Nvidia Rubin’s rack-scale encryption marks a turning point for enterprise AI security

Nvidia’s Vera Rubin NVL72, announced at CES 2026, encrypts every bus across 72 GPUs, 36 CPUs, and the entire NVLink fabric. It is the first rack-scale platform to offer confidential computing across CPU, GPU and NVLink.
For security leaders, this fundamentally changes the conversation. Rather than securing complex hybrid cloud setups through contractual trust in cloud providers, they can verify those environments cryptographically. That distinction matters as nation-state adversaries have proven capable of launching targeted cyberattacks at machine speed.
The brutal economics of unprotected AI
Epoch AI research shows that frontier training costs have grown 2.4 times per year since 2016, meaning billion-dollar training runs could become a reality within a few years. Yet the infrastructure protecting these investments remains fundamentally insecure in most deployments. Security budgets meant to protect frontier models are not keeping up with the exceptionally fast pace of model training. The result is that more models are at risk, because existing approaches cannot scale or keep pace with adversaries’ tradecraft.
IBM’s 2025 Cost of Data Breach Report reveals that 13% of organizations experienced breaches of AI models or applications. Of the breaches, 97% lacked appropriate AI access controls.
Shadow AI incidents cost an average of $4.63 million, or $670,000 more than standard breaches, with one in five breaches now involving unauthorized tools that disproportionately expose customers’ personal information (65%) and intellectual property (40%).
Think about what this means for organizations spending $50 million or $500 million on training. Their model weights are in multi-tenant environments where cloud providers can inspect the data. Hardware-level encryption that proves the environment has not been tampered with completely changes the financial equation.
The GTG-1002 wake-up call
In November 2025, Anthropic revealed something unprecedented: a Chinese state-sponsored group designated GTG-1002 had manipulated Claude Code to carry out what the company described as the first documented case of a large-scale cyberattack executed without substantial human intervention.
The state-sponsored adversaries turned the tool into an autonomous intrusion agent that discovered vulnerabilities, designed exploits, harvested credentials, moved laterally across networks, and classified stolen data by its intelligence value. Human operators intervened only at critical moments. According to Anthropic’s analysis, the AI independently performed about 80-90% of all tactical work.
The implications extend beyond this single incident. Attack surfaces that once required teams of experienced attackers can now be probed at machine speed by adversaries with access to base models.
Blackwell vs. Rubin performance comparison

| Specification | Blackwell GB300 NVL72 | Rubin NVL72 |
|---|---|---|
| Inference compute (FP4) | 1.44 exaFLOPS | 3.6 exaFLOPS |
| NVFP4 per GPU (inference) | 20 PFLOPS | 50 PFLOPS |
| NVLink bandwidth per GPU | 1.8 TB/s | 3.6 TB/s |
| NVLink in-rack bandwidth | 130 TB/s | 260 TB/s |
| HBM bandwidth per GPU | ~8 TB/s | ~22 TB/s |
Industry dynamics and AMD alternative
Nvidia does not operate in isolation. A study by the Confidential Computing Consortium and IDC, released in December, found that 75% of organizations are adopting confidential computing, with 18% already in production and 57% testing deployments.
"Confidential computing has evolved from a niche concept to a vital strategy for data security and trusted AI innovation," said Nelly Porter, board chair of the Confidential Computing Consortium. Real obstacles remain: 84% of respondents report difficulties validating certificates, and a skills gap hinders 75%.
AMD’s Helios rack takes a different approach. Built on Meta’s Open Rack Wide specification, announced at the OCP Global Summit in October 2025, it provides approximately 2.9 exaflops of FP4 compute with 31 TB of HBM4 memory and 1.4 PB/s of overall bandwidth. While Nvidia builds confidential computing into every component, AMD prioritizes open standards through the Ultra Accelerator Link and Ultra Ethernet consortia.
Competition between Nvidia and AMD gives security managers more choices than they would otherwise have had. Weighing the trade-offs between Nvidia’s integrated approach and the flexibility of AMD’s open standards against their specific infrastructure and enterprise threat models is critical.
What security managers are doing now
Hardware-level confidentiality does not replace zero trust principles; it gives them teeth. What Nvidia and AMD are building allows security managers to verify trust cryptographically rather than assuming it contractually.
This is a significant change for anyone running sensitive workloads on shared infrastructure. And if the attestation claims hold up in production, this approach could allow companies to scale zero trust to thousands of nodes without the policy proliferation and agent overhead that software-only implementations require.
Before deployment: Review the attestation to confirm that the environments have not been tampered with. Cryptographic proof of compliance should be a prerequisite for signing contracts, not an afterthought or, worse, a nice-to-have. If your cloud provider can’t demonstrate its attestation capabilities, that’s a question worth raising at your next QBR.
During operation: Maintain separate enclaves for training and inference, and include security teams in the model pipeline from the start. IBM research showed that 63% of organizations experiencing a breach had no AI governance policy. Security cannot be bolted on after development; doing so leads to weak designs and leaves red teams chasing bugs in applications that were rushed out from a template.
Across the organization: Organize joint exercises between security and data science teams to reveal vulnerabilities before attackers find them. Shadow AI accounted for 20% of breaches and exposed customers’ personal information and IP at higher rates than other breach types.
Conclusion
The GTG-1002 campaign demonstrated that adversaries can now automate large-scale intrusions with minimal human oversight. Almost every organization that suffered an AI-related breach lacked appropriate access controls.
Nvidia’s Vera Rubin NVL72 turns racks of potential liabilities into cryptographically attested assets by encrypting every bus. AMD’s Helios offers an open-standards alternative. Hardware confidentiality alone won’t stop a determined adversary, but combined with strong governance and realistic threat exercises, rack-scale encryption gives security leaders the foundation they need to protect investments measured in the hundreds of millions of dollars.
The question for CISOs is not whether attested infrastructure is worth it. The question is whether organizations that build high-value AI models can afford to operate without it.