AI workloads process some of the most sensitive data in an organization: training data, model weights, inference inputs, and predictions. Confidential computing protects this data while it is being processed, not just at rest and in transit.
The Three States of Data Protection
| State | Traditional Protection | Confidential Computing |
|---|---|---|
| At rest | Encryption (AES-256) | Already covered |
| In transit | TLS 1.3 | Already covered |
| In use | None | Hardware-based TEEs |
The "in use" gap means that anyone with privileged access to the host machine (cloud provider staff, a compromised hypervisor, or a malicious co-tenant who has escaped into the hypervisor) can potentially read your data in plaintext while it is being processed.
Trusted Execution Environments (TEEs)
TEEs create hardware-isolated enclaves where code and data are protected from everything outside, including the operating system, hypervisor, and cloud provider. What remains trusted is the hardware vendor and the code you load into the enclave, which is why attestation (proving exactly which code is running) is inseparable from the isolation itself.
Available TEE Technologies
| Technology | Vendor | Isolation Level | GPU Support |
|---|---|---|---|
| Intel TDX | Intel | VM-level | Via GPU TEE (H100 confidential-computing mode) |
| AMD SEV-SNP | AMD | VM-level | Via GPU TEE (H100 confidential-computing mode) |
| ARM CCA | ARM | Realm-level | Via GPU TEE |
| NVIDIA H100 TEE | NVIDIA | GPU-level (requires a CPU TEE to host the driver) | Native |
Confidential AI Architecture
```
+----------------- Confidential VM (TEE) ------------------+
|                                                          |
|  +--------------+    +--------------+    +-------------+ |
|  |  Encrypted   |    |   AI Model   |    |  Encrypted  | |
|  |  Training    |--> |  (in secure  |--> | Predictions | |
|  |  Data        |    |   memory)    |    |             | |
|  +--------------+    +--------------+    +-------------+ |
|                                                          |
|  Memory encrypted with hardware keys                     |
|  Attestation proves code integrity                       |
+----------------------------------------------------------+
        ^
        | Cloud provider / hypervisor CANNOT see inside
```
Kubernetes Integration
Running confidential AI workloads on Kubernetes:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: confidential-inference
spec:
  runtimeClassName: kata-cc   # Confidential Containers runtime: the pod gets its own TEE VM
  containers:
    - name: inference
      image: registry.example.com/ai-model:v1
      resources:
        limits:
          nvidia.com/gpu: 1
      env:
        - name: NVIDIA_CC_MODE
          value: "on"   # Workload-side flag only; GPU CC mode is switched on the host (nvidia-smi conf-compute) before passthrough
      volumeMounts:
        - name: encrypted-model
          mountPath: /models
          readOnly: true
  volumes:
    - name: encrypted-model
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: model-secrets   # required by the secrets-store driver; name is a placeholder
```
Confidential Containers (CoCo)
The CNCF Confidential Containers project brings TEE support to Kubernetes:
- Kata Containers: Provides VM-level isolation per pod
- Attestation: Cryptographic proof that the workload runs in a genuine TEE
- Encrypted images: Container images decrypted only inside the TEE
- Sealed secrets: Secrets released only to attested workloads
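To make the attestation and sealed-secrets bullets concrete, here is an added example of the flow they describe (my own code, not code from the original page or from the Confidential Containers project): a key broker that releases a model-decryption key only after an attestation report passes signature, freshness, TCB, measurement, and key-binding checks. Everything in it is a stand-in and an assumption: the hardware signature is modelled with an HMAC key shared with the verifier (a real TEE signs with a vendor-certified asymmetric key such as AMD's VCEK or Intel's quoting-enclave key), the launch measurement is SHA-256 of the image bytes, the TCB version is a constructed number, and the `KeyBroker` class, its method names, and the scenario inputs are all invented for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the hardware's attestation signing key. A real TEE signs with a
# vendor-certified asymmetric key (AMD VCEK, Intel quoting enclave); the broker
# shares this secret only because the whole exchange is simulated in-process.
_HW_SIGNING_KEY = secrets.token_bytes(32)


def measure(image: bytes) -> str:
    """Launch measurement of the guest image (stand-in for TDX MRTD / SNP launch digest)."""
    return hashlib.sha256(image).hexdigest()


def tee_generate_report(image: bytes, nonce: bytes, report_data: bytes) -> dict:
    """What the guest asks the hardware for (via /dev/tdx_guest or /dev/sev-guest):
    the launch measurement, a firmware TCB level and caller-chosen report data,
    all covered by the hardware signature."""
    body = {
        "measurement": measure(image),
        "nonce": nonce.hex(),
        "report_data": hashlib.sha256(report_data).hexdigest(),
        "tcb_version": 3,  # constructed value for the simulated firmware
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(_HW_SIGNING_KEY, payload, "sha256").hexdigest()
    return {"body": body, "sig": sig}


class KeyBroker:
    """Relying party that holds the model-decryption key and releases it only to
    workloads whose report passes every check (the role CoCo's KBS plays)."""

    def __init__(self, allowed_measurements, min_tcb: int, model_key: bytes):
        self.allowed = set(allowed_measurements)
        self.min_tcb = min_tcb
        self.model_key = model_key
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Fresh nonce the workload must get the hardware to sign over."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce.hex())
        return nonce

    def release_key(self, report: dict, workload_pubkey: bytes):
        """Return (key, reason). Each check rejects a distinct attack."""
        body = report["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(_HW_SIGNING_KEY, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, report["sig"]):
            return None, "bad signature: report not produced by genuine hardware"
        if body["nonce"] not in self.outstanding:
            return None, "unknown or reused nonce: replayed report"
        self.outstanding.discard(body["nonce"])  # single use
        if body["tcb_version"] < self.min_tcb:
            return None, "firmware TCB below policy minimum"
        if body["measurement"] not in self.allowed:
            return None, "measurement not allowlisted: unexpected code in the TEE"
        if body["report_data"] != hashlib.sha256(workload_pubkey).hexdigest():
            return None, "report_data does not bind the key the workload presented"
        return self.model_key, "ok"


def run_scenarios() -> dict:
    """Exercise the happy path and three failure modes; returns the broker's reasons."""
    good_image = b"registry.example.com/ai-model:v1 rootfs (constructed bytes)"
    model_key = secrets.token_bytes(32)
    broker = KeyBroker([measure(good_image)], min_tcb=2, model_key=model_key)
    pubkey = b"workload ephemeral public key (constructed)"
    results = {}

    # 1. Genuine workload, fresh nonce: key released.
    nonce = broker.challenge()
    report = tee_generate_report(good_image, nonce, pubkey)
    key, results["genuine"] = broker.release_key(report, pubkey)
    results["key_released"] = key == model_key

    # 2. Same report presented again: nonce already consumed.
    _, results["replay"] = broker.release_key(report, pubkey)

    # 3. Image with one extra byte (backdoored container): measurement changes.
    nonce = broker.challenge()
    report = tee_generate_report(good_image + b"\x00", nonce, pubkey)
    _, results["tampered_image"] = broker.release_key(report, pubkey)

    # 4. Report body edited after signing (host attacker pastes in the good measurement).
    nonce = broker.challenge()
    report = tee_generate_report(good_image + b"\x00", nonce, pubkey)
    report["body"]["measurement"] = measure(good_image)
    _, results["forged_report"] = broker.release_key(report, pubkey)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the signature is verified before anything in the body is trusted, the nonce is consumed before the policy checks so a failed report cannot be retried, and the measurement allowlist is what ties "a genuine TEE" to "our ai-model:v1 image and nothing else". In a real deployment the broker would also check the vendor certificate chain and would wrap the released key to the public key carried in `report_data` rather than returning it in the clear.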
Use Cases for Confidential AI
- Multi-party ML: Train models on combined datasets without any party seeing the other's data
- Regulated inference: Healthcare/financial AI where data must never be exposed to the cloud provider
- Model protection: Prevent model theft β weights are never accessible outside the TEE
- Edge AI: Protect models running on untrusted hardware at the edge
Performance Considerations
Confidential computing adds overhead:
- CPU TEE: 5-15% performance overhead from memory encryption and the extra work a confidential VM does on page acceptance and VM exits
- GPU TEE (H100): 2-5% overhead in confidential-computing mode, mostly from encrypting data moving over PCIe between the confidential VM and the GPU, so transfer-heavy workloads pay more than compute-bound ones
- Attestation: One-time cost at workload startup (seconds), repeated only if you re-attest periodically
- Memory limit: The confidential VM's memory allocation and the GPU's own memory bound the maximum model/data size
For inference workloads, the overhead is often acceptable. For large-scale training, plan for 10-15% longer training times and measure on your own model, since the cost depends on how much data crosses the CPU-GPU boundary.