Technical Brief  ·  Infrastructure Analysis  ·  March 31, 2026

The Inference Window

Your client's documents are encrypted until the moment the AI has to read them.
That moment happens on infrastructure you do not control.
This is not a vulnerability. It is the architecture.

A ORIGIN Attorney submits privileged matter to cloud AI Firm controls B ENCRYPTED TRANSIT TLS encryption. SOC 2. GDPR. Standard controls apply. Badges cover this C ARRIVAL Packet reaches third-party data center. Vendor env. Vendor controls D INFERENCE Encryption stripped. Plaintext. AI reads client data here. No badge covers this E DEPENDENCY LAYER App runs on open source libs from public registries. Firm never sees this F RESPONSE AI output returned. Session complete. Attorney sees nothing. But what happened at D?
Firm controls / badges apply
Vendor-controlled environment
Unaddressed by standard controls
Session complete, exposure unknown

Step D is the only moment that matters for confidentiality.

An AI model cannot process ciphertext. To generate output, the model must receive the input in machine-readable plaintext. This is a computational requirement, not a design flaw. The decryption occurs on third-party infrastructure, inside a software stack the firm has not audited, operated by personnel the firm does not supervise.

Every standard security control — SOC 2, BYOK, zero-training commitment, GDPR compliance — addresses a different step than D. The LiteLLM breach on March 24, 2026 did not create this exposure. It confirmed that a sufficiently positioned attacker could reach plaintext client data at Step D without defeating any of those controls.

95M LiteLLM monthly
downloads
36% Cloud environments
containing LiteLLM
(Wiz, March 2026)
~300GB Credentials
exfiltrated
(Vx-Underground est.)
What each control actually covers
SOC 2
Past controls within audit scope
Does not certify runtime dependency integrity at Step D
BYOK
Key custody for stored data
Key must unlock data before inference. Step D is unprotected.
Zero Training
Downstream reuse after session ends
Does not address session-time exposure at Step D
Encryption
Data in transit and at rest
Must decrypt at Step D. That window is not covered.

"The badges and the breach addressed different moments. The badges covered Steps B and C. The breach hit Step D. Both were simultaneously true because no standard control was ever designed to address inference-time plaintext on third-party infrastructure."

CloseVector Research · March 31, 2026 · Based on LiteLLM incident reporting and U.S. v. Heppner, SDNY Feb. 17, 2026
Infrastructure commentary only. Nothing on this page constitutes legal advice or professional responsibility guidance. Heppner: United States v. Heppner, No. 25 CR. 503 (JSR), 2026 WL 436479 (S.D.N.Y. Feb. 17, 2026). 300GB figure attributed to Vx-Underground via SecurityWeek; partner attribution mixed across reporting sources as of March 31, 2026. LiteLLM confirmed official Proxy Docker image was not impacted; exposure path was unpinned PyPI installations and transitive dependencies. Consult qualified counsel before making AI deployment decisions for privileged work.