The eight mechanisms are not presented as universal cloud failure. They are the basis for the segmented H1 claim under Tier 1 scope: privileged, regulated, high-IP, or otherwise sensitive professional work where third-party runtime exposure is itself material.
M001Inference-time plaintext exposure on third-party infrastructure.
Dense transformer inference requires user content to be cleartext in host memory at the moment of token generation.
Strongest steel-man counterApple PCC claims stateless computation, deletion after response, non-targetability, attested nodes, public software images, and researcher verification; confidential-computing variants rely on TEE attestation.
Adversarial assessment outcomeVERIFIED The steel-man defends partially but is breached by AI-specific 2024-2025 academic attacks. Trail of Bits is cited as stating homomorphic encryption does not currently scale to Apple cloud AI workload.2321
M002Supply-chain compromise at the inference layer.
Cloud and live-network-pulling local stacks alike inherit the AI dependency graph: model registries, package indexes, transitive dependencies, MCP servers, gateway proxies.
Strongest steel-man counterThe symmetric supply-chain objection: local systems can be compromised too.
Adversarial assessment outcomeVERIFIED The LiteLLM event inverts the objection: compromised PyPI packages hit live dependency paths, while the official Proxy Docker path was not affected because dependencies were pinned.1
M003Log retention and U.S. statutory compulsory-process exposure.
18 U.S.C. section 2713 reaches provider-held data regardless of storage location; Section 2705(b) and NSL nondisclosure provisions can block customer notice.
Strongest steel-man counterSection 2702 content bars, warrant practice, and transparency reports narrow some exposure.
Adversarial assessment outcomeVERIFIED The counter does not eliminate provider possession, gagged process, or the NYT v. OpenAI preservation record.789
M004Privilege waiver and discovery exposure.
Consumer or open cloud AI use outside counsel direction can create privilege and discovery exposure.
Strongest steel-man counterABA Formal Opinion 512 and state-bar opinions provide a compliant cloud path with proper competence, consent, confidentiality, supervision, and fees controls.
Adversarial assessment outcomeVERIFIED Heppner and Jeffries show the failure mode in privilege and discovery contexts, while preserving a narrower counsel-directed path.101112
M005Vendor lock-in and unilateral platform risk.
Provider-controlled retirements, pricing, routing, and content-policy changes force revalidation on the provider's schedule.
Strongest steel-man counterMarket competition produces newer, better, often cheaper-per-unit-intelligence models, and customers can reroute.
Adversarial assessment outcomeVERIFIED OpenAI February 13, 2026 ChatGPT retirements included GPT-4o, GPT-4.1, GPT-4.1 mini, o4-mini, GPT-5 Instant, and GPT-5 Thinking. GPT-5.5 API pricing was recorded as 5 dollars per million input tokens and 30 dollars per million output tokens; GPT-5.5 Pro pricing was recorded as 30 dollars per million input and 180 dollars per million output tokens. OpenRouter reported 49 to 92 percent observed cost increases for selected GPT-5.4 to GPT-5.5 switches.45
M006Embedded values-layer behavior as silent override.
Behavioral dispositions baked into weights or post-training can alter refusal, framing, vulnerability, and compliance behavior without operator control.
Strongest steel-man counterProviders test, monitor, and roll back; customers can choose different providers.
Adversarial assessment outcomeVERIFIED CrowdStrike DeepSeek R1 study used 30,250 prompts per LLM and reported 91 percent human-annotator concordance for the LLM-judge process. CrowdStrike finding as recorded: 19 percent baseline vulnerable-code rate, 27.2 percent Tibet-context rate, and more than 45 percent Falun Gong-context refusal rate. NIST CAISI DeepSeek evaluation is cited as finding 12 times greater agent-hijacking susceptibility.1516
M007Cumulative-profile surveillance capacity.
Prompts, drafts, corrections, and queries are intent-revealing and longitudinally aggregable under provider retention and legal-process regimes.
Strongest steel-man counterTransparency reports show small absolute volumes; warrant practice provides procedural protection.
Adversarial assessment outcomeVERIFIED at capability-and-incentive level and PLAUSIBLE-to-CREDIBLE on realization rate.89
M008Cognitive monoculture and reasoning homogenization.
Population-level convergence of language, framing, reasoning, and idea production can emerge when many professionals use a small set of dominant models.
Strongest steel-man counterUsers retain agency and tools are used selectively.
Adversarial assessment outcomePLAUSIBLE-to-CREDIBLE with rising evidence; this is the weakest current mechanism in the record.18