
Executive Summary
Data centers built to train next-generation frontier AI models are a distinct class of infrastructure, characterized by an unprecedented concentration of value: the capital invested in the facility and the data assets it holds, namely model weights, proprietary algorithms, and training data. Accordingly, the threat model for this class of compute facility includes highly motivated and capable nation-state actors as well as sophisticated insider threats. The threat level scales as frontier models grow in capability, and the repercussions of compromise are equally distinctive. Exfiltration of valuable intellectual property (IP) such as model weights and training data, sabotage or poisoning of training runs, and exploitation of the hardware and firmware that drive AI workloads are high-impact security events with meaningful economic and national security implications.
This report provides a gap analysis based on a survey of the most widely used information security and data-center-specific security standards, and attempts to determine where their underlying assumptions about architecture, points of security enforcement, and visibility break down when applied to the AI context. The standards surveyed include the NIST Cybersecurity Framework (CSF) 2.0, SP 800-53, and SP 800-171; the NIST AI Risk Management Framework; ISO/IEC 27001; SOC 2; and the Cloud Security Alliance’s control matrices.
The analysis is framed through its application to the specific case of single-tenant, single-ownership data centers whose function is the training of frontier AI models, and it attempts to remain as hardware-provider agnostic as possible. This agnosticism recognizes the complexity and multi-dimensionality of the problem set. As more architectures, hardware, ownership models, and data center functions such as inference are considered, the problem set becomes fractal and has cascading security implications. This report aims to serve as an initial contribution to the discussion and to help distill the considerable problem set of AI data center security into a useful mental model using a ground-up, data-driven approach. Further exploration of the topic can be pursued using this mental model as applied to other architectures and ownership models.
The primary finding of this report is that the most commonly used and applied security standards were not designed to secure the AI training context. This does not suggest that existing security standards are wrong or insufficient. On the contrary, they have proven to be effective for the environments for which they were designed. Many control families in these standards remain not only directly applicable but foundational to traditional data center and enterprise information technology (IT) environments.
Some of the emergent critical gaps that require further exploration include the definition of AI-specific assets such as model weights, checkpoints, and training runs as critical data; the inspection and enforcement points that simply don’t exist in accelerator fabrics; and a common vocabulary for AI-specific security events such as model weight exfiltration, checkpoint manipulation, and training run poisoning or sabotage.
The net result is that at present, frontier labs and data center operators are left to either treat their infrastructure like traditional data centers, or to improvise bespoke control sets without a consistent, proven basis for assurance, assessment, and standardization geared towards their specific use case. A potential solution to address the novel security concerns posed by AI infrastructure is to take advantage of the effective standards that currently exist, such as NIST SP 800-53, and to craft additional profiles or overlays through a process of explicit tailoring to the architectural realities of AI training clusters.
The identification of meaningful control gaps will allow for the creation of new fundamental mechanisms for AI-specific points of enforcement and telemetry collection, or at the very least provide the mental model through which we can begin to address them.
Key gaps identified in this analysis include:
- Architectural and traffic flow assumptions: Training clusters shift security from a primarily north-south (traffic into and out of a data center) perimeter definition and associated defense strategy to extremely high-volume east-west (internal network) traffic within a network fabric, thereby reducing the usefulness of traditional segmentation and inline inspection.
- Management plane: The management plane, composed of components such as Baseboard Management Controllers (BMCs), orchestration, firmware management, and fabric management, becomes a blast radius multiplier: compromise of any one of these components can cascade across an entire cluster.
- Hardware, firmware, and supply chain: Accelerator cards, Network Interface Cards (NICs) and Data Processing Units (DPUs), switches, and all associated firmware expand the trusted computing base and reduce buyer leverage in procurement because of the relatively limited number of key AI-specific hardware vendors.
- Model artifacts and checkpoints: Checkpoints are both the recovery mechanism for long training runs and a portable copy of the model. Ensuring integrity and sufficient access controls for checkpointing systems is not sufficiently covered in existing standards.
- Detection and response: Monitoring techniques and related technologies that are effective in enterprise IT may be infeasible at the level of throughput required in the AI context, and containment and recovery decisions are complicated by the opportunity cost of lost compute time.
- Physical security and emanations: When accounting for more sophisticated nation-state adversaries, physical and Operational Technology (OT) attack surfaces become more relevant and important to protect. Current data center standards rarely recommend sufficient emanations controls outside of application to classified environments.
The following near-term recommendations aim to address the identified gaps until an AI-specific data center standard is developed:
- Take an overlay or profile approach: start from a proven baseline, such as the NIST SP 800-53B high-impact control baseline, and document where accelerator fabrics and management networks require compensating controls or translation.
- Define AI-specific assets and protect them through currently feasible means. Treat checkpoint storage locations as high-privilege systems and protect them using strong integrity and access controls.
- Categorize the management plane as a Tier-0 network. Harden access paths to BMCs, implement monitoring where possible, isolate management networks, and vet firmware providers. Define firmware update practices that match the sensitivity of the environment.
- Develop a taxonomy specifically for AI incidents and their corresponding incident response playbooks. These should cover scenarios unique to the AI context and include model weight theft, checkpoint poisoning, and training data manipulation or sabotage. Plan sufficiently for long recovery and dwell times.
- Use profiles or overlays as the primary means of standardization. This aligns with the approach taken by NIST and the Cloud Security Alliance (CSA) in the Control Overlays for Securing AI Systems (COSAiS), the Cyber AI Profile, and the AI Controls Matrix (AICM), while extending them to address the unique security requirements of AI infrastructure and its threat models.
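The recommendation above to treat checkpoint storage as a high-privilege system and protect it with strong integrity controls can be made concrete with a signed integrity manifest over the checkpoint directory. The following is an added example written for this summary, not code from the report or from any lab or vendor. It records a SHA-256 digest per shard, authenticates the whole manifest with an HMAC so that an attacker with write access to checkpoint storage cannot replace a shard and quietly rewrite the manifest to match, and reports missing, modified, and unexpected files. The key, directory layout, file names, and run identifier are all constructed for the illustration; in practice the key would live in a KMS or HSM and verification would gate every resume-from-checkpoint and weight-export operation.

```python
"""Signed integrity manifest for a model checkpoint directory (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks; real shards are tens of GB
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def canonical(body: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the HMAC is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def checkpoint_files(ckpt_dir: Path) -> list[str]:
    return sorted(str(p.relative_to(ckpt_dir)) for p in ckpt_dir.rglob("*")
                  if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(ckpt_dir: Path, key: bytes, run_id: str, step: int) -> dict:
    body = {
        "run_id": run_id,
        "step": step,
        "files": {rel: {"sha256": sha256_file(ckpt_dir / rel),
                        "size": (ckpt_dir / rel).stat().st_size}
                  for rel in checkpoint_files(ckpt_dir)},
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_manifest(ckpt_dir: Path, manifest: dict, key: bytes) -> list[str]:
    """Return findings; an empty list means the checkpoint matches its manifest."""
    body = manifest["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Authenticate the manifest first: per-file checks against a forged manifest prove nothing.
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return ["manifest HMAC mismatch: manifest forged or signed with a different key"]
    findings = []
    on_disk = set(checkpoint_files(ckpt_dir))
    for rel, meta in body["files"].items():
        if rel not in on_disk:
            findings.append(f"missing shard: {rel}")
        elif (ckpt_dir / rel).stat().st_size != meta["size"]:
            findings.append(f"size mismatch: {rel}")
        elif sha256_file(ckpt_dir / rel) != meta["sha256"]:
            findings.append(f"digest mismatch: {rel}")
    for rel in sorted(on_disk - set(body["files"])):
        findings.append(f"unexpected file in checkpoint: {rel}")
    return findings


def demo() -> dict:
    """Constructed scenario: sign a checkpoint, then tamper with it two ways."""
    key = b"constructed-demo-key-use-a-kms-in-production"  # assumption, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "step-001000"
        (ckpt / "shards").mkdir(parents=True)
        # Constructed stand-ins for weight shards and optimizer state.
        (ckpt / "shards" / "model-00001-of-00002.safetensors").write_bytes(b"\x00" * 4096)
        (ckpt / "shards" / "model-00002-of-00002.safetensors").write_bytes(b"\x01" * 4096)
        (ckpt / "optimizer.pt").write_bytes(b"adam-state")
        manifest = build_manifest(ckpt, key, run_id="run-42", step=1000)
        intact = verify_manifest(ckpt, manifest, key)

        # Scenario 1: a shard is overwritten (same size) and a stray file is dropped in.
        (ckpt / "shards" / "model-00002-of-00002.safetensors").write_bytes(b"\x01" * 4095 + b"\xff")
        (ckpt / "shards" / "model-00003-of-00002.safetensors").write_bytes(b"extra")
        tampered = verify_manifest(ckpt, manifest, key)

        # Scenario 2: the attacker also regenerates the manifest, but without the signing key.
        forged = build_manifest(ckpt, b"wrong-key", run_id="run-42", step=1000)
        forged_findings = verify_manifest(ckpt, forged, key)
    return {"intact": intact, "tampered": tampered, "forged": forged_findings}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC check runs before any per-file hashing because a manifest the attacker can rewrite is worthless as evidence; a production deployment would use an asymmetric signature instead so that the training job can verify checkpoints without holding the signing key, and would emit a checkpoint integrity failure as a distinct incident type in the AI incident taxonomy the report calls for.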