






























Artificial Intelligence and Machine Learning workloads are grounded in established software engineering and infrastructure principles. While AI and ML lifecycles introduce new operational constraints, they still execute as workloads on compute, storage, and networking platforms, fitting naturally within familiar IaaS, PaaS, and SaaS delivery models (AI is still a workload somewhere).
Organizations either deploy AI systems on their own infrastructure or consume models as managed services. In this article, we focus on AI applications deployed on Kubernetes and cloud infrastructure, with particular attention to Oracle Cloud Infrastructure (OCI) and Oracle Kubernetes Engine (OKE).
OCI is increasingly adopted for security, compliance, and data sovereignty reasons. Thanks to its cost efficiency, and strong alignment with enterprise and regulatory requirements, OCI provides a solid foundation for AI and high-performance computing (HPC) applications. Features such as RDMA-enabled networking (high-bandwidth, ultra-low latency) are especially relevant for highly demanding parallel computing workloads (financial, automotive, aerospace, biomedical, GenAI, BigData).
The AI threat surface spans a layered stack (physical CPU and GPU, virtualization layers up through models, data, inference, agents, applications, and APIs). MLOps platforms such as Kubeflow and MLflow manage model artifacts and training pipelines tightly coupled to shared data stores.
At runtime, inference engines such as vLLM and TensorRT-LLM execute with high privilege and sustained GPU access. In Kubernetes environments, stacks such as llm-d provide distributed serving primitives around model workers, while platforms such as NVIDIA Triton Inference Server provide a production grade inference server for multiple model backends.
Above this, agent layers built with frameworks like LlamaIndex or LangChain dynamically connect models, tools, and data before exposing functionality through application and API layers. These layers are tightly interconnected, weaknesses at any point can propagate upward, resulting in model theft, data exposure, or large-scale GPU abuse.
OCI and OKE provide a solid, well-managed platform, but attackers focus on what you deploy on top of it. Under OCI’s shared responsibility model, Oracle manages the control plane, while customers are responsible for application security and most data-plane operations. Below are examples of how this model works.
Core responsibilities
Shared operations
Security and patching
Support scope
Application and networking ownership
Attacks are increasing in volume, sophistication, and impact. Over the past several months, many notable incidents have highlighted how rapidly threats are evolving:
July 2025 - LangFlow Server RCE vulnerability → Unauthenticated AI pipeline takeover.
July 2025 - Nvidia Container Escape → Container-to-host GPU escape.
Nov 2025 - ShadowRay 2.0 → AI inference server exploit and cloud malware.
Nov 2025 - Keras Supply Chain Vulnerability → ML dependency supply-chain abuse.
Jan 2026 - IBM Bob duped to run malware → Trusted AI agent compromise.
For deeper analysis and additional examples, see the Sysdig Threat Research Team content.
Most of these attacks are executed inside running workloads, often entering through supply-chain weaknesses or zero-day exploits and escalating via over-privileged GPU runtimes, exposed inference services, or misconfigured data and vector stores.
Consequently, we must lend special attention to:
Real time behavior
Even with a strong security posture, zero-day and supply-chain attacks can bypass preventive controls, making runtime protection essential for detecting and stopping abnormal behavior in AI and GPU workloads. In LLM-based systems, for example, prompt-based attacks can lead to resource hijacking and unintended compute abuse.
A single metric is not enough. As we saw with ShadowRay 2.0, attackers kept a low GPU usage to avoid triggering alerts. An effective security approach has to correlate multi-domain information in real time.
Security posture and guardrails
CI/CD security and Kubernetes security posture management (KSPM) platforms can prevent attacks early by detecting poisoned dependencies, exposed AI services, and unsafe GPU or Kubernetes configurations, while enforcing least-privilege IAM, trusted images, and hardened GPU node pools.

Sysdig protects AI workloads by aligning its CNAPP platform around three foundational pillars.
Runtime insights provide deep, real-time visibility into AI and GPU workloads with multi-domain correlation.
Agentic AI that takes precise action for detection and response to stop threats as they execute, from inference server exploits to container escapes.
Open innovation underpins the platform, leveraging open source, transparent policies, and customer-controlled rules to build trust and keep teams in control. Together, these pillars span the full AI lifecycle, ensuring production-grade applications remain secure without sacrificing performance or velocity.

Learn more by downloading the whitepaper Operational Security for OKE GPU-Accelerated AI Applications
Defending your AI attack surface against threats requires leveraging key security best practices and capabilities.
CI/CD vulnerability and risk management prevent AI attacks by blocking poisoned dependencies, exposed services, and unsafe GPU/Kubernetes configs before deployment. Sysdig runtime insights reduce the noise, helping with a clean prioritization.
Zero-days and supply-chain flaws still occur, so runtime detection is critical to stop abnormal behavior in AI and GPU workloads.
When the cost of a cloud breach is $4.45 million, security teams need to respond fast to attackers. Sysdig redefined the detection and response benchmark with the Sysdig 555. Here's how:
Want to learn more? Explore the Sysdig Secure website.
Security for GPU-accelerated Kubernetes clusters should not be an afterthought. Security must be addressed from the earliest design phase, which is why starting from a well-defined landing zone or blueprint is important to ensure clusters are secure by default.
Oracle addresses this need through a growing set of OCI Kubernetes blueprints for AI applications, including reference architectures for large language models. These blueprints provide validated infrastructure designs, recommended GPU and node profiles, required software components, and baseline monitoring configurations. They allow teams to move faster while avoiding ad-hoc, insecure deployments when adopting new architectures.
Sysdig and Oracle Kubernetes Engine jointly developed a Quick Start blueprint that focuses specifically on security. This blueprint enables one-click deployment of OKE clusters with Sysdig Secure integrated by default, using Terraform and aligned with OCI Quick Start standards. The goal is to make runtime security, visibility, and threat detection part of the initial cluster design, rather than something retrofitted after workloads are already running.
Modern security teams understand that tools only provide value when they are properly integrated and used in day-to-day operations. This usually means fitting new tools into an existing security stack. This is especially true for SOC teams, which tend to have well-established views on workflows, data ownership, and response automation.
Because operational models vary widely, teams need to make deliberate choices around integrations, ownership, and response patterns. To determine how Sysdig should be deployed within your security stack, consider the following questions.
OKE on OCI delivers a resilient and compliant foundation for GPU accelerated AI workloads, but responsibility for securing the applications running on top ultimately rests with you.
While much of the security industry focuses on analyzing outputs and adding guardrails at the prompt layer, infrastructure, supply chain, and runtime security remain essential first class concerns. The emerging AI threat landscape and new technology stacks demand a dedicated security approach.
Sysdig provides AI workload protection capabilities to address this challenge, including near real time detection, security signal enrichment to reduce noise and lower costs, and strong integration with compliance and security operations platforms.
Read more about Sysdig and Oracle Cloud:
Download the full whitepaper here.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。