Recently, an AI system identified a vulnerability in OpenBSD, an open-source operating system widely considered among the most security-hardened in the world. The flaw had gone undetected for nearly three decades. That same wave of automated discovery surfaced thousands of zero-days across major operating systems and browsers in a matter of weeks. The median time from vulnerability discovery to active exploitation has collapsed from days to hours. Some industry projections for 2026 put that window inside an hour.

I’ve been a CISO at a hyperscaler, at a fintech, and at consumer scale. I’ve worked with federal customers and seen what compliance looks like when the stakes are existential. None of those seats fully prepared me for the speed of the current shift. We’ve seen security inflection points before. Cloud was one. Mobile was another. SaaS too. AI is the next, and the curve is steeper than any of them. So I want to be direct about what I think the new bar should be, for CoreWeave and for every cloud running AI workloads.

What machine-speed exploitation changes

The structural assumptions behind the security model most of us grew up with are under pressure. Patches that ship in thirty days don’t help against an exploitation window measured in hours. Detection that depends on signature updates is behind before it deploys. Workload isolation that depends on policy configurations is only as strong as the last drift event no one caught. And the AI-specific risks, like model supply chain compromise, training data integrity, prompt injection, and over-permissive agents, don’t map to the frameworks we already have. We are writing those playbooks live.

The shared responsibility model has stretched too. It used to be a clean line between security of the cloud and security in the cloud. AI added new layers on top. Who owns model weight integrity? Who owns training data lineage? Who owns inference protection? Who owns agent permissioning? CISOs need those lines drawn explicitly before procurement closes. Renegotiating after the fact rarely goes well.

The new bar

Enforcement is automated. Security decisions that can be encoded should not wait for a human. When a node drifts from its baseline at 3 a.m., the platform should bring it back before the operator wakes up. The operator gets the receipts in the morning. At fleet scale, anything else is wishful thinking.

Visibility is continuous, and it flows into the security tooling you already run. No CISO wants AI workloads sitting in a separate console no one watches. Telemetry, audit logs, and configuration state should land in your existing SIEM and detection stack in real time. Waiting for a forensic export after an incident is already too late. If our platform makes your AI environment a blind spot in your SOC, we have failed.

Process isolation has to be enforced in hardware. Software-defined compute separation matters, and we use plenty of it. But its assurances rest on configurations being correct and the underlying software not being compromised. For frontier AI workloads, where the value and density on a single node can be enormous, the boundary needs to sit lower in the stack. On CoreWeave, infrastructure, networking, storage, and security functions run on NVIDIA BlueField-3 DPUs. That’s separate hardware from the customer workload on the host. The boundary becomes a property of the silicon, which means a config file cannot grant it and a misconfiguration cannot weaken it. 

Trust has to be earned with evidence. Claims are not enough. We hold ourselves to current SOC 2 Type II certification for Bare Metal and CoreWeave Kubernetes Service, alignment with ISO 27001, ISO 27017, and ISO 27018, a public Trust Center, independent third-party penetration testing with documented remediation, and written documentation on data handling, residency, key management, and the shared responsibility model. All of that needs to be available while customers are still evaluating whether we belong on the short list, well before procurement engages.

How this shows up under pressure

I wrote about the foundations in November, this is the stress test. So how do these four requirements behave when the threat environment moves at the speed it is now moving?

When the exploitation window is one hour, the patch itself is no longer the only question. The harder question is whether the platform keeps enforcing a security state across thousands of nodes while we patch. That is what fleet automation, DPU-level enforcement, and telemetry-driven operations are for. When a customer scales from hundreds of nodes to thousands, the operational model has to scale with them. If it can’t, calling it a security model is generous.

When a customer’s security team asks whether they’ll be flying blind in our environment, the answer has to be no. Audit logs, operational events, and configuration state all have to flow into the tooling they already operate. Telemetry Relay and the operational interfaces around CoreWeave Mission Control^TM are built for that handoff.

When a node or workload is compromised, the question becomes blast radius. The DPU isolation model changes the math. Customer workloads stay isolated from CoreWeave operational functions, and the trust model survives a bad day instead of collapsing into it.

When procurement asks for evidence, we should be able to hand it over the same week. SOC 2 Type II report on request. Current ISO alignment documentation. Trust Center materials available up front. Written shared-responsibility documentation in your hands before the NDA conversation begins.

Questions every CISO should be asking

If you take one thing from this, take a list. These are the questions I would ask any AI infrastructure provider, including us, before signing.

1. Is tenant isolation enforced in hardware, or only in software policy?
2. Where does the shared responsibility line sit, specifically, for model weights, training data, and inference?
3. Can you produce a current SOC 2 Type II report on request?
4. When AI-assisted vulnerability discovery hits your stack, what is your disclosure-to-patch cadence?
5. Will your telemetry stream into our existing SIEM, or do my analysts have to watch your console?
6. Is customer-managed key encryption supported for model weights at rest?
7. Does identity revocation propagate across your fleet in seconds, and can you prove it?

If the answers come back specific and documented, you’re talking to a real partner. If they come back hedged or aspirational, keep looking.

A note on the moment

I’m not going to tell you AI security is a solved problem. It isn’t. The threat curve will keep getting steeper before it bends. What I will tell you is that I’ve spent my career rolling up my sleeves on problems like this one, and I haven’t been this energized about the work in years. The architecture we need is in place. The evidence is documented. And the honest conversations between security teams about what the new bar should be are starting to happen. We need them to keep happening.

If you want to go deeper:

• Visit the CoreWeave Trust Center for compliance documentation, certifications, and audit reports.
• Read our security architecture deep-dive for the technical foundation behind the platform.
• Talk to a CoreWeave AI infrastructure expert to discuss your specific security requirements.