Data Protection Becomes the Foremost Strategic Priority
Inference is no longer a request-response transaction. Now, inference is a population of long-running, tool-using agents that read models, retrieve context, call each other, and act on data, with consequences. The integrity of those actions cannot be governed at the application layer alone. Until this release, the platforms enterprises rely on for AI workloads have not provided enforcement primitives where data movement actually happens: on the storage IO path, in silicon, at line rate.
NVIDIA is now filling that gap. The release is a coherent agentic AI factory architecture built around NVIDIA BlueField-4, a redefined NVIDIA DOCA security stack with a brand-new file-access primitive called DOCA Vault, the NVIDIA Vera BlueField-4 STX modular storage reference design, and a deliberately bridged ecosystem of storage and cybersecurity partners running consistently on the same BlueField-4 processor. Most consequentially, the Data Protection domain finally has a primitive that operates without trading off AI workload performance.
This blog walks through the technical mechanics of the NVIDIA AI Factory secured by NVIDIA DOCA, and then maps the capabilities back to the WWT AI Readiness Model for Operational Resilience (ARMOR) domains a CISO will be asked to govern against.
NVIDIA BlueField: protection at every AI node
NVIDIA's positioning for this release is direct. NVIDIA BlueField is an accelerated computing platform for cybersecurity, pervasively built into every AI system and every AI factory. Four architectural properties carry the security story.
- Programmable security with NVIDIA DOCA, executed on dedicated compute engines and accelerators: Security software runs in NVIDIA BlueField's own compute domain, not on the host.
- Operation from a separate trust domain: The NVIDIA BlueField security plane is invisible to attackers on the host. Even when host resources are under attack, the security plane stays trusted.
- Inline accelerated cybersecurity functionality on the IO path: Security functions execute at line rate in silicon, on the same path data is already moving.
- A new generation of cybersecurity capabilities purpose-built for AI workloads, agentless and friction-free.
Three operational properties result:
- There are no agents to install on the host.
- There is no integration required against host-based resources.
- There is no overhead, because security software runs on NVIDIA BlueField's own engines and accelerators.
The result is security that is resilient by construction: trusted even when the host is compromised, because compromise cannot reach the NVIDIA BlueField domain.
GTC Taipei: What's new with NVIDIA BlueField-4?
BlueField-4 steps from NVIDIA BlueField-3's 16 Arm Cortex-A78 cores to 64 Arm Neoverse V2 cores, with 128 GB of LPDDR5, 114 MB of shared L3 cache, and 512 GB of onboard SSD. It integrates the NVIDIA ConnectX-9 SuperNIC for 800 Gb/s of network throughput with line-speed RDMA over Converged Ethernet (RoCE) support, and presents to the host over PCIe Gen6 x16. NVIDIA quotes 6x the compute of NVIDIA BlueField-3. That headline number enables the larger architectural move in this release, because the security stack is now able to do more on the DPU.
Architecturally, NVIDIA BlueField-4 sits in the host-to-network and host-to-storage data paths. It terminates NVIDIA Spectrum-X Ethernet for scale-out north-south traffic and the file and object storage path for IO, and it presents emulated PCIe devices back to the host: NVMe block, virtio-blk, virtio-net, and critically for this release, virtio-fs. NVIDIA Quantum-X800 InfiniBand, when present in the architecture for scale-out training fabrics, does not traverse NVIDIA BlueField-4 directly; it runs through dedicated NVIDIA ConnectX-9 SuperNICs. NVIDIA DOCA Argus still surfaces metadata about InfiniBand traffic at the node level through realtime memory analysis of specific snippets of the host kernel state. The NVIDIA BlueField-4 cores run a tenant-isolated security domain, defined by the NVIDIA BlueField Advanced Secure Trusted Resource Architecture (Astra), that operates outside the host's data and control planes. That separation is the architectural foundation everything in this post depends on.
Inside the NVIDIA Vera Rubin POD
NVIDIA Vera Rubin NVL72 Compute Tray
The NVIDIA Vera Rubin NVL72 compute tray carries the inference and training workloads, featuring: 2 x Vera CPU, 4 x Rubin GPUs, 1 x BlueField-4 DPU, and 4 x ConnectX-9 SuperNICs. The full DOCA security stack runs here: OVS-DOCA for network security policy, DOCA Argus for situational awareness, and the new DOCA Vault for file-based access policy. This is the primary enforcement tier, because this is where workloads originate the storage and network requests that everything downstream sees. Argus has ground truth on workload behavior, and the JBOF sits downstream of where the policy decision is made. Upon threat detection, OVS-DOCA can be programmed to stop network activity, and DOCA Vault can enforce policy on a file access request. Stopping threats at the client side enhances the overall cybersecurity posture of the infrastructure by preventing lateral movement in large-scale environments.
NVIDIA Vera CPU Compute Tray
The Vera Compute tray is a dense, modular building block for CPU-scale AI infrastructure, purpose-built for running AI agents. Equipped with 88 custom NVIDIA Olympus cores, up to 1.2 TB/s of memory bandwidth, Vera gives AI factories the CPU throughput needed for orchestration, tool calling, code execution, data processing and long-context workflows. The NVIDIA DOCA stack runs consistently on this platform with DOCA Argus, OVS-DOCA, and the new DOCA Vault to protect agents at massive scale.
NVIDIA Vera BlueField-4 STX Server
NVIDIA Vera BlueField-4 STX is the foundation for agentic AI-native storage solutions. Powered by NVIDIA DOCA, NVIDIA Vera BlueField-4 STX brings in-silicon security to enforce trust across compute and storage. The STX server runs on a Vera-based BlueField-4 storage processor and OVS-DOCA. While DOCA Argus and DOCA Vault can run on the STX server, their primary role is to detect threats and contain them at the storage initiator side. However, certain implementations could see DOCA Argus and DOCA Vault running natively on the storage processor.
NVIDIA Spectrum-X Ethernet Networking Fabric
Spectrum-X Ethernet ties the three tiers together at 800G per port via NVIDIA BlueField-4 and NVIDIA ConnectX-9 SuperNIC. NVIDIA NVLink and NVLink Switch carry intra-rack scale-up traffic between GPUs without crossing a DPU. NVIDIA Quantum-X800 InfiniBand, where deployed for scale-out training, runs through dedicated NVIDIA ConnectX-9 SuperNICs and does not traverse NVIDIA BlueField-4 directly, though DOCA Argus still gathers metadata about that traffic at the node level. Every workload, agent, and storage flow that crosses Ethernet between racks crosses an NVIDIA BlueField-4. That is the primary locus of enforcement.
The NVIDIA DOCA security stack, end to end
NVIDIA DOCA is the software platform that turns NVIDIA BlueField-4 into a programmable security processor. Three primitives matter for this release.
- DOCA Flow controls network policy via OVS-DOCA, which programs NVIDIA BlueField's eSwitch using hardware steering. Key use cases for this release: micro-segmentation, next-generation firewall, AI Firewall, AI Application Firewall with protocol decoding, and incident response. Stock Open vSwitch control plane, hardware data path.
- DOCA Vault is a new data security microservice purpose-built for file-based, AI-native storage. It helps ensure that only authorized AI workloads, agents and services can access the right files with the right permissions, enforcing authorization on every file access request in BlueField silicon. Designed for dynamic agentic AI environments, DOCA Vault protects sensitive data, models and context memory from unauthorized access, data extraction and exposure. It provides zero-trust file access for AI factories while operating independently of the host CPU and storage system, helping deliver security at the speed and scale of AI workloads.
- DOCA Argus is the situational awareness layer. The architectural property to internalize: DOCA Argus does not run agents on the host and does not depend on eBPF, syscall tracing, or any host-side instrumentation. DOCA Argus runs entirely on NVIDIA BlueField-4 cores and observes host activity through real-time memory introspection across PCIe Gen6 DMA, parsing host kernel data structures to reconstruct process, thread, memory, library, file descriptor, network connection, and container state.
What CISOs should do now
- Re-baseline the Data Protection domain of your ARMOR posture. Controls previously deferred because they could not be enforced at AI workload throughput should be revisited. DOCA Vault changes what is enforceable on the storage IO path.
- Engage your incumbent cybersecurity partners on their DOCA Vault, DOCA Flow, and DOCA Argus roadmaps. The platforms that will matter in twelve months are the ones showing up at GTC Taipei with credible Vault integration plans.
- Bring security architects into the storage RFP. STX-based storage is going to change procurement criteria. Selection should be made jointly between AI infrastructure, storage, and security architecture, not sequentially. Look explicitly at AI Memory Protection on CMX, not just file storage.
- Pilot Application Control via the remote-NFS execution pattern. This is the highest-leverage agent-escape control in the entire release, and it is implementable today on the Vault POC. Identify a high-value agent workload and test the manifest-based execution control in a non-production environment.
- Plan for Continuous Verifiable AI in your agent identity strategy. The attestation-to-token pattern integrates with identity providers. Coordinate now between AI platform, security architecture, and identity engineering.
WWT's ARMOR practice will be publishing technical deep dives on DOCA Vault integration patterns, reference architectures for Vault-enabled agentic AI deployments, AI Memory Protection on NVIDIA CMX, and ARMOR-aligned validation playbooks through the AI Proving Ground. WWT delivers ARMOR-aligned platform integration with NVIDIA BlueField and DOCA, co-developed with NVIDIA and validated in WWT's AI Proving Ground. For organizations ready to pressure-test what this release means for their AI security posture, the Proving Ground is the venue.
What this release locks in
Last October, NVIDIA's BlueField-4 announcement signaled that security was going to live in the infrastructure, not on top of it. Fast forward to today: with the announcement of DOCA Vault, the NVIDIA Vera BlueField-4 STX for AI-native storage, AI Memory Protection on the Context Memory layer, and the Continuous Verifiable AI attestation pattern, the data plane catches up to the network plane, and the agent itself becomes a first-class enforceable entity. The agentic AI factory is the workload these capabilities were built for. The ARMOR framework is the operational architecture that lets enterprises put them to use.
Secure AI is foundational, not optional. With this release, it is also finally performant on the storage path, on the memory tier, and at the agent boundary.
Use cases sit on top of the three primitives, divided into four categories: cybersecurity, networking, storage, and observability. Cybersecurity capabilities span all three primitives. DOCA Vault drives Zero-Trust Access Layer for File-based Storage, Application Control, Data Exfiltration Prevention, Realtime Workload Threat Detection and Prevention, Drift Prevention, Forensics Investigation, and Incident Response. DOCA Argus drives AI Discovery, AI Exposure Management, AI Container Security, Realtime Workload Threat Detection, Drift Detection, Forensics, and Incident Response. DOCA Flow drives micro-segmentation, NGFW, AI Firewall and AI Application Firewall, and Incident Response.
DOCA Argus: real-time situational awareness for AI workloads
At GTC Taipei, NVIDIA repositioned DOCA Argus from real-time threat detection to real-time situational awareness, and that change matters. The data DOCA Argus produces serves a dual purpose: security telemetry, and substrate for AI consumption and partner XDR integration. Three additions in this release expand what DOCA Argus surfaces.
- Container image hash and digest hash, with matching against external repositories such as Hugging Face, NGC, and GitHub: This is the foundation for AI Discovery and AI Exposure Management. CISOs gain visibility into which models and which container images are actually running in the factory, where they're sourced from, and who they're signed by. Discovery in the AI factory has been a near-universal blind spot. Argus closes it.
- Container-to-pod mapping, with full attribution from container down to GPU: Every container DOCA Argus observes is now correlated to the Kubernetes pod and the specific GPU it is running on, with serial number identification.
- GPU telemetry equivalent to DCGM, surfaced from NVIDIA BlueField-4 rather than from a host-side agent: Utilization, power, thermal, and GPU serial numbers are all available off-host. Operations teams gain a single source of GPU truth that is independent of any host that might be compromised, with the bonus that telemetry collection no longer consumes host CPU cycles. NVIDIA captures the bigger point: as Jensen Huang emphasized in the GTC Taipei keynote, agents need more CPU. Moving observability off-host returns CPU to the workload.
DOCA Argus signals flow two ways. Locally on NVIDIA BlueField-4, alerts and events feed a Local AI/ML module that includes NVIDIA Morpheus with its GNN-based autoencoder for NetFlow anomaly detection. Externally, the same signals are forwarded to partner XDR platforms with their own AI modules, management consoles, detection logic, security data lakes, vulnerability databases, and threat intelligence. Response actions flow back the same way: partner XDR can issue Requested Response Actions that the NVIDIA BlueField-4 realtime response engine executes locally.
DOCA Flow: network policy in hardware
DOCA Flow is the most mature primitive in the stack, in production through NVIDIA BlueField-3 and now extended on NVIDIA BlueField-4. The architecture is OVS-DOCA: Open vSwitch runs as the control plane, exactly as it would on a regular host, but its data path interface is backed by DOCA Flow and executes in hardware on the eSwitch. Evolved from the ASAP² (Accelerated Switching and Packet Processing) architecture, OVS-DOCA delivers east-west microsegmentation, network kill switches, per-container traffic shaping, and protocol-aware AI Application Firewalling at line rate, with no host or DPU CPU consumed.
The integration surface is already established. Palo Alto Networks runs VM-Series with Intelligent Traffic Offload on BlueField-2 and BlueField-3, classifying flows on the DPU and inspecting where it matters. Check Point AI Cloud Protect combines DPU-resident network controls with Argus DMA for host process inspection. Cisco extends Hypershield enforcement onto NVIDIA BlueField in GPU servers with DOCA Argus integration on the roadmap. F5 BIG-IP Next for Kubernetes runs natively on BlueField as the AI gateway and LLM router, generally available on NVIDIA BlueField-3 and announced for BlueField-4. Trend Micro Vision One deploys Endpoint Security on NVIDIA BlueField alongside Vision One AI App Security integrated with NVIDIA NeMo Guardrails for agentic AI workloads. The cybersecurity partner ecosystem is, in effect, already programming the NVIDIA BlueField security plane.
DOCA Vault: the zero-trust access layer for file-based storage
DOCA Vault is the new primitive at the heart of this release. Everything else reinforces it. NVIDIA's canonical tagline is direct: Vault is the Zero-Trust Access Layer for File-based Storage. Initial protocol support is NFS. Object storage is on the roadmap and architecturally validated.
Architecture
DOCA Vault sits inline in the DOCA SNAP path. On the host, the AI workload uses the standard Virtio-fs Linux driver; it has no awareness that Vault exists and no API to call. Behind that driver, requests cross PCIe Gen6 through the DOCA DPA and DOCA firewall layers into the NVIDIA BlueField-4 Arm domain. Inside the NVIDIA BlueField Arm domain, the DOCA SNAP module receives the request through the DOCA Device Emulation SDK, then walks the request down through Virtio-fs DOCA Transport, Virtio-fs Target Core, and SPDK fsdev before forwarding it over the storage fabric to remote storage. DOCA SNAP translates between FUSE-formatted host requests and NFS on the back-end. DMA carries the file traffic. Vault inserts itself into the SNAP path. Every file operation is intercepted before it leaves the DPU.
How DOCA Vault makes decisions
Three properties of DOCA Vault matter in combination. First, it builds session context across requests, not single-request decisions. A file open, a read, a write, a stat are correlated into a coherent session that lets DOCA Vault reason about intent, not just atomic IO. Second, for every operation DOCA Vault captures three things: the PID of the calling process, the identity of the file being accessed, and the action being attempted. Third, DOCA Vault enriches the PID by looking it up against the in-memory data DOCA Argus produces from realtime memory introspection. The result is a full attribution: which process (by name, by binary hash, by command line, by container image hash) is attempting which action on which file. NVIDIA calls this signature the process-to-file-to-action model.
Once DOCA Vault has all three properties, policy enforcement is straightforward. If a process is not permitted to read a model file, the operation is denied at the DPU before it crosses to storage. If a process is permitted to read a file with R|O semantics, only that process is allowed, and every other process on the host that attempts the same access is denied. NVIDIA reports enforcement latency on the order of microseconds. Throughput benchmarks at scale are still being characterized.
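The decision described above can be modelled in a few lines. This is an added, conceptual example and not DOCA Vault code or its API: the process table, rule format, hashes and paths are all constructed, and the dictionary lookup stands in for the PID enrichment the text attributes to DOCA Argus data.

```python
"""Conceptual model of a process-to-file-to-action check. Added example,
not DOCA Vault code or its API. All names and values are constructed."""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ProcessInfo:
    # Attribution fields the text lists for an enriched PID.
    name: str
    binary_hash: str
    cmdline: str
    image_hash: str


@dataclass(frozen=True)
class Rule:
    # One allow rule: which process identity may do what to which files.
    binary_hash: str
    image_hash: str
    path_glob: str
    actions: frozenset


# Stand-in for the in-memory process data a PID is looked up against.
PROCESS_TABLE = {
    4101: ProcessInfo("inference-server", "sha256:1111",
                      "inference-server --model /models/m1", "sha256:aaaa"),
    4177: ProcessInfo("sh", "sha256:2222",
                      "sh -c 'cat /models/m1/weights.bin'", "sha256:aaaa"),
}

# Read-only access to model files for exactly one binary in one image.
RULES = [
    Rule("sha256:1111", "sha256:aaaa", "/models/*",
         frozenset({"open", "read", "stat"})),
]


def evaluate(pid, path, action, table=PROCESS_TABLE, rules=RULES):
    """Return (allowed, reason, record) for one intercepted file operation."""
    # Collapse "." and ".." so traversal cannot slip past a prefix rule.
    path = posixpath.normpath(path)
    proc = table.get(pid)
    # The record is the per-process, per-file, per-action audit entry.
    record = {"pid": pid, "path": path, "action": action,
              "process": proc.name if proc else None,
              "binary_hash": proc.binary_hash if proc else None}
    if proc is None:
        return False, "pid has no attribution", record
    file_rule_seen = False
    for rule in rules:
        same_identity = (rule.binary_hash == proc.binary_hash
                         and rule.image_hash == proc.image_hash)
        if same_identity and fnmatchcase(path, rule.path_glob):
            file_rule_seen = True
            if action in rule.actions:
                return True, "allowed by rule", record
    if file_rule_seen:
        return False, "action not granted", record
    # Default deny is what makes access exclusive to the named process.
    return False, "no rule for this process and file", record


# Constructed session: the model loader, then a shell in the same container.
SESSION = [
    (4101, "/models/m1/weights.bin", "open"),
    (4101, "/models/m1/weights.bin", "read"),
    (4101, "/models/m1/weights.bin", "write"),
    (4177, "/models/m1/weights.bin", "read"),
    (4101, "/models/../etc/shadow", "read"),
]


def replay(session):
    """Evaluate every operation of a session and keep the full records."""
    return [evaluate(pid, path, action) for pid, path, action in session]


if __name__ == "__main__":
    for allowed, reason, record in replay(SESSION):
        print("ALLOW" if allowed else "DENY ", reason, record)
```

The shell in the same container image is denied because the rule is bound to the loader's binary hash, not to the container or the host.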
Use cases, as NVIDIA frames them
Seven use cases sit on top of Vault in NVIDIA's materials.
- Zero-Trust Access Layer for File-based Storage: Only the right AI workload processes access the right files with the right permissions.
- Application Control: Only trusted applications are allowed to execute. Prevents arbitrary code execution in the event of an agent escape.
- Data Exfiltration Prevention: Processes cannot access files they are not privy to. A process that loads a model into memory does so with R|O permissions; all other processes cannot access the model at all.
- Realtime Workload Threat Detection and Prevention: Any deviation from the policy is, by definition, a behavioral change indicative of breach.
- Drift Prevention: Configuration files cannot be modified (for example, agent configuration) and additions cannot be made (for example, new agent skills) without authorization.
- Forensics Investigation: Granular per-process, per-file, per-action records support security incident investigation.
- Incident Response: In the event of a breach, storage is immunized. Vault immediately blocks access to remote file-based storage as a response action, and OVS-DOCA on the JBOF enforces the disconnection a second time at the storage target.
Four container behavioral profiles, and where DOCA Vault lands
Arkin frames the security model in terms of four behavioral profiles for any container running in the AI factory. Vault and Argus together cover two today, will cover three with a near-term enhancement, and provide the substrate for partners to cover the fourth.
- Profile 1: manifest. The set of binaries and libraries that should be present.
- Profile 2: execution intent. The command-line arguments and placement of those binaries and libraries.
- Profile 3: process-to-file-to-action. Which processes access which files in which ways. This is what Vault enforces today.
- Profile 4: process-to-network. Which processes communicate with which network destinations.
Profile 4 is where the in-memory database NVIDIA is building becomes important. Vault and Argus correlate the process-to-file-to-action picture in microseconds and write the result to a shared in-memory database on NVIDIA BlueField-4. The intention, explicit in NVIDIA's roadmap, is to expose that database to the cybersecurity partner ecosystem so partners can program DOCA Flow with process-based, not just IP-based, network policies. With that database open to the partner ecosystem, every cybersecurity partner running on NVIDIA BlueField gains process-attributed network enforcement without writing a host agent.
Application Control: the remote-NFS execution pattern
The most architecturally surprising use case in this release is Application Control, and it works through a non-obvious mechanism. The pattern, currently in NVIDIA's second proof of concept, is to mount the binaries and contents of the container itself on remote NFS, exposed through DOCA SNAP Virtio-fs to the host. ContainerD pulls the files locally to execute the container plan and load any other required files. Because the file system is presented through DOCA SNAP, Vault sees every binary file as it is opened, and every library load as it occurs. Because there is already a token established between NVIDIA BlueField-4 and the DOCA SNAP file system, no host credentials are required for DOCA Vault to compute file hashes inline.
The hashes are then validated in real time against a manifest, either NVIDIA-provided or operator-supplied. If a binary on the remote file system does not match the manifest hash, execution is denied. If a file changes on the host (because something tampered with it), the hash mismatch is detected immediately. This delivers two of the four behavioral profiles, Profile 2 (execution intent) and Profile 3 (file access), with one architectural mechanism. The result is application control without needing operating-system gold-image hash tables and without any host agent. Validation happens at execution time, not at boot, and it happens out-of-band from the host.
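The manifest check described above, as an added conceptual example that is not DOCA Vault code: the mount class, paths, file contents and manifest layout are constructed. The toy mount accepts writes so that the execution-time check can be shown in isolation, and the manifest is keyed by path so that placement is checked as well as content.

```python
"""Conceptual model of manifest-based execution control. Added example,
not DOCA Vault code. Paths, contents and the manifest are constructed."""
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks, as the file data passes through."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_manifest(trusted_files):
    """Map each expected path to the hash of its trusted content."""
    return {path: sha256_stream(io.BytesIO(data))
            for path, data in trusted_files.items()}


def check_open_for_exec(path, stream, manifest):
    """Decide at open time whether a binary or library may execute."""
    expected = manifest.get(path)
    if expected is None:
        # New or relocated files fail here even if their content is known.
        return False, "path not in manifest"
    actual = sha256_stream(stream)
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "matches manifest"


class RemoteMount:
    """Toy stand-in for container files served over the remote mount."""

    def __init__(self, files, manifest):
        self.files = dict(files)
        self.manifest = manifest
        self.log = []  # one entry per execution attempt

    def write(self, path, data):
        # Writes succeed in this toy so tampering can be simulated.
        self.files[path] = data

    def exec_open(self, path):
        data = self.files.get(path)
        if data is None:
            verdict = (False, "no such file")
        else:
            verdict = check_open_for_exec(path, io.BytesIO(data), self.manifest)
        self.log.append((path,) + verdict)
        return verdict


# Constructed container contents that the manifest is built from.
TRUSTED = {
    "/usr/bin/agent": b"\x7fELF agent build 1 (constructed)",
    "/usr/lib/libtool.so": b"\x7fELF libtool (constructed)",
}


def demo():
    """Run clean, tampered, newly written and relocated execution attempts."""
    mount = RemoteMount(TRUSTED, build_manifest(TRUSTED))
    results = {}
    results["clean"] = mount.exec_open("/usr/bin/agent")
    # A library is modified after deployment.
    mount.write("/usr/lib/libtool.so", b"\x7fELF libtool patched")
    results["tampered"] = mount.exec_open("/usr/lib/libtool.so")
    # A self-modifying agent writes a new binary.
    mount.write("/tmp/new_skill", b"\x7fELF written by agent")
    results["morphed"] = mount.exec_open("/tmp/new_skill")
    # A trusted binary is copied to an unexpected location.
    mount.write("/tmp/agent", TRUSTED["/usr/bin/agent"])
    results["relocated"] = mount.exec_open("/tmp/agent")
    # The untouched original still validates on every later open.
    results["clean_again"] = mount.exec_open("/usr/bin/agent")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```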
Agent escape and morphing prevention
The agentic AI breakout scenario, where an agent modifies itself, builds new applications, or bypasses sandbox constraints, has become a meaningful concern over the past year. With Vault and the Application Control mechanism above, the architectural response is direct. A morphed binary is, by definition, not in the manifest. DOCA Vault denies execution. A self-modifying agent that writes a new binary to disk produces a hash that fails manifest validation, and DOCA Vault prevents the binary from being executed and prevents the morphed binary from accessing any of the files outside the policy. As Arkin explained, "Vault becomes a sandbox by itself, operating from its own trust domain with no host-side API to attack."
AI Memory Protection on the Context Memory layer
STX introduces the NVIDIA CMX context memory storage platform, which lets storage targets serve KV-cache and retrieval state to agents at performance levels that previously required GPU-side recomputation. NVIDIA CMX is a high-value, sensitive memory tier. Per-agent retrieval state, intermediate reasoning context, and cached embeddings all live there. NVIDIA pairs CMX with a memory protection mechanism: ACLs derived from the same security plane as Vault are pushed to OVS-DOCA, which enforces them at the NVIDIA CMX boundary. Memory protection becomes per-agent, per-context, in silicon. This is a distinct ARMOR Infrastructure Security capability worth tracking independently of file-level Data Security.
Continuous Verifiable AI: attestation as the basis for agent identity
The strategic thread that ties the technical mechanics back together is what Ofir called Continuous Verifiable AI. Two facts about a running container can now be established with hardware-level confidence. First, that the code being executed is the code that was supposed to be executed, established via DOCA Argus container image hash matching at runtime. Second, that the runtime is maintaining its integrity, established via continuous DOCA Vault and Argus observation of process-to-file-to-action behavior. Those two together form an attestation base.
An identity provider, integrated with the AI Security Gateway running as a reverse proxy on NVIDIA BlueField, can issue tokens for autonomous agent communication conditioned on that attestation. As long as the container's code is yours and its runtime is intact, the agent receives a token to communicate. The moment integrity is violated, the token is invalidated and the agent is cut off from the network at OVS-DOCA. This is the identity-bound, hardware-rooted gateway pattern enterprises have been asking for in agentic AI, made implementable on a single platform.
Confidential computing as a complement, not replacement
Confidential computing solves a specific problem: data at rest and data in transit, protected through CPU-to-GPU encrypted memory and disk encryption. It does not solve runtime security. A successful breach of a confidential computing boundary still allows the breached workload to access data within its enclave. Vault and Argus address that runtime gap. When an agent goes off-policy, the cord is cut immediately. Confidential computing and Vault are complementary primitives, not competing ones; both belong in the architecture.
Multi-layer enforcement, end to end across the pod
Vault enforces at the initiator, because that is where session context lives. The JBOF runs only OVS-DOCA, because the JBOF does not have the process-level visibility to make policy decisions on its own. For routine operation, that division of labor is the design. For incident response, the two cooperate. When Vault decides at the initiator to cut a container off from its storage, OVS-DOCA on the JBOF receives an ACL push and enforces the disconnection a second time at the storage target. This is defense-in-depth across the pod, with the right enforcement at the right tier, none of it dependent on the host.
ARMOR Alignment
The table below maps the capabilities in this release to ARMOR's six domains plus the cyber resilience through-line, with the technical justification for each placement.
| ARMOR Domain | What is new at this GTC | Where it lands technically | Net impact |
| --- | --- | --- | --- |
| Infrastructure Security | BlueField-4 lands as a uniform out-of-band security processor on every node type in the agentic AI factory: AI Node (CPU + GPU + BlueField + ConnectX), AI Data Platform (CPU + GPU + BlueField), and the BlueField-4 STX JBOF (2x BlueField). Operates from a separate trust domain via Astra (the NVIDIA BlueField Advanced Secure Trusted Resource Architecture). | A uniform PCIe Gen6 trust boundary with 800 Gb/s line-rate enforcement, trusted even when host resources are under attack. | Strong material lift. |
| Data Protection | DOCA Vault establishes a Zero-Trust Access Layer for File-based Storage. Built on DOCA SNAP Virtio-fs (DOCA Device Emulation SDK + Virtio-fs DOCA Transport + Virtio-fs Target Core + SPDK fsdev). Vault builds session context per request, captures process-to-file-to-action, and enriches the PID with Argus realtime memory introspection data for full attribution. | Per-process, per-file zero-trust policy applied in silicon on the IO path. | Largest single gap closed. |
| Secure AI Operations | DOCA Argus is repositioned as realtime situational awareness for AI workloads. New telemetry surfaces: container image hash and digest hash (for AI discovery against Hugging Face, NGC, GitHub), container-to-pod mapping, and GPU telemetry sourced off-host. Local AI/ML module on BlueField (NVIDIA Morpheus GNN-based autoencoder) plus partner XDR integration. | Detect, decide, enforce loop collapses across Vault, Flow, and Argus on a single platform. | Strong material lift. |
| Model Protection | Vault enforces R\|O policy on model files so only the loading process can read them, while all other processes are denied access entirely. Argus container image hash matching detects unauthorized model artifacts pulled from upstream repos. | Storage-side, identity-bound enforcement on model artifacts and against agent escape, without sacrificing inference throughput. | Significant enabler. |
| Governance, Risk, and Compliance | Continuous Verifiable AI: container image hash plus continuous runtime integrity attestation from Vault and Argus combine as an attestation base for identity providers to issue tokens for autonomous agent communication. | High-fidelity audit trail for AI data access events plus a hardware-rooted attestation primitive for agent identity. Aligns to NIST AI RMF and CSA AI Security guidance. | Indirect but meaningful, particularly in regulated and sovereign contexts. |
| Secure Development Lifecycle | Drift Prevention via Vault: configuration files, agent skills, and runtime artifacts on remote mounts cannot be modified or added without violating policy. The remote NFS execution pattern allows real-time hash validation of every binary and library executed inside the container. | Application Control without operating-system gold-image hash tables. Drift detection becomes inline enforcement. | Modest direct uplift. |
| Cyber Resilience (through-line) | AI Memory Protection: ACLs pushed from the security plane to OVS-DOCA enforce policy on the Context Memory (CMX) layer for KV-cache and retrieval state. Multi-layer enforcement: Vault at the initiator, OVS-DOCA at the JBOF for storage disconnection. Argus telemetry feeds NVIDIA Morpheus and partner XDR platforms. | A closed-loop security-for-AI plus AI-for-security operating model. Initiator-side detection with multi-tier enforcement, end-to-end across the pod. | Strongest articulation of the resilience flywheel to date. |
The AI-for-Security flywheel
One last operating model to note. With Vault, Argus, and Flow producing process-attributed telemetry across every NVIDIA BlueField-4 in the factory, and with NVIDIA AI Enterprise software, such as NVIDIA NIM microservices, NVIDIA NeMo Retriever, and NVIDIA Morpheus available on the same NVIDIA BlueField-4 plane or on the AI Data Platform tier, the cybersecurity partner ecosystem now has both the raw material and the compute to build their own AI factories for security intelligence. Telemetry in, AI processing in the middle, Requested Response Actions back through OVS-DOCA and Vault. That is the closed-loop security-for-AI plus AI-for-security operating model that the ARMOR framework has been articulating since its launch in January 2026. With this release, it stops being aspirational and becomes implementable on a single platform.
Trademarks and attributions
ARMOR (AI Readiness Model for Operational Resilience) is a framework developed by World Wide Technology in collaboration with NVIDIA. © 2026 World Wide Technology, Inc. All rights reserved.