FORGE
Brought to you withbyLava

The Top 10 Data Center and AI Infrastructure Security Risks

Harden the metal beneath the model.

A targeted, actionable framework for the teams building, running, and buying, AI compute, neocloud providers, security architects, and CISOs.

What is FORGE

A security framework for AI Data Centers

A practical framework for identifying and reducing the most important risks in the infrastructure layer that trains, hosts, and serves AI.

Why FORGE?

AI security needs to go below the model.

FORGE focuses on the infrastructure layer where hardware, fabrics, management planes, and provider controls determine trust.

HOW IT IS USED

Providers harden. Customers evaluate.

FORGE gives both sides a shared language for assessing GPU clouds, neoclouds, AI datacenters, and internal AI clusters.

Executive Summary

AI datacenters are being built faster than they are being secured.

The rapid expansion of datacenters, GPU clouds, and specialized compute environments has introduced security risks across hardware, networking, storage, orchestration, identity, management planes, and physical operations. Many of these risks resemble traditional datacenter or cloud security issues, but modern data centers and AI infrastructure changes their severity: systems originally designed for trusted operators are now supporting high-value, multi-tenant workloads from unrelated customers.

The Top 10 Data Centers & AI Infrastructure Security Risks provides a practical framework for identifying, prioritizing, and reducing the most important security risks in the infrastructure layer that powers AI. The framework defines the most critical failure modes in AI infrastructure and helps translate them into concrete security requirements.

What This Framework Covers

This framework focuses on the security of AI infrastructure and the datacenters that house it: the physical hardware, networking fabrics, management planes, orchestration systems, storage systems, and operational environments on which AI workloads run.

It does not focus on AI models themselves or application-layer risks such as prompt injection, insecure agent behavior, model abuse, or model-level evaluation. Those risks are addressed by frameworks focused on other parts of the AI stack, including the OWASP Top 10 for LLM Applications, MITRE ATLAS, the NIST AI Risk Management Framework, and ISO/IEC 42001. Together, these resources give practitioners a more complete picture of AI security, from governance and application-layer risks down to the underlying compute infrastructure.

Some risks in this document also exist in traditional datacenter and cloud environments. They are included here because AI infrastructure makes them materially more severe: shared high-value compute, complex accelerator clusters, dense management layers, and multi-tenant operations can turn ordinary infrastructure weaknesses into more severe security risks because the likelihood and impact of any incident are much higher than in traditional enterprise level software and service deployments.

Who This Framework Is For

Neo-cloud providers can benefit from the framework as a practical guide to the AI infrastructure threat landscape, attack surface review, environment hardening, security prioritization, and maturity demonstration.

AI infrastructure customers can benefit from the framework as a practical guide for procurement, security reviews, contractual requirements, provider comparison, and assessing resilience against realistic tenant-to-infrastructure compromise.

Hybrid Cloud security teams can benefit from this framework as a practical guide for configuring, maintaining, and securing their on-premise footprint against modern attacks, which can quickly pivot between environments.

Reviewers

Tony ReaGlobal AI Infrastructure Lead

Daniel IziourovDirector of Platform Security

Vjaceslavs KlimovsSenior Technical Director

Assaf NamerHead of AI Security

Tyson MacaulayDeputy Director

Golan Ben-OniCIO/CISO

Florina CiorbaAssociate Professor, Head of High Performance Computing group

Arthur ReedSecurity Engineer

Deumens ErikDirector Research Computing

Saad MalikCTO

Selim AissiFormer Vice President, Global Information Security, Visa & Intel

Guy BilitskiLeading AI Operations

Dan FarmerSecurity Researcher

Individual Contributors

Michael BarguryCTO

Amir JerbiFormer CTO, Aqua Security

Bill StoutFormer Technical Director, AI Product Security, ServiceNow

Roey YaacoviCTO, DSPM & AI Security

Guy ShannyCo-Founder & CEO, Polar Security, acquired by IBM

Ziv KarlinerCTO

Assaf MoragSecurity Researcher

Individual Contributors

James BerthotyFounder & CEO

The rate at which the modern datacenter and AI infrastructure is being built is heavily outpacing the ability to secure it. When this infrastructure, GPU clusters, training pipelines, high-performance networking, and inference endpoints, is compromised, the blast radius is unlike conventional compute. Attackers gain access to proprietary models representing hundreds of millions of dollars, the power to poison foundational training data, and persistent footholds in the most highly privileged environments available.

This dynamic is reinforced by a structural market imbalance: GPU scarcity gives providers outsized leverage. When demand for accelerated compute far outstrips supply, customers often cannot choose their provider based on security posture - they take what is available. Providers face little market pressure to invest in security maturity, and customers accept risk they would not tolerate in conventional cloud. This imbalance is the backdrop against which every risk in this document should be read. This market pressure is becoming more dangerous as AI-enabled security research and exploitation capabilities compress the timeline for defenders. Weaknesses that might once have remained obscure for years may now be discovered, chained, and operationalized much faster.

At the same time, AI-enabled security research and exploitation capabilities are compressing the timeline for defenders: weaknesses that might once have remained obscure for years may now be discovered, chained, and operationalized much faster.

Why AI Infrastructure Security Is Different

AI infrastructure sits at the intersection of cloud computing, high-performance computing, and physical datacenter operations. It uses familiar components such as servers, storage, networks, schedulers, management planes, and identity systems, but combines them in ways that change the security model.

Traditional HPC environments were often designed for trusted users, research communities, or internal operators. Modern AI infrastructure increasingly supports commercial, high-value, multi-tenant workloads from unrelated customers. As a result, assumptions that were acceptable in trusted or single-organization environments can become serious security risks when applied to shared AI infrastructure.

Recent Reporting

Attackers have already begun targeting the infrastructure, supply chains, and datacenter ecosystems that support advanced AI and HPC workloads. In some cases, the objective is direct theft of sensitive research, models, or engineering data, in others, it is espionage, prepositioning, or the ability to disrupt strategically important compute environments. Recent reporting illustrates both patterns:

April 2025

Reported attacks on U.S. AI data centers

In April 2025, TIME reported that researchers speaking with national security officials and datacenter operators learned of one case in which a top U.S. technology company’s AI datacenter was attacked and intellectual property was stolen. They also described another case in which a similar facility was targeted through a specific unnamed component, had the attack succeeded, it could have taken the entire datacenter offline for months.

January 2026

Nation-state targeting of AI infrastructure IP

Federal prosecutions have confirmed that nation-states are directly targeting AI datacenter architecture at the hardware and systems level. In one case , a former engineer at a major U.S. technology company was convicted of economic espionage after stealing thousands of pages of AI datacenter designs, including chip architecture, systems integration specifications, and orchestration software for large-scale model training.

April 2025

Reported exfiltration from China’s National Supercomputing Center in Tianjin

In April 2026, public reporting described claims that more than 10 petabytes of data had been stolen from the Tianjin supercomputing hub, a facility that reportedly supports thousands of research, industrial, and government users. Data claimed to originate from the breach was advertised for sale on Telegram channels. The incident illustrates the concentration risk created when high-value workloads, data, and research outputs are pooled in a single advanced compute environment.

These are early examples. The attack surface is likely to expand as the stack matures, and this document will evolve alongside it.

Threat Model

The risk is best understood by looking at potential attackers. The threat model spans far more than the classic "outside attacker", and the controls in this document are calibrated against the full set.

External attacker

An unauthenticated or unauthorized actor with network access.

Compromised cloud customer

A legitimate customer account, tenant, or workload that has been compromised and is operating on the provider’s shared infrastructure.

Malicious enterprise insider

An employee or contractor of the AI-consuming organization with legitimate access.

Malicious or compromised insider

An employee, contractor, technician, system integrator, logistics provider, or break-fix vendor with legitimate access to the customer or provider environment.

In-transit adversary

An actor with access to hardware or components during manufacturing, staging, warehousing, shipping, or delivery before they reach the provider’s secured environment.

System integrator

An organization responsible for assembling, configuring, or shipping complete systems from individual components.

Supplier

An upstream hardware, firmware or driver vendor.

AI agents

Any AI agents acting on behalf of and impersonating any of the above.

Enterprise Compromise as an Initial Access Vector

The risks in this framework focus on AI infrastructure-specific or AI infrastructure-amplified failure modes. They do not replace the need for strong enterprise security controls. In practice, many attacks against AI infrastructure may begin through familiar enterprise compromise paths, including weak or missing MFA, phishing, credential theft, SaaS compromise, and weak identity controls.

These paths should be treated as cross-cutting initial access vectors. A compromised identity, endpoint, SaaS account, CI/CD system, or administrative credential can provide the foothold needed to reach several of the risks described in this framework. These specific sections therefore focus on what can happen once an attacker reaches, or can influence, the AI infrastructure environment itself.

The “Top 10 AI Infrastructure & Data Centers Security Risks” initiative

App & Serving

1

AI Application & Agent Layer

Chat UI, agents, tools, RAG workflows and application APIs

Out of scope
2

LLM Serving & Application-Facing Endpoint

Inference APIs, gateways, user authentication, request routing and application observability

Outside primary scope

Software & Operations

3

Provider Control Plane & Cluster Operations

Customer portal, provider APIs, Kubernetes, Slurm, Ray, schedulers, provisioning, automation, telemetry and administrative tools

FORGE-09FORGE-03
4

Model Artifacts, Registries & Deployment

Model weights, checkpoints, adapters, registries, serving images and deployment packages

FORGE-07
5

Tenant Workload & Isolation Layer

Bare metal, VMs, containers, MIG/vGPU, namespaces and device assignment

FORGE-03

Compute, storage & network

6

Shared Storage & Data Plane

Parallel filesystems, object storage, datasets, checkpoints, caches, backups and training outputs

FORGE-07FORGE-03
7

Backend Accelerator & Network Fabric

InfiniBand, RoCE, RDMA, NVLink, fabric switches, subnet managers and fabric control services

FORGE-02FORGE-03
8

Firmware & Out-of-Band Management

BIOS/UEFI, BMCs, OOB management networks, management switches, management APIs and fleet tools

FORGE-01FORGE-04FORGE-10

Facility & supply

9

Server & Accelerator Hardware

GPU servers, CPUs, GPUs, NICs, DPUs, local storage and device assignment

FORGE-01FORGE-03
10

Datacenter Facility & Physical Infrastructure

Racks, PDUs, power distribution, UPS and generators, cooling, BMS, EPMS, DCIM, environmental monitoring and physical access

FORGE-06
11

Supply Chain & Component Intake

OEMs, ODMs, system integrators, logistics, staging, refurbishment, hardware components, firmware images, drivers, runtimes

FORGE-05FORGE-01FORGE-10

How Risks Were Selected

Candidate risks were drawn from:

Analysis of security research, incident reports, and published CVEs affecting AI-specific components.

Review of vendor security documentation from NVIDIA, AMD, and major cloud providers.

Observed vulnerability patterns across GPU cloud environments and ML orchestration platforms.

Discussions with security practitioners working in AI infrastructure across multiple verticals.

Each candidate was evaluated against four dimensions, Likelihood, Impact, Exploitability, and Detection Difficulty, with the highest-scoring risks selected for inclusion.

Versioning and Contributions

This is a living document. AI infrastructure is evolving rapidly, and so are the attacks against it. Future revisions will add new risks, refine existing ones, and incorporate lessons learned from the field. Feedback and proposed additions from practitioners are welcome and will be credited upon publication of the new version.

The Five Domains of the FORGE Lens

FORGE domains define the evaluation lens: the infrastructure areas where AI security risk lives.
The Risk Matrix below maps individual risks into these domains.

F

Fleet integrity

Trust in the hardware, firmware, software artifacts, images, dependencies, and supply paths that make up the AI infrastructure fleet.

O

Operations & management planes

Privileged systems used to control, automate, and administer AI infrastructure, including BMCs, schedulers, orchestration, automation, and admin tooling.

R

Resource isolation

The boundaries that separate tenants, workloads, execution environments, and reused infrastructure across shared AI systems.

G

Grid

The networking fabrics and facility systems that connect AI clusters and keep them powered, cooled, and operational.

E

Evidence & exposure management

The evidence customers need to understand provider security maturity, architectural scope, exposed services, and patch velocity.

The FORGE Top 10 at a Glance

Critical

FORGE-01 Firmware & Hardware Integrity Compromise

Unauthorized firmware or hardware changes can create persistent compromise below the operating system, surviving rebuilds, disk wipes, and tenant reassignment.

Read More
Critical

FORGE-02 Network & Interconnect Vulnerabilities

Weak fabric isolation, management protection, and monitoring can expose InfiniBand, RoCE, and RDMA paths to discovery, abuse, or lateral movement.

Read More
Critical

FORGE-03 Unsafe Multi-Tenant Isolation and Resource Reuse

Failures in shared or reassigned infrastructure can let tenants cross boundaries, observe residual state, discover other workloads, or degrade neighboring jobs.

Read More
Critical

FORGE-04 Insecure Out-of-Band Management Plane

Weaknesses in BMCs, management protocols, networks, and fleet tools can give attackers hardware-level control outside the host OS.

Read More
Critical

FORGE-05 AI Infrastructure Supply Chain Compromise

Unverified hardware, firmware, images, drivers, packages, models, or infrastructure artifacts can introduce compromise through trusted supply paths.

Read More
High

FORGE-06 Insecure Facility & Datacenter Management Systems

Weaknesses in cooling, power, DCIM, access control, or facility networks can disrupt AI workloads, expose asset maps, or bypass server-side defenses.

Read More
Medium

FORGE-07 Insecure Data and Artifact Handling

Weak controls over datasets, prompts, logs, embeddings, checkpoints, model weights, caches, backups, and deployment artifacts can enable exposure or tampering.

Read More
Medium

FORGE-08 Certification Gaps & Provider Transparency Failures

Customers may rely on certifications, attestations, or provider claims that do not clearly cover the infrastructure actually running their workloads

Read More
Medium

FORGE-09 Insecure Operational Infrastructure Services

Compromise of schedulers, control planes, provisioning workflows, automation, or admin interfaces can give attackers broad control over AI workloads and nodes.

Read More
Medium

FORGE-10 Vendor Embargo Gaps & Patch Velocity Failures

Delayed disclosure, slow patching, disruptive updates, and version drift can leave AI infrastructure exposed to known vulnerabilities.

Read More

Risk Matrix

FORGE IDs are ordered by severity, from highest to lowest. The matrix groups each risk by domain and shows its likelihood, impact, and detection difficulty.

FORGE-01

F
Critical

Hardware & Firmware Integrity Compromise

Likelihood
Medium
Impact
Severe
Detection Difficulty
High

FORGE-02

G
Critical

Network & Interconnect Vulnerabilities

Likelihood
Medium
Impact
Severe
Detection Difficulty
High

FORGE-03

R
Critical

Unsafe Multi-Tenant Isolation and Resource Reuse

Likelihood
Low
Impact
Severe
Detection Difficulty
Very high

FORGE-04

O
Critical

Insecure Out-of-Band Management Plane

Likelihood
Medium
Impact
High
Detection Difficulty
Very high

FORGE-05

F
Critical

AI Infrastructure Supply Chain Compromise

Likelihood
High
Impact
High
Detection Difficulty
High

FORGE-06

G
High

Insecure Facility & Datacenter Management Systems

Likelihood
Low
Impact
High
Detection Difficulty
Very high

FORGE-07

R
High

Insecure Model Artifact Handling

Likelihood
High
Impact
High
Detection Difficulty
Medium

FORGE-08

E
High

Certification Gaps & Provider Transparency Failures

Likelihood
Medium
Impact
High
Detection Difficulty
Medium

FORGE-09

O
High

Insecure Operational Infrastructure Services

Likelihood
High
Impact
Medium
Detection Difficulty
Medium

FORGE-10

E
Medium

Vendor Embargo Gaps & Patch Velocity Failures

Likelihood
Medium
Impact
Medium
Detection Difficulty
Low

Acknowledgment

Built to evolve with the field, and kept open so the whole AI and security community can use it, challenge it, and improve it.

With thanks to the practitioners and reviewers below, whose feedback shaped this framework as it took form:

Have feedback or want to contribute?

research@lavalabs.io