Field notes · Case F-22 · NERC CIP

NERC CIP without a utility badge

The grid’s security standards are mandatory, audited, and enforced with fines that reach a million dollars per violation per day. AI campuses are moving closer to that world than their owners think.

Most compliance frameworks are advice wearing a tie. NERC CIP is different in kind: it is regulation, with audits, findings, and civil penalties that can reach seven figures per violation per day. Utilities have lived under it for nearly two decades, and it has shaped a culture the rest of critical infrastructure quietly envies: evidence first, change control that actually controls, and physical security treated as an auditable system rather than a facilities line item.

A framework asks how you feel about controls. A regulation asks for the evidence, dated, and fines the gap.

Why a data center should care

Two reasons. The first is proximity: AI campuses are signing interconnections at gigawatt scale, colocating with generation, and negotiating behind-the-meter arrangements. The closer your electrical relationship to the bulk power system, the more interest regulators and your utility counterparties take in your practices, and contract clauses increasingly pass CIP-shaped obligations downstream. The second is quality: CIP-014, the physical security standard written after the Metcalf substation attack, is simply a good discipline: identify the critical sites, assess the threats site-specifically, and engineer protection against them, with third-party review. That loop applies to a compute campus word for word.

What to borrow, voluntarily

We translate CIP discipline for private campuses. Borrowed early, it costs a fraction of what imposed later does.