In various discussions of Security Architecture, I have read that HSMs can be configured with rate limiting on the number of encryptions/decryptions that can be performed in a given amount of time. If I understand correctly, the purpose of a rate limit would be to limit the damage that would come from a hacker that manages to compromise a server that is authorized to make use of the HSM. For example, if an API server had 1000 encrypted files that each stored the data for one customer, then a hacker that compromised the API server would have to ask the HSM to decrypt each of those 1000 files to steal all of the data. A rate limit of, say, 10 files per hour would make it very time consuming for the hacker to get all of the data for all of the customers. Ideally, the hacker would be detected and booted out before they got too much data.
This led me to think about the possibility of implementing a method for stopping decryptions from taking place that involved having the HSM send requests to other external services, rather than relying solely on an internal system clock. Going back to the previous example, if the HSM received a request from the API server, could the HSM then send a request to the API's authentication server to ask if that particular customer had actually authenticated recently? If the user hadn't successfully logged in within the last 10 minutes, then the HSM could refuse to perform the decryption operation, and the data would be safe.
This would essentially mean that the hacker would need to compromise both the API server and the authentication server to decrypt and steal all of the data for all of the users (assuming the API server and the authentication server are two completely independent servers). The hacker could still steal the data of customers that happen to log in while the API server is breached, but getting ALL of the data would require waiting for all of the customers to log in at least once.
Are any HSMs capable of sending requests and taking an action based on the response? Or are they all limited to simpler things like rate limiting?
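The design sketched in the question can be modelled as a policy gate that sits between the API server and the HSM and refuses a decryption unless both controls pass: the customer's last successful login is recent enough, and a sliding-window rate limit still has budget. The following is an added example, not code from the question or from any HSM vendor. It assumes the HSM itself does not make outbound calls, so the auth-recency check lives in a separate key-release service (`DecryptGate`) in front of it; the HSM is a stand-in class that keeps the key and does an HMAC-based toy decryption so the example runs on the standard library only, and the "ask the authentication server" step is stubbed as a lookup function. `simulate_breach` plays out the question's scenario: an attacker on the API server asks for every customer's record at once, and the audit log shows how many decryptions were granted versus denied for each reason.

```python
import hashlib
import hmac
import os
from collections import deque

# --- Stand-in for the HSM (constructed for this example, not a real HSM API) ---
class ToyHsm:
    """Holds the key and performs decryption. The keystream-plus-tag scheme is a
    toy built from HMAC-SHA256 so the example needs only the standard library."""
    def __init__(self, key: bytes):
        self._key = key
    def _stream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]
    def encrypt(self, pt: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(pt, self._stream(nonce, len(pt))))
        return nonce + ct + hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication tag mismatch")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

# --- Policy gate (hypothetical key-release service) in front of the HSM ---
class DecryptGate:
    """Grants a decryption only if (a) the customer authenticated recently, per a
    lookup against the auth server, and (b) the sliding-window rate limit has budget."""
    def __init__(self, hsm, last_login, clock, max_calls, window_s, freshness_s):
        self._hsm, self._last_login, self._clock = hsm, last_login, clock
        self._max, self._window, self._fresh = max_calls, window_s, freshness_s
        self._granted = deque()   # timestamps of granted calls inside the window
        self.audit = []           # (time, customer, decision) records for the SOC

    def decrypt_for(self, customer: str, blob: bytes) -> bytes:
        now = self._clock()
        login = self._last_login(customer)          # None if the customer never logged in
        if login is None or now - login > self._fresh:
            self.audit.append((now, customer, "DENY_STALE_AUTH"))
            raise PermissionError(f"{customer}: no login within {self._fresh}s")
        while self._granted and now - self._granted[0] >= self._window:
            self._granted.popleft()                  # drop grants that fell out of the window
        if len(self._granted) >= self._max:
            self.audit.append((now, customer, "DENY_RATE_LIMIT"))
            raise PermissionError("rate limit exhausted")
        self._granted.append(now)
        self.audit.append((now, customer, "ALLOW"))
        return self._hsm.decrypt(blob)

def simulate_breach(n_customers=1000, recent=5, max_calls=3, window_s=3600, freshness_s=600):
    """Constructed scenario: an attacker on the API server requests every customer's
    blob at t=1000; `recent` customers logged in 60 s ago, the rest a day ago."""
    hsm = ToyHsm(os.urandom(32))
    t = [1000.0]
    clock = lambda: t[0]                             # controllable clock instead of time.time
    logins = {f"cust{i}": (clock() - 60 if i < recent else clock() - 86400)
              for i in range(n_customers)}           # stands in for the auth server's records
    blobs = {c: hsm.encrypt(f"record for {c}".encode()) for c in logins}
    gate = DecryptGate(hsm, logins.get, clock, max_calls, window_s, freshness_s)
    stolen = 0
    for c, blob in blobs.items():
        try:
            if gate.decrypt_for(c, blob) == f"record for {c}".encode():
                stolen += 1
        except PermissionError:
            pass
    denied = [d for _, _, d in gate.audit if d != "ALLOW"]
    return {"stolen": stolen,
            "denied_stale_auth": denied.count("DENY_STALE_AUTH"),
            "denied_rate_limit": denied.count("DENY_RATE_LIMIT")}

if __name__ == "__main__":
    print(simulate_breach())
```

With the defaults, the attacker gets only the 3 records the rate limit allows out of the 5 customers with a fresh login; the other 995 requests are refused for stale authentication, and every refusal lands in the audit list, which is the signal a detection team would alert on: a burst of `DENY_*` decisions from one caller is exactly the pattern a compromised API server produces. The two checks are independent, so a weakness in either (an attacker who also controls the login records, or a window that is too generous) still leaves the other in place.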