Last year, I audited an AI deployment at a healthcare company that had implemented what they believed was a strong security architecture. Their model weights were encrypted with AES-256. Their API traffic was TLS-encrypted. Their access controls used role-based permissions with MFA. On paper, it looked solid.
The key management was handled by a software KMS running on a standard virtual machine.
That single architectural decision meant that every cryptographic key protecting their patient-facing diagnostic model was accessible to whoever controlled that VM — the hypervisor, the cloud provider's operations staff, anyone who could compromise the VM through a software vulnerability. AES-256 encryption with a key in software is not strong encryption. It's encryption theater.
This is one of the most common and most consequential security architecture mistakes I see in AI deployments. Let me explain why, and what doing it right actually requires.
What a Hardware Security Module Actually Is
A Hardware Security Module is a dedicated piece of hardware designed to do one thing: store and use cryptographic keys in a way that makes extraction impossible. Not computationally infeasible — physically impossible.
The distinction matters. Software key management stores keys in memory on a system. An attacker who gains access to that system — through a vulnerability, a misconfiguration, a compromised admin account, a hypervisor-level exploit — can read the keys. The encryption protecting your data is only as strong as the access controls protecting the system where the keys live.
An HSM stores keys inside a tamper-resistant hardware boundary. The key material never leaves the HSM in cleartext. All cryptographic operations — encryption, decryption, signing — are performed inside the HSM. The HSM is designed to detect tampering and respond by zeroizing its keys — destroying them rather than letting an attacker extract them. This is a physical property of the hardware, not a software configuration.
The standards that govern HSMs are meaningful. FIPS 140-3 Level 3 certification — the common standard for enterprise HSMs — requires tamper detection, key zeroization on tamper detection, and defense against physical attacks including power analysis and fault injection. An HSM that doesn't meet this standard is not an HSM in the security-relevant sense.
Why AI Key Management Has Unique Requirements
The key management needs for AI deployments are different from traditional enterprise key management in ways that matter for architecture decisions.
Model weight protection. The primary key management requirement for AI inference is protecting the keys that encrypt model weights at rest. This is a high-value target: a proprietary model is often a company's most valuable intellectual property. The keys need to protect weights during storage, during transit to the inference environment, and during the brief window when they're used to decrypt weights into GPU memory. Each phase has different latency and throughput requirements that affect which HSM features matter.
Training data protection. Federated learning, privacy-preserving training, and other advanced training architectures require key management for training data. The keys need to support secure multi-party computation protocols where different parties hold key shares. HSM support for threshold cryptographic operations is relevant here.
Inference result signing. For high-assurance deployments, inference outputs should be signed by a key held in an HSM. This provides non-repudiation — a downstream system can verify that results came from a specific model running in a specific attested environment. This requires HSMs that support signing operations with adequate throughput for your inference volume.
Regulatory requirements. HIPAA, GDPR, and sector-specific regulations (PCI-DSS, SOX, Basel III) have requirements around cryptographic key management for systems handling regulated data. Most of these regulations explicitly or implicitly require hardware-based key storage for high-sensitivity applications. Using a software KMS for AI systems that process healthcare data, financial data, or other regulated information creates compliance risk that goes beyond the security risk.
The Threat Model: What HSMs Protect Against
Understanding what HSMs actually protect against — and what they don't — is essential for making good architectural decisions.
What HSMs protect against:
Software-layer key extraction. A compromised OS, hypervisor, or application cannot extract keys from an HSM. This is the primary threat HSMs address. If your cloud provider's hypervisor is compromised, or if an attacker gains VM-level access to your key management infrastructure, an HSM prevents key extraction. A software KMS does not.
Insider threat. An insider with access to the VM running your key management software can extract keys. An insider with access to the HSM hardware can trigger tamper detection and destroy the keys, but cannot extract them. This is a meaningful difference for deployments where insider threat is part of the threat model.
Key material exposure in memory. Software KMS keys may be exposed in memory dumps, core dumps, crash reports, or swap files. HSM keys never exist in cleartext outside the hardware boundary, so these attack vectors don't apply.
Compromised build/deployment pipelines. Keys that were generated in software and deployed to production are accessible throughout the deployment pipeline. HSMs generate keys inside the hardware boundary and keep them there — the key material never exists in a deployable form.
What HSMs don't protect against:
Application-level attacks. An attacker who can call the HSM's API can request decryption operations. If your inference application has a vulnerability that lets an attacker call decryption with arbitrary ciphertext, the HSM will happily decrypt — because the HSM can't distinguish legitimate calls from attacks. Application security and HSM security are complementary, not substitutes.
Performance overhead. HSM operations have latency — typically microseconds to milliseconds per operation, depending on the HSM and the operation. For model weight decryption, where you might decrypt gigabytes of weights at cold start, this adds meaningful time.Architectures need to account for this through caching strategies, warm instance patterns, or hardware that supports faster key operations.
HSM configuration errors. An HSM configured to allow insecure key extraction or weak access controls is not meaningfully better than software. Proper HSM configuration — PIN policies, role separation, audit logging, network segmentation — is essential and often neglected.
Cloud HSM Options: What the Providers Offer
All three major cloud providers offer HSM-backed key management with FIPS 140-2 Level 3 certification. Understanding the differences matters for AI deployments.
AWS CloudHSM. AWS CloudHSM provides dedicated HSM instances in your VPC — hardware that you control, isolated from shared infrastructure. This eliminates the multi-tenancy risk of AWS KMS (which uses shared HSM infrastructure). CloudHSM supports standard PKCS#11, Java JCA/JCE, and Microsoft CAPI/CNG interfaces, making integration with most key management consumers straightforward. The tradeoff: you manage the HSM instances, including high availability, failover, and firmware updates.
Azure Dedicated HSM. Azure's dedicated HSM service provides Thales Luna Network HSMs in Azure datacenters. It offers similar isolation properties to AWS CloudHSM. Azure's advantage for Microsoft-heavy environments is deeper integration with Azure services and Active Directory-based access control. The HSM management is through Azure's portal, which some organizations prefer over direct HSM CLI management.
GCP Cloud HSM. Google's Cloud HSM uses Google's own Titan HSMs — purpose-built by Google for their infrastructure. GCP's HSM integrates with Cloud KMS, providing both dedicated HSM protection and the management interface of a cloud-native KMS. This is often the lowest-friction option for GCP-native deployments.
For AI specifically, the critical question is integration with your inference runtime. Most AI inference frameworks don't natively integrate with HSMs — you'll need to build or adapt the key management layer. This is where the integration complexity lives: how does your inference service authenticate to the HSM, request key unwrapping, and handle HSM failover without downtime?
Building an HSM-Backed Architecture for AI Inference
Here's the architecture I've seen work for production AI deployments with HSM-backed key management:
Key hierarchy. Use a tiered key structure. At the top: a master key stored in the HSM, never exported, used only for key wrapping. Below it: key-encrypting keys (KEKs) that wrap the model-specific data encryption keys (DEKs). The DEKs are stored encrypted by the KEKs and are the keys actually used for model weight encryption. This hierarchy allows you to rotate model-specific keys without touching the HSM master key, reducing HSM operational overhead.
Model deployment workflow. When a model is deployed: (1) the DEK is generated, (2) the model weights are encrypted with the DEK, (3) the DEK is wrapped with the KEK and stored alongside the encrypted model, (4) the encrypted model is stored in your model registry. At inference startup: (1) the wrapped DEK is retrieved, (2) it's sent to the HSM for unwrapping, (3) the HSM returns the cleartext DEK to the inference service (ideally in a memory-protected region), (4) the inference service uses the DEK to decrypt weights. The cleartext DEK exists in memory only during the decryption window — then it can be cleared.
Attestation integration. For deployments using confidential computing, the HSM key release should be gated on attestation. The HSM verifies the attestation report from the requesting instance — confirming it's a genuine, attested TEE running the expected software — before releasing the KEK. This creates a defense-in-depth architecture: even if someone extracts the encrypted DEK from the model registry, they can't decrypt it without both the HSM and a valid attestation from a properly configured TEE.
HSM high availability. Production HSM deployments should have at least two HSMs in a cluster for redundancy. Most HSM platforms support redundant HSM networks with automatic failover. The operational complexity is real — you'll need to manage HSM cluster configuration, key synchronization, and firmware updates across the cluster. Budget engineering time for this; it's not a set-and-forget component.
The HSM Beyond Encryption: Signing and Attestation
For high-assurance AI deployments, HSMs serve a second critical function: signing keys for inference result attestation.
When an inference result is signed by an HSM-held key, a downstream service can verify that the result was produced by a specific model, in a specific environment, without modification. This is valuable for:
Audit chains. Regulated industries often need auditable proof that specific decisions were made by specific models at specific times. HSM signing provides the non-repudiation property that makes this audit chain legally meaningful.
Multi-party inference. When you're running inference on behalf of a client who needs cryptographic proof of what model processed their data, HSM signing lets you provide that proof without giving the client access to your model weights.
Chain of custody. For AI outputs used as evidence or in legal proceedings, the provenance chain matters. HSM attestation signatures create a cryptographically verifiable chain from the hardware root of trust through to the specific output.
What Most Organizations Get Wrong
Based on audits and reviews I've done of AI security architectures, the most common HSM-related mistakes:
Using cloud KMS instead of dedicated HSM for high-value models. AWS KMS, Azure Key Vault, and GCP Cloud KMS use shared HSM infrastructure — your keys are protected by HSMs that also protect other customers' keys. For commodity use cases, this is fine. For proprietary models where the weights represent significant competitive advantage, the shared infrastructure means your keys share a trust boundary with strangers. Dedicated HSMs — CloudHSM, Azure Dedicated HSM, Cloud HSM — are the right choice.
Not rotating keys. Keys that have encrypted model weights for years without rotation accumulate exposure. If a key is ever compromised, all model versions encrypted with that key are compromised. Establish a key rotation schedule — annually at minimum, quarterly for highest-sensitivity models — and build the rotation process into your model deployment pipeline before you need it.
Treating HSM as a compliance checkbox. An HSM that isn't properly configured, monitored, and maintained provides legal compliance without actual security. Configure your HSM with strong PIN policies, separate admin and crypto officer roles, audit logging, and network controls. Review HSM access logs as part of your security operations practice, not just during audits.
Ignoring HSM performance. HSM operations add latency that doesn't exist with software key management. Architect for this from the start. If your cold start time matters, implement model pre-warming or use cached DEK patterns that reduce HSM calls per inference request. Measure HSM overhead in staging before deploying to production.
The bottom line: if your most sensitive AI models are protected by keys stored in software, your encryption is protecting against the wrong threat. A sophisticated attacker who compromises your infrastructure won't brute-force AES-256 — they'll extract the key from wherever you stored it. HSMs make that extraction impossible.
The confidential computing architecture I've described in other posts achieves much of its security through the HSM-backed key management that underlies it. The TEE is only as trustworthy as the key management infrastructure that releases keys to it. Build both right.