Wednesday, June 24
 

3:00pm PDT

From Trust Assumptions To Trust Evidence: Why PKI and Confidential Computing Are Converging - Brian Trzupek, DigiCert
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Every regulated industry runs on the same uncomfortable bargain: multiple parties with conflicting interests agree to trust each other procedurally, because no technical mechanism exists to verify the claims they're making. An MRI running an AI diagnostic model involves at least 5 stakeholders: the AI vendor protecting IP, the hospital safeguarding patient data, the device manufacturer ensuring firmware integrity, the regulator verifying the cleared algorithm is actually running, and the patient who never consented to their scan training someone else's model. Today, all of them take each other on faith. Confidential computing changes that equation from trust assumptions to trust evidence. This talk examines 2 concrete problem domains where we are applying hardware-rooted attestation and PKI-based trust services to solve real, urgent problems. First, we walk through the brownfield medical device challenge: how do you retrofit TPM-based measured boot, model integrity verification, and remote attestation onto medical devices already deployed in the field without disrupting clinical operations? Second, we present DigiCert's work on AI agent identity for agentic AI systems, a problem that extends confidential computing principles into the software identity layer.
Speakers
Brian Trzupek

Sr. Vice President Product, DigiCert
Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Trzupek brings nearly two decades of expertise on many security subjects to the team. He is often brainstorming use cases for enterprise PKI (Public Key Infrastructure) facilitated by the industry-leading...
Mint Ballroom

3:30pm PDT

Realizing Confidential VMs Ensuring Privacy of AI Features at LY Corporation in a Real-World Cloud - LY Corporation - Hiroki Narukawa & Akihiro Misawa, LY Corporation
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
This presentation shows a real-world example of our private cloud introducing Confidential VMs based on SEV-SNP, where the application in the container is included in the trust boundary.

At LY Corporation, as part of our privacy enhancement for LINE (messaging app with 194 million active users), we provide Confidential VMs powered by AMD SEV-SNP in our private cloud. This ensures that even employees cannot access data input to AI systems, and that the data remains protected even in the event of infrastructure compromise.

This session focuses on two parts: one is the mobile client perspective, the other is the cloud-user perspective.

In our Confidential VM implementation, the whole system, including the application, can be attested to the mobile clients using the Attestation Report feature of SEV-SNP.

Our implementation includes SEV-SNP support in OpenStack, OVMF provisioning to ensure attestation, and our OS image to ensure that only the expected application is running. By designing the chain of trust, everything including OVMF, kernel, OS image and container image is included inside the trust boundary, while cloud users can use the common OS image.
Speakers
Akihiro Misawa

Infrastructure Engineer, LY Corporation
An infrastructure engineer at LY Corporation, working on system infrastructure. Involved in OS image management, automation, and internal tooling to support service operations at scale.
Hiroki Narukawa

Software Engineer, LY Corporation
Software Engineer at LY Corporation, working on IaaS.
Mainly developing software running inside hypervisor or bare-metal nodes. I often scope on low-layer problems.
He works on developing software and managing versions of OpenStack, qemu, libvirt. He has contributed some patches to...
Mint Ballroom

4:00pm PDT

Private Model as a Service: Zero-Trust Blueprint for Protecting AI Weights - Marcos Entenza, Red Hat
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
In the agentic era, deploying proprietary AI on-premises raises a critical question: how do you protect model IP when infrastructure admins have full hardware access? This session introduces Private Model as a Service (PMaaS), a production-ready reference architecture that secures AI model weights across their entire lifecycle using hardware-rooted Trusted Execution Environments (TEEs).

We dive into the technical orchestration of Confidential Containers (CoCo) and KServe to build a cryptographically verified inference pipeline with vLLM. Model weights are distributed and decrypted exclusively inside hardware-verified CPU TEEs (Intel TDX, AMD SEV-SNP) with GPU memory protection (NVIDIA H100/B200). Remote attestation via a Key Broker Service (KBS) ensures decryption keys are only released to policy-compliant, verified environments.

We also cover the challenges of running vLLM inside restricted TEEs and our work upstreaming GPU attestation logic into Kata Containers and CoCo. Attendees leave with a practical blueprint for deploying zero-trust confidential AI workloads that decouple model security from infrastructure trust.
Speakers
Marcos Entenza

Sr. Principal Product Manager, Red Hat
Marcos Entenza, a.k.a. Mak, works on the core Red Hat OpenShift Container Platform for hybrid and multi-cloud environments to enable customers to run Red Hat OpenShift anywhere. Mak is an experienced Product Manager passionate about building scalable infrastructures, and he oversees...
Mint Ballroom
 