





























Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.
In this edition of The AI Exchange, Utimaco Inc. Vice President of Products and Strategy, Manish Upasani, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security.
How has your AI strategy evolved over the past 12–18 months?
Following the recent growth of AI, Utimaco has transitioned from merely observing AI to actively safeguarding it. As a provider of foundational cryptographic infrastructure, Utimaco is strategically positioning this infrastructure as the security layer beneath AI workloads on-prem and in the cloud.
Our approach has evolved from being AI-adjacent to AI-foundational. While our HSMs and key management solutions have consistently secured sensitive data, we have recognized over the past 12–18 months that AI pipelines now constitute some of the most sensitive data environments within any enterprise. Consequently, we have explicitly repositioned our portfolio to address this reality.
We have established our AI-era partner ecosystem. We announced a technology alliance with key players in the AI space, including the VAST Cosmos community, as a technology partner. This alliance integrates our enterprise secure key manager with VAST’s AI operating system to protect sensitive data powering modern AI platforms.
In addition to securing AI workloads for our customers, we are actively exploring the utilization of AI for internal use cases and quality assurance processes. The inherent challenges associated with employing AI in highly regulated industries and products, such as HSMs, are being addressed in collaboration with compliance laboratories and internal auditors. We are exploring an airgapped AI infrastructure to mitigate the risk of intellectual property leakage.
What is one AI initiative that has already delivered a measurable impact, and what made it successful?
Typically, we do not develop AI products; instead, we secure the infrastructure on which AI operates. We are collaborating with our partners who develop AI products to enhance the protection of AI datasets, models, and workloads through secure lifecycle management of encryption keys. This approach involves centralized key control across distributed AI infrastructure, providing a single pane of glass for management.
We adhere to our core principle of not reinventing the wheel. Rather than developing an AI platform, we leveraged our proven cryptographic expertise to integrate with AI workloads, thereby reducing customer deployment risk and accelerating time-to-value.
In addition, we are utilizing AI to augment our documentation, particularly for integration guides, to enhance customer value. The AI-generated and validated integration guides enable us to remain current and validate processes, ensuring an error-free experience for our customers.
How are you approaching AI governance, particularly around data privacy and security?
Utimaco’s governance approach is firmly grounded in its hardware-anchored trust. We firmly believe that AI governance without cryptographic enforcement at the hardware level is not governance at all.
Our governance philosophy begins at the root of trust. You cannot govern what you cannot control, and leveraging encryption, you cannot exhibit control without controlling the keys. Our HSMs provide the hardware-anchored root of trust that makes AI governance enforceable, including the proven encryption technologies.
We have been closely engaged with the EU AI Act since early 2024, recognizing that it establishes proposed safety mechanisms to effectively control and regulate AI. For privacy specifically, our FIPS 140-3 Level 3 certified HSMs and key management solutions ensure that cryptographic keys never leave a tamper-resistant hardware boundary. In an AI world where models and agents can access vast amounts of enterprise data, this becomes a critical governance control.
We have structured our AI-era partnerships to provide a comprehensive security framework across on-premises, cloud, and hybrid infrastructures because AI workloads do not respect infrastructure boundaries, and neither should your governance framework.
What challenges have become more apparent as AI capabilities have matured?
AI has significantly expanded the attack surface for sensitive data, and the rapid advancement of AI capabilities has outpaced the security architectures of most organizations.
The most pressing challenge we observe is the expanding cryptographic attack surface. All enterprise data, whether public or classified, is now accessible to AI frameworks and more to AI agents, enabling them to make autonomous decisions. This creates an even larger volume of data, which is more lucrative and susceptible to various attack vectors. This ever-expanding AI-generated data landscape presents escalating complexity and manageability challenges. Keys that previously protected data accessed by humans now safeguard data accessed by autonomous systems, resulting in a significantly larger governance surface.
Harvest-now, decrypt-later attacks are a compounding threat. As AI capabilities accelerate, so does progress toward quantum computing. Adversaries are already collecting encrypted data today with the intention of decrypting it once quantum systems mature. NIST has standardized quantum-secure algorithms and established a timeline of 2030 for their implementation and the obsolescence of current cryptographic algorithms such as RSA and Elliptic Curve. Organizations that delay migration are accumulating risk they may not even be aware of.
Crypto agility is no longer a desirable feature. The pace of algorithm standardization and regulatory changes means that hard-coded cryptographic implementations become liabilities. Our Quantum Protect solution is designed to be field-activatable, allowing customers to add post-quantum cryptography (PQC) support without replacing hardware. This is because we anticipated that organizations would need to adapt without the need for forklift upgrades.
The skills gap remains acute. AI tools can help fill some of that gap, but they also introduce new risks if not properly governed.
What advice would you provide for an organization moving from early AI adoption to broader implementation?
We would like to emphasize the importance of establishing a robust cryptographic foundation before implementing and scaling your AI system. Governance debt, similar to technical debt, accumulates over time and can be significantly more costly to address retroactively.
We would like to highlight a few key points:
What AI trend are you most excited about?
In the wake of the heightened risk surface introduced by AI, new opportunities have emerged. Utimaco is actively monitoring the convergence of AI and post-quantum cryptography, particularly by utilizing AI to expedite the migration of PQC. Several emerging topics at Utimaco include:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。