Explore

Who we are

What we do

Resources

Career

Global Search

Search across SysArt

AI transformationon-prem AIsystems thinkingleadership
AI Consulting

Clarify enterprise AI strategy, architecture, and governance decisions.

 Consulting

AI transformation, private AI architecture, and organization design.

 Insights

Systems thinking, agility, AI, and transformation writing.

 Contact

Reach the Stockholm office and consulting team directly.

Blog

Confidential Computing for On-Premises AI Inference: Attestation, Threat Models, and Practical Boundaries

Data Security · On-Premises AI · AI Architecture · Advanced

How trusted execution environments and remote attestation can strengthen on-premises AI when workloads handle regulated or highly sensitive data, and where they still require application-level controls.

Close-up of electronic circuitry and components suggesting secure hardware

When on-premises hosting is not enough

Running large language models inside your own data centers removes many third-party data paths, but it does not automatically solve every confidentiality problem. Administrators, backup operators, hypervisor teams, and anyone with physical or logical access to hosts can still observe memory at the wrong layer unless the workload is isolated cryptographically. Confidential computing addresses that gap by combining hardware-backed trusted execution with remote attestation: a verifiable statement about what software is running before sensitive inputs are released to it.

For enterprises that process health, financial, or national-security adjacent workloads, or that face contractual duties around segregation of duties, confidential computing is less a marketing checkbox and more a way to align technical controls with audit expectations. It is not a replacement for network segmentation, identity, or application security, but it tightens the trust boundary around the inference runtime itself.

Core building blocks

Modern confidential computing stacks typically rely on CPU or accelerator features that establish a hardware root of trust. Examples include AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), Intel Trust Domain Extensions (TDX), and ARM Confidential Compute Architecture on suitable platforms. Cloud providers document comparable offerings; on-premises, your responsibility is to select hardware generations, firmware versions, and enablement steps that your security architecture team can attest to consistently.

Remote attestation lets a client or orchestrator ask the platform to prove that a specific measurement of code and configuration was loaded. In AI scenarios, that might cover the inference server binary, container image digest, kernel parameters, and policy agents. Attestation does not prove that the model weights are benign; it proves that the agreed stack is what actually runs. Pairing attestation with signed artifacts in your model registry closes a common gap between “we deployed v1.2” and “this GPU worker is truly serving v1.2.”

Ecosystem projects such as the Confidential Containers community and vendor integrations for Kubernetes aim to make attested pods or confidential VMs a deployable unit rather than a lab experiment. The exact APIs and attestor formats differ by vendor; what matters operationally is that your release pipeline produces artifacts your attestation verifier understands.

Threat model: what confidential AI does and does not cover

In scope. Confidential execution materially raises the bar for a malicious hypervisor administrator or a compromised host management agent reading plaintext model activations or user prompts from RAM. It also supports scenarios where you must show regulators or partners that data decryption happens only inside an attested enclave, not on a general-purpose OS image.

Out of scope or partial. Side-channel attacks, microarchitectural leakage, and certain denial-of-service patterns remain concerns that vendors document with varying candor. If your threat model includes sophisticated physical attackers, you need facility controls beyond software. Insider abuse at the application layer—for example, a poorly scoped service account that exfiltrates outputs after inference—is not solved by hardware enclaves alone. Similarly, prompt injection and unsafe tool use are application-layer issues; they do not disappear because tensors moved through encrypted memory.

Be explicit in architecture reviews about which claims you are making to stakeholders. “Data is always encrypted at rest and in transit” is different from “operator staff cannot observe prompts without breaking attestation,” and different again from “the model cannot leak secrets,” which is not something confidential computing promises by itself.

Design patterns for inference services

A practical pattern is to place the tokenizer, model loader, and inference server inside the confidential execution boundary while keeping API gateways, rate limiters, and observability collectors outside but tightly authenticated. Traffic enters through mutual TLS; attestation results are checked before session keys are provisioned. Logging must be carefully redacted: storing full prompts in a centralized SIEM often undermines the confidentiality story unless those logs are themselves classified and encrypted with separate keys.

For GPU-backed inference, availability of confidential GPU paths depends on hardware generation and software stack. Teams sometimes run CPU-only confidential paths for extremely sensitive preprocessing while keeping bulk GPU inference in a standard zone—an architectural compromise driven by latency budgets and supply constraints rather than ideal security purity.

Key management should integrate with your existing enterprise HSM or cloud KMS bridges in a way that root keys never materialize on operator laptops. Use short-lived session keys derived after successful attestation, and rotate them on policy triggers such as image upgrades or node rebuilds.

Operational realities: performance, patching, and governance

Confidential modes can add CPU overhead, complicate live migration, and slow down some I/O paths. Before committing, profile your target models with representative batch sizes and sequence lengths on attested configurations, not only on unconstrained lab GPUs. Treat firmware and microcode updates as scheduled events that may change measurements and therefore require coordinated attestation policy updates.

Governance should connect to your broader AI controls: model cards, approved base images, and change records. When an attestation failure appears in production, runbooks should distinguish between benign drift after patching and potential compromise. That distinction is easier when you maintain golden measurements per release artifact rather than a single opaque “trust this host” flag.

Putting it together

Confidential computing is a strong complement to on-premises AI when your risk assessments turn on operator access and multi-tenant host sharing. It aligns well with remote attestation of inference stacks and signed models. It does not replace secure API design, robust identity, or testing against misuse of model outputs. The organizations that extract value start with a written threat model, choose hardware and software stacks their teams can operate, and integrate attestation into deployment pipelines—not as a one-off demo, but as part of how every approved model version reaches production.

Featured image by Mika Baumeister on Unsplash.

← Back to blog