The defense industrial base’s CUI sits as plaintext on most cloud platforms. AI has made compromising those servers cheap — and when the server falls, the plaintext falls with it. End-to-end encryption keeps CUI encrypted in the cloud, so a breach of the server is not a breach of the data.
On April 7, 2026, Anthropic announced Claude Mythos Preview — a frontier AI model that identified thousands of previously unknown high-severity vulnerabilities, across every major operating system and web browser, and produced working exploits for many of them.
Anthropic, which has every commercial incentive to release its frontier models, judged Mythos too dangerous to commercialize. Instead, it formed Project Glasswing — a consortium that includes Microsoft, Google, AWS, Apple, NVIDIA, CrowdStrike, and JPMorgan Chase — to direct the capability toward defense. The hyperscalers whose cloud platforms hold most of the world’s enterprise data judged the threat severe enough to join. When the company that built it judges it too dangerous to sell — and the providers running the cloud judge it severe enough to coordinate against — IT and compliance leaders should pay attention.
Most Cloud Services Hold Plaintext at the Server
Almost every major cloud service holds plaintext at the server. Most people assume that because data is encrypted in transit and at rest, it is encrypted all the time. It is not. While in use, the data is decrypted in the provider’s memory, with the keys held by the provider.
The security model is perimeter defense: make the cloud infrastructure hard to penetrate, and layer controls — authentication, monitoring, segmentation — around the plaintext data. This is the model for Google Workspace and Microsoft GCC High. GCC High adds further protections — U.S.-persons-only operation, FedRAMP High, Impact Level 4 — but the architectural property is unchanged: the provider can decrypt the data.
Even Before AI the Security Cracks Showed
For most of the cloud era, that model was somewhat defensible. Sophisticated server-side attack required resources largely confined to nation-state actors, and large providers defended their infrastructure competently — until they didn’t.
In 2023, a Chinese state-sponsored group stole a Microsoft consumer signing key — one that, by Microsoft’s own account, should have been retired in 2021. Combining it with a token validation flaw, the attackers forged authentication tokens that worked against essentially any Exchange Online enterprise mailbox in the world. They reached more than 500 individuals across 22 organizations, including senior U.S. officials managing the U.S.–China relationship. The Cyber Safety Review Board called the breach a “cascade of avoidable errors” that “should never have happened.” As of the CSRB’s report, Microsoft still could not explain how the key was stolen.
The breach, known as Storm-0558, was not isolated. SolarWinds had already shown how one supply-chain compromise could propagate through hundreds of federal and corporate networks. The 2024 Salt Typhoon intrusions reached the core of eight major U.S. telecommunications providers. A pattern was visible: when a provider holds the keys, one provider-side failure exposes every user whose data the provider holds. The exposure is architectural, not accidental. This was before AI arrived in earnest.
AI Collapses the Cost of Server-Side Attack
In November 2025, Anthropic disclosed that a Chinese state-sponsored group had used a jailbroken Claude Code agent to execute 80 to 90 percent of the tactical operations in a coordinated espionage campaign against thirty organizations — at what Anthropic described as “physically impossible request rates.” In May 2026, Google’s Threat Intelligence Group identified the first AI-developed zero-day exploit deployed in the wild and reported that adversaries are now using AI “as expert-level force multipliers for vulnerability research and exploit development.”
The architectural implication is direct. Sophisticated server-side attack is moving from rare and expensive to routine and cheap. The long, multi-step planning it requires is precisely what frontier models now do well. The theoretical vulnerability of cloud-plaintext architecture is no longer theoretical.
End-to-End Encryption: Protecting CUI Even When the Cloud Is Breached
The federal agencies most capable of assessing nation-state threats have been pointing at end-to-end encryption for years. In 2019, the State Department, in consultation with the NSA, adopted ITAR §120.54 — codifying end-to-end encryption as a means to transfer and store export-controlled defense data. Following the 2024 Salt Typhoon intrusions, CISA issued public guidance recommending that high-value targets use only end-to-end encrypted communications. The architectural standard was set six years before AI made it broadly consequential.
In a true end-to-end encrypted system, data is encrypted on the sender’s device. Keys exist only on user devices — never on the cloud servers that store, route, or process the data. No intermediary, including the cloud provider, has any technical means to read the data while it is in its custody. The cloud holds ciphertext, and only ciphertext.
Figure 1. Architectural difference. In conventional cloud, every internal service can decrypt the data; a breach of any one reaches plaintext for all users. In end-to-end encryption, the cloud holds only ciphertext and keys live only on user devices.
In the AI era, the servers of E2E systems will be attacked just like those holding plaintext. But where a plaintext breach yields the data, an E2E breach yields only ciphertext — useless without keys that exist only on user devices.
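The architectural difference described above, as an added sketch that is not code from this article or from any vendor it names: it compares what a full dump of server state yields when the provider holds the key versus when data is encrypted on the sender's device to a key held only on the recipient's device. The function names, the X25519 + HKDF + AES-256-GCM construction and the sample documents are assumptions made for the example.

```javascript
const crypto = require('node:crypto');
// Constructed sample documents standing in for CUI.
const DOCS = ['constructed sample: drawing notes', 'constructed sample: parts list'];

// AES-256-GCM helpers. A sealed blob is { iv, ct, tag }.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Per-message key from an X25519 shared secret, stretched with HKDF-SHA256.
function messageKey(privateKey, publicKey) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo', 32));
}

// Sender's device: encrypt to the recipient's public key; only the blob is uploaded.
function encryptOnDevice(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519');
  const blob = seal(messageKey(eph.privateKey, recipientPublicKey), plaintext);
  return { ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }), ...blob };
}
// Recipient's device: the private key never leaves it.
function decryptOnDevice(recipientPrivateKey, blob) {
  const ephPub = crypto.createPublicKey({ key: blob.ephPub, type: 'spki', format: 'der' });
  return unseal(messageKey(recipientPrivateKey, ephPub), blob);
}

// Server state as a full dump would expose it: stored keys plus stored blobs.
function providerKeyedServer(docs) {
  const key = crypto.randomBytes(32); // provider generates and holds the key
  return { keys: [key], blobs: docs.map((d) => seal(key, d)) };
}
function e2eServer(recipientPublicKey, docs) {
  return { keys: [], blobs: docs.map((d) => encryptOnDevice(recipientPublicKey, d)) };
}

// Try every key present in the dump against every blob; return what decrypts.
function readableFromBreach(dump) {
  return dump.blobs.flatMap((blob) => dump.keys.flatMap((key) => {
    try { return [unseal(key, blob)]; } catch { return []; }
  }));
}
```

The sketch covers confidentiality against a server-side dump only; it does not authenticate the sender or handle key storage and recovery on devices.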
Why CMMC Compliance Isn’t Enough for CUI in the AI Era
CMMC was created to protect Controlled Unclassified Information. Compliance is the mechanism; protection of CUI is the purpose.
In the AI era, those two things can come apart. The DIB now faces a choice between two architecturally different cloud platforms that both satisfy CMMC compliance. Legacy platforms that decrypt CUI on the server are compliant but increasingly vulnerable to attacks on the cloud infrastructure itself. End-to-end encrypted platforms are compliant — and aligned with the purpose CMMC was created to serve: keeping CUI protected even when the cloud infrastructure is breached.
AI-driven adversaries will attack both. Only one is designed to withstand them.
Microsoft GCC High represents the former. It is a capable, compliant offering well-suited to large enterprises — but the architectural property is unchanged: Microsoft holds the keys, Microsoft’s services decrypt the data, and a sufficiently capable attacker reaching that infrastructure reaches plaintext. Storm-0558 happened in commercial Exchange Online, not GCC High; the architectural vulnerability is identical in both. Certifications certify controls. They do not change the architecture.
PreVeil represents the latter. PreVeil was designed at MIT from the ground up for precisely the threat environment now unfolding — the assumption that attacks on cloud infrastructure would increase and inevitably succeed, and that CUI therefore had to be protected by architecture rather than by perimeter. The cloud holds ciphertext; keys live only on user devices; a breach of the server is not a breach of the data.
The deployment model is a CUI enclave: separate CUI onto an end-to-end encrypted platform the provider cannot decrypt, and keep general productivity on existing cloud where the features justify the exposure. PreVeil sits side-by-side with the user’s existing Microsoft 365 or Google Workspace — on their existing computer or within the same VDI — under the same email address. This is a targeted addition, not a wholesale migration. It satisfies the controls CMMC specifies — and the intent CMMC was created to serve: protecting CUI from the adversaries the program was built to defend against.
Figure 2. PreVeil sits side-by-side with the user’s existing Microsoft 365 or Google Workspace, on their existing computer or within the same VDI. The cloud provider holds plaintext for general productivity and only ciphertext for CUI.
The path is operationally proven. More than 3,000 defense contractors use PreVeil for CMMC and ITAR workloads, the vast majority small and medium businesses. More than 85 have achieved CMMC certification on PreVeil. The PreVeil service is FedRAMP Moderate Baseline — the level required by DFARS 7012 and CMMC — with CUI stored on US-Person-Only AWS GovCloud (FedRAMP High).
Both deliver compliance. Only one is built for the AI threat.
The white paper “End-to-End Encryption When AI Shifts Threat Economics” covers the full architectural analysis — including how to evaluate E2E vendors, the administrator-compromise problem and its cryptographic solution, and the CMMC implementation path.