Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is rated high because five named China-nexus APT groups are actively and persistently targeting AI infrastructure, with a documented 58% share of state-sponsored tech-sector attacks. This represents a sustained strategic campaign rather than opportunistic exploitation; even absent confirmed compromise, exposure is structural for any organization holding AI IP. Impact is rated very high because the loss of AI training data, model weights, and research IP is irreversible: once exfiltrated they cannot be rotated or invalidated, and the competitive damage represents the potential transfer of multi-year R&D investment to a strategic adversary.
Treatment rationale: Avoidance is not viable for organizations whose core business is AI development, transfer is partial at best given the irreversibility of IP theft, and acceptance is unjustifiable given the strategic magnitude of loss — active mitigation through hardened access controls, AI asset inventory, and persistent threat detection against known TTPs of these actor groups is the only treatment that meaningfully reduces both likelihood and impact.
Third-Party / Supply-Chain Risk
Organizations using shared ML infrastructure, cloud-hosted training environments, third-party data labeling or annotation vendors, open-source model repositories, or academic/research partnerships introduce additional ingress vectors; a China-nexus APT targeting the supply chain of AI tooling or data pipelines (consistent with NIST SP 800-161 third-party risk concerns) could compromise downstream model integrity or exfiltrate training data without directly breaching the primary organization's perimeter.
Loss Exposure (illustrative)
Magnitude: very high — illustrative range $10M–$500M+ depending on the commercial value of the AI IP at risk; organizations with foundational model weights or proprietary training datasets representing years of R&D sit at the upper end of this range
Frequency: For an organization actively building or operating AI systems with internet-accessible training infrastructure or cloud-hosted model development environments, illustrative exposure frequency is estimated at low-to-moderate probability of a targeted intrusion attempt within any 24-month window given the documented campaign breadth and named actor persistence
Annualized: Insufficient basis for a precise ALE figure; illustrative framing suggests annualized expected loss in the tens of millions for a mid-to-large AI firm once loss magnitude and frequency are combined, but this is highly sensitive to the specific commercial value of the IP held
Basis: Loss magnitude derived from the irreversible, non-rotatable nature of AI IP loss and the strategic competitive consequence of transferring multi-year R&D to a state-backed adversary — not from any third-party benchmark or report. Frequency derived from the documented campaign scale (58% of state-sponsored tech-sector attacks attributed to China-nexus groups) and the explicit targeting of AI infrastructure as a campaign priority. No external dollar-figure reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Exfiltration of proprietary AI model weights or training datasets may trigger cyber insurance notification obligations under policy definitions of 'data loss' or 'intellectual property theft' — verify with broker whether current policy language covers AI IP and whether a suspected (vs. confirmed) intrusion triggers reporting duties.
• If targeted AI systems process personal data as part of training pipelines, a successful intrusion could implicate data breach notification obligations under applicable privacy frameworks — verify with counsel before any disclosure or non-disclosure decision.
• Defense, government, or regulated-sector clients contracting for AI capabilities may hold contractual breach or incident-notification clauses that are triggered by compromise of systems used in their delivery — verify with counsel.