Introduction

Securing the AI Software Stack: A Critical Need

The field of Artificial Intelligence (AI) is constantly evolving, and the software stack that supports it is becoming increasingly complex. Open-source software (OSS) is playing a critical role in driving AI adoption forward at an unprecedented pace. The Octoverse 2025 report revealed that over 1.1 million public repositories now import a Generative AI SDK on GitHub, with new projects growing at a 178% year-over-year rate. This surge highlights the importance of the OSS community in ushering in the AI era. However, the vast number of OSS contributions also introduces significant challenges in maintaining a robust, enterprise-grade AI software stack.

The dynamic nature of the AI field presents additional challenges as security vulnerabilities become more numerous, requiring continuous vigilance. A report by Synopsys on open-source security and risk analysis revealed a 236% increase in high-risk attack patterns in OSS vulnerabilities across big data, AI, Business Intelligence, and machine learning over the past five years.

To address these challenges, NVIDIA introduced NVIDIA AI Enterprise, an end-to-end, cloud-native software platform that accelerates data science pipelines and streamlines the development and deployment of production-grade AI. It is built on open-source software curated, optimized, and supported by NVIDIA, and also includes additional proprietary components that orchestrate and optimize the use of physical resources, such as GPUs, networking, and servers.

NVIDIA AI Enterprise software is split into two categories: Application software and Infrastructure software.

The Application software includes NVIDIA NIM microservices, as well as AI and data science frameworks, libraries, and SDKs for agentic AI, physical AI, and other AI and accelerated computing workloads. This software is published in Kubernetes containers.

The Infrastructure software enables and optimizes the use of NVIDIA GPUs and Networking. It includes hardware and virtualization drivers, K8s operators, NVIDIA Run:ai for AI workload and GPU orchestration, and Base Command Manager software for cluster management. Some components of the infrastructure software, such as Kubernetes operators, are built on open source, while other parts are proprietary binaries.

The rest of this paper focuses on how NVIDIA secures, maintains, and delivers open source software so that developers can focus on building and deploying new AI services.

Software Branches for Use Case Flexibility

NVIDIA works to actively patch vulnerabilities as they are identified and publish updates in a timely manner. However, we recognize that different types of software are used in different ways. So, we have organized the way we publish software to give customers flexibility while still maintaining security.

Figure 1: NVIDIA AI Enterprise Software Branches

All application software is updated monthly with the latest top-of-tree features, in what are known as Feature Branches.

For certain microservices, foundation AI tools, and frameworks, we also create a Production Branch. This is done by designating a specific software version as the production branch version and maintaining that version for 9 months. Customers can use production branch software as part of production applications. They benefit from regular security updates without having to worry about API changes that could break their application.

Long-term support branch software follows a similar principle to production branch software, except that it covers a smaller subset of the foundation AI tools and frameworks and includes a stable version of the infrastructure software collection. It is targeted at highly regulated industries such as health care and government.

Through the NVIDIA AI Enterprise subscription, enterprises have access to all branches, providing them with peace of mind. They have the flexibility to choose the branch that is best for their development and deployment without compromising on security. For more information on these various software branches, see the NVIDIA AI Enterprise Lifecycle Policy.

NVIDIA designates a subset of software as "Government ready" to indicate that it meets the security requirements to be used in a customer's FedRAMP High or equivalent boundary. FedRAMP and equivalent sovereign workloads require heightened security. As part of the systems acquisition process, a customer selecting software for these workloads carries significantly more responsibility than for less sensitive workloads for ensuring that the software meets or exceeds the security and functionality requirements. Learn more about our Government ready software in the white paper AI Software for Regulated Environments.

Ensuring Enterprise Container Security

NVIDIA recognizes that ensuring the security of container images involves more than just securing the software components they contain. It covers the entire container development process, which requires following leading security practices.

The following sections outline NVIDIA’s methods to strengthen container security in the application layer software of the NVIDIA AI Enterprise software stack, emphasizing our dedication to protecting enterprise AI applications. Many of these methods also apply to the parts of the infrastructure layer software that are delivered as containers.