Confidential AI

Technology, Information and Internet

San Francisco, California 260 followers

About us

Confidential takes the friction out of Trusted Execution Environments (TEEs). You get fast, private, verifiable TEE infrastructure that just works. Connect Confidential to GitHub and commit. That's it. On every commit your code is reproducibly built, deployed live, cryptographically verifiable, fully private, and automatically scaled in CPU and GPU TEEs globally.

Website
https://confidential.ai
Industry
Technology, Information and Internet
Company size
2-10 employees
Headquarters
San Francisco, California
Type
Privately Held

Updates

  • Agents in regulated sectors usually mean picking between privacy and capability. These examples show you don't have to.

    Confidential AI just shipped code examples of Confidential Agents across Finance, Healthcare, Legal, Government and Telecom. Confidential Agents let companies in regulated sectors run agents with end-to-end privacy backed by hardware encryption. Stronger guarantees than on-prem, with off-prem convenience and tooling. Clone the examples and run them yourself. https://lnkd.in/efsgUMME

  • Today we're launching Confidential Agents, the world's first verifiably private, secure agent runtime. Teams in finance, healthcare, and gov get stuck with clunky on-prem workarounds for AI tasks. Why? Because the only thing that'd protect their data in a cloud is a legal agreement. That's not enough. Confidential Agents fixes this by running both the agent and its inference inside Trusted Execution Environments. And it's all verifiable with an open source CLI. In other words, your data is encrypted in use, not just at rest and in transit, with only a 4-8% hit to token throughput. AI should be personal, and personal means private.

    Sign up for the Confidential Agents beta here: https://lnkd.in/ePNpH3wX
    Read our launch post and API docs for more: https://lnkd.in/e7gBjM5M

  • Most "private" AI isn't. It still decrypts your data where someone can see it. Our confidential inference is genuinely private. Here's how it works:

    Customer prompts (and their responses) are encrypted all the way from the client SDK to the inference enclave and back again. Plaintext exists in exactly two places:

    1) The client device, where the prompt is composed and the response is rendered.
    2) The hardware-enforced inference enclave, where the model runs.

    Everywhere else (the public internet, the cloud network, the load balancer, the worker node, the hypervisor, the host OS) the data is ciphertext. Nothing in between can read it.

    The client encrypts each prompt directly to the inference enclave's public key and decrypts the response with its own local private key. So even the load balancer routing the request never sees plaintext. Every attested component holds a certificate issued only after our open source Attestation Service verifies its hardware signature and code measurement. Hardware-rooted trust, not a pinky promise.

    What this means for the trust boundary:
    - The cloud provider is excluded.
    - The hypervisor is excluded.
    - The host OS is excluded.
    - Confidential AI itself is excluded.

    Your data is observable as plaintext only inside your device and the enclave. For teams running sensitive operational, financial, or personal data, this is the deployment model that actually holds up. Same for anyone who needs demonstrable in-country-equivalent guarantees for legal or regulatory reasons.

    Confidential inference. Encrypted end to end. Verified by hardware.
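The post above describes a data path in which the client encrypts to an enclave key that is only trusted after an attestation service has checked the hardware signature and code measurement. The following is an added example, not Confidential AI's code or SDK, that models that trust logic end to end. It uses the `cryptography` package (X25519 key agreement, HKDF, ChaCha20-Poly1305, Ed25519). Everything else is constructed: the Ed25519 "vendor" key stands in for the CPU vendor's attestation signing chain, the signed `(measurement || enclave public key)` blob stands in for an AMD SEV-SNP or Intel TDX report, and the measurements, prompt and reply are made-up values.

```python
import hashlib
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed stand-ins: the "vendor" key plays the CPU vendor's attestation signing
# chain, and the signed body plays the SEV-SNP / TDX report. Measurements are made up.
VENDOR_KEY = Ed25519PrivateKey.generate()
GOOD_MEASUREMENT = hashlib.sha256(b"constructed: inference server build v1").digest()
BAD_MEASUREMENT = hashlib.sha256(b"constructed: tampered build").digest()


def raw(pub) -> bytes:
    """Raw 32-byte encoding of an X25519 / Ed25519 public key."""
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def derive(shared: bytes, label: bytes) -> bytes:
    """Direction-specific key so a reply can never be replayed as a prompt."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=label).derive(shared)


class Enclave:
    """Model server inside the TEE; its X25519 private key never leaves this object."""

    def __init__(self, measurement: bytes):
        self._priv = X25519PrivateKey.generate()
        body = measurement + raw(self._priv.public_key())
        self.report = (body, VENDOR_KEY.sign(body))  # "hardware-signed" measurement || key

    def handle(self, wire: bytes) -> bytes:
        eph_pub, nonce, ct = wire[:32], wire[32:44], wire[44:]
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
        prompt = ChaCha20Poly1305(derive(shared, b"prompt")).decrypt(nonce, ct, eph_pub)
        reply = b"answer to: " + prompt  # plaintext exists here, inside the enclave only
        out_nonce = os.urandom(12)
        return out_nonce + ChaCha20Poly1305(derive(shared, b"response")).encrypt(out_nonce, reply, eph_pub)


class AttestationService:
    """Checks the hardware signature and code measurement, then certifies the enclave key."""

    def __init__(self, allowed_measurements: set):
        self.allowed = allowed_measurements
        self._signing = Ed25519PrivateKey.generate()
        self.pub = self._signing.public_key()

    def issue_certificate(self, report):
        body, hw_sig = report
        VENDOR_KEY.public_key().verify(hw_sig, body)  # InvalidSignature if not genuine hardware
        if body[:32] not in self.allowed:
            raise ValueError("unexpected code measurement; refusing to certify")
        return body, self._signing.sign(body)


class Client:
    """Encrypts straight to the certified enclave key; decrypts with its own local private key."""

    def __init__(self, attestation_pub: Ed25519PublicKey, expected_measurement: bytes):
        self.att_pub, self.expected = attestation_pub, expected_measurement
        self._eph = self._shared = None

    def encrypt_prompt(self, cert, prompt: bytes) -> bytes:
        body, sig = cert
        self.att_pub.verify(sig, body)  # certificate must come from the attestation service
        if body[:32] != self.expected:
            raise ValueError("certificate is for a different code measurement")
        self._eph = X25519PrivateKey.generate()
        self._shared = self._eph.exchange(X25519PublicKey.from_public_bytes(body[32:]))
        eph_pub, nonce = raw(self._eph.public_key()), os.urandom(12)
        ct = ChaCha20Poly1305(derive(self._shared, b"prompt")).encrypt(nonce, prompt, eph_pub)
        return eph_pub + nonce + ct

    def decrypt_response(self, wire: bytes) -> bytes:
        key = derive(self._shared, b"response")
        return ChaCha20Poly1305(key).decrypt(wire[:12], wire[12:], raw(self._eph.public_key()))


def load_balancer(wire: bytes, log: list) -> bytes:
    """Untrusted hop: routes bytes and records what it observed; it holds no keys."""
    log.append(wire)
    return wire


def round_trip(prompt: bytes, enclave_measurement: bytes = GOOD_MEASUREMENT) -> tuple:
    """Returns (decrypted reply, every message the load balancer saw)."""
    enclave = Enclave(enclave_measurement)
    attestation = AttestationService({GOOD_MEASUREMENT})
    cert = attestation.issue_certificate(enclave.report)  # raises for a tampered build
    client = Client(attestation.pub, GOOD_MEASUREMENT)
    seen = []
    prompt_wire = load_balancer(client.encrypt_prompt(cert, prompt), seen)
    reply_wire = load_balancer(enclave.handle(prompt_wire), seen)
    return client.decrypt_response(reply_wire), seen


if __name__ == "__main__":
    reply, seen = round_trip(b"constructed prompt: patient 42 lab results?")
    print(reply, "relay saw plaintext:", any(b"patient 42" in w for w in seen))
```

The point to check when reviewing a real deployment is the order of operations in `encrypt_prompt`: the client verifies the certificate (and that it binds the expected measurement) before any key agreement happens, so a key served by an unattested or tampered build never receives ciphertext. The `round_trip` with `BAD_MEASUREMENT` shows the attestation service refusing to certify such a build at all.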
  • Today we are sunsetting the moon and shipping a new logo. The moon was a placeholder. An emoji. The fastest way to ship a mark, and it fit our old name, Lunal. Now we are Confidential. The moon needed an upgrade.

    Our new logo is a redacted bar inside square brackets. [██] You can read it in a few different ways, all valid.

    As a glyph. Redacted text inside brackets implies something is there but you cannot see it. Not deleted but private. Present, in use, deliberately withheld from view. That is confidential computing in one image.

    As code. Square brackets index into memory. The thing inside is a buffer. The bar is its contents. A buffer whose contents are opaque to everything outside it is a TEE. The logo is a picture of protected memory.

    As text. It is typeable. [██] renders in a terminal, a commit message, a Slack channel, a CLI prompt. Most logos die the moment they leave the brand folder. This one survives in plaintext. Grep-able. Whiteboard-able. Degrades to ASCII without losing meaning.

    It is not a padlock. It is not a shield. It is not a vault. Every other company in security reaches for those. They all mean: trust us, we will protect you. Ours is different. The contents are not protected by us. The contents are cryptographically unreachable. That is the entire point of hardware-enforced confidential computing, and now it is the logo.
  • Our CTO Amean Asad spoke about confidential inference at scale for frontier AI at the AViD workshop yesterday. Thanks to FAR.AI and the Center for AI Safety for hosting.

    FAR.AI

    How do you verify what an AI system is actually doing, from training through deployment? That question brought researchers and engineers together on May 17 for the Assurance & Verification of AI Development (AViD) Workshop, co-hosted by FAR.AI and the Center for AI Safety.

    The technical foundations for AI assurance are still being built. As AI capabilities advance, the infrastructure for monitoring, auditing, and verifying these systems has to advance with them. AViD focused on the concrete use cases driving this work: domestic auditing, international treaty verification, and internal oversight for AI developers. Sources of trust spanned existing hardware (TEEs, hardware root of trust), novel hardware, and cryptographic methods.

    Will Hodgkins (Center for AI Safety) opened and closed the day. Lightning talks featured:
    ▸ Shahin Tajik (Worcester Polytechnic Institute), physical verification against nation-state adversaries
    ▸ Koen van der Veen (OpenMined), PySyft v2 for auditing private models and user logs
    ▸ Bing-Jyue Chen (UIUC), efficient zero-knowledge proofs for AI inference
    ▸ Roy Rinberg (Harvard University), inference verification in a TEE
    ▸ Adam Chlipala (Massachusetts Institute of Technology), end-to-end formal verification of computing infrastructure
    ▸ Amean Asad (Confidential AI), scalable private inference for frontier AI
    ▸ quintus K. (Flashbots), trust in silicon
    ▸ Ari Juels (Cornell University), security tools from crypto for AI

    The open questions surfaced throughout the day point to where this field needs to go next: making inference replay production-ready, operationalizing memory challenges to prevent unauthorized inference, scaling zero-knowledge proofs to frontier LLMs, verifying training at frontier scale, and establishing trust in verification infrastructure itself.

    Rapid progress toward models capable of causing catastrophic harm makes responsible development more urgent than ever. Independent verification gives society the information it needs to respond and adapt. FAR.AI is committed to advancing the technical work that makes AI safety real. Thank you to all the speakers and attendees moving this forward. Recordings to come in the coming weeks; follow FAR.AI to catch them. What verification challenge feels most pressing to you? Let us know in the comments.

  • Confidential AI reposted this

    Today, my team at Confidential AI published the whitepaper for Kettle: Attested Builds. It is a technique we invented to answer a question every software consumer should ask: how do you know the binary you're running matches the source it claims to come from?

    Conventional builds answer with process. CI logs, signed checksums, release notes. None of it is cryptographic evidence. A compromised build runner can ship a clean source commit and a backdoored binary, and you'd never know.

    The technique: Run the build inside a TEE. Capture a hardware-signed attestation of the pipeline, inputs, and outputs. Staple it to the artifact.

    The result: Provenance down to the git commit. The trust surface contracts from "the entire build infrastructure and everyone with access to it" to "the CPU vendor root."

    Kettle is open source. Emits SLSA v1.2 provenance, verifiable in one signature check against AMD or Intel.

    Authors: André Arko, Amean Asad
    Paper: https://lnkd.in/e6_3cRWg
    Code: https://lnkd.in/eT3ECAGU

  • Confidential computing for Kubernetes, without rethinking the control plane. The C8s whitepaper is out.

    Today my team at Confidential published the whitepaper for C8s, a confidential Kubernetes architecture. C8s solves the three-body problem for AI that I've written about previously, targeting Kubernetes - the most popular framework for deploying AI workloads. The three-body problem in short: sensitive workloads on shared infrastructure create competing confidentiality needs that can't easily be met all at once. Artifact owners want to protect model weights, datasets, and code from the infrastructure they run on. Compute providers want to run those workloads without the cloud operator seeing them. End users in healthcare, legal, financial, and national security contexts want their inputs and outputs hidden from everyone except the code processing them. C8s is built on hardware Trusted Execution Environments (TEEs) - AMD SEV-SNP, Intel TDX, and NVIDIA Confidential Computing - to establish an attestation-rooted trust boundary around confidential VMs. It is compatible with managed Kubernetes services like Amazon EKS, Google GKE, and Microsoft AKS, where the control plane cannot be attested. C8s gives all groups cryptographic privacy guarantees, not contractual ones. https://lnkd.in/d_A8pHGB