T0 Asset Framework
"Local AI is not an upgrade. It is an insurance policy against the obsolescence of your own company."
This framework defines the Tier 0 (T0) asset classification and its application to sovereign intelligence, critical infrastructure, and organizational survival. It translates cybersecurity risk language into strategic architecture decisions.
What Is a T0 Asset?
In enterprise security and infrastructure architecture, assets are commonly tiered by criticality:
| Tier | Definition | Traditional Examples |
|---|---|---|
| T3 | Standard business assets | Office productivity, non-critical SaaS |
| T2 | Important operational assets | ERP, CRM, standard customer-facing systems |
| T1 | Critical assets whose failure causes major harm | Financial systems, core production databases, active directory |
| T0 | Assets whose compromise or loss destroys the entire operation | Domain controllers, root certificate authorities, cryptographic key material, sovereign intelligence |
A T0 asset is not merely "important." It is existential. Its loss does not cause downtime; it causes dissolution.
Why Sovereign Intelligence Is T0
Treating local AI infrastructure as Tier 0 reframes the conversation from "technology investment" to "foundational pillar of survival."
1. T0 Defines the Boundary of Trust
Most organizations have allowed their cognitive perimeter to dissolve. Data flows outward to cloud AI providers through APIs, chat interfaces, and embedded assistants. The boundary of trust—the firewall between "us" and "them"—has been punctured by convenience.
By classifying intelligence as T0 and moving it inside the perimeter, the organization:
- Re-establishes the boundary of trust
- Regains control over what can be known about the organization
- Prevents silent exfiltration of strategic reasoning
"Our strategy is now ours again."
2. T0 Removes Vendor Risk
Clients are rightly terrified of vendor lock-in for infrastructure. Yet they are sleepwalking into the ultimate lock-in: intelligence lock-in.
If an organization builds workflows around a cloud model, it is renting its ability to think. The vendor controls:
- The model's capabilities and behaviour
- The pricing and availability
- The "alignment" and safety filters
- The terms of service and data usage policies
A local model is vendor-independent. It is an asset that remains fully functional regardless of:
- Silicon Valley boardroom decisions
- Geopolitical events affecting API availability
- Pricing restructuring
- Model deprecation or behaviour changes
This is the definition of a T0 asset: it must survive the failure of any external dependency.
3. T0 Signals Strategic Maturity
Most competitors are pushing shiny cloud APIs because they are easy to implement and make the consultant look "modern."
When you advocate for local T0 infrastructure, you signal that you are not interested in the shiny. You are interested in durability. You are optimizing for the organization's viability over a 5-to-10-year horizon, not the next quarterly demo.
Clients who are serious about survival recognize that maturity immediately.
4. T0 Elevates the Advisor
The industry is currently filled with "AI consultants" who are essentially glorified sales reps for cloud providers. They have a structural conflict of interest: their revenue depends on your consumption of third-party services.
An independent architect has no such conflict. When you say:
"I am not suggesting local AI because it is easy. I am suggesting it because it is the only way to keep our proprietary edge from being harvested."
You are speaking with the authority of someone who is on the client's side of the table.
The T0 Asset Lifecycle
Identification
Not all AI infrastructure is T0. The classification applies to:
- Proprietary fine-tuned models trained on internal data
- Core reasoning infrastructure that drives strategic or operational decisions
- Model weights and architectures that encode organizational knowledge
- Training datasets that represent irreproducible intellectual capital
- Inference pipelines that touch classified, regulated, or crown-jewel data
Cloud AI usage for generic, non-proprietary tasks (e.g., drafting public marketing copy) may remain non-T0. The classification is data- and context-dependent.
Protection
T0 assets demand T0 protection:
| Control Layer | Requirement |
|---|---|
| Physical | Local hardware in controlled facilities; no third-party physical access |
| Network | Air-gapped or strictly segmented; no direct internet egress from inference hosts |
| Access | Zero-trust with just-in-time elevation; multi-party approval for model changes |
| Cryptographic | Model weights encrypted at rest and in transit; key material in HSM |
| Audit | Complete logging of access, inference, and fine-tuning operations |
| Backup | Immutable, geographically distributed backups of weights, data, and configurations |
| Recovery | Tested recovery procedures with RPO < 1 hour and RTO < 4 hours |
Monitoring
T0 assets require continuous validation:
- Integrity monitoring: Detect unauthorized changes to model weights or configurations
- Performance drift monitoring: Ensure fine-tuned models maintain accuracy over time
- Access anomaly detection: Alert on unusual inference patterns or unauthorized access attempts
- Dependency health: Monitor supporting infrastructure (GPU, storage, orchestration) with the same rigor as the models themselves
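One way to implement the integrity-monitoring item above, as an added example that is not part of the original framework: a SHA-256 manifest of a model directory, sealed with an HMAC so the baseline itself cannot be edited unnoticed, then re-verified to report drift. The file names, the demo key, and the function names are constructed for illustration; the example assumes the MAC key would be held in the HSM that the Protection table requires.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def digest_tree(root: Path) -> dict:
    """Map each file's relative path to its SHA-256, streaming in 1 MiB chunks."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def seal(root: Path, key: bytes) -> dict:
    """Baseline manifest plus an HMAC tag over its canonical JSON form."""
    files = digest_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root: Path, manifest: dict, key: bytes) -> dict:
    """Return drift versus the baseline; raise if the manifest's tag does not verify."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest tag mismatch: baseline altered or wrong key")
    base, now = manifest["files"], digest_tree(root)
    return {
        "modified": sorted(k for k in base.keys() & now.keys() if base[k] != now[k]),
        "added": sorted(now.keys() - base.keys()),
        "removed": sorted(base.keys() - now.keys()),
    }

def demo() -> dict:
    """Constructed sample: a stand-in model directory, sealed, then changed."""
    key = b"constructed-demo-key"  # assumption: in production this key stays in the HSM
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "weights.safetensors").write_bytes(b"\x00" * 4096)
        (root / "config.json").write_text('{"temperature": 0.2}')
        manifest = seal(root, key)
        (root / "weights.safetensors").write_bytes(b"\x00" * 4095 + b"\x01")  # one byte changed
        (root / "adapter.bin").write_bytes(b"unexpected")  # file not in the baseline
        (root / "config.json").unlink()  # baseline file missing
        return verify(root, manifest, key)

if __name__ == "__main__":
    print(demo())
```

Store the sealed manifest away from the inference host, and treat any non-empty `modified`, `added`, or `removed` list outside an approved model change as an alert.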
Recovery
A T0 asset without a tested recovery plan is a liability:
- Quarterly recovery drills: Restore model weights and inference pipelines from backup
- Version rollback capability: Maintain previous model versions for instant reversion
- Cross-site redundancy: Active-passive or active-active deployment across independent facilities
- Documentation: Recovery runbooks that can be executed by personnel who did not design the system
The Vault Metaphor
When clients ask why they should accept the "friction" of local hosting, use the vault metaphor:
"Think of it like this: If our company's intelligence was a physical pile of cash, would we store it in a public bank that takes a 'training fee' off every dollar we put in and that holds the right to change the currency whenever they want? Or would we keep it in our own vault, where we control the security, the access, and the value?"
Local AI is the vault.
The vault has a cost. It requires space, guards, and maintenance. But it guarantees that:
- The cash is there when you need it
- No one else is lending it out
- The currency does not change overnight
- You can audit the balance at any time
T0 Classification Worksheet
Use this worksheet during client engagements to classify AI and intelligence assets:
Asset Name: ________________________________
Description: ________________________________
Data Types Processed: _______________________
[ ] Public information
[ ] Internal operational data
[ ] Customer data
[ ] Financial data
[ ] Strategic / IP data
[ ] Regulated data (specify: _________)
If this asset were unavailable for 24 hours:
[ ] Minor inconvenience
[ ] Operational disruption
[ ] Significant financial loss
[ ] Existential threat to organization
If this asset's data were leaked to a competitor:
[ ] No impact
[ ] Reputational damage
[ ] Competitive disadvantage
[ ] Existential threat to organization
If the vendor discontinued this service tomorrow:
[ ] Easy replacement within 30 days
[ ] Difficult replacement within 90 days
[ ] Replacement requires major re-architecture
[ ] No viable replacement exists
TIER CLASSIFICATION: [ ] T3 [ ] T2 [ ] T1 [ ] T0
Justification: ________________________________
Required Controls: ____________________________
Owner: ______________________________________
Review Date: ________________________________
Integrating T0 with Existing Frameworks
NIST Cybersecurity Framework
| NIST Function | T0 Application |
|---|---|
| Identify | Asset inventory explicitly includes model weights, training data, and inference pipelines |
| Protect | Encryption, access control, and segmentation applied to AI infrastructure at the highest level |
| Detect | Anomaly detection on model access and inference patterns |
| Respond | Incident response plans include model compromise and data poisoning scenarios |
| Recover | Recovery objectives for AI assets match or exceed those of domain controllers |
CIS Controls
Map T0 AI assets to CIS Control 1 (Inventory and Control of Enterprise Assets) and Control 3 (Data Protection). Treat model weights as sensitive data subject to the same controls as cryptographic key material.
Consultant's Checklist
When presenting the T0 framework to clients:
- Explain the T0 concept using familiar examples (domain controllers, root CAs)
- Map the client's current AI usage to the tier classification
- Identify at least one T0-class intelligence asset the client has not recognized
- Present the vault metaphor for intuitive understanding
- Quantify the vendor risk: what happens if the cloud provider changes terms tomorrow?
- Show the strategic maturity signal: this is what serious organizations do
- Provide the worksheet for self-assessment
- Connect T0 classification to immediate next steps in the Rapid Modernisation Plan