
Agentic AI Security is moving fast. Here’s where to start.

By Laura Martinez, Chair of Outreach Committee, Confidential Computing Consortium

Agentic AI is moving faster than most security frameworks were designed to handle, and the organizations deploying it, including some of the most sophisticated enterprises in the world, are navigating new territory. The question isn’t whether your team is experienced enough. It’s whether the security model you’re working with was built for this moment.

The gap traditional security doesn’t reach

The Confidential Computing community has long understood something the broader security world is catching up to: encrypting data at rest and in transit leaves a critical window open. When data is actively being processed, it has to be decrypted. In a standard cloud environment, that moment of computation is exactly when it’s most exposed.

For years, that gap was an acceptable tradeoff. Workloads were bounded. Humans were in the loop. The blast radius of a compromised execution environment was contained.

Agentic AI changes all of that at once.

An AI agent executing autonomously across enterprise infrastructure isn’t a bounded workload. It’s continuously processing sensitive data, calling tools, accessing live data pipelines, and making decisions, all without a human checkpoint, and all inside a cloud environment where the hypervisor, the host operating system, and the cloud operator sit above the workload in the trust hierarchy. Traditional security was built on the assumption that this infrastructure is trustworthy; that assumption no longer holds when the workload is this autonomous.

Hardware-based Trusted Execution Environments address this directly. By creating isolated execution environments where memory is encrypted and managed at the CPU level, they make the underlying infrastructure irrelevant to the trust model. The hypervisor, the host OS, and the cloud operator are no longer in the trust boundary. The silicon is.

Why the GPU layer matters for agentic AI

Most enterprise security conversations about AI are still CPU-centric. But agentic AI workloads are GPU-heavy by nature. Inference, reasoning, and multi-step planning all run on GPU infrastructure. And extending the Confidential Computing trust boundary from the CPU to the GPU has been one of the industry’s most important recent advances.

GPU-side Confidential Computing means the trust chain can now extend from the CPU through a trusted and attested interconnect to the full inference stack. The agent’s reasoning, the model weights it runs on, and the data it processes can all sit within a hardware-rooted boundary. For organizations running agentic AI at scale, that progression closes the last major gap in the end-to-end trust architecture.

The deployment layer: making this real without rebuilding everything

Hardware-rooted trust at the CPU and GPU layer is the foundation. But for most enterprise teams, the practical question is how to deploy it without rebuilding their entire infrastructure stack.

Confidential containers on Kubernetes are one answer to that question for cloud-native environments. By running pods inside hardware-isolated virtual machines, the memory inside the container becomes invisible to the host OS and the underlying administrator. Secrets are provisioned only after the execution environment has been verified through attestation. For organizations already running AI workloads in cloud-native environments, this is a clear path from awareness to production without a full infrastructure rebuild.

Attestation: the trust anchor for autonomous systems

Across all of these layers, the mechanism that ties everything together is cryptographic attestation. Before any sensitive data enters a Trusted Execution Environment, the TEE generates verifiable cryptographic proof of its hardware and software state. That proof can be verified remotely, confirming that the agent is running unmodified code in a genuine, trusted environment and can even be repeated at various points in the lifecycle to ensure continued security. Attestation is what makes Confidential Computing different from every other privacy-enhancing technology. It doesn’t just claim security, it proves it.

For an autonomous system operating with no human oversight, attestation is the architectural trust anchor. It answers the question every enterprise security team needs to be able to answer: how do we know the environment our AI is running in hasn’t been compromised?
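As an added illustration of the attestation-gated secret provisioning described in the confidential-containers section and here (example code, not from the CCC or any vendor): a relying party checks a TEE report's signature, freshness nonce, debug state and code measurement before releasing a secret, and can repeat the check at any later point in the agent's lifecycle. The HMAC device key, measurements and secret are constructed stand-ins for a real hardware signing key and vendor-issued reference values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the hardware attestation key. A real TEE signs reports
# with a device key that chains to the silicon vendor; a shared HMAC key is used
# here only so the example runs offline.
DEVICE_KEY = b"constructed-demo-device-key"

# Reference value the relying party trusts: the expected measurement of the
# agent's code (constructed; in practice it comes from the build pipeline).
EXPECTED_MEASUREMENT = hashlib.sha256(b"agent-runtime-v1").hexdigest()


def new_nonce() -> bytes:
    """Relying party issues a fresh challenge so a report cannot be replayed."""
    return secrets.token_bytes(16)


def tee_generate_report(nonce: bytes, code: bytes, debug_enabled: bool = False) -> dict:
    """Simulates the TEE measuring its loaded code and signing the result."""
    body = {
        "measurement": hashlib.sha256(code).hexdigest(),
        "debug": debug_enabled,          # hardware debug mode breaks isolation
        "nonce": nonce.hex(),            # binds the report to this challenge
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(DEVICE_KEY, payload, hashlib.sha256).hexdigest()}


def verify_report(report: dict, nonce: bytes,
                  expected_measurement: str = EXPECTED_MEASUREMENT) -> Tuple[bool, str]:
    """Remote verification: signature first, then freshness, then policy."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_sig = hmac.new(DEVICE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return False, "signature invalid"
    body = report["body"]
    if body["nonce"] != nonce.hex():
        return False, "stale or replayed report"
    if body["debug"]:
        return False, "debug mode enabled"
    if body["measurement"] != expected_measurement:
        return False, "unexpected code measurement"
    return True, "ok"


def release_secret(report: dict, nonce: bytes, secret: bytes = b"model-key") -> Optional[bytes]:
    """Key broker: the secret leaves the broker only for a verified environment."""
    ok, _reason = verify_report(report, nonce)
    return secret if ok else None
```

Calling `new_nonce()` and `verify_report()` again later in the run is the re-attestation step the text describes; a report produced for an earlier nonce is rejected as stale.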

Open standards: the CCC’s role in making this interoperable

The hardware is here. The deployment tooling is maturing. What the industry now needs is open, vendor-neutral guidance that helps organizations navigate the best technology stack choices, validate their architectures, and move confidently from evaluation to production.

That guidance takes the form of adoption-focused technical guidance and reference architectures, built collaboratively across hardware vendors, cloud providers, and software developers, and designed to give enterprise teams a practical and interoperable path forward regardless of which cloud or hardware stack they’re running on.

The goal is straightforward: make Confidential Computing the default for AI infrastructure, not a specialized capability reserved for the most security-conscious organizations.

The conversation we want to have with you

We’re bringing together three of the people closest to this problem for an open, practical conversation about what securing agentic AI actually looks like at every layer of the stack.

Felix Schuster, CEO of Edgeless Systems, is a pioneer in the Confidential Computing (CC) space, making it usable and deployable across every vertical. Jesse Schrater is a hardware visionary in the CC space and brings Intel’s perspective on hardware-rooted trust and enterprise adoption of TDX and SGX. Daniel Rohrer from NVIDIA has been at the forefront of extending Confidential Computing at rack scale across CPUs, GPUs and networking, where agentic AI and the world’s largest models and workloads run.

Together, live, we’ll walk through the architecture, the deployment reality, and the practical steps organizations can take to start building AI infrastructure that’s secure by design.

Agentic AI in the Wild: Rethinking Trust When Your AI Has the Keys

A live webinar hosted by the Confidential Computing Consortium ahead of CC Summit 2026.

This is the conversation the Confidential Computing community needs to be leading. We’d love for you to be part of it.

[Register here]
