Nvidia Rubin's rack-scale encryption signals a turning point for enterprise AI security

Nvidia’s Vera Rubin NVL72, announced at CES 2026, encrypts each bus across 72 GPUs, 36 CPUs, and the entire NVLink fabric. It is the first rack-scale platform to provide confidential computing across CPU, GPU and NVLink domains.

For security leaders, this fundamentally changes the conversation. Instead of attempting to secure complex hybrid cloud configurations through contractual trust with cloud providers, they can verify them cryptographically. That distinction matters when nation-state adversaries have proven they can launch targeted cyberattacks at machine speed.

The Cruel Economics of Unsafe AI

Epoch AI research shows that frontier model training costs have increased 2.4x annually since 2016, meaning billion-dollar training runs could be a reality in just a few years. Yet the infrastructure protecting these investments remains fundamentally insecure in most deployments. Security budgets sized for earlier, smaller training runs have not kept pace with the exceptionally fast growth in training scale. The result is that more models are at risk because existing approaches cannot keep up with adversaries' capabilities.

IBM’s 2025 Data Breach Cost Report found that 13% of organizations experienced a breach of AI models or applications. Of those breached, 97% lacked proper AI access controls.

Shadow AI incidents cost an average of $4.63 million, or $670,000 more than standard breaches, with one in five breaches now involving unapproved tools that disproportionately expose customer PII (65%) and intellectual property (40%).

Think about what this means for organizations spending $50 million or $500 million on a training program. Their model weights sit in a multi-tenant environment where cloud providers can inspect the data. Hardware-level encryption that proves the environment has not been tampered with completely changes the financial equation.

GTG-1002 Wake-up Call

In November 2025, Anthropic revealed something unprecedented: a Chinese state-sponsored group designated GTG-1002 had manipulated Claude Code in what the company described as the first documented case of a large-scale cyberattack without any human intervention.

The state-sponsored adversaries turned it into an autonomous intrusion agent that discovered vulnerabilities, designed exploits, gathered credentials, moved laterally through the network, and classified stolen data by intelligence value. Human operators intervened only at critical decision points. According to Anthropic's analysis, the AI performed approximately 80 to 90% of all tactical tasks independently.

The implications extend beyond this single incident. The attack surface that once required teams of experienced attackers can now be probed at machine speed by adversaries with access to foundation models.

Blackwell vs Rubin performance comparison

Specification                   Blackwell GB300 NVL72    Rubin NVL72
Estimated FP4 compute (rack)    1.44 exaflops            3.6 exaflops
NVFP4 per GPU (estimate)        20 PFLOPS                50 PFLOPS
Per-GPU NVLink bandwidth        1.8 TB/s                 3.6 TB/s
Rack NVLink bandwidth           130 TB/s                 260 TB/s
HBM bandwidth per GPU           ~8 TB/s                  ~22 TB/s

Industry momentum and AMD’s choice

Nvidia is not working in isolation. Research from the Confidential Computing Consortium and IDC released in December found that 75% of organizations are adopting confidential computing, with 18% already in production and 57% piloting deployments.

"Confidential computing has evolved from a niche concept into a key strategy for data security and trusted AI innovation," said Nellie Porter, governing board chair of the Confidential Computing Consortium. Real barriers remain: verification and validation challenges affect 84% of respondents, and skills gaps affect 75%.

AMD's Helios rack takes a different approach. Building on Meta's Open Rack Wide specification announced at the OCP Global Summit in October 2025, it delivers approximately 2.9 exaflops of FP4 compute with 31 TB of HBM4 memory and 1.4 PB/s aggregate bandwidth. Where Nvidia designs confidential computing into every component, AMD prioritizes open standards through the Ultra Accelerator Link and Ultra Ethernet consortia.

The competition between Nvidia and AMD is giving security leaders more options than they would otherwise have. Security leaders should weigh Nvidia's integrated approach against the flexibility of AMD's open-standards approach in light of their existing infrastructure and their business-specific threat models.

What security leaders should do now

Hardware-level confidentiality does not replace zero-trust principles; it gives them teeth. What Nvidia and AMD are building lets security leaders verify trust cryptographically rather than treating it as a contract.

This is a meaningful change for anyone handling sensitive workloads on shared infrastructure. If attestation claims hold up in production, this approach could let enterprises extend zero-trust enforcement across thousands of nodes without the policy sprawl and agent overhead that software-only implementations require.

Before deployment: Verify attestation to confirm that the environment has not been tampered with. Cryptographic proof of compliance should be a prerequisite for signing contracts, not an afterthought or, worse, merely a nice idea. If your cloud provider can't demonstrate attestation capabilities, that is a question worth raising in your next QBR.

During operation: Maintain separate enclaves for training and inference, and involve security teams in the model pipeline from the beginning. IBM's research showed that 63% of breached organizations had no AI governance policy. Security cannot be bolted on after development; trying to do so leads to mediocre security design and lengthy red teaming that catches bugs which should have been engineered out of the model or app early.

Throughout the organization: Run joint exercises between security and data science teams to uncover vulnerabilities before they are discovered by attackers. Shadow AI is responsible for 20% of breaches and exposes customer PII and IP at higher rates than other breach types.
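To make the "verify attestation before deployment" step concrete, here is an added example (not Nvidia's, AMD's or any vendor's code) of the policy check a workload orchestrator would run before unsealing model weights. It assumes a hypothetical attestation report covering the CPU, GPU and NVLink domains, with constructed reference measurements and an HMAC standing in for the hardware root of trust's asymmetric signature so that it runs offline.

```python
import hashlib
import hmac
import json

# Constructed reference measurements per trust domain. In a real deployment these
# come from the platform vendor's signed reference manifests, not a literal dict.
GOLDEN_MEASUREMENTS = {
    "cpu_tee": hashlib.sha256(b"cpu-firmware-build-1234").hexdigest(),
    "gpu_tee": hashlib.sha256(b"gpu-vbios-build-5678").hexdigest(),
    "nvlink_fabric": hashlib.sha256(b"fabric-encryption-enabled").hexdigest(),
}
MAX_REPORT_AGE_S = 300

# Placeholder key. A real report carries an asymmetric signature chained to the
# vendor's root CA; HMAC is used here only so the example is self-contained.
ATTESTATION_KEY = b"constructed-attestation-key"


def canonical(report: dict) -> bytes:
    """Deterministic encoding of everything except the signature field."""
    body = {k: v for k, v in report.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes = ATTESTATION_KEY) -> dict:
    """Simulates the hardware root of trust signing a report (demo only)."""
    signed = dict(report)
    signed["signature"] = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return signed


def verify_report(report: dict, expected_nonce: str, now: float,
                  key: bytes = ATTESTATION_KEY) -> list:
    """Returns policy failures; an empty list means every domain attested cleanly."""
    failures = []
    expected_sig = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report.get("signature", ""), expected_sig):
        return ["signature invalid: report is not from a trusted root"]
    if report.get("nonce") != expected_nonce:
        failures.append("nonce mismatch: possible replay of an old report")
    if now - report.get("timestamp", 0) > MAX_REPORT_AGE_S:
        failures.append("report stale")
    measured = report.get("measurements", {})
    for domain, golden in GOLDEN_MEASUREMENTS.items():
        if measured.get(domain) != golden:
            failures.append(f"{domain}: measurement does not match reference")
    return failures


def release_weights_key(report: dict, expected_nonce: str, now: float) -> bool:
    """Model weights are unsealed only when no policy check fails."""
    return not verify_report(report, expected_nonce, now)
```

The nonce must be generated fresh by the verifier for each request; reusing one lets a captured report from a previously healthy rack pass the check.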

The bottom line

The GTG-1002 campaign demonstrated that adversaries can now automate large-scale infiltration with minimal human oversight. Almost every organization that experienced an AI-related breach lacked proper access controls.

Nvidia's Vera Rubin NVL72 transforms racks from potential liabilities into cryptographically verified assets by encrypting every bus. AMD's Helios offers an open-standard alternative. Hardware-level confidentiality alone cannot stop a determined adversary, but combined with strong governance and realistic threat exercises, rack-scale encryption gives security leaders the foundation they need to protect investments measured in the hundreds of millions of dollars.

The question facing CISOs is not whether attested infrastructure is worth it. The question is whether organizations that create high-value AI models can operate without it.
