Why concentrating data in AI models demands greater vigilance [Q&A]


Data that was once scattered across sprawling systems and silos -- providing natural obstacles to attackers -- is now concentrated and highly portable within AI models. This fundamental shift redefines the challenge of digital security.

We spoke to Dr. Luigi Caramico, CTO and co-founder of DataKrypto, to discuss how organizations can respond to this challenge.

BN: With data now concentrated and highly portable within AI models, how can organizations quickly update their data security strategies?

LC: Enterprise data that was once protected by its bulk and fragmentation is now compressed into compact, portable AI models. This centralization creates a new attack surface, where the theft of a single model can compromise years of intellectual property. Traditional protections like encryption at rest and in motion are no longer sufficient, as data and models are exposed in memory during training and inference.

Organizations must now secure AI across the entire lifecycle by:

  • Applying continuous encryption, including in GPU memory, so that no plaintext ever appears.
  • Using Trusted Execution Environments (TEEs) for secure key management and protection of sensitive boundaries such as input and output layers.
  • Leveraging homomorphic encryption that allows encrypted weights to run at GPU-native speed, avoiding performance trade-offs.

This layered approach ensures that stolen or exfiltrated models are cryptographically useless without enclave access.

BN: With AI models holding the crown jewels now, what happens to compliance, such as GDPR and HIPAA -- how do companies keep their data not only secure but adhere to mandates with AI?

LC: Regulators expect protection not just during storage and transmission, but also during active processing. Data exposure in system memory or GPU memory creates direct compliance risks.

  • GDPR requires appropriate safeguards to protect personal data during processing.
  • HIPAA expects electronic Protected Health Information (ePHI) to be secured across its full lifecycle.
  • CCPA raises liability if personal data is exposed in unencrypted form.

By combining continuous encryption with TEEs, companies can meet these mandates by ensuring that:

  • No plain text exists in memory or VRAM.
  • Keys are never exposed outside the enclave.
  • Each inference session is protected with unique keys to limit the scope of any compromise.

This creates a compliance-by-design model where privacy and regulatory requirements are satisfied at every stage of AI operation.

BN: AI performs best with access to vast, diverse datasets but the more AI systems learn, the greater the risk of exposing private data. How can companies keep up but also protect their valuable data?

LC: AI systems thrive on large, diverse datasets, but this also magnifies the risks of data leakage and memorization of unique or sensitive information. Proprietary research, financial records, or medical data can all be at risk of exposure through model misuse or extraction.

Companies can balance scale and protection by adopting encryption methods that:

  • Keep weights, embeddings, and activations encrypted at all times, even inside GPU memory.
  • Restrict decryption keys to TEEs, ensuring no external party can access raw data or outputs.
  • Encrypt each session with its own key, limiting exposure if a single session is compromised.

This approach allows organizations to safely provide sensitive data for training and inference without risking exposure or model theft.
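The two answers above both lean on the same design point: a master key that stays inside the enclave, and a separate key for every inference session (and every purpose, such as weights versus activations) so that one compromised session exposes nothing else. The following is an added illustration of that key-separation pattern, not DataKrypto's code or a description of their product; it assumes HKDF-SHA256 (RFC 5869) as the derivation function, an in-process `Enclave` class standing in for a TEE-held key manager, and an HMAC tag in place of the AEAD a real deployment would use with the derived key. The master secret, session identifiers and tensor blob are constructed for the demo.

```python
"""Per-session key separation for an AI inference service (added example).

A master key lives only inside the enclave; each session and purpose gets an
independent 256-bit key via HKDF-SHA256 (RFC 5869), so a key leaked from one
session cannot open another session's data and the master never leaves the
boundary. The Enclave class is an assumption standing in for a real TEE.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt -> HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ... truncated to `length` bytes."""
    n = -(-length // HASH().digest_size)  # ceil(length / HashLen)
    if n > 255:
        raise ValueError("HKDF output too long")
    okm, t = b"", b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


class Enclave:
    """Stands in for a TEE-held key manager: the master key never leaves it."""

    def __init__(self, master_key: bytes):
        self._master = master_key  # constructed secret; would be sealed to the TEE

    def session_key(self, session_id: bytes, purpose: bytes) -> bytes:
        # Session id as salt and purpose in `info` give independent keys for
        # every (session, purpose) pair: weights, activations, outputs, ...
        return hkdf(salt=session_id, ikm=self._master,
                    info=b"ai-inference/v1/" + purpose, length=32)

    def seal(self, session_id: bytes, purpose: bytes, blob: bytes) -> bytes:
        """Authenticate a tensor blob under the session key (HMAC tag here;
        a real deployment would use an AEAD such as AES-GCM with this key)."""
        k = self.session_key(session_id, purpose)
        return hmac.new(k, blob, HASH).digest()

    def verify(self, session_id: bytes, purpose: bytes, blob: bytes, tag: bytes) -> bool:
        k = self.session_key(session_id, purpose)
        return hmac.compare_digest(hmac.new(k, blob, HASH).digest(), tag)


def isolation_check() -> bool:
    """True if a tag made under session A verifies only under A and only for
    the purpose it was made for: the blast radius of one leaked key is one
    session's data for one purpose."""
    enclave = Enclave(os.urandom(32))  # constructed master secret for the demo
    session_a, session_b = os.urandom(16), os.urandom(16)
    activations = b"\x00\x3f\x80\x00" * 8  # constructed stand-in for a tensor blob
    tag = enclave.seal(session_a, b"activations", activations)
    same_session = enclave.verify(session_a, b"activations", activations, tag)
    other_session = enclave.verify(session_b, b"activations", activations, tag)
    other_purpose = enclave.verify(session_a, b"weights", activations, tag)
    return same_session and not other_session and not other_purpose


if __name__ == "__main__":
    print("per-session isolation holds:", isolation_check())
```

The derivation is deterministic, so the enclave never has to store per-session keys: it recomputes them from the master secret and the session identifier on demand, and rotating the master invalidates every session key at once.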

BN: Given all the data security tools on the market today, why aren't there fewer instances of data theft?

LC: Most tools today are designed to prevent access to the data itself through perimeter and access controls such as firewalls, intrusion prevention and detection systems (IPS/IDS), role-based access control (RBAC), and identity and access management (IAM). These defenses are important, but when they fail -- and history shows that eventually they do -- the data is left unprotected.

In the case of AI, once an attacker bypasses those controls, the model and the sensitive data it processes are sitting in plaintext in memory or GPU VRAM. At that point, the AI itself becomes the unlocked vault, freely accessible to whoever has gained privileged access.

The persistence of breaches stems from this gap:

  • Memory exposure during inference and training leaves raw data and models exposed.
  • Insider threats or compromised administrators can bypass access controls.
  • Multi-tenant cloud environments amplify the risk, as logical isolation does not prevent memory scraping.

Until encryption is extended into runtime memory and GPU environments, attackers who penetrate access controls will always find the most valuable assets -- the AI models and data -- unguarded.

BN: Fully homomorphic encryption (FHE) has also been around for a long time, allowing data to be secured continuously so, even if stolen, a hacker cannot access it. So why is FHE still so slow to adopt?

LC: Historically, FHE was too slow and resource-intensive for real-world deployment, with operations running thousands of times slower than plain text equivalents and ciphertexts expanding in size. This made it impractical for enterprise AI workloads.

Recent advancements now allow:

  • Encrypted weights to maintain the same size as plain text.
  • GPU-based inference to run at full speed without performance degradation.
  • Training and fine-tuning to be carried out securely in encrypted mode.

These breakthroughs have removed the historical bottlenecks, making FHE viable for enterprise-scale adoption.

BN: We are seeing NIST, CISA and White House Executive Orders for post-quantum cryptography. However, companies can secure data now with FHE. Do you think there should be a mandate for the adoption of FHE?

LC: While mandating FHE outright may be premature, regulators are increasingly requiring protection of data in use. Since quantum computing threatens traditional cryptography, adopting advanced encryption methods like FHE is both a proactive defense and a future-proof strategy.

Policy options could include:

  • Requiring runtime encryption of sensitive workloads, effectively mandating technologies like FHE.
  • Providing incentives for early adoption through compliance credits or reduced liability.
  • Expanding definitions of ‘appropriate safeguards’ to include in-use protection.

Given its ability to eliminate plaintext exposure, FHE represents the natural next step in regulatory expectations for AI security.

Image credit: BiancoBlue/Dreamstime.com
