NIST Security Framework Inadequate for Federal HPC AI Infrastructure, SentinelOne Warns
SentinelOne identifies a critical security gap in US Federal Government High-Performance Computing (HPC) AI infrastructure, arguing current NIST standards are insufficient for AI workloads.

The US Federal Government is investing $600 million to establish one of the world's most advanced AI infrastructure systems, known as the Genesis Mission. This initiative, driven by Executive Order 14363, aims to connect national laboratory supercomputers across critical domains like nuclear simulation, biodefense, and energy grid modeling. Fifty-one prominent organizations, including tech giants like NVIDIA, OpenAI, Microsoft, AWS, Google, and Oracle, have joined this endeavor.
However, SentinelOne Labs has identified a significant security deficiency: the existing framework governing these workloads was not designed for the scale and nature of modern AI applications. The current standard, NIST SP 800-234, the High-Performance Computing Security Overlay, while well-structured, was developed for deterministic HPC workloads. These traditional workloads, such as climate simulations or computational fluid dynamics, exhibit predictable behavior and can be secured through perimeter scanning, memory clearing between jobs, and integrity checks at load time. AI workloads, by contrast, break these fundamental assumptions.
Recent AI-driven supply chain attacks underscore the urgency of this issue. In a span of just three weeks, malicious actors targeted widely deployed software including LiteLLM, Axios, and CPU-Z. These attacks exploited trusted delivery channels, with compromised credentials, forgotten access tokens, and direct attacks on distribution infrastructure allowing malicious payloads to be delivered. Notably, an AI coding agent auto-updated to a compromised version of LiteLLM without human review, highlighting the danger of automated pipelines bypassing traditional security measures.
SentinelOne argues that these attacks demonstrate a critical gap where the authorization chain is legitimate, but the intent is subverted. Traditional security controls, including perimeter scans, signature libraries, and reputation lookups, fail to detect such threats because they focus on authorization rather than malicious intent within an otherwise trusted workflow. The speed at which these attacks can propagate through automated pipelines, without human checkpoints, poses a severe risk, especially when scaled to national laboratory supercomputers handling sensitive data.
The inadequacy of NIST SP 800-234 is particularly evident in its controls for AI workloads. Control SI-3 (Malware scanning) permits tailoring for performance, deferring to perimeter scanning, which is insufficient for AI workloads where malicious behavior might occur within expected computational ranges. SI-4 (System monitoring) acknowledges the challenges of high-speed data flows but lacks AI-specific telemetry requirements, leaving significant gaps in execution pipeline monitoring.
Furthermore, control SC-4 (Information in shared resources) addresses GPU memory clearing but neglects runtime behavioral monitoring and anomalous compute-pattern identification during AI training. The supply chain risk management (SR) family of controls, which are carried over from SP 800-53B without AI-specific guidance, fail to address crucial aspects like training-data provenance, model-weight integrity, or pre-trained-model validation, leaving a critical void in securing the AI development lifecycle.
SentinelOne has formally proposed solutions to the NIST HPC Security Working Group, acknowledging the need for runtime security measures that can monitor AI workloads during execution. These solutions aim to address the unique challenges posed by AI, such as detecting anomalous behavior in training pipelines and ensuring the integrity of data and model artifacts, which are as critical as the software supply chain itself.
The implications of failing to secure these advanced HPC AI infrastructures are profound. A compromised AI model trained on classified biodefense data, for instance, could produce results that are correct most of the time but maliciously manipulated under specific conditions. Without robust runtime security, the integrity and trustworthiness of AI-driven scientific research and national security initiatives could be severely compromised.