Confidential AI computing
Confidential AI computing is the most credible near-term way to reduce cloud-model trust without waiting for fully homomorphic LLM inference.
The model still processes plaintext, but only inside an isolated, hardware-backed execution environment. The client verifies evidence that the expected hardware and code are running before releasing a decryption key for the request.
This is not conventional end-to-end encryption. It is not zero knowledge. It is attested confidential processing.
What a TEE changes
A trusted execution environment, or TEE, is designed to isolate code and data from the ordinary host operating system, hypervisor, and infrastructure operators.
Modern CPU and GPU confidential-computing stacks can produce a remote-attestation report that identifies:
- hardware and firmware state
- secure-boot and debug configuration
- the measured software image
- a public workload key bound to the attested workload
The report does not automatically prove an arbitrary model name or weight file. The measured application must bind its model hash or manifest to a signed release policy, and the client must compare that policy with the quote.
The report needs a fresh client nonce. Otherwise an attacker could replay old evidence for a now-changed machine.
NVIDIA documents attestation for Hopper-class confidential GPUs. RATS and EAT RFCs provide useful standards for reasoning about attestation roles and evidence.
A defensible request flow
- The client sends a fresh nonce to the workload.
- The workload creates an ephemeral HPKE public key inside the TEE and returns an attestation quote binding that key, the nonce, hardware chain, patch level, debug state, measured application, and approved release entry.
- The client verifies the quote and the separately signed model manifest against its local policy.
- It encrypts the prompt, selected document chunks, and necessary conversation state directly to that attested ephemeral public key.
- The workload decrypts and processes the request; its private key remains inside the measured environment and expires after the request or short session.
- The worker processes the request without a general-purpose shell, debugger, or unrestricted egress.
- It returns the response over the bound encrypted session. The client stores a local privacy receipt: route, release ID, model, time, and attestation verdict, but not prompt content.
sequenceDiagram participant C as Client participant W as TEE workload C->>W: 1. fresh nonce W->>C: 2. attestation quote plus ephemeral HPKE key C->>C: 3. verify quote and signed model manifest C->>W: 4. encrypt prompt and context to the attested key W->>W: 5. decrypt inside the TEE, private key stays inside W->>W: 6. process without shell, debugger, or open egress W->>C: 7. response over the bound session C->>C: store local privacy receipt, not the prompt
The plaintext must not terminate at an ordinary load balancer, observability service, analytics SDK, or support proxy before the TEE.
What must be inside the boundary
Protecting only the GPU is not enough. The attested boundary must cover:
- request and response plaintext
- conversation context and KV cache
- document chunks and embeddings used remotely
- intermediate tensors
- model weights and adapters
- authentication and rate-limit decisions
- logs, crash handling, and dynamic configuration
The runtime must measure or transparently version every component that can change its behavior. Otherwise a safe code image can load unsafe logic after boot.
Current reference points
Apple Private Cloud Compute security guide is a high standard: it describes stateless processing, restricted operational interfaces, hardware attestation, published release information, and transparency designed for client verification.
Brave Leo TEE pilot shows a smaller, real-world confidential-inference pilot. Its first stage has Brave perform verification, and it says user-side end-to-end verification remains future work. That is an important product lesson: showing a green label is not the same as letting the user’s own client verify the quote.
Venice, Tinfoil, Privatemode, and other privacy-AI competitors also make confidential inference a live market, not a speculative one. Private AI competitors maps the differences.
Residual risk
TEEs reduce, but do not eliminate, trust:
- the endpoint may be compromised or unlocked
- hardware, firmware, microcode, and attestation services can fail
- side channels and implementation bugs are real
- the verifier’s policy can be wrong
- a user may approve a tool that sends data outside the enclave
- traffic timing, size, account, payment, and support metadata can remain visible
Market the system as “attested confidential processing.” Do not call it unbreakable, anonymous, or zero knowledge.
Venture path
A small venture should not build a general cloud first. It should prototype one narrow, open-weight model, one region, and one high-trust workflow through a verified TEE provider or partner.
The differentiator is the client verifier, release evidence, fail-closed mode, and professional workflow around it. Only sustained customer demand should justify operating an owned Swedish or EU inference cluster. Private AI services gives the staged commercial path.