There is a question boards have learned to ask about cloud vendors: is our data segregated from other customers'? The answer, for a decade, has been architecture diagrams showing virtual networks, identity policies, and container boundaries. Executives nodded. The diagrams were true, as far as they went.

They do not go far enough for AI infrastructure, and almost no one outside a narrow circle of ML platform engineers is saying so publicly.

The Assumption Everyone Is Making

Every major AI inference platform — the API called for completions, the "private" model endpoint a vendor sold, the GPU cluster an internal team just stood up — rests on one assumption: that a container boundary, a scheduling namespace, and an access policy are sufficient to keep one customer's workload separated from another's on the same physical GPU.

They are not, and this is not a hypothetical.

The GPU driver — the software layer that actually talks to the chip — does not run inside any customer's container. It runs in the host operating system's kernel, at the highest privilege level on the machine, shared identically by every tenant scheduled onto that node. When a workload calls into the GPU, that call passes through the same kernel code, in the same memory space, as every other customer's workload sitting on the same physical server. There is no wall there. There is a driver, written by one vendor, patched on that vendor's schedule, and trusted implicitly by every cloud platform built on top of it.

"A container boundary was never designed to substitute for hardware isolation. It was designed to substitute for cooperation."

Two Ways This Fails — Neither Requires an Attacker

The driver itself gets exploited. The GPU driver is a closed-source binary several million lines long, and it has shipped multiple kernel-level vulnerabilities in recent years — memory-safety bugs that let an ordinary process running inside a customer container escalate to full control of the underlying physical server. Once that happens, every other tenant's data on that machine — model weights, customer prompts, session data — becomes readable. This is not a vendor being careless. It is the mathematics of a shared, closed-source, kernel-privileged codebase serving customers who were never meant to trust each other.

Nobody has to attack anything at all. This is the quieter problem, and the more common one. When a session ends and the GPU releases its memory back to the pool, that memory is not necessarily wiped before the next customer's workload is handed the same physical chips. Zeroing gigabytes of GPU memory on every handoff is expensive, so many platforms skip it as a performance decision made years before "AI infrastructure" was a board-level phrase. The next tenant scheduled onto those same chips can, without writing a single line of exploit code, read what is still sitting there: fragments of proprietary model weights, remnants of the previous customer's prompts. It is not theft in the legal sense of the word. It is leftovers.

A third mechanism sits underneath both. Many providers run a shared GPU scheduling service to squeeze more utilization out of expensive chips, letting several customers' workloads run on the same physical GPU simultaneously. That service is explicitly documented by the underlying hardware vendor as intended for trusted, cooperating jobs — not adversarial multi-tenancy. In that configuration, a crash triggered by one tenant's ordinary, non-malicious workload can take down every other tenant sharing that chip at that moment. No breach. No warning. A business-critical AI system goes dark because an unrelated customer's job hit a routine error three racks over.

Why This Hasn't Reached the Board Yet

This isn't classified. It is documented and discussed openly in ML infrastructure and security-research circles, and it is almost entirely absent from board decks. Three reasons explain the gap:

What This Means for Your Organization

If AI workloads — internal infrastructure or a vendor's — run on shared GPU capacity without hardware-level partitioning, three things are true right now, independent of whether anyone has attacked anything:

The Questions to Ask This Quarter

Before the next vendor renewal or infrastructure review, put these directly to the team or vendor responsible for AI infrastructure:

None of these questions have satisfying answers industry-wide yet. That is precisely why they belong on this quarter's risk register rather than next year's.