Nvidia Rubin’s rack-scale encryption marks a turning point for enterprise AI security

Nvidia’s Vera Rubin NVL72, announced at CES 2026, encrypts every bus across 72 GPUs, 36 CPUs, and the full NVLink fabric. It is the first rack-scale platform to deliver confidential computing across the CPU, GPU, and NVLink domains.

For security leaders, this fundamentally changes the conversation. Instead of trying to secure complex hybrid cloud configurations through contractual trust with cloud providers, they can cryptographically verify them. That’s a crucial distinction that matters when nation-state adversaries have proven their ability to conduct targeted cyberattacks at machine speed.

The brutal economics of unprotected AI

Epoch AI research shows that frontier training costs have grown 2.4x per year since 2016, meaning billion-dollar training runs could become a reality within a few years. Yet the infrastructure that protects these investments remains fundamentally insecure in most deployments. Security budgets created to protect cutting-edge models are not keeping pace with the exceptionally rapid growth of model training. The result is that more and more models are at risk as existing approaches fail to scale and keep up with adversaries’ capabilities.

IBM’s 2025 Cost of a Data Breach Report found that 13% of organizations experienced breaches of AI models or applications. Of those breached, 97% did not have proper AI access controls in place.

Shadow AI incidents cost an average of $4.63 million, or $670,000 more than standard breaches, with one in five breaches now involving unapproved tools that disproportionately expose customer PII (65%) and intellectual property (40%).

Think about what this means for organizations that spend $50 to $500 million on a training run. Their model weights reside in multi-tenant environments where cloud providers can inspect the data. Hardware-level encryption that proves the environment hasn’t been tampered with changes that financial equation completely.

The GTG-1002’s wake-up call

In November 2025, Anthropic revealed something unprecedented: a Chinese state-sponsored group called GTG-1002 had manipulated Claude Code into carrying out what the company described as the first documented case of a large-scale cyberattack carried out without substantial human intervention.

State-sponsored adversaries turned it into an autonomous intrusion agent that discovered vulnerabilities, crafted exploits, collected credentials, moved laterally through networks, and categorized stolen data based on intelligence value. Only at critical moments did human operators intervene. According to Anthropic’s analysis, the AI performed approximately 80 to 90% of all tactical work independently.

The implications extend beyond this one incident. Attack surfaces that once required teams of skilled attackers can now be explored at machine speed by adversaries with access to foundation models.

Comparing the performance of Blackwell vs. Rubin

| Specification               | Blackwell GB300 NVL72 | Rubin NVL72    |
|-----------------------------|-----------------------|----------------|
| Inference compute (FP4)     | 1.44 exaFLOPS         | 3.6 exaFLOPS   |
| NVFP4 per GPU (inference)   | 20 PFLOPS             | 50 PFLOPS      |
| Per-GPU NVLink bandwidth    | 1.8 TB/s              | 3.6 TB/s       |
| Rack NVLink bandwidth       | 130 TB/s              | 260 TB/s       |
| HBM bandwidth per GPU       | ~8 TB/s               | ~22 TB/s       |

Industry momentum and AMD’s alternative

Nvidia does not operate in isolation. Research from the Confidential Computing Consortium and IDC, released in December, shows that 75% of organizations are adopting confidential computing, with 18% already in production and 57% experimenting with deployments.

“Confidential Computing has grown from a niche concept to an essential strategy for data security and trusted AI innovation,” said Nelly Porter, Chairman of the Board of Directors of the Confidential Computing Consortium. Real barriers remain: certificate validation problems affect 84% of respondents, and a skills shortage hinders 75%.

AMD’s Helios rack takes a different approach. Built on Meta’s Open Rack Wide specification, announced at the OCP Global Summit in October 2025, it delivers approximately 2.9 exaflops of FP4 computing power with 31 TB of HBM4 memory and a total bandwidth of 1.4 PB/s. Where Nvidia designs confidential computing into every component, AMD prioritizes open standards through the Ultra Accelerator Link and Ultra Ethernet consortia.

The competition between Nvidia and AMD gives security leaders more choices than they would otherwise have had. Comparing the tradeoffs between Nvidia’s integrated approach and AMD’s open standards flexibility for their specific infrastructures and enterprise-specific threat models is critical.

What security leaders are doing now

Confidentiality at the hardware level does not replace zero-trust principles; it gives them teeth. With what Nvidia and AMD are building, security leaders can cryptographically verify trust instead of contractually assuming it.

That’s a meaningful shift for anyone running sensitive workloads on shared infrastructure. And if the attestation claims hold up in production, this approach could allow companies to extend zero-trust enforcement across thousands of nodes without the proliferation of policies and agent overhead that software-only deployments require.

Before implementation: Verify the attestation to confirm that the environments have not been tampered with. Cryptographic proof of compliance should be a prerequisite for signing contracts, not an afterthought or, worse, a ‘nice-to-have’. If your cloud provider can’t demonstrate attestation capabilities, that’s a question worth asking in your next QBR.

During operation: Create separate enclaves for training and inference, and involve security teams in the model pipeline from the very beginning. IBM’s research found that 63% of affected organizations had no AI governance policies in place. You can’t bolt security on after development; doing so leads to mediocre security designs and lengthy red-team work that catches flaws which should have been designed out of a model or app early.

Within the entire organization: Conduct joint exercises between security and data science teams to uncover vulnerabilities before attackers find them. Shadow AI was responsible for 20% of breaches and exposed customer PII and IP more often than other types of breaches.
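The “verify the attestation” step above, and the earlier point that hardware confidentiality lets you verify trust cryptographically rather than assume it contractually, both come down to relying-party logic: a verifier hands the node a fresh nonce, the node returns a signed report of its measurements and runtime flags, and the verifier refuses to admit the node unless every check passes. The following is an added example of that verifier logic, not code from Nvidia, AMD, or the article. The report layout, field names, reference hashes, and policy flags are constructed placeholders, not a real attestation format, and the device’s asymmetric attestation key is simulated with an HMAC key shared between attester and verifier so the example runs with only the standard library.

```python
"""Relying-party attestation check before admitting a node to a confidential fleet.

Added example. All names, field layouts and reference values are constructed
placeholders, not a vendor's attestation format. The device's hardware signing key
is simulated with an HMAC key shared by attester and verifier (standard library only).
"""
import hashlib
import hmac
import json
import secrets

# Constructed "golden" firmware images: what a trusted build of each component looks like.
GOLDEN_FIRMWARE = {
    "cpu_tcb": b"constructed cpu firmware v1",
    "gpu_firmware": b"constructed gpu firmware v1",
    "nvlink_fabric": b"constructed fabric firmware v1",
}
# Reference values the verifier trusts; in practice these come from the vendor's signed manifest.
REFERENCE_MEASUREMENTS = {name: hashlib.sha256(blob).hexdigest() for name, blob in GOLDEN_FIRMWARE.items()}
# Policy: runtime flags the verifier insists on (constructed names).
REQUIRED_FLAGS = {"confidential_mode": True, "debug_enabled": False}
MAX_REPORT_AGE_S = 300


def canonical(body: dict) -> bytes:
    """Deterministic serialization so attester and verifier sign/verify identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def new_nonce() -> str:
    """Verifier-chosen nonce; binding it into the report defeats replay of an old report."""
    return secrets.token_hex(16)


def issue_report(device_key: bytes, nonce: str, firmware: dict, flags: dict, now: int) -> dict:
    """Attester side (simulated): measure each component, bind the nonce and time, sign."""
    body = {
        "nonce": nonce,
        "timestamp": now,
        "measurements": {name: hashlib.sha256(blob).hexdigest() for name, blob in firmware.items()},
        "flags": flags,
    }
    signature = hmac.new(device_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": signature}


def verify_report(report: dict, device_key: bytes, expected_nonce: str, now: int) -> list:
    """Relying-party side: return failure reasons; an empty list means the node may be admitted."""
    body = {k: v for k, v in report.items() if k != "signature"}
    expected_sig = hmac.new(device_key, canonical(body), hashlib.sha256).hexdigest()
    # Signature first: until it checks out, nothing else in the report can be trusted.
    if not hmac.compare_digest(expected_sig, report.get("signature", "")):
        return ["signature invalid"]
    reasons = []
    if report["nonce"] != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    age = now - report["timestamp"]
    if age < 0 or age > MAX_REPORT_AGE_S:
        reasons.append(f"report stale or from the future (age {age}s)")
    # Every component must be present and match its reference value; a missing one is a failure too.
    for name, reference in REFERENCE_MEASUREMENTS.items():
        measured = report["measurements"].get(name)
        if measured is None:
            reasons.append(f"{name}: measurement missing")
        elif measured != reference:
            reasons.append(f"{name}: measurement mismatch")
    for flag, wanted in REQUIRED_FLAGS.items():
        actual = report["flags"].get(flag)
        if actual != wanted:
            reasons.append(f"{flag}: expected {wanted}, got {actual}")
    return reasons


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for the device's attestation key
    nonce = new_nonce()
    good = issue_report(key, nonce, GOLDEN_FIRMWARE, dict(REQUIRED_FLAGS), now=1000)
    print("trusted node:", verify_report(good, key, nonce, now=1010))
    patched = issue_report(key, nonce, {**GOLDEN_FIRMWARE, "gpu_firmware": b"patched"}, dict(REQUIRED_FLAGS), now=1000)
    print("modified GPU firmware:", verify_report(patched, key, nonce, now=1010))
    print("replayed report:", verify_report(good, key, new_nonce(), now=1010))
```

The ordering matters: the signature is checked before anything else is read, so a report altered after signing is rejected outright, while a report honestly produced by a node running the wrong firmware or with debug enabled fails on the specific measurement or flag, which is what an operator needs in order to act. The nonce and timestamp checks are what turn a one-time proof into something that cannot be recorded and presented again later.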

In short

The GTG-1002 campaign demonstrated that adversaries can now automate large-scale intrusions with minimal human oversight. Nearly every organization that experienced an AI-related breach did not have proper access controls in place.

Nvidia’s Vera Rubin NVL72 transforms racks of potential liabilities into cryptographically confirmed assets by encrypting every bus. AMD’s Helios offers an open standards alternative. Hardware confidentiality alone won’t stop a determined adversary, but when combined with strong governance and realistic threat exercises, rack-scale encryption gives security leaders the foundation they need to protect hundreds of millions of dollars worth of investments.

The question CISOs face isn’t whether attested infrastructure is worth it. The issue is whether organizations building high-value AI models can afford to operate without it.
