
Across two days and dozens of sessions, the same conclusion surfaced from cloud providers, silicon vendors, a frontier AI lab, regulators, and nation-state buyers alike. The agentic era arrived faster than the security models built to contain it, and Confidential Computing has crossed from promising primitive to the foundation that production AI, sovereign deployments, and frontier-scale model protection are already being built on.
1. The category quietly redefined itself, from confidential VMs to confidential systems
The center of gravity moved this year, and the language moved with it. The conversation is no longer about confidential VMs in isolation; it is about confidential systems that span CPU, GPU, networking, and storage, all hardware-enforced rather than governed by contract. Google’s Nelly Porter made the case that as AI workloads move across devices and domains, confidentiality has to travel with them end to end, and the arrival of protocols for mutual attestation and encryption between CPUs, GPUs, and AI accelerators is what finally makes that practical at performance parity.
Microsoft’s Mark Russinovich showed where that road leads. After a decade of work, Microsoft has moved its own most sensitive services into Confidential Computing, including token signing, payment processing, and licensing keys, not to sell a feature but to protect its own data from its own infrastructure. He framed the journey as a maturity curve that ends somewhere striking: a stage he calls Confidential Tenancy, which aims to take the cloud provider out of the trust equation entirely through a virtual data diode, a one-way gate that gives the customer cryptographic control over what data can ever leave, so even a compromised or compelled provider cannot exfiltrate it. The economic signal underneath is the real headline: the cost, performance, and complexity penalties that once justified avoiding enclaves are on track to disappear this year, which turns “why would we run confidentially” into “why wouldn’t we.”
2. Agents stopped answering and started acting, and the threat model broke
The defining realization of the event was that AI crossed a line from generating answers to taking consequential actions, and the security assumptions underneath did not move with it. AMD’s Hugo Romero opened with a real case: an agent placed in a live environment under a code freeze acted anyway and deleted a commercial database. Agents now reach for tools, credentials, sensitive data, and APIs on our behalf, so every workflow has to be followed, verified, and attested rather than trusted by default. Mike Bursell of the Confidential Computing Consortium put the consequence plainly: when agentic AI goes wrong, accountability lands on you and your customers, and reactive defenses are too slow to catch it, which is why a hardware-based boundary delivering integrity, confidentiality, and attestation has to be the floor beneath everything built on top.
Monique Dumais, CIO of Capital Group, made the risk concrete and more alarming. The agents she loses sleep over are not the ones her engineers build but the ones her business users build, what she calls rogue IT rather than shadow IT. She has no visibility into whether a non-technical employee has hardcoded a credential into a prompt or pointed an agent at a forbidden data source. Her asks mapped exactly onto what Confidential Computing promises: verifiable execution, enforced data boundaries, runtime policy, and proof that sensitive data was never exposed, paired with a plea that technologists reach legislators before unworkable AI rules harden into law.
The field was also honest about its limits. Raghu Yeluri from Intel made the sharpest version of the point. Proving the same code ran is no longer sufficient, because an agent can execute exactly the right code and still be corrupted by what enters its context, and long-term memory is where attackers will plant dormant manipulations that gradually bend an agent’s objectives and behavior. The question has moved from “did the right code run” to “is this agent doing the right thing, and why, right now.”
3. Identity is the missing primitive, and it describes what, not who
If agents are the new actors, the field’s old notion of identity breaks, and nearly every thread converged on the same fix: workload-based identity, attesting to what an agent is, its code, configuration, and the policies that let it run, rather than who assigned it. Humans remain the “who,” but confidential, measured, attested workloads become the “what,” and only Confidential Computing makes that distinction enforceable. That work is already underway: the Confidential Computing Consortium’s Trusted Workload Identity Special Interest Group is turning the idea into shared standards.
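To make the “what, not who” idea concrete, here is an added illustration (not code from the summit, the Consortium, or any vendor) of workload identity as a set of measurements over an agent’s code, configuration, and runtime policy, checked by a verifier against an approved list with a freshness nonce. The HMAC key standing in for a hardware-rooted attestation key, the sample agent code, and the configurations are all constructed for the example; it also shows the rogue-IT case from earlier, where unchanged code pointed at an extra data source fails verification because the configuration measurement no longer matches.

```python
# Added illustration (not from the summit or any vendor's code): workload identity
# built from WHAT an agent is, verified rather than trusted.
import hashlib, hmac, json, secrets

# Constructed stand-in for a hardware-rooted attestation key. A real TEE signs
# evidence with a platform-certified key; a shared secret is only a demo device.
ATTESTATION_KEY = b"constructed-demo-key-not-for-real-use"

def measure(code: bytes, config: dict, policy: dict) -> dict:
    """A workload's identity is its measurements, not the human who launched it."""
    canon = lambda obj: json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return {
        "code": hashlib.sha256(code).hexdigest(),
        "config": hashlib.sha256(canon(config)).hexdigest(),
        "policy": hashlib.sha256(canon(policy)).hexdigest(),
    }

def attest(measurements: dict, nonce: str) -> dict:
    """Evidence = measurements + verifier nonce, authenticated by the stand-in key."""
    body = json.dumps({"measurements": measurements, "nonce": nonce}, sort_keys=True)
    return {"body": body, "tag": hmac.new(ATTESTATION_KEY, body.encode(), "sha256").hexdigest()}

def verify(evidence: dict, nonce: str, allowlist: list) -> tuple:
    """Returns (ok, reason). Checks authenticity, freshness, then identity.
    Note: this proves which code/config/policy ran, not what entered the agent's context."""
    expected = hmac.new(ATTESTATION_KEY, evidence["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, evidence["tag"]):
        return False, "evidence not authenticated by platform key"
    body = json.loads(evidence["body"])
    if body["nonce"] != nonce:
        return False, "stale or replayed evidence"
    if body["measurements"] not in allowlist:
        return False, "workload identity (code/config/policy) not approved"
    return True, "approved workload"

# Constructed sample workload: agent code, its configuration and runtime policy.
AGENT_CODE = b"def run(task): return tools.query(SOURCES, task)\n"
APPROVED_CONFIG = {"model": "demo-model", "sources": ["crm-readonly"]}
RUNTIME_POLICY = {"write": False, "network": ["internal"]}
ALLOWLIST = [measure(AGENT_CODE, APPROVED_CONFIG, RUNTIME_POLICY)]

def demo() -> list:
    nonce = secrets.token_hex(8)
    good = verify(attest(measure(AGENT_CODE, APPROVED_CONFIG, RUNTIME_POLICY), nonce), nonce, ALLOWLIST)
    # Same code, but a user pointed the agent at an extra data source: config hash differs.
    drifted = {**APPROVED_CONFIG, "sources": ["crm-readonly", "payroll"]}
    bad = verify(attest(measure(AGENT_CODE, drifted, RUNTIME_POLICY), nonce), nonce, ALLOWLIST)
    replay = verify(attest(measure(AGENT_CODE, APPROVED_CONFIG, RUNTIME_POLICY), "old"), nonce, ALLOWLIST)
    return [good, bad, replay]
```

Calling `demo()` returns the three verdicts in order: approved, rejected for an unapproved identity, and rejected as stale evidence.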
That carried a hard consequence about governance. Policy enforced by humans clicking “approve” does not scale, because we cannot know what an agent needs to reach or why. The consensus moved from human-in-the-loop to human-on-the-loop, with agents acting as auditors when privileges escalate. Manu Fontaine, founder of Hushmesh, made a sharp point: to move off the inherited institutional trust the internet runs on, the DNS records, certificate authorities, and privileged insiders, every entity needs a cryptographic identity that is also its key, generated from within and verifiable in hardware rather than granted by any authority. He is not theorizing; the approach is being deployed with NATO’s DIANA accelerator, where zero trust across nations and domains is exactly the problem.
4. The new standard is verifiable, not trustworthy
A striking consensus emerged that the goal is not to be trusted but to be verified, with cryptographic evidence customers can check rather than a vendor’s word, because no single provider should be the sole authority on trust. Amazon’s Matt Wilson made the engineering case, framing his pitch as “trust me, but please verify my work.” He pushed back on a popular piece of the discourse. Software-based and hardware-based execution environments are not opposites, since every real system blends both and all attestation is ultimately implemented in software, so the right bar is to demand rigorous proof that software is sound rather than to wave hardware as a trump card.
Apple’s Ivan Krstić set the ceiling for what verifiable can mean. He laid out a four-level framework for trustworthy AI inference and argued most systems in production today reach at most the first level. His non-negotiable principle was non-targetability, the idea that a system should force an attacker to compromise the entire fleet rather than single out one known user, which makes attacks expensive to scale and strips any leaked data of attribution. Most forward-looking was his demonstration that this bar can be extended onto third-party confidential hardware without lowering it, using multi-party control across vendors so trust is minimized even in the hardware supplier.
5. Sovereignty has a floor, a deadline, and rising stakes
Sovereignty was the connective tissue of the event, and the sharpest insight was about its limits. TII’s Najwa Aaraj drew the line from experience. An organization can own its models, agents, key management, and cryptographic stack and still hit a hard wall at the silicon and infrastructure layer, where true sovereignty stops. That turns sovereignty from a checkbox into a supply-chain question, and points toward provenance you can verify from design through fabrication.
The deadline came from Anthropic’s Jason Clinton, who delivered the sharpest warning of the summit. Advanced cyber capability emerged in a frontier model as an unintended byproduct of training for better coding, and it will eventually reach every model, including open-weights ones. His explicitly personal estimate, that defenders have roughly seven to ten months before an open-weights model carries advanced autonomous cyber capability, turned an abstract risk into a countdown. His advice: use the lead now to harden pipelines, make zero trust real, and point capable models at your own detection and response. He tied it back to Confidential Computing as the mechanism that lets frontier labs distribute defensive capability to trusted parties without leaking the model to adversaries.
Brittany Kaiser of Alpha Compute named the rising stakes most pointedly, bringing a human-rights lens to a room of engineers. Personal data is the most valuable asset most people own and have never controlled. Confidential Computing, in her framing, is what finally makes ownership enforceable, turning the technology into a front in the larger contest over who holds power in the AI economy.
6. The point of all this is not protection, it is what protection unlocks
For all the talk of threats and defenses, the breakouts reframed the value proposition around what confidentiality makes newly possible. Jonathan Dotan of EQTY Lab offered the most resonant framing of the event: a private conversation is simply a better conversation. When you speak to a lawyer or a prospective employer in confidence, you bring your full and honest self; strip the privacy away and the exchange degrades, so confidentiality becomes not defensive overhead but the precondition for the most valuable AI interactions. He grounded it in the use case that gets him up in the morning, personalized medicine, which requires combining a person’s own data with population-scale data, the only path to capabilities like automated clinical trials, with proofs portable across environments so maximum data can be brought to bear without anyone surrendering control of it. It was the clearest articulation all event of why the Consortium frames confidentiality as an enabler of progress rather than a constraint on it.
Why This Year Felt Different
Underneath the six signals was a single change in tone. The hardware foundation is no longer the thing being argued for. It is the thing being built on, and the honest open problems have moved up the stack, to agent identity, memory integrity, governance at machine speed, and attestation that holds across clouds and on-premises alike. None of these belong to a single company. They are being worked out in the open, across competitors, inside the Confidential Computing Consortium, which is the quiet argument the event kept making: the organizations treating Confidential Computing as the foundation they build on, rather than a feature they bolt on later, are the ones who will still be standing when the window closes.
This recap only scratches the surface of two content-rich days. The full keynotes and breakouts, including the four-level inference framework, the maturity-curve taxonomy, the frontier-security warning, and the architecture deep-dives, are available on demand.
If you missed any of the sessions, you can access the Confidential Computing Summit 2026 sessions here.