What JPMorgan gets right about AI security — and why storage must catch up

By Giorgio Regni | August 27, 2025 | 6 Mins Read

JPMorgan’s open letter to technology vendors isn’t just another security advisory — it’s a watershed moment for enterprise AI adoption. When the world’s largest bank publicly demands that providers “urgently reprioritize security,” it signals a fundamental shift in how businesses will evaluate AI systems going forward.

Though the message was originally aimed at SaaS providers, it should be understood as a broader call to action that implicates the entire technology stack — infrastructure players included. Some infrastructure and security architects have been sounding this alarm for years, but their warnings have largely been overshadowed by the pursuit of speed and innovation. That oversight is now catching up to the industry.

The foundations of AI weren’t built for the threats it now faces — especially when it comes to data storage.

When speed becomes a security risk

Patrick Opet, CISO at JPMorganChase, has articulated what many security-first-minded IT professionals have been thinking but few have been willing to state so bluntly: The rush to deploy AI has created systemic risks that threaten the entire technology ecosystem.

While vendors race to deliver flashy new AI capabilities, they’ve quietly eroded critical security boundaries, creating a generation of systems built for speed, not safety.

This isn’t just about application-level vulnerabilities. It’s about fundamental architectural regression — the dismantling of security controls and governance frameworks that took decades to establish. The security debt being accumulated today will have to be paid eventually, and the cost will be enormous.

The uncomfortable truth? AI’s security debt is compounding faster than most organizations can pay it down. Those building for resilience today will emerge as leaders. Those who delay may find themselves scrambling to recover, rather than leading with confidence.

The overlooked foundation of AI security: Storage infrastructure

While headlines focus on model vulnerabilities and prompt injection attacks, a critical vulnerability lies beneath the surface: legacy storage infrastructure underpinning AI systems was never designed for this new paradigm.

The AI data pipeline spans from initial data preparation (aggregation, curation, and processing) through model training and inference — all stages that create unique security challenges. Yet many organizations are building sophisticated AI capabilities on storage architectures that prioritize performance over security and adaptability.

Consider these critical security gaps in traditional storage approaches:

  • Architectural rigidity: Most storage systems bundle metadata, compute, security, and management into tightly coupled stacks. This rigid design forces organizations to scale all components together regardless of actual security needs — creating inefficiency, unnecessary exposure, and potential compliance gaps.
  • Metadata vulnerability: AI workloads generate exponential growth in metadata operations. Without the ability to scale metadata services independently and securely, organizations face both performance bottlenecks and security blind spots. Who accessed what data? Which training sets influenced specific model versions? These questions become increasingly difficult to answer.
  • Insufficient tenant isolation: Enterprise AI environments typically serve multiple workloads and teams simultaneously. Traditional storage offers limited isolation between these environments, creating risk of lateral movement should one application or access point be compromised.
  • Unpredictable security scaling: As JPMorgan implies, the security requirements for AI systems aren’t static — they evolve rapidly as threats adapt. Storage infrastructure needs to scale security services independently to meet these changing demands without compromising performance.
  • Gaps in cyber-threat defenses: Traditional storage architectures often fall short across multiple layers of protection — from access control to data preservation — leaving critical AI pipelines exposed to modern threats like ransomware, data poisoning, or insider attacks. Without API-level immutability, secure access enforcement, layered data and storage-level protections, and geographic or architectural safeguards, these systems lack the resilience needed to defend against increasingly sophisticated adversaries.

The shift from raw speed to resilience

JPMorgan’s letter marks a turning point in how we evaluate AI infrastructure. While early AI adoption focused almost exclusively on performance metrics — how fast can we train, how quickly can we deploy — the next phase will prioritize security, governance, and resilience.

Organizations need storage architectures that can adapt dynamically to emerging security requirements without forcing costly rip-and-replace cycles. The solution isn’t simply adding security features to legacy storage — it requires fundamentally rethinking how storage systems are designed.

The storage vendors that lead the next phase of enterprise AI adoption won’t just be the fastest — they’ll be the ones who can prove they’re secure, auditable, and built for long-term resilience.

Disaggregated architecture: The foundation of secure AI storage

Forward-thinking organizations are recognizing that disaggregated storage architectures — where key services like metadata, compute, security, and management can scale independently — provide the foundation for secure, adaptable AI infrastructure.

This approach offers several critical security advantages:

  • Targeted security scaling: Security services can evolve and expand based on actual threat landscapes without forcing unnecessary growth in other areas.
  • Comprehensive audit trails: Metadata services can be scaled to maintain detailed provenance information and access logs without compromising performance.
  • Enhanced isolation: Proper service disaggregation enables stronger boundaries between tenants, applications, and data sets — limiting the blast radius of potential compromises.
  • Future-proof compliance: As regulatory requirements for AI evolve, organizations can adapt specific dimensions of their storage infrastructure without overhauling entire systems.

What cloud architecture can teach AI builders about security

Interestingly, the challenges JPMorgan highlights aren’t entirely new. They mirror many of the same issues cloud providers faced over the past decade as they built multi-tenant environments that needed to maintain security at massive scale.

The pioneers who solved these challenges in cloud environments developed architectures with remarkable parallels to what secure AI infrastructure now requires:

  • Multiple applications accessing shared storage
  • Unpredictable scaling requirements across various dimensions
  • High performance paired with strict security boundaries
  • Detailed audit trails for compliance and security forensics

The organizations best positioned to meet JPMorgan’s security demands are those who recognize these parallels and implement storage infrastructures designed with similar principles of disaggregation, independent scaling, and security-first architecture.

The path forward: Security starts at the bottom of the stack

The takeaway is unambiguous: Security can no longer be an afterthought bolted onto AI systems. It must be woven into every layer of the infrastructure — especially the foundational storage layer that touches all data throughout its lifecycle.

Organizations building AI infrastructure should:

  1. Evaluate storage architectures based on security flexibility, not just raw performance metrics
  2. Prioritize solutions with independently scalable security services that can adapt to evolving threats
  3. Insist on comprehensive audit capabilities that track data access and modifications across the entire pipeline
  4. Build in security isolation between different AI workloads, tenants, and applications
  5. Implement immutable storage options to protect against data tampering and ransomware

AI’s security reckoning is here, and the time to act is now

JPMorgan’s letter represents more than just one institution’s preferences — it’s the leading edge of a broader market shift. As AI becomes increasingly mission-critical, organizations unwilling to invest in secure infrastructure will find themselves losing ground to competitors who recognize that responsible AI requires a fundamentally new approach to data management.

The question isn’t whether your storage infrastructure will need to evolve to meet these security demands, but whether you’ll make those changes proactively or be forced to retrofit security after a costly incident. JPMorgan has issued the warning. The time to act is now.

Giorgio Regni

Giorgio Regni leads the company’s long-term technology vision and innovation strategy, drawing on decades of experience in distributed systems, object storage and cloud infrastructure. Regni founded Scality in 2009 with a mission to solve the challenges of storing and managing massive amounts of unstructured data at scale. Today, his leadership continues to shape Scality’s RING and ARTESCA product lines, trusted by some of the world’s largest enterprises, service providers, and public sector organizations. Regni is passionate about open standards, high-performance computing, and designing software architectures that stand the test of time. He holds a Master’s degree in Computer Science from École Centrale Paris.

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
