Field notes · Case F-13 · Lifecycle

Decommissioning is a security program, not a disposal ticket

Every device that ever held data leaves the building eventually. In an AI facility that is thousands of drives per refresh, and the exit deserves the same engineering as the entrance.

Security architecture obsesses over how things enter: vetted people, inspected deliveries, badged doors. Almost nothing in the standard playbook governs how things leave. Yet a hyperscale refresh cycle pushes pallets of storage out of the building on a schedule, each drive a container of customer data, credentials, or model checkpoints, and the whole flow is typically managed as a facilities ticket with a disposal vendor attached.

Your last control is a certificate signed by the lowest bidder.

The inventory nobody keeps

The decommissioning program is only as good as its definition of data-bearing device. Drives, obviously. But also the flash inside management controllers, switches and appliances that hold configurations and credentials, accelerator trays with onboard storage, and the failed units that cannot be wiped because they no longer power on. If it stored anything, it leaves through the program. In our reviews, the failure bin is the most consistent gap: dead drives accumulate in an unlocked cabinet, owned by nobody, until a vendor sweep takes them somewhere on faith.

Engineering the exit

Decommissioning is where asset protection, data security and compliance converge on the same pallet. Sites that treat it as a program discover they already had the muscle: it is the intake process, run in reverse, with the same seriousness.

We have followed pallets all the way to the shredder. If your certificates go unchecked, we know that gap well.