Blog

By Mike Bursell, Executive Director, Confidential Computing Consortium

TL;DR

Agentic AI, unprotected, allows unauthorised and malicious people and systems with access to the machines on which Agents run to tamper with the Agents, their execution and their data.  Confidential Computing isolates workloads such as Agents, protecting them.  It also provides other capabilities that can underpin Agentic AI security

Introduction

The growth in generative AI has recently led to sufficient capabilities for a new set of AI applications: Agentic AI.  One way to characterise generative AI is by its ability to generate and information – video, audio, text, numeric – in response to a query by one or more human actors.  Agentic AI, on the other hand, is designed to operate (semi-)autonomously, performing multiple tasks, including possibly branching and creating new Agents, in order to fulfil a request.  Agentic AI instances may query other systems, including humans, non-AI applications, generative AI and other Agentic AI entities.  

Confidential Computing is defined by the Confidential Computing Consortium (CCC) as “protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment”.

This article considers some of the key security requirements for Agentic AI and how Confidential Computing may be used to meet them.  It is intended to encourage interest in the subject and prompt technical conversations between practitioners in these and related fields.

The security problem

Agentic AI entities (“Agents”) will often be operating in environments that are not owned or operated by the owner of the Agent itself.  Even where the environment is owned by the company owning the Agent (such as a private cloud or data centre), the people who run the infrastructure are likely to have different responsibilities and authorisations to those associated with or delegated to the Agent.  A system admin is not likely to have the same authority as the CFO and therefore the CFO’s Agent, for example.  The problem here is that when you run any application – including an Agent – on a machine which you do not completely control, then that application is at risk from people and applications with sufficient permissions, who can read or change data within the application, or even the application itself.  This is just a function of how standard computing works, including cloud computing and virtualisation, whether with containers or virtual machines: with standard computing, if you have control over the infrastructure, then you have control over everything running on it.  In this model, every Agent with any significant capabilities or access to sensitive data would need to run on separate servers, owned, controlled and operated by the Agent’s owner.

This causes a significant problem for agents.  Most agents, by their very nature, need two specific things: an identity, and a way to authorise or approve actions.  This latter may well be associated with the identity, but may not be.  The standard way to provide an identity within computing is with a unique identifier such as a UUID, and the standard way to provide capabilities for authorisation is with a public-private cryptographic key, where the public part is published and the private part is kept confidential.  Both of these are at risk and fundamentally insecure for Agents running on standard computing infrastructure.

In a world where you can have no assurance that the Agent you think you are talking to is actually the correct one – because someone may have changed its ID – you can have no trust in that Agent.  Equally, what if somebody steals the private key from your Agent?  In this case, the thief will have all the capabilities you delegated to your agent, which could include anything from access to private files to the ability to charge unlimited transactions to your or your company’s credit card.

Isolation requirements

In order to operate safely and as expected, Agents need to be isolated from the infrastructure on which they are running, breaking the standard model of computing where whoever controls the infrastructure controls the workloads.  This isolation needs to be enforced in at least two ways: their identities need to be integrity protected, and their capabilities must be confidentiality protected.  In fact, there are typically other assurances required: protection of the integrity of the Agent itself (to stop someone changing the “mission” of the Agent) and protection of the confidentiality and integrity protection of most, if not all, of the data held by the Agent (if I have used the Agent to book flights, for example, I want to know that the itinerary that it returns to me is correct and that no unauthorised parties can see it).

These requirements are actually very similar to those for standard applications in highly-regulated industries where data privacy is a concern, such as healthcare, finance, telecommunications, pharmaceutical research and government.  In these contexts, protecting both the integrity and the confidentiality of data is a key requirement, often enforced by regulations.  Where Agentic AI overlaps with these sectors, we can expect to see these regulations being applied directly.  It is also likely that specific legislation and regulations will be created to apply to Agents specifically, simply due to the fact that they are going to be looking after and manipulating sensitive personal and business data.

Confidential Computing to protect Agentic AI

Confidential Computing is a set of chip-based technologies – whether on CPUs, GPUs or beyond – that are widely available both in the cloud and in server-grade technology available to organisations wishing to build private clouds and data centres or even to individual consumers.  It provides exactly the protections required – integrity and confidentiality of data and applications – using hardware-based isolation, rooted in silicon. 

Workloads, including Agents, are protected in-use – while they are executing – when run using  Confidential Computing: the memory they are using is protected from tampering and viewing by all other entities with access to the machine, including administrators, the kernel and hypervisor.  Additionally, Confidential Computing allows attestation measurements of applications and data can be verified by third parties to verify that these protections are in place and that the workloads are as expected.  It also provides the underpinning technologies required to allow identity to be created and managed.

This is a perfect fit for Agentic AI, providing solutions to the problems explained above with protections that are available now, allowing owners to trust their Agents and for those interacting with them to be sure that they have not been compromised or their data exfiltrated.  There are also opportunities for commercial providers of Agentic AI environments to build and sell services that owners of Agents can prove are safe for their Agents, because they do not need to trust these commercial providers, but the Confidential Computing infrastructure instead.

Conclusion

Confidential Computing allows Agentic AI to flourish without requiring infrastructure that is itself trusted: Agents from multiple owners can execute and interact on the same infrastructure.  Confidential Computing’s remote attestation also allows identity to be established and proved both to owners of Agents and to other Agents and systems.

The Confidential Computing Consortium

The Confidential Computing Consortium is part of the Linux Foundation and the industry body dedicated to defining and accelerating the adoption of confidential computing.  Members include businesses, research organisations and not-for-profits across the ecosystem who work on technical and outreach projects to further the Consortium’s goals.

This month, Mike Bursell, Executive Director of the Confidential Computing Consortium (CCC), was named in the OpenUK New Year Honours List for 2026. The list, compiled by OpenUK, “the UK organization for the business of Open Technology”, celebrates individuals supporting the UK’s leadership in Open Technology. The annual Honours List, now in its 6th year, recognises the commitment of individuals who contribute to the open technology ecosystem above and beyond the call of duty or the demands of their day job. 

“I’m delighted and honoured to be selected for this award,” Mike said, “and aware that the open source community only flourishes because many people behind the scenes are working in all aspects of what we do. Though my work in open source, including with the CCC, has spanned many countries, the UK remains a great place to be involved with and promote open source and open collaboration and I’m proud to be part of a flourishing community here.”

The Confidential Computing Consortium is part of the Linux Foundation and represents organizations across the Confidential Computing ecosystem, promoting the adoption of Confidential Computing technologies and providing a home for related open source projects. The growth in availability of hardware supporting Confidential Computing has aligned with concerns around digital sovereignty, privacy of data and protection of AI models, leading Gartner to select it as one of its top 10 strategic technologies for 2026. The CCC takes a lead in technical work around open protocols employing Confidential Computing, providing mentoring opportunities, a job board and fostering open source underpinnings and frameworks using the technologies. 

The Consortium also provides an important safe place for organizations to collaborate with other members of the ecosystem to create value for the wider community while minimizing anti-trust concerns. Mike’s role as Executive Director ranges across outreach activities such as speaking and membership activities through writing technical materials, engagement in technical discussions and nurturing open source projects.

A recent CCC report by IDC, Unlocking the Future of Data Security: Confidential Computing as a Strategic Imperative, found that adoption of Confidential Computing is accelerating as awareness of the technology hits critical mass and that the UK has one of the highest rates of awareness globally. Mike noted that while open source is important in all jurisdictions and across all sectors, it is particularly vital for security-related applications: “Confidential Computing has the super-power of allowing you to prove to yourself and others that your application is the one you expect: allowing collaboration in new ways across new sectors like healthcare, finance, pharmaceuticals, Adtech and telecommunications. But, in addition, you need to be able to be sure that the code you’re running is doing what it’s advertised to be doing, and the only way to ensure that is if you’re using open source.”

Mike, who is a UK national and based near Cambridge, has been involved in open source communities for over 25 years and has led the CCC since April 2023. He was involved in the setting up of the Consortium in 2019, serving as the Red Hat representative for several years and formerly holding the position of Treasurer. He was also a co-founder of the Enarx project, the first open source project donated to the CCC on its foundation, is the author of Trust in Computer Systems and the Cloud (Wiley, 2021) and is a graduate of both the University of Cambridge and the Open University.

Introduction

2026 feels like an important year for Confidential Computing – one of Gartner’s top strategic technologies for the year.  There are a number of trends and developments that are converging, suggesting that there are going to be major opportunities for the industry.  These include:

• Availability of hardware – CPUs and GPUs are now well-established in hyperscalers and data centres
• Visibility – the industry seems finally to be paying attention to the capabilities that Confidential Computing provides
• Growing interest from Regulators around data-in-use protection
• AI – realisation that AI needs protection
• Digital Sovereignty – growing concerns about protecting data, applications and AI/ML models from interference from non-local actors, including governments
• Distributed trust models, including Web3.

We are also seeing, as a Consortium, increased interest from demand-side, rather than supply-side.  Of course, defining “demand-side” can be quite tricky: to a chip vendor, a hyperscaler is demand-side, whereas to a hyperscaler, the term may be better applied to a bank, who, in turn, considers demand to rest with its business customers, who themselves have consumer customers!  Most important, from the CCC’s perspective, is that there is a developing “pull” for Confidential Computing, and we must position ourselves to service and encourage this.

In December, the Governing Board agreed a budget which aims to balance revenue against spending in 2026 – over the past few years, we’ve been spending into our reserves, which had grown quite large, in part because of reduced spending over the Covid years.  One of the impacts is on events, which the Outreach committee had already identified as an area of high spend but where the ability to track return-on-investment was low.  As a result, we will be doing careful targeting of which events we sponsor and get involved with this year, in particular considering how best to address the trends noted above and driving demand-side interest.

In another move to address and develop demand-side interest in Confidential Computing, the Governing Board has agreed to constitute a new Special Interest Group around Regulatory and Standards bodies.  This will concentrate on non-technical contacts and conversations with these bodies, leveraging expertise and links within Member organisations to influence work where Confidential Computing could and should be explicitly noted, recommended or even mandated.

Focus Areas

I expect to see three main areas of focus in the work that the Consortium undertakes during 2026.  In all three cases, there is a need for general evangelisation of Confidential Computing as a relevant technology and also for engagement with appropriate bodies and organisations.  I’m also sure there will be others that I’ve failed to identify, or whose importance has not yet registered.

Regulators

Government-backed regulatory bodies provide important checks and balances across many sectors and many jurisdictions.  They also often track emerging requirements and provide guidance on best practices that are expected to become mandated in the future.  An increasing realisation of the importance of protecting citizens’ and customers’ data in all states – in transit, at rest and in use – allows the CCC to position itself as a trusted advisor to bodies considering how best to provide guidance and, ultimately, regulations around using Confidential Computing as a technology to improve the protection of data, with its unique combination of performance, confidentiality and integrity.  

Given the growth in regulations around AI and digital sovereignty, the other two areas identified for focus, we can also expect to see overlap with activities in these contexts.

AI and Agentic AI

The last year or two has seen realisation of how important security is for AI, with proof of provenance often being equally important as the confidentiality and integrity of the systems that organisations are building and hosting, not to mention with which they are interacting.  The past few months, however, have seen the promise of Agentic AI becoming a major force in our day-to-day lives, with a rapid ramping up of technical work around how such agents will work.  All Agentic AI requires identity and, like human identity, this needs to be protected.  Confidential Computing provides opportunities to safeguard Agentic AI identity cryptographically, isolating the agent from its environment and attackers.  

Digital Sovereignty

As the global political climate has evolved and governments realise that their and their businesses’ and citizens’ applications, data and, ultimately, livelihoods are intimately wound up with the interests of the organisations hosting and storing the information and applications, there has been a move to try to move the hosting and processing of that information into the control of organisations that are locally managed or governed.  This is not just about protecting data, but also key intellectual property including AI/ML models.  Given the existing geographic distribution and deployment of computing resources, moving all processing within national boundaries is often challenging and may not even be sufficient, depending on the entities operating the computing resources.  Confidential Computing offers technical controls that allow for much greater assurances and transparency around digital sovereignty by isolating the processing of data and applications from the operating environment in which they take place.

Attestation

While confidentiality and integrity remain the first properties that most users initially associate with Confidential Computing, the value of attestation is often where long-term value is realised.  The Consortium already does a great deal of work around technical approaches around attestation, including engaging with standards bodies like the IETF on protocols and primitives.  We also have a number of open source projects which focus on or revolve around attestation. 

There continues to be a need for work around business models for attestation verification services (AVSs).  This includes consideration of revenue and charging models, policy management and devolution, trust transfer and also what types of bodies should be running an AVS in the first place: not-for-profits, silicon vendors, CSPs, ISVs, banks, governments, regulators or organisations themselves.  We can expect to see more conversation around these topics as we go through 2026.

Members

The beginning of 2026 sees the CCC with a healthy set of members across multiple geographic areas, of various sizes and in different industries and sectors.  As Confidential Computing grows through the year, we need to ensure not only that we are meeting the varying needs of existing members, but also showing and growing the benefits of membership to attract new members so that we can work to improve industry knowledge and adoption of Confidential Computing.  This means looking at new sectors (e.g. AI and Web3), crafting new messaging and materials (e.g. for regulators and governments) and adapting our messaging for those on the demand-side who need to find out more about the technologies in ways that suit them.

This all requires engagement by existing members, and I plan to find ways for members, both new and established, to engage in our activities in ways that are aligned with their interests and priorities, amplifying their efforts through our communal work.

Conclusion

2026 comes with many opportunities for Confidential Computing, and for the CCC to consolidate and grow our place in existing and new industries as a trusted and maturing technology.  The number of companies already using Confidential Computing is more than most people realise, as evidenced by the IDC’s report Unlocking the Future of Data Security: Confidential Computing as a Strategic Imperative (available on our White Papers & Reports page).  We at the Confidential Computing Consortium need to spread the news, while continuing to make the technologies as attractive and easy to use as possible and providing the primitives, protocols and open source projects that ease and encourage adoption.  I look forward to working with you and your colleagues as we tackle these tasks over the next twelve months.

The Confidential Computing Consortium (CCC) is pleased to welcome Confident Security as a new Start-Up Member.

Confident Security is dedicated to making AI truly private, developing technologies and practices that protect data and models in use without compromising performance or accessibility. The company’s mission closely aligns with the CCC’s goal of fostering open collaboration and standards to enable secure computation across industries.

Advancing Confidential AI Through Open Collaboration

By joining the CCC, Confident Security aims to help shape and accelerate the development of Confidential AI standards, ensuring privacy, integrity, and trust in next-generation machine learning systems. The company is particularly focused on frameworks that safeguard sensitive data used in AI training and inference while maintaining openness and interoperability.

In parallel, Confident Security has been expanding its open source contributions, sharing tools that support secure, privacy-preserving communication and computation. Recent releases include:

• ohttp: privacy-preserving HTTP relay implementation
• bhttp: binary HTTP protocol support
• go-nvtrust: Go bindings for NVIDIA Trust extensions
• twoway: bidirectional secure communication library

Most recently, Confident Security launched its largest open source project to date – OpenPCC, an open framework for privacy-preserving encryption and AI data security. This release was accompanied by an Axios feature and a comprehensive whitepaper outlining the architecture and technical foundations behind the project. OpenPCC represents a major milestone in the company’s vision to make secure, confidential computation accessible to all.

These projects demonstrate Confident Security’s commitment to advancing open, secure innovation and complement the CCC’s mission to drive adoption of confidential computing technologies.

Strengthening a Shared Mission

“It’s our mission to make AI truly private and part of making that happen are standards and education,” said a spokesperson from Confident Security. “For that reason, we’re very excited to join CCC and to contribute and collaborate with all the members to increase adoption and use of Confidential Computing technologies.”

As a recent addition to the CCC, Confident Security aligns itself with a global collective of technology pioneers, researchers, and innovators who are collaboratively striving to establish data protection and trusted execution as fundamental pillars for confidential computing. 

We’re pleased to welcome Acompany as the newest General Member of the Confidential Computing Consortium (CCC)!

Acompany provides Confidential Computing as a strategic security foundation, powering secure data collaboration and advancing trusted AI. Its technology supports use cases ranging from data clean rooms for a Fortune Global 500 telecom company (KDDI) to optimized manufacturing processes and mission-critical national security initiatives.

Expanding the Global Market for Confidential Computing

Acompany joins the Consortium with a clear vision: to accelerate the global adoption of Confidential Computing through community collaboration and open innovation.

“At Acompany, our mission is ‘Trust. Data. AI.’ We are delighted to join the Confidential Computing Consortium and work with industry leaders to advance secure and trusted AI. Just as HTTPS became the default for the web, Confidential Computing will become the default for AI—and we are proud to help shape that future.”  — Ryosuke Takahashi, CEO, Acompany Co., Ltd.

The company brings proven experience to the community. Its solutions already power secure data clean rooms for KDDI and support ongoing Confidential Computing research in collaboration with Intel Labs. Acompany’s participation will strengthen collective efforts to make Confidential Computing the foundation of secure data processing and privacy-preserving AI worldwide.

Community Collaboration in Action

Acompany is also engaging with CCC-hosted projects, including the Gramine framework. The team has actively participated in GitHub discussions and leveraged Gramine in their own research initiatives, helping to expand the practical applications of Confidential Computing technologies. In addition, Acompany contributes to the Consortium’s global outreach by supporting the Japanese translation of CCC’s White Papers & Reports, helping to broaden access to the Consortium’s insights and advance the global understanding and adoption of Confidential Computing.

Last week in San Francisco, our community came together for a day that reminded us why collaborative learning and shared experimentation are so vital in the confidential computing ecosystem.

Attendees represented a wide range of perspectives, from hyperscale cloud service providers, startups, think tanks, and industry ranging from pharmaceuticals to finance, to discuss Confidential Computing. The day was filled with lively technical exchanges and even laughter over afternoon bacon (yes, bacon is a snack), it was the kind of workshop that makes innovation feel personal.

A Lineup That Inspired Collaboration

We were honored to hear from a remarkable roster of speakers representing organizations at the heart of secure and privacy-preserving computing, including:

• Britt Law
• Duality
• Google
• Meta / WhatsApp
• NVIDIA
• Oblivious
• ServiceNow with Opaque
• TikTok
• Tinfoil

Each talk brought a unique perspective, from real-world deployments delivering measurable business value to bold experiments shaping the future of data protection. The diversity of voices reflected the Consortium’s strength: bringing together researchers, builders, and adopters to turn ideas into impact. The versatility of Confidential Computing was evident from the wide range of solutions and use cases presented.

From Inspiration to Imagination

The day wrapped up with our “Shark Tank”-style challenge, where four teams competed to design new use cases for Confidential Computing. The creativity on display was impressive, but one concept stood out – a secure, verifiable proof of humanity – a vision that perfectly captured the balance of trust, technology, and imagination our community strives for.

Community at the Core

Behind every successful event is a network of people who make it happen. This workshop was no exception. We’re deeply grateful to Laura Martinez (NVIDIA), Mateus Guzzo (TikTok) and Mike Ferron-Jones (Intel) for their incredible leadership in bringing everything together. Their effort ensured that even the smallest logistical details (and photo moments) went smoothly.

Looking Ahead

As we look to future workshops, we’ll keep building spaces like this one: open, hands-on, and human-centered. Because progress happens when we learn together, challenge ideas together, and celebrate the journey as much as the technology itself.

(Photos courtesy of Mateus Guzzo)

The Confidential Computing Consortium (CCC) is pleased to welcome FuriosaAI as our newest startup member!

Furiosa is a semiconductor company pioneering a new type of AI chip for data centers and enterprise customers. With a mission to make AI computing sustainable and accessible to everyone, Furiosa offers a full hardware and software stack that enables powerful AI at scale.  Its proprietary Tensor Contraction Processor (TCP) architecture delivers world-class performance for advanced AI models, along with breakthrough energy efficiency compared to GPUs.

Furiosa’s flagship inference chip, RNGD (pronounced “renegade”), accelerates large language models and agentic AI workloads in any data center, including ones with power, cooling, and space constraints that make it difficult or impossible to deploy advanced GPUs. Currently sampling with Fortune 500 customers worldwide, RNGD is designed to power the next generation of AI applications with both high performance and significantly lower operating expenses.

Why Furiosa Joined CCC

As AI workloads scale, protecting data becomes increasingly critical. Furiosa’s energy-efficient chips enable businesses to run their models on-prem, so they can maintain complete control of their data and tooling. By joining the CCC, Furiosa is committed to collaborating with peers across the ecosystem to build a more secure and trustworthy AI infrastructure.

Furiosa hopes to contribute its expertise in hardware-accelerated inference while learning from the community’s efforts to standardize and advance confidential computing practices. The company is particularly interested in trusted execution environments and data security in AI workloads, and looks forward to identifying projects where its AI compute acceleration technology can add meaningful value.

In Their Own Words

“At Furiosa, we believe the future of AI depends on both performance and trust. By joining the Confidential Computing Consortium, we’re excited to collaborate with industry leaders to ensure AI innovation happens securely, sustainably, and at scale.”
— Hanjoon Kim, Chief Technology Officer, FuriosaAI

We’re thrilled to have Furiosa join our community and look forward to the collaboration ahead. Welcome to the CCC!

We’re pleased to welcome QLAD to the Confidential Computing Consortium (CCC), as the latest innovator helping define the next era of secure computing.

QLAD is a Kubernetes-native confidential computing platform that provides runtime protection by default, delivering pod-level Trusted Execution Environments (TEEs) and featuring encrypted Armored Containers™ for enhanced IP protection and post-quantum resilience. With post-quantum resilience and seamless integration, no code rewrites or infrastructure changes required, QLAD enables scalable, production-ready confidentiality for modern workloads.

“At QLAD, we believe confidential computing should be simple. We’re building a platform that delivers drop-in protection for sensitive workloads, without code rewrites or infrastructure disruption. We’re proud to join the CCC community and contribute to the standards, tooling, and trust models that help organizations stay secure across clouds, edges, and collaborative environments.”
— Jason Tuschen, CEO, QLAD

Confidential computing is undergoing a transformation, from experimental to essential. QLAD was founded to help accelerate that shift by making trusted execution practical and DevOps-friendly, especially for organizations deploying at scale across cloud, hybrid, and edge environments.

Why QLAD joined CCC

The CCC provides a powerful venue to drive industry alignment on standards, reference architectures, and transparent governance. QLAD sees the consortium as a collaborative platform to:

• Champion workload-first adoption patterns (beyond VM- or node-level models)
• Demystify confidential computing for developers and security teams
• Share insights as it prepares to open-source components of its container security layer in late 2025

What QLAD brings to the community
QLAD engineers are already contributing to CCC-hosted initiatives, including the Confidential Containers (CoCo) project. Contributions to date include:

• QLAD engineers have contributed directly to the Confidential Containers (CoCo) project, including adding AWS SNP VLEK support across three repositories (trustee, guest-components, and azure-cvm-tooling)
• Submitted eight pull requests (all merged) to cloud-api-adaptor, advancing workload orchestration in confidential environments
• Engaged with members of U.S. Congress to raise awareness of Confidential Computing and Confidential Containers, helping ensure the technology receives attention and potential funding at the federal level

As QLAD prepares to open source additional components, it plans to work closely with the CCC Technical Advisory Council to align on contribution pathways and ensure long-term technical alignment.

What QLAD hopes to gain
In joining CCC, QLAD looks forward to:

• Advancing attestation frameworks, policy enforcement models, and container standards
• Collaborating with industry peers solving real-world deployment challenges
• Participating in working groups that shape the future of confidential computing across AI, hybrid cloud, and zero-trust environments

We’re excited to welcome QLAD into the CCC community and look forward to their continued contributions to making confidential computing scalable, practical, and trusted by default.