TL;DR: America’s AI Action Plan pairs rapid federal AI adoption with over 90 near-term actions, but the security burden shifts to visibility, compliance, and attack-path control across cloud and Kubernetes environments, according to Orca Security. The real test is whether agencies can secure AI infrastructure at deployment speed without creating a governance gap that outpaces review cycles.
NHIMG editorial — based on content published by Orca Security: securing the foundation of AI innovation
By the numbers:
- America’s AI Action Plan includes over 90 near-term federal actions.
- Orca Security says its platform includes over 200 built-in compliance frameworks.
Questions worth separating out
Q: How should security teams govern AI infrastructure across cloud and Kubernetes?
A: They should govern AI infrastructure as a combined asset, identity, and exposure problem.
Q: Why do fast-moving AI programmes create new compliance risk?
A: Fast-moving AI programmes create risk because security evidence can lag behind real cloud state.
Q: What do teams get wrong about securing AI workloads in the cloud?
A: They often treat AI workloads as a separate security domain when the real exposure sits in cloud permissions, Kubernetes access, and dependent application paths.
Practitioner guidance
- Build a single AI asset inventory Track model services, cloud resources, Kubernetes clusters, and the identities that connect them in one inventory.
- Prioritise attack paths to crown-jewel AI systems Use attack-path analysis to identify which cloud and application weaknesses can actually reach mission-critical AI workloads.
- Map compliance evidence to live configuration Tie reporting for frameworks such as NIST CSF and NIST SP 800-53 to current cloud state, access paths, and workload changes.
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- FedRAMP Moderate authorization details and how the platform is positioned for government procurement workflows
- The specific compliance frameworks Orca says it maps to across federal, state, local, and education environments
- Expanded application security capabilities such as SAST, SCA, and IaC scanning in the federal AI development lifecycle
- How its risk prioritisation and automated remediation workflow is described for mission-critical cloud environments
👉 Read Orca Security's analysis of securing federal AI infrastructure →
AI infrastructure security: what federal teams need to close now?
Explore further
AI infrastructure security is now an identity and attack-path problem. The article is not really about AI models alone. It is about how cloud entitlements, Kubernetes access, and supporting application paths turn AI infrastructure into a broader exposure surface that security teams must govern as a connected system. The implication is that programme owners need to treat AI workloads as part of the wider identity and access graph, not as isolated innovation projects.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How can organisations tell whether AI security controls are working?
A: They should look for shorter time from discovery to remediation, fewer reachable attack paths to high-value systems, and compliance reports that match live configuration. If controls are working, exposure shrinks in practice and evidence stays current. If not, the organisation is only generating paperwork while risk remains unchanged.
👉 Read our full editorial: AI infrastructure security must catch up with federal AI adoption