---
id: "prereq-application-vs-infrastructure-security"
type: "prerequisite"
source_timestamps: ["§ Research, Methodology, and Findings", "§ New Risks Executives Must Address"]
tags: ["security-architecture"]
related: ["concept-ai-infrastructure-attack-surface", "claim-application-defenseless-on-compromised-infra"]
reason: "Required to understand why traditional security measures fail against hardware-level AI exploits."
source_title: "Research: Conventional Cybersecurity Won't Protect Your AI"
source_url: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sources: ["tail2"]
sourceVaultSlug: "hbr-seg-tail2"
originDay: 2
articleStem: "hbr-tail-128-cybersecurity-wont-protect-ai"
sourceUrl: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sourceTitle: "Research: Conventional Cybersecurity Won’t Protect Your AI"
---
# Application vs. Infrastructure Security

**Why you need this:** Required to understand why traditional security measures fail against hardware-level AI exploits.

The source assumes you can distinguish **securing an application** (code review, MFA, encryption, penetration testing) from **securing the underlying infrastructure / system layer** (OS, hypervisors, drivers, firmware). This distinction is the load-bearing premise of [[concept-ai-infrastructure-attack-surface]] and [[claim-application-defenseless-on-compromised-infra]] — if you conflate the two layers, the 'Pal' keylogger anecdote and the infrastructure-first thesis will not land.
