The AI Exchange: Innovators in Payment Security Featuring Utimaco

Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.
In this edition of The AI Exchange, Utimaco Inc. Vice President of Products and Strategy, Manish Upasani, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security.
How has your AI strategy evolved over the past 12–18 months?
Following the recent growth of AI, Utimaco has transitioned from merely observing AI to actively safeguarding it. As a provider of foundational cryptographic infrastructure, Utimaco is strategically positioning this infrastructure as the security layer beneath AI workloads on-prem and in the cloud.
Our approach has evolved from being AI-adjacent to AI-foundational. While our HSMs and key management solutions have consistently secured sensitive data, we have recognized over the past 12–18 months that AI pipelines now constitute some of the most sensitive data environments within any enterprise. Consequently, we have explicitly repositioned our portfolio to address this reality.
We have established our AI-era partner ecosystem. We announced a technology alliance with key players in the AI space, including the VAST Cosmos community, as a technology partner. This alliance integrates our enterprise secure key manager with VAST’s AI operating system to protect sensitive data powering modern AI platforms.
In addition to securing AI workloads for our customers, we are actively exploring the utilization of AI for internal use cases and quality assurance processes. The inherent challenges associated with employing AI in highly regulated industries and products, such as HSMs, are being addressed in collaboration with compliance laboratories and internal auditors. We are exploring an air-gapped AI infrastructure to mitigate the risk of intellectual property leakage.
What is one AI initiative that has already delivered a measurable impact, and what made it successful?
Typically, we do not develop AI products; instead, we secure the infrastructure on which AI operates. We are collaborating with our partners who develop AI products to enhance the protection of AI datasets, models, and workloads through secure lifecycle management of encryption keys. This approach involves centralized key control across distributed AI infrastructure, providing a single pane of glass for management.
We adhere to our core principle of not reinventing the wheel. Rather than developing an AI platform, we leveraged our proven cryptographic expertise to integrate with AI workloads, thereby reducing customer deployment risk and accelerating time-to-value.
In addition, we are utilizing AI to augment our documentation, particularly for integration guides, to enhance customer value. The AI-generated and validated integration guides enable us to remain current and validate processes, ensuring an error-free experience for our customers.
How are you approaching AI governance, particularly around data privacy and security?
Utimaco’s governance approach is firmly grounded in its hardware-anchored trust. We firmly believe that AI governance without cryptographic enforcement at the hardware level is not governance at all.
Our governance philosophy begins at the root of trust. You cannot govern what you cannot control, and when leveraging encryption, you cannot exhibit control without controlling the keys. Our HSMs provide the hardware-anchored root of trust that makes AI governance enforceable, including the proven encryption technologies.
We have been closely engaged with the EU AI Act since early 2024, recognizing that it establishes proposed safety mechanisms to effectively control and regulate AI. For privacy specifically, our FIPS 140-3 Level 3 certified HSMs and key management solutions ensure that cryptographic keys never leave a tamper-resistant hardware boundary. In an AI world where models and agents can access vast amounts of enterprise data, this becomes a critical governance control.
We have structured our AI-era partnerships to provide a comprehensive security framework across on-premises, cloud, and hybrid infrastructures because AI workloads do not respect infrastructure boundaries, and neither should your governance framework.
What challenges have become more apparent as AI capabilities have matured?
AI has significantly expanded the attack surface for sensitive data, and the rapid advancement of AI capabilities has outpaced the security architectures of most organizations.
The most pressing challenge we observe is the expanding cryptographic attack surface. All enterprise data, whether public or classified, is now accessible to AI frameworks and more to AI agents, enabling them to make autonomous decisions. This creates an even larger volume of data, which is more lucrative and susceptible to various attack vectors. This ever-expanding AI-generated data landscape presents escalating complexity and manageability challenges. Keys that previously protected data accessed by humans now safeguard data accessed by autonomous systems, resulting in a significantly larger governance surface.
Harvest-now, decrypt-later attacks are a compounding threat. As AI capabilities accelerate, so does progress toward quantum computing. Adversaries are already collecting encrypted data today with the intention of decrypting it once quantum systems mature. NIST has standardized quantum-secure algorithms and established a timeline of 2030 for their implementation and the obsolescence of current cryptographic algorithms such as RSA and Elliptic Curve. Organizations that delay migration are accumulating risk they may not even be aware of.
Crypto agility is no longer a desirable feature. The pace of algorithm standardization and regulatory changes means that hard-coded cryptographic implementations become liabilities. Our Quantum Protect solution is designed to be field-activatable, allowing customers to add post-quantum cryptography (PQC) support without replacing hardware. This is because we anticipated that organizations would need to adapt without the need for forklift upgrades.
The skills gap remains acute. AI tools can help fill some of that gap, but they also introduce new risks if not properly governed.
What advice would you provide for an organization moving from early AI adoption to broader implementation?
We would like to emphasize the importance of establishing a robust cryptographic foundation before implementing and scaling your AI system. Governance debt, similar to technical debt, accumulates over time and can be significantly more costly to address retroactively.
We would like to highlight a few key points:
- Prioritize Security: Many organizations are replicating the mistakes of early cloud adoption: moving rapidly, acquiring capabilities, and inadvertently discovering security vulnerabilities at scale. Establish your key management, data protection, and access governance architecture before expanding AI deployment.
- Consider AI as Critical Infrastructure: The data that feeds AI models (training sets, inference inputs, model weights) is among the most sensitive and strategically valuable data your organization possesses. It warrants HSM-grade protection, not merely software-layer controls.
- Embrace Crypto Agility: In the rapidly evolving AI and post-quantum cryptography (PQC) landscape, it is crucial to select assets that offer the flexibility to adapt your implementations. We are currently in the early stages of AI and PQC 1.0, and it is possible that we may soon encounter PQC 2.0 and additional algorithms.
- Lead with CBOM: Centralized key management cannot be retrofitted once AI workloads are distributed across numerous data stores and cloud providers. A single pane of glass for cryptographic keys serves as the governance foundation. Start with a Cryptographic Bill of Material (CBOM).
What AI trend are you most excited about?
In the wake of the heightened risk surface introduced by AI, new opportunities have emerged. Utimaco is actively monitoring the convergence of AI and post-quantum cryptography, particularly by utilizing AI to expedite the migration of PQC. Several emerging topics at Utimaco include:
- AI-Accelerated Cryptographic Migration: Utilizing AI to assist organizations in inventorying, assessing, and migrating their cryptographic implementations on a large scale. PQC migration fundamentally involves data and dependency mapping at an enterprise level, and AI is increasingly capable of conducting this discovery work that would otherwise require years of manual effort.
- Agentic AI for Security Operations: The concept of autonomous agents continuously monitoring cryptographic posture, detecting anomalies, and triggering remediation workflows. Organizations can now achieve centralized key control across distributed AI infrastructure, managing encryption keys through a single interface. The next step involves automating the monitoring and response layer on top of this.
- Privacy-Preserving AI: Expanding beyond our existing portfolio, techniques such as confidential computing, homomorphic encryption, and secure enclaves enable AI models to operate on encrypted data without decrypting it. This represents the genuine transformative potential of the long-term convergence of AI and cryptography, and it is a domain where Utimaco’s HSM expertise is directly applicable.

