posture mismatched to its actual threat, and the over-investment is the only rational investment. The error to avoid is choosing a level by budget and hoping the adversary cooperates. The adversary is set by what you hold, not by what you can afford.

Two consequences make the level a substrate decision, not a policy one. First, the irreversible layers must be built to the highest level the campus might ever host, because you cannot retrofit standoff distance, network trust zones, or a hardware root of trust into a running cluster without tearing it down — the same density-ramp logic that governs floor loading and water (→ Chapter 11.4; the ramp framing in Chapter 1.1). Second, every level above SL2 taxes goodput and operability: isolation strands capacity, attestation adds latency, egress caps constrain legitimate data movement, two-person rules slow operations. The target level prices that tax up front, which is precisely why it must be decided before the controls are bought — so the trade is made with eyes open rather than discovered control-by-control after the cluster is live.
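The derivation in this section, as an added worked example that is not the guide's own method: the assets a workload holds set the adversary tier, the tier sets the target level, the cumulative SL ladder from the table above yields the controls, and substrate controls are built to the highest level the campus might ever host. The per-asset adversary tiers, the workload-to-asset mapping and the substrate/policy classification are constructed assumptions.

```python
"""Deriving the control stack from a target Weights Security Level.

Added example, not the guide's own method or tooling. It encodes the
procedure this section describes: the assets you hold set the adversary
tier, the adversary tier sets the target SL, the SL ladder (cumulative, per
the chapter's table) yields the controls, and irreversible substrate is
built to the highest level the campus might ever host. The asset-to-tier
numbers and the substrate/policy split are constructed assumptions.
"""

# Assumed adversary tier per asset class (OC1-OC5). Frontier weights are set
# to OC4, the minimum the chapter names; a lab may reasonably pick OC5.
ADVERSARY_TIER = {
    "frontier_weights": 4,
    "training_data": 3,
    "customer_data": 3,
    "accelerator_silicon": 3,
}

# Assets each workload archetype brings onto the campus (assumed).
WORKLOAD_ASSETS = {
    "commodity_inference": {"customer_data", "accelerator_silicon"},
    "frontier_training": {"frontier_weights", "training_data", "accelerator_silicon"},
}

# Cumulative SL ladder from the chapter's table. "substrate" marks controls
# that cannot be retrofitted into a running cluster (assumed classification).
LADDER = {
    1: [("patching", "policy"), ("mfa", "policy"), ("access_logging", "policy")],
    2: [("hardened_perimeter", "policy"), ("encrypted_storage", "policy"),
        ("vuln_mgmt", "policy")],
    3: [("insider_program", "policy"), ("segmentation", "substrate"),
        ("confidential_compute", "policy")],
    4: [("hw_root_of_trust", "substrate"), ("attestation_gated_keys", "substrate"),
        ("hard_egress_caps", "policy"), ("air_gap_adjacent_design", "substrate")],
    5: [("near_air_gap", "substrate"), ("supply_chain_provenance", "policy"),
        ("two_person_everything", "policy"), ("side_channel_mitigation", "policy")],
}


def required_level(workloads):
    """Target SL = highest adversary tier drawn by any asset these workloads hold."""
    assets = set().union(*(WORKLOAD_ASSETS[w] for w in workloads))
    return max(ADVERSARY_TIER[a] for a in assets)


def derive_controls(target_sl, substrate_sl):
    """Controls for the target level, with substrate built to the future level."""
    substrate_sl = max(substrate_sl, target_sl)
    chosen = {}
    for level, controls in LADDER.items():
        for name, kind in controls:
            ceiling = substrate_sl if kind == "substrate" else target_sl
            if level <= ceiling:
                chosen[name] = kind
    return chosen


def exposure_gap(build_sl, workloads):
    """Levels short of the required SL (negative = over-built) and the missing capabilities."""
    need = required_level(workloads)
    missing = [n for lvl in range(build_sl + 1, need + 1) for n, _ in LADDER[lvl]]
    return need - build_sl, missing


if __name__ == "__main__":
    now, later = {"commodity_inference"}, {"frontier_training"}
    target, ceiling = required_level(now), required_level(now | later)
    stack = derive_controls(target, ceiling)
    print(f"target SL{target}, substrate built to SL{ceiling}")
    print("substrate:", sorted(n for n, k in stack.items() if k == "substrate"))
    print("gap if built at SL2:", exposure_gap(2, now | later))
```

For a campus renting commodity inference today that may host frontier training later, the run targets SL3 now but builds the SL4 substrate (root of trust, attestation plane, segmentation) up front while leaving SL4 policy controls such as hard egress caps to ratchet on later.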

Deep dive: why eight attack vectors make nation-state defense a different problem

The instinct is to treat security as a continuum — more budget, more controls, more protection — so that defending against a nation-state is just defending against a criminal with the dial turned up. RAND's vector analysis says that instinct is wrong at a specific, identifiable threshold. Of the 38 enumerated attack vectors, a subset (RAND counts eight) are infeasible for OC1–OC3 adversaries and only become available at OC4–OC5. These are the vectors that require resources only states reliably possess: running a sustained human-intelligence operation to place or coerce an insider; compromising the hardware supply chain upstream of the buyer; mounting multi-year, multi-team campaigns that outlast any single defensive posture; and exploiting side-channels that need physical access or fabrication-grade capability.

The consequence is a discontinuity, not a slope. Reaching SL3 is largely about doing enterprise security exceptionally well — hygiene, segmentation, insider controls, the first layer of confidential computing. Reaching SL4 and SL5 means defending against vectors that cannot be bought away with more of the same: you need a hardware root of trust because the supply chain itself is in play; you need attestation-gated keys because a privileged insider is assumed; you need near-air-gap design because the network is assumed to be patiently surveilled. This is why the SL2-to-SL4 jump dominates the cost of any serious AI-DC security program, and why a campus that wants to host frontier training cannot incrementally drift into the right posture — it has to be designed for the discontinuity from the start. → adversary-specific controls thread through Chapter 11.3 (supply chain), Chapter 11.4 (root of trust), and Chapter 11.9 (insiders).

Deep dive: the security-vs-goodput frontier, made explicit

Part 12 frames AI-cluster reliability as goodput — useful work delivered — rather than raw availability. Security sits on the same axis, and every control in Part 11 is a withdrawal from the goodput account. Confidential computing adds encryption and attestation overhead to every protected transfer (the Blackwell generation narrows but does not eliminate it). MIG and single-tenancy strand capacity that time-slicing would have packed (→ Chapter 11.6). Hard egress caps constrain legitimate large-scale data movement, not just exfiltration. Two-person rules and privileged-access workflows slow every operation a single admin used to do alone. Microsegmentation trades east-west throughput and operational simplicity for blast-radius containment.

None of these are arguments against the controls — they are the price of the controls, and the target level is what decides whether the price is worth paying. At SL2 you pay little because you are defending against opportunists who fold at the first hardened boundary. At SL5 you pay heavily across throughput, usability, and cost because you are defending against an adversary who will spend years and a state's resources to get in, and stranding 20% of a GPU's capacity to deny a side-channel is a rational trade when the asset is frontier weights. The mistake is paying SL5's tax for SL2's threat (capital that returns more as goodput) or, far worse, paying SL2's price and believing you have SL4's protection. The frontier is real; the target level is how you choose your point on it deliberately rather than by accident. → goodput framing in Chapter 12.2.

Anti-patterns

The same mis-scopes recur, because each comes from skipping the target-level question and reasoning from a control catalog or a compliance checkbox instead. Four are worth naming:

  • Compliance as security. Treating SOC 2 / ISO 27001 attestation as evidence of an SL4 posture. These frameworks verify that controls exist and are operated; they say nothing about whether those controls thwart an OC4 adversary. A clean audit and a copied weight file are fully compatible.
  • Perimeter thinking for a silent asset. Spending the security budget on fences, badges, and ingress controls while the egress path that the weights would actually leave through goes unmonitored and uncapped. You are guarding the entrance to a building whose crown jewel walks out the exit (→ Chapter 11.8).
  • Over-defending the loud asset, under-defending the silent one. Hardening facility availability (which announces its own loss via an outage) to 2N-grade resilience while the weights (whose loss is silent and permanent) sit behind SL2 controls. Match the control to the loss signature, not to the dollar value alone.
  • Budget-chosen levels. Picking a security level the organization can comfortably afford and assuming the adversary will scale down to match. The adversary is set by what you hold; choosing SL2 because SL4 is expensive does not make your OC4 adversary go away — it just guarantees they win.

This chapter sets the threat model and the target level; the rest of Part 11 derives the stack. Physical zones and the kinetic/drone case in Chapter 11.2; supply-chain provenance in Chapter 11.3; the hardware root of trust and firmware/BMC plane in Chapter 11.4; GPU confidential computing and attestation (the canonical TEE home) in Chapter 11.5; multi-tenant isolation and its documented limits in Chapter 11.6; segmentation, zero trust, and egress control in Chapter 11.7; the crown-jewel weight-protection treatment in Chapter 11.8; the insider vector that dominates the SL gap in Chapter 11.9; and cyber-physical/OT attacks in Chapter 11.10. The security-vs-goodput frontier is the reliability-rethink lens of Chapter 12.2; the irreversible-substrate logic mirrors the density ramp of Chapter 1.1; and tenant data governance, distinct from weight security, lives in Chapter 10.10.