Most physical security assessments are conformance exercises: walk the site with a standard, mark controls present or absent, deliver a traffic-light report. For an office park that is fine. For an AI campus it produces a dangerous artifact: a green dashboard for a site that a motivated adversary could take offline in an afternoon.
The threat population changed
Three actor classes now matter that the checklists were never written for. First, ideologically motivated groups: data centers have become protest targets in several European markets over power, water and AI itself, and a blockade at the gate is an availability incident whether or not anyone crosses the fence. Second, organized theft that has repriced its targets: the same crews that took copper now understand what an accelerator tray sells for. Third, sophisticated actors for whom the physical site is simply the cheapest path to a digital asset: model weights, customer data, or a foothold in the management network.
For an AI campus, consequence is measured in training-run days, not in server counts.
Consequence is the number that changes decisions
A risk-based assessment prices every finding against what it protects. The unit that lands in an AI boardroom is not “downtime” in the abstract: it is the cost of an interrupted training run. A power event that forces a fleet back to its last checkpoint can burn weeks of GPU time, which is to say millions of dollars, without a single component being stolen. Once you price findings that way, priorities reorder themselves: the substation fence and the chiller yard rise, the lobby turnstile falls, and the budget conversation becomes short.
What we do differently on the walk
- Adversary sequencing: for each actor class, walk their actual route, from public road to objective, and note the first control that would realistically stop them and the first that would detect them.
- Detection before resistance: a gate that delays for five minutes but alerts no one is scenery. We map time-to-detection along every route.
- Consequence interviews: sit with the operations and ML platform leads and price the bad afternoons. The threat model is only as good as the cost model under it.
- One deliverable: a ranked list where every line reads risk, control, cost, owner. If a finding cannot name what it protects, it does not ship.
We assess campuses like this every month. A threat model of your own is one conversation away.