As #AI models become more powerful, they also present growing cyber security risks - therefore I’m excited to share that I’ve joined Cyber Realm Solutions as an #AI #Consultant to support their initiatives.
National Law Review Coverage - https://t.co/s1YM8bMuS4
The White House just signed an EO pushing AI labs to give the government early access to their most powerful models — plus a federal clearinghouse to scan critical infrastructure for vulnerabilities.
A real step. But it raises a harder question for operators 👇
The most sensitive systems — nuclear, grid OT, water, defense — can't connect production networks to a cloud AI API. By architecture and by rule.
Defensive AI only counts if it runs where the threat is. For air-gapped environments, that means on-prem. Sovereign by design.
OpenAI just confirmed two developer machines compromised in a supply-chain attack this week. Reminder: cloud AI means your threat model now includes the provider's pipeline, their dependencies, and their incident timeline — not just yours.
For regulated operators (energy, water, nuclear, finance, healthcare), ask 3 things: Where does inference run? What's in the upstream supply chain you can't see or patch? What happens to YOU when the provider has a bad day? If you can't answer, you don't control your AI.
Two stories from the last 10 days tell critical-infrastructure operators everything about the gap between regulation and reality.
May 21: White House pulled the AI cybersecurity EO.
May 12: Dragos published the first AI-assisted attack postmortem. Water utility. Claude + GPT recon.
Operator takeaway:
1) Federal benchmark on hold. The threat that motivated it isn't.
2) AI-assisted recon on regulated networks no longer needs a nation-state. Commercial LLMs lower the floor.
3) Air-gapped inference + segmentation are now preconditions, not hedges.
Brand discovery is shifting from search engines to #AI #Agents. They answer from the Semantic Web — knowledge graphs and structured entities, not your homepage. If your company isn't well-formed there, you're invisible to #AEO (Answer Engine Optimization).
Air-gapped AI = weights local, inference local, data never leaves the boundary, model under change control. Most "private AI" fails every test, regardless of sector. If you can't air-gap it, you can't audit it. https://t.co/JkUqeLs42R
IAEA closed CyberCon26 Friday + launched a Coordinated Research Project on computer security for AI in regulated environments. When the world's most exacting safety regulator decides AI needs its own security framework, every regulated industry should be reading the same memo.
New Kiteworks forecast: 91% of energy orgs lack network isolation for AI. 59% don't encrypt training data. 51% still run manual incident response. Same picture in healthcare, finance, government. Not an AI maturity gap — a perimeter problem with AI poured into it.
Infrastructure is named as a first-class cluster — hardware, network boundaries, isolation.
That's the policy hook for sovereign and air-gapped AI to move from preference to procurement requirement.
More: https://t.co/JkUqeLs42R
CISA and the G7 just published an SBOM standard for AI.
It dropped May 12 and barely registered — but if you operate or buy AI in a regulated environment, it's the document that just reshaped your compliance frontier.
Seven minimum-element clusters: Metadata, Models, Dataset Properties, System Level Properties, KPIs, Security Properties, Infrastructure.
Provenance is no longer a vendor talking point. The dependency graph is becoming legible the way open source did a decade ago.
CI Fortify will push operators to prove recovery without dependencies. AI dependencies count.
The organizations getting this right aren't the loudest. They're quietly architecting for control.
More: https://t.co/JkUqeLs42R
Two stories landed this week and they should be read together:
1) CISA launched CI Fortify — preparing critical infrastructure for cyber outages during geopolitical conflict.
2) The House opened an inquiry into PRC-origin AI models in U.S. critical infrastructure.
Read together they describe the same problem: AI is now inside the perimeter of systems we cannot afford to lose.
Sovereignty becomes architectural, not legal. You don't get sovereign AI from a procurement clause. You get it from where the model actually runs.