Loading…
Type: Breakout Sessions clear filter
Tuesday, June 23
 

12:45pm PDT

From Perimeter to Silicon: Why Agentic AI Demands a New Security Model - Dan Middleton, NVIDIA & Raghu Yeluri, Intel
Tuesday June 23, 2026 12:45pm - 1:10pm PDT
As AI agents move from assistants to autonomous actors executing workflows, calling tools, and making decisions across sensitive infrastructure, every industry faces the same foundational question: how do we establish verifiable trust at every layer of the stack?
This session examines the full trust architecture agentic AI requires:
  • Cryptographic attestation that verifies data and model integrity inside secure enclaves
  • Integrity-protected agent identity generation and verification
  • Policy-enforced execution that maintains auditability with no human in the loop
Speakers from Intel and NVIDIA will share how the CCC's four new vendor-agnostic technical blueprints are making Confidential Computing deployable at enterprise scale.

Key Takeaways:
  • The CCC's strategic shift toward demand-driven technical excellence and what it unlocks for enterprise adopters
  • A technical overview of the four new guidance papers and the deployment bottlenecks they solve
  • How to map these reference architectures to your existing cloud-native and open-source pipelines

Speakers
avatar for Dan Middleton

Dan Middleton

Principal Software Architect, NVIDIA
Dan Middleton is a Principal Software Architect at NVIDIA, with deep experience driving innovation at the intersection of open source and emerging technologies. He has led the development and release of products spanning Computational Imaging, Blockchain, Confidential Computing, and... Read More →
RY

Raghu Yeluri

Sr. Principal Engineer, Intel

Tuesday June 23, 2026 12:45pm - 1:10pm PDT
Gold Ballroom

12:45pm PDT

Securing the Future with Azure Confidential Computing - Run Cai & Ashutosh Chickerur, Microsoft
Tuesday June 23, 2026 12:45pm - 1:10pm PDT
Confidential computing is becoming a critical foundation for cloud security in an era defined by AI acceleration, data sovereignty requirements, and rising expectations for end-to-end protection of sensitive workloads. Azure is advancing this space with new infrastructure, stronger platform protections, and innovations designed to make confidential workloads more resilient, scalable, and production ready. This session will highlight the latest Azure Confidential Computing developments, including v6 confidential VMs on AMD and Intel, expanded Azure regional availability, and continued progress in production readiness. We will also look ahead to live migration for confidential VMs, including a live demo, and discuss how this capability improves workload continuity during planned security updates and unexpected hardware events. In addition, we will explore future investments acrossenclaves, platform attestation, and confidential AI. Topics include nested virtualization to enable confidential enclaves, stronger platform attestation with recovery capabilities, protection of Azure trusted computing base services, and the growing need for confidential GPUs to secure prompts, model weights, and distributed inference workloads for modern AI applications at scale.
Speakers
avatar for Run Cai

Run Cai

Principal PM Manager, Microsoft
Run Cai is a Principal TPM Manager at Microsoft, leading large-scale Azure infrastructure and focusing on confidential computing programs. She is shaping future generations of Azure confidential computing platforms, driving product scale-out and elasticity while championing new initiatives... Read More →
AC

Ashutosh Chickerur

Principal Engineering Manager, Microsoft
Ashutosh Chickerur is a Principal Software Engineering Manager at Microsoft, leading Azure confidential computing and cloud infrastructure efforts, with deep expertise in multi-cloud platforms, security, and large-scale distributed systems.
Tuesday June 23, 2026 12:45pm - 1:10pm PDT
Courtyard

1:15pm PDT

AMD SEV & Azure Local: When Confidential VMs Go Local - David Harmon, AMD & Deepak Manohar, Microsoft
Tuesday June 23, 2026 1:15pm - 1:40pm PDT
AMD SEV has provided foundational technology for Confidential VMs at cloud scale, including deployments in Microsoft Azure Cloud. As workloads span cloud, hybrid, edge, and customer-owned environments, the architectural requirement is clear: preserve the Confidential VM trust pattern wherever those workloads run. This joint AMD-Microsoft session shows how AMD SEV and Azure Local come together for hybrid and on-prem deployment requirements, connecting silicon-based isolation, attestation, policy-gated key release, Azure Local deployment models, and practical deployment considerations. The session includes an Azure Local demo of attestation-gated access to protected workload assets.

Speakers
avatar for David Harmon

David Harmon

Director, Data Center Ecosystem, AMD
David Harmon is a Director of Software Development at AMD. David's work focuses on datacenter solutions that include AMD EPYC server product line and Microsoft software solutions for cloud and on prem including Azure Local.
avatar for Deepak Manohar

Deepak Manohar

Sr. Director PM, Microsoft
Deepak Manohar is a Sr. Director PM at Microsoft. He leads the security product management team for Azure Local and Digital Operations. One of his areas of focus is to bring Confidential computing to Azure's on-premises offering namely Azure Local. More broadly, he is responsible... Read More →
Tuesday June 23, 2026 1:15pm - 1:40pm PDT
Gold Ballroom

1:15pm PDT

Strictly Confidential: Use Cases & Demos of AI Workflows in TEEs - Sam Lugani & Ranjit Narjala, Google
Tuesday June 23, 2026 1:15pm - 1:40pm PDT
This session dives deeper into practical implementation and use cases for confidential computing. As complex AI models demand robust cryptographic roots of trust, we will demonstrate precisely how to architect and execute these environments in the real world. Through a series of live, hands-on demonstrations, we will showcase the latest confidential platforms in action, seamlessly extending trusted execution environments (TEEs) from model training all the way through to inference. Join us to look under the hood at the exact mechanisms and architectures that allow leading Google Cloud customers to secure complex AI workflows and keep active processing encrypted at scale.

Speakers
avatar for Sam Lugani

Sam Lugani

Product Lead, Confidential Computing, Google Cloud
Sam Lugani is the product lead for Confidential Computing and Confidential AI at Google. Sam started his professional career working as a software engineer at Cisco before venturing into product centric roles at FireEye, Synack and later at Google. He completed his MS in Computer... Read More →
avatar for Ranjit Narjala

Ranjit Narjala

Google Cloud, Engineering Lead, Confidential Computing,

Tuesday June 23, 2026 1:15pm - 1:40pm PDT
Courtyard

1:45pm PDT

Confidential Tenancy: Towards Digital Sovereignty on Public Clouds - Antoine Delignat-Lavaud, Microsoft
Tuesday June 23, 2026 1:45pm - 2:10pm PDT
Digital Sovereignty is commonly interpreted as a legal concept - but can it be turned into a technical guarantee? We introduce a new sovereignty boundary within existing public cloud infrastructure built on (and generalizing) the concept of confidential computing, where a given workload is totally isolated from its surrounding shared infrastructure within a trusted execution environment (TEE), enforced and attested in hardware. Although the concept of TEEs applies to a unit of computation (e.g., a process, VM, or container), we propose to extend these security guarantees to an entire cloud tenant, i.e., a cloud account with all its resources – IaaS (i.e., VMs), PaaS (e.g., Kubernetes clusters), and SaaS (e.g., model-as-a-service endpoints) and its associated management layer, including its own identity, access control and key management services. Critically, we introduce virtual data diode (VDD), a novel primitive that allows confidential tenants to control all movements of data within and without their confidential tenancy, including traffic to shared infrastructure services. We also introduce new operator controls to ensure that support requests can be addressed when operators need access to logs or must perform manual maintenance actions on the tenant’s resources, while ensuring that all maintenance actions can be reviewed and approved by the confidential tenant. 

Speakers
avatar for Antoine Delignat-Lavaud

Antoine Delignat-Lavaud

Principal Researcher, Microsoft
Tuesday June 23, 2026 1:45pm - 2:10pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

1:45pm PDT

Panel Discussion: Proof in Production: Customer Lessons from Confidential AI - Reshma Shetty, ServiceNow; Shyam Menon, Mitek Systems; Nikhil Gulati, Johnson & Johnson; & James Edwards, Midland Credit Management
Tuesday June 23, 2026 1:45pm - 2:10pm PDT
Enterprises in regulated sectors face a stark reality: AI agents offer transformative potential, but the risk of sensitive data bleeding beyond governed boundaries remains unacceptable for many compliance and security teams. Organizations can no longer rely on black-box AI systems or accept the risk of uncontrolled data exposure, unverifiable execution, or AI workflows that outpace governance. As AI adoption accelerates, trust has become the bottleneck, and auditors are demanding verifiable proof. This panel brings together enterprise leaders navigating the real-world challenge of deploying AI in environments where compliance is non-negotiable. Panelists will share how they are balancing innovation with operational control, meeting the demands of governance teams and regulators, and building the verifiable guardrails needed to move from pilot to production. The discussion will explore why Confidential AI is becoming foundational for enterprises that need to operationalize AI without compromising governance, auditability, or trust.
Moderators
avatar for Aaron Fulkerson

Aaron Fulkerson

OPAQUE, CEO

Speakers
avatar for Shyam Menon

Shyam Menon

Senior Director of Product- Machine Learning & Fraud, Mitek Systems


avatar for Nikhil Gulati

Nikhil Gulati

Global Head, Engineering & AI, Polyphonic, Johnson & Johnson

avatar for James Edwards

James Edwards

Senior Director, IT, Midland Credit Management

avatar for Reshma Shetty

Reshma Shetty

Senior Director of Engineering, ServiceNow

Tuesday June 23, 2026 1:45pm - 2:10pm PDT
Courtyard

2:15pm PDT

Panel Discussion: State of the Union: Confidential AI From the Field - Moderated by Aaron Fulkerson, OPAQUE
Tuesday June 23, 2026 2:15pm - 2:45pm PDT
Confidential AI is moving rapidly from experimentation to production. Across industries, enterprises are demanding secure, verifiable AI infrastructure for sensitive workloads, regulated data, and autonomous agents. Leaders from across the ecosystem share a State of the Union from the field: where Confidential AI is gaining traction, what's driving demand, emerging use cases, deployment challenges, and the infrastructure requirements shaping the next wave — plus what it actually takes to move from pilot to production over the next 12 months.
Moderators
avatar for Aaron Fulkerson

Aaron Fulkerson

OPAQUE, CEO

Speakers
avatar for Nelly Porter

Nelly Porter

Director of Product Management, GCP Confidential Computing and Encryption, Google

avatar for Jonathan Dotan

Jonathan Dotan

Founder & CEO, EQTY Lab
EQTY Lab builds tools to reinvent trust in AI. As a serial founder, Jonathan has spent over 25 years navigating the intersection of technology and governance as a C-suite leader, investor, and researcher. He is also the founding director of The Starling Lab at Stanford University... Read More →
avatar for Antoine Delignat-Lavaud

Antoine Delignat-Lavaud

Principal Researcher, Microsoft
avatar for Harold Gilkey

Harold Gilkey

Director, Product Security Office, AMD
Harold Gilkey is a Director in AMD's Product Security Office, with a particular focus on confidential computing. He works across architecture, product, and engineering teams to extend hardware-rooted trust from silicon through the software stack, building on AMD's confidential computing... Read More →
avatar for Dr. Chaouki Kasmi

Dr. Chaouki Kasmi

Technology Innovation Institute, Chief Innovation Officer
Dr. Chaouki Kasmi is the Chief Innovation Officer at the Technology Innovation Institute (TII), is a cutting-edge UAE-based scientific research center. In his role, Dr. Kasmi spearheads the development and implementation of productization and industrialization strategies while overseeing... Read More →
Tuesday June 23, 2026 2:15pm - 2:45pm PDT
Courtyard

3:00pm PDT

From Pixels To Agents: Optimizing On-Device Performance of Confidential Computing in AI Evolution - Savas Ozkan, Samsung Research UK, Samsung Electronics
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Unlike server-side confidential AI, on-device confidential AI must balance strong protection of sensitive personal data with efficient operation under limited computational resources.

In this talk, we explore the impacts of CC on on-device AI performance for various AI models and tools by identifying some root-causes. First, we recognise that CC overheads vary across AI models during critical operations such as data read/write, model loading and inference phases, supported by detailed experiments. Second, we investigate multiple designs for AI agent tools in CC, especially by considering different AI memory modules, that present distinct overheads compared to traditional AI models. To enable systematic evaluation, we develop a modular software framework integrated with the open-source ISLET CC project. This framework supports configurable benchmarking of AI agent tools, and will be publicly released to foster the reproducibility and collaboration within the CC community. Lastly, since these performance drops can negatively impact the user experience, we propose a set of techniques that minimise the overhead related with model loading while ensuring robust privacy protection.
Speakers
avatar for Savas Ozkan

Savas Ozkan

Engineering Manager, Samsung Research UK
Savas Ozkan received the Ph.D. degree from the Department of Electrical and Electronics Engineering, Middle East Technical University, Ankara, Turkey. Currently, he is leading Efficient Machine Learning Group at Samsung Research UK, focusing on on-device AI solutions for vision, language... Read More →
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Mint Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:00pm PDT

NVIDIA Confidential Computing Attestation for Next-Generation AI Hardware - Rob Nertney & Spencer Gilson, NVIDIA
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
NVIDIA's attestation infrastructure was born from Confidential Computing - securing Hopper GPUs with hardware-rooted, in-band attestation. As AI hardware evolves to rack-scale systems like Vera Rubin NVL72, attestation must evolve with it: new devices, new modes, and new challenges.

This talk covers three dimensions of that evolution. First, we discuss how CC attestation scales to rack-level with Vera Rubin, including NVIDIA's multi-node solution for CC and the challenge of attesting dozens of GPUs, CPUs, and NVSwitches as a unified trusted system. Second, we show how attestation patterns proven in CC are extending to new modes and device types - including fleet intelligence and out-of-band attestation. Third, we share the standards and interoperability challenges we have encountered along the way: inconsistent implementations across the ecosystem, gaps in attestation policy standards, and binding discrete components into trusted subsystems to prevent relay and substitution attacks.

Attendees will leave understanding where NVIDIA attestation is heading and what we have learned about the open problems the ecosystem must solve together.
Speakers
avatar for Rob Nertney

Rob Nertney

Principal software architect, NVIDIA, NVIDIA
Rob Nertney is a principal software architect for confidential computing. He has spent nearly 15 years architecting the features and deployment of accelerator hardware into hyperscale environments for both internal and external use by developers. He has several patents in processor... Read More →
avatar for Spencer Gilson

Spencer Gilson

Senior Systems Software Engineer, NVIDIA
Spencer is a senior system software engineer working on attestation at NVIDIA. He specializes in designing, developing, and maintaining critical services with an emphasis on security and reliability.
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Courtyard

3:00pm PDT

Trust Is the Next Bottleneck: Why the Agentic Economy Needs Confidential Computing - Pawan Khandavilli, Microsoft
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Agents can authenticate, but they still cannot prove what actually ran. When an agent transfers value, calls a sensitive tool, or acts on delegated authority across a boundary, the relying party has no cryptographic way to verify what code executed, what policy governed it, or whether sensitive data stayed inside a trustworthy boundary. OAuth handles authorization, not runtime integrity. IAM labels principals, not measured execution. Prompt-level governance shapes intent, not enforceable policy. These are necessary but insufficient for agents acting autonomously across trust boundaries.

Confidential computing already has the primitives to close this gap: hardware attestation, measured execution, cryptographic evidence of runtime state. This talk presents a practical framework for applying those primitives to agent trust. I walk through a payment-approval agent scenario end-to-end, identify four concrete gaps (hardware-rooted agent identity, measured policy-as-code, portable attestation evidence, cross-cloud federation), and show which are solvable today and which need ecosystem work. Attendees leave with a framework they can use to evaluate or design agent trust architectures.
Speakers
avatar for Pawan Khandavilli

Pawan Khandavilli

Senior Product Manager, Microsoft
Pawan Khandavilli is a senior product manager in Azure Confidential Computing (ACC) with a focus on serverless and confidential computing. Pawan has previously worked at Fortanix and the Royal Bank of Canada in a variety of roles with a focus on applying innovative security technologies... Read More →
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Gold Ballroom

3:00pm PDT

Virtual Session: DriftlessAF: An Open Source Agentic Reconciler Framework Proven at Scale - Manfred Moser, Chainguard
Tuesday June 23, 2026 3:00pm - Wednesday June 24, 2026 5:30pm PDT

Speakers
avatar for Manfred Moser

Manfred Moser

Senior Principal DevRel Engineer, Chainguard
Manfred Moser is a Senior Principal DevRel Engineer at Chainguard, bringing a profound focus on software supply chain security to the open source world and our Chainguard Libraries product. A dedicated community leader and published author, his technical expertise spans decades as... Read More →
Tuesday June 23, 2026 3:00pm - Wednesday June 24, 2026 5:30pm PDT
Virtual Session

3:30pm PDT

"If It's Shared, It's Vulnerable": Is Kubernetes the Right Platform for Confidential Compute? - Zvonko Kaiser, NVIDIA
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
Kubernetes shares host kernels, network stacks, storage paths, and control planes across tenants. These shared primitives become attack surfaces when tenants cannot trust each other or the infrastructure operator.

We enumerate the threat surfaces in confidential Kubernetes deployments, from eBPF snooping and conntrack hijacking to hardware-assisted virtualization rootkits. We then present a production architecture that eliminates shared-trust assumptions by flattening the virtualization stack so every workload runs as a TEE-protected guest, gating all secrets, identities, and device access on a composite attestation chain, and wrapping each shared primitive in a hardened overlay for compute, network, storage, control-plane, identity, and observability.

Attendees will learn which Kubernetes primitives leak across tenant boundaries, how composite attestation closes those gaps, and practical steps toward true multi-tenancy in confidential Kubernetes deployments.
Speakers
avatar for Zvonko Kaiser

Zvonko Kaiser

Principal Systems Engineer, NVIDIA
Zvonko is a Principal Systems Engineer at NVIDIA, working on the Cloud Native Technologies team. Focusing right now on all things related to confidential computing, zero-trust, especially in the context of accelerators.
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
Mint Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:30pm PDT

GKE Hypercluster: Kubernetes TEEs for AI at Scale - Komei Nakamoto & Keith Moyer, Google
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
GKE Hypercluster brings large-scale operation of Trusted Execution Environments to Kubernetes, and was co-designed with Anthropic to meet their security and scale. In this talk we explain the linked runner architecture that drastically reduces the Trusted Compute Base (TCB) by completely separating high-value workload execution from the standard container orchestration control plane. In this model, sensitive AI workloads are offloaded to a dedicated, “sealed” virtual machine. The Kubernetes scheduling and orchestration remains on a non-sealed "parent" node, preserving Kubernetes primitives (ie. Pods, Network Policy) and operational familiarity while achieving workload isolation. The execution environment is built on a hardened and attested OS, removing non-essential services and preventing administrative shell access. Integrity is guaranteed through attestation and container signature verification.

This design establishes a strict chain of trust, offers isolation from the Kubernetes operator and Cloud Service Provider, supports high-performance AI accelerators within the sealed boundary, and enhances scalability by managing isolated environments with a reduced system footprint.
Speakers
avatar for Keith Moyer

Keith Moyer

Technical Lead, Confidential Computing, Google
Keith Moyer is the Technical Lead for Confidential Computing at Google Cloud. He has spent the last 10 years dedicated to making verifiable trust accessible and useful, with over 20 years of experience spanning cloud security and embedded systems. He holds a BS in Computer Engineering... Read More →
avatar for Komei Nakamoto

Komei Nakamoto

GKE AI Security Tech Lead, Google
Komei is a software engineer at Google, and the Tech Lead for the GKE AI Security team focused on making GKE a secure platform for running AI workloads.
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
Courtyard
  Breakout Sessions
  • Slides Attached Yes

3:30pm PDT

Who is Calling? Identity for Agents with AAuth - Dick Hardt, Hellō
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
The weaknesses of shared secrets — API keys and bearer tokens — are being exploited in the agentic era. They get copied to every workload that uses them, they leak, and they prove nothing about who is actually calling.

Software has changed. Agents now assemble themselves at runtime and call services they've never seen, across organizations and trust domains. Inside the enterprise we have mTLS; on the open web we fall back to bearer tokens, which travel anywhere but prove nothing.

AAuth gives every agent its own cryptographic identity — verifiable by any party, with no pre‑registration and no shared secret. The agent proves possession of a key on every request, and carries who it is, who it is acting on behalf of, and what it's authorized to do in one signed token.

So when an agent calls, the resource knows who's calling — and on whose authority.

Speakers
avatar for Dick Hardt

Dick Hardt

Founder/CEO, Hellō
Agentic Identity and AAuth. 
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
Gold Ballroom

4:00pm PDT

Agentic Zero Trust: at Rest, in Transit, and at Runtime - Nina Polshakova, Solo.io & Josh Halley, Cisco
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
AI workloads handle some of the most sensitive data in modern enterprises, from proprietary training datasets to user prompts and high-dimensional embeddings. Yet many AI pipelines are built without the rigorous security practices applied to traditional systems, leaving critical gaps.

Josh and Nina from the CNCF AI Working Group show how to apply Zero Trust principles to secure AI data at every stage: at rest, in transit, and in runtime. Attendees will learn why conventional approaches fail for AI, highlighting risks like prompt injection, embedding poisoning, and GPU memory leakage, and how Zero Trust, combined with confidential computing, provides a stronger security foundation.

We’ll demonstrate how agent identity, continuous attestation, and trusted execution environments (TEEs) enforce runtime trust, while encryption, fine-grained access control, and mTLS protect data at rest and in transit.

Attendees will gain actionable strategies for securing every stage of the AI data lifecycle using modern encryption, policy enforcement, and runtime hardening.
Speakers
avatar for Nina Polshakova

Nina Polshakova

Senior Principal Software Engineer, Solo.io
Nina is a software engineer at Solo.io, working on AI Gateway projects. She contributes to open source projects, including Kubernetes, Istio, kagent, agentgateway, and kgateway. A CNCF Ambassador and former Kubernetes v1.33 Release Lead, she’s also a member of the Cloud Native AI... Read More →
avatar for Josh Halley

Josh Halley

Principal Architect, Cisco
Josh Halley, is a Principal Architect and published technical author, in the office of the CTO at Cisco,
focused on next generation technologies and technical transformation for some
of Cisco’s largest global customers. His main focus today is in the domains of AI Operations, leading and supporting multiple teams in their generation of Agentic AI systems to support todays and tomorrows future technologies use cases... Read More →
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

4:00pm PDT

Governing AI Agents at the Hardware Boundary - Imran Siddique, OPAQUE Systems
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
AI agents are making real decisions: filing tickets, moving money, deploying code, operating infrastructure. The question is no longer what the agent should do. The question is: can you prove governance was actually enforced?

Right now, all agent governance is software. Policy engines, identity checks, audit logs, credentials: everything lives in the same trust boundary as the agent itself. If someone compromises the runtime, every control disappears. Policies get bypassed. Credentials get exfiltrated. Audit logs get forged.
Software governance makes promises. Hardware governance provides proofs.

I will walk through what my team has built (the Agent Governance Toolkit), where the software limits are, and how TEE-backed enforcement closes those gaps. Concrete architecture, real code, honest gap analysis.
Speakers
avatar for Imran Siddique

Imran Siddique

Chief Platform Officer, Opaque Systems
Imran Siddique is Chief Platform Officer at Opaque Systems and the creator of the Agent Governance Toolkit.Imran holds 20+ patents in AI systems, data platforms, and sustainability infrastructure, and has published research papers on agentic architecture and distributed systems... Read More →
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
Courtyard

4:00pm PDT

Running AI Agents Inside TEEs Without Losing Your Mind - Sonali Mishra, Nutanix
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
AI agents are making decisions, calling tools, and talking to other agents, often with access to sensitive data they shouldn't be able to see in plaintext. The usual answer is to just trust the infrastructure, but that falls apart in multi tenant clouds and cross org workflows. This talk covers what it actually takes to run agentic AI workloads inside Trusted Execution Environments. I'll walk through the architecture for isolating agent-to-agent communication using confidential VMs, how attestation works when agents need to dynamically invoke external tools, and the gotchas we hit around key management and session state. We'll look at real performance numbers and what the overhead looks like on GPU backed inference inside TEEs and where the bottlenecks actually are. Attendees will leave with a concrete reference architecture for deploying AI agents with hardware-rooted trust boundaries, plus practical guidance on attestation flows for multi-party agent pipelines. If you're building agentic systems that handle regulated or sensitive data, this talk gives you a starting point that doesn't require rearchitecting everything from scratch.
Speakers
avatar for Sonali Mishra

Sonali Mishra

Principal Product Manager - AI & Cloud Native, Nutanix
As a Principal Cloud Native at Nutanix, I am passionate about driving innovation and empowering organizations to build secure and resilient solutions in their cloud-native journey. With our significant presence in US government, I aim to ensure organizations can adopt Kubernetes securely... Read More →
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
Mint Ballroom
  Breakout Sessions
  • Slides Attached Yes
 
Wednesday, June 24
 

12:45pm PDT

Characterizing NVIDIA Confidential Computing Overheads Across Model Inference & Training - Tanya Verma, Tinfoil
Wednesday June 24, 2026 12:45pm - 1:10pm PDT
We'll walk through where NVIDIA CC overheads appear in the model inference and training pipeline across GPU architectures and try to understand why
Speakers
avatar for Tanya Verma

Tanya Verma

Cofounder, Tinfoil
Tanya is the cofounder of Tinfoil, which provides verifiably private AI. Before Tinfoil, she was a cryptography engineer at Cloudflare where she designed and deployed privacy and security protocols used by billions of users on the internet.* Speaker Email: [email protected]* Speaker Headshot: attached... Read More →
Wednesday June 24, 2026 12:45pm - 1:10pm PDT
Gold Ballroom

12:45pm PDT

PetalGuard, A Privacy-preserving Federated Learning Framework - Victor Sucasas, TII
Wednesday June 24, 2026 12:45pm - 1:10pm PDT


Speakers
avatar for Victor Sucasas

Victor Sucasas

Senior Director, TII
Dr. Victor Sucasas is a cryptography engineer and researcher specializing in privacy-preserving technologies, confidential computing, and secure AI systems. He is Senior Director Cryptography at Technology Innovation Institute in Abu Dhabi, where he leads the Privacy Enhancing Technologies... Read More →
Wednesday June 24, 2026 12:45pm - 1:10pm PDT
Courtyard
  Breakout Sessions
  • Slides Attached Yes

1:15pm PDT

Building Trusted AI Factories with NVIDIA Accelerated Confidential Computing - Erik Bohnhorst, NVIDIA
Wednesday June 24, 2026 1:15pm - 1:40pm PDT
As AI transitions from experimentation to production, securing sensitive data, proprietary models, prompts, and agentic workflows is critical. To build trusted AI systems that scale effectively, confidential computing has emerged as a fundamental pillar, ensuring that governance, control, and privacy remain intact.
The session will cover hardware-rooted trust, workload isolation, attestation, secure runtimes, and practical implementation patterns using NVIDIA reference architectures. Attendees will come away with a clear view of how to apply confidential AI in real-world deployments, including regulated workloads, secure multi-party collaboration, and production-ready agentic systems.

Speakers
EB

Erik Bohnhorst

NVIDIA, Director of Product Management
Erik Bohnhorst is a Director of Product Management at NVIDIA, specialized in building infrastructure software that powers modern AI. Erik has been at NVIDIA since 2014, and focuses on making AI workloads run effortlessly, efficiently, and securely on Kubernetes and virtualized p... Read More →
Wednesday June 24, 2026 1:15pm - 1:40pm PDT
Courtyard

1:15pm PDT

Open Source, Confidential by Design: The Linux Stack for Agentic AI - Brittany Kaiser, Alpha Compute; Allen Roush, Thoughtworks; & Shaw Walters, Eliza Labs; & Tina Zhen, Flashbots
Wednesday June 24, 2026 1:15pm - 1:40pm PDT
Agentic AI is rapidly becoming part of critical infrastructure, but today's deployments still rely on trust assumptions that were never designed for autonomous systems handling sensitive data.

This session brings together Brittany Kaiser, Allen Roush, and Shaw Walters to discuss how Linux, confidential computing, and open-source agent frameworks can form the foundation for a new generation of verifiable AI systems. The conversation will cover confidential agents, attestation, decentralized coordination, data sovereignty, and why open infrastructure is essential to ensuring that AI remains private, auditable, and user-controlled.  Attendees will gain practical and strategic insights into the emerging architecture of confidential agents and the role Linux will play as the operating system of the sovereign AI era.

Speakers
avatar for Tina Zhen

Tina Zhen

Co-Founder & Steward, Flashbots


avatar for Brittany Kaiser

Brittany Kaiser

CEO, Alpha Compute Corp
Brittany Kaiser is Chief Executive Officer of Alpha Compute Corp. (Nasdaq: ALP), where she leads strategy in confidential computing, data sovereignty, and AI infrastructure. A globally recognized authority on data rights, digital assets, and AI governance, she became a leading voice... Read More →
avatar for Allen Roush

Allen Roush

Lead AI Researcher, Thoughtworks
Allen Roush is Lead AI Researcher at Thoughtworks USA, where he focuses on improving the creativity, coherence, and practical reliability of AI systems. He joined Thoughtworks in 2025 after senior technical and AI leadership roles at organizations including Oracle and Intel. His research... Read More →
avatar for Shaw Walters

Shaw Walters

Founder, Eliza Labs
Shaw Walters is the founder of Eliza Labs, the creators of the ElizaOS agentic open-source framework. With a robust background in artificial intelligence and machine learning, Shaw has championed an open-source and transparent approach that has positioned Eliza Labs at the forefront... Read More →
Wednesday June 24, 2026 1:15pm - 1:40pm PDT
Gold Ballroom

1:45pm PDT

Confidential Computing for Sovereign AI: The Emerging Opportunity in Japan - Takeharu Kondo & Shuzo Ueki, Acompany Co., Ltd.
Wednesday June 24, 2026 1:45pm - 2:10pm PDT
As generative AI and AI agents rapidly evolve, interest in Sovereign AI is growing worldwide. In Japan, demand is increasing for trusted AI infrastructure across sectors such as defense, healthcare, manufacturing, telecommunications, and critical infrastructure. This session introduces the latest trends in Sovereign AI and Confidential Computing (CC) in Japan.
Japan is advancing Confidential Computing enabled data centers, secure data collaboration platforms, and privacy-preserving AI environments. Expectations are also growing for CC adoption in government-led projects and critical infrastructure sectors.

In this session, we discuss the opportunities surrounding Sovereign AI in Japan for AI model providers, cloud providers, GPU vendors, and data center operators. Through real-world examples, we explore how CC is becoming a core technology for building Trusted AI Infrastructure in the AI agent era.

Speakers
avatar for Shuzo Ueki

Shuzo Ueki

CFO, Acompany Co., Ltd.
Shuzo Ueki is CFO of Acompany Co., Ltd., where he oversees finance, business development, and strategic partnerships. He has experience in strategy consulting, venture capital, corporate carve-outs, and startup financing, and has advised companies across multiple industries on business... Read More →
avatar for Takeharu Kondo

Takeharu Kondo

Co-founder / Chief Research and Development Officer, Acompany Co., Ltd.
Takeharu Kondo is Co-founder and Chief R&D Officer of Acompany, a Japanese startup building Confidential AI — AI you can trust with your most sensitive data. Since co-founding the company in 2018, he has led applied R&D that turns Confidential Computing and privacy-enhancing technologies... Read More →
Wednesday June 24, 2026 1:45pm - 2:10pm PDT
Courtyard
  Breakout Sessions
  • Slides Attached Yes

1:45pm PDT

How OPAQUE Enables Hardware-enforced AI Governance- Rishabh Poddar, OPAQUE Systems
Wednesday June 24, 2026 1:45pm - 2:10pm PDT
Your AI stack is bleeding data and you can't prove otherwise. This talk covers the OPAQUE Confidential AI Platform and how it enforces AI governance.

Speakers
avatar for Rishabh Poddar

Rishabh Poddar

Co-Founder & CTO, OPAQUE Systems
Co-Founder & CTO of OPAQUE Systems. PhD, UC Berkeley.
Wednesday June 24, 2026 1:45pm - 2:10pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

2:15pm PDT

Regulatory Panel Discussion: Brittany Kaiser, Alpha Compute; Mark Bower, Anjuna; & Moderated by Aaron Fulkerson, OPAQUE Systems
Wednesday June 24, 2026 2:15pm - 2:45pm PDT


Moderators
avatar for Aaron Fulkerson

Aaron Fulkerson

OPAQUE, CEO

Speakers
avatar for Brittany Kaiser

Brittany Kaiser

CEO, Alpha Compute Corp
Brittany Kaiser is Chief Executive Officer of Alpha Compute Corp. (Nasdaq: ALP), where she leads strategy in confidential computing, data sovereignty, and AI infrastructure. A globally recognized authority on data rights, digital assets, and AI governance, she became a leading voice... Read More →
avatar for Mark Bower

Mark Bower

Chief Strategy Officer, Anjuna Security.
Mark Bower is a data security expert with 20+ years shaping how the world protects information. He's led breakthroughs in data protection, privacy, and risk reduction across the U.S., Australia, U.K., and EU. At Anjuna, he drives confidential computing strategy for the future of AI... Read More →
Wednesday June 24, 2026 2:15pm - 2:45pm PDT
Courtyard

3:00pm PDT

From Trust Assumptions To Trust Evidence: Why PKI and Confidential Computing Are Converging - Brian Trzupek, DigiCert
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Every regulated industry runs on the same uncomfortable bargain:multi parties with conflicting interests agree to trust each other procedurally, because no tech mechanism exists to verify the claims they're making. An MRI running an AI diagnostic model involves at least 5 stakeholders:the AI vendor protecting IP, the hospital safeguarding patient data, the device mfg ensuring FW integrity, the regulator verifying the cleared algorithm is actually running, and the patient who never consented to their scan training someone else's model. Today, all of them take each other on faith. Confidential computing changes that equation from trust assumptions to trust evidence.This talk examines 2 concrete problem domains where we are applying HW-rooted attestation and PKI-based trust services to solve real, urgent problems. 1st, we walk through the brownfield medical device challenge: how do you retrofit TPM-based measured boot, model integrity verification, and remote attestation onto med. devices already deployed in the field without disrupting clinical operations? 2nd, we present DigiCert's work on AI agent ID for agentic AI systems; a problem that extends CC principles into the SW ID layer
Speakers
avatar for Brian Trzupek

Brian Trzupek

Sr. Vice President Product, DigiCert
Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Trzupek brings nearly two decades of expertise on many security subjects to the team. He is often brainstorming use cases for enterprise PKI (Public Key Infrastructure) facilitated by the industry-leading... Read More →
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Mint Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:00pm PDT

Global Agentic Identity and Programmable Trust: Lessons Learned From the NATO DIANA Pilot - Manu Fontaine, Hushmesh Inc.
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
NATO DIANA, NATO’s innovation accelerator, is building a heterogeneous, cross-Allied ecosystem spanning innovators, mentors, test centers, ministries of defense, and other agencies across 32 Allied nations. This is the trust problem the Internet of Agents faces at global scale: how people, organizations, and their respective agents prove identity, authority, and credentials across trust boundaries without leaking private, confidential, or national-security knowledge.

To address this challenge, DIANA sought a “chip-level zero-trust” identity infrastructure. Confidential Computing sits at the root: identity, authentication, authorization, credentialing, and key management are all unified and verified from the chips up. Each entity acts through its agent with its own cryptographic identity, trust boundary, knowledge isolation, and globally verified execution.

In this session, we will share lessons from the DIANA pilot and show why Global Agentic Identity is the foundational layer of Direct Programmable Trust for the Internet of Agents: a model for sovereign ecosystems where agents interact, coordinate, and transact under hardware-backed guarantees of verifiability, confidentiality, and privacy.

Speakers
avatar for Manu Fontaine

Manu Fontaine

Founder and CEO, Hushmesh Inc.
Manu Fontaine is the Founder and CEO of Hushmesh, a dual-use, early-stage, Delaware Public Benefit Corporation in the Washington DC area. Hushmesh leverages Confidential Computing technology to develop, deploy, and operate "the Mesh": the Programmable Trust infrastructure for the... Read More →
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:00pm PDT

Q-Day Survival Guide: What the Post-quantum Cryptography Transition Means for Confidential Computing - Arthur Savage, Red Hat
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Cryptographic algorithms will one day be broken by large quantum computers, necessitating the replacement of classical cryptography (like RSA) with post-quantum cryptography (PQC). This event, called Q-day, is a rolling deadline with previous estimates falling around 2035. However, in early 2026, many groundbreaking developments rapidly shortened Q-day estimates to 2030 or sooner, leaving little time to execute this unprecedented global cryptographic overhaul.

This talk will put Q-day in context for the audience: timelines, the recent scientific breakthroughs and how they alter threat models in open source, and which gaps and blockers are most pressing. Then, we view these blockers through the lens of confidential computing, from hardware to software. We will discuss current risks and best practices, then open the audience to discussion of the needs of diverse applications across the confidential computing ecosystem. This talk is both informative and information-gathering, fostering mutual understanding and collaboration to integrate PQC before time runs out. This talk will be technical, but no prior knowledge about PQC is necessary and we welcome participation from all.
Speakers
avatar for Arthur Savage

Arthur Savage

Software Engineer, Red Hat
Arthur Savage is a software engineer at Red Hat with a passion for cybersecurity. He has a Master's degree in Electrical and Computer Engineering with specialties in data analytics, image forensics, and post quantum cryptography.
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Courtyard
  Breakout Sessions
  • Slides Attached Yes

3:30pm PDT

Privacy-Preserving Fraud Intelligence for India's Open Finance Ecosystem Using TEEs - Kiran Gopinath, Sahamati Foundation & Rene Kolga, Google Cloud
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
Loan fraud in India is a $4 billion annual problem. Simultaneously, it is very hard to detect and prevent this when each lender sees only their slice of a borrower's activity. India's Open Finance framework, called Account Aggregator, establishes the foundation for coordinated fraud prevention at scale. However, lenders cannot pool raw borrower data to combat it.

Aikya, built on a Trusted Execution Environment, provides the answer by running cross-institutional velocity checks inside a secure enclave where no participant sees another's data, turning a privacy constraint into a structural guarantee.

Sahamati Foundation governs India's Open Finance framework enabling individuals and businesses to share real-time financial data across financial institutions and fintechs with their consent. With over 1,000 participating entities and tens of millions of active data flows, it is one of the largest Open Finance deployments in the world.
Speakers
avatar for Kiran Gopinath

Kiran Gopinath

Chief Innovation Officer and Head Sahamati Labs, Sahamati Foundation
As Chief Innovation Officer at Sahamati, Kiran leads initiatives shaping India’s Account Aggregator ecosystem, one of the world’s fastest-growing Open Finance networks and is the founder of Sahamati Labs, where he drives innovation at the intersection of AI, Open Finance. His... Read More →
avatar for Rene Kolga

Rene Kolga

Sr Product Manager, Google Cloud
Rene Kolga, CISSP, has over 15 years of cybersecurity experience in the areas of endpoint protection, insider threat, encryption and vulnerability management. Currently, he is a Product Manager at Google on the Confidential Computing team. Prior to Google, Rene worked for Symantec... Read More →
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:30pm PDT

Realizing Confidential VMs Ensuring Privacy of AI Features at LY Corporation in a Real-World Cloud - LY Corporation - Hiroki Narukawa & Akihiro Misawa, LY Corporation
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
This presentation shows a real-world example of our private cloud introducing Confidential VMs based on SEV-SNP where application in container is included in trust boundary.

At LY Corporation, as part of our privacy enhancement for LINE (messaging app with 194 million active users), we provide Confidential VMs powered by AMD SEV-SNP in our private cloud. This ensures that even employees cannot access data input to AI systems, and that the data remains protected even in the event of infrastructure compromise.

This session focuses on two parts: one is mobile client perspective, the other is cloud-user perspective.

In our Confidential VM implementation, the whole system including application can be attested to the mobile clients using Attestation Report feature of SEV-SNP.

Our implementation includes SEV-SNP support in OpenStack, OVMF provisioning to ensure attestation, and our OS image to ensure that only the expected application is running. By designing the chain of trust, everything including OVMF, kernel, OS image and container image is included inside the trust boundary, while cloud users can use the common OS image.
Speakers
avatar for Akihiro Misawa

Akihiro Misawa

Infrastructure Engineer, LY Corporation
An infrastructure engineer at LY Corporation, working on system infrastructure. Involved in OS image management, automation, and internal tooling to support service operations at scale.
avatar for Hiroki Narukawa

Hiroki Narukawa

Software Engineer, LY Corporation
Software Engineer in LY Corporation, working on IaaS. Mainly developing software running inside hypervisors. Narukawa often scopes on low layer problems. Working on developing software and managing version of OpenStack, qemu, libvirt
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
Mint Ballroom
  Breakout Sessions
  • Slides Attached Yes

3:30pm PDT

WhatsApp Private Processing - Kevin Hui, Yunqi Li, Elizabeth Li, Henry Wang & Varun Patil, Meta
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
WhatsApp (Meta) launched its flagship Confidential Computing use-case last year (https://engineering.fb.com/2025/04/29/security/whatsapp-private-processing-ai-tools/), introducing one of the first large-scale applications of confidential computing. In this presentation, we will go over an overview of how Private Processing works, the operational lessons we learned while deploying confidential virtual machines at the scale of WhatsApp, and where we think the evolution of our Private Processing stack will take us for years to come.

Topics:
- CVM hardening
- Binary transparency
- OHTTP
- Remote Attestation TLS (RA-TLS)
- Debugging CVMs in production
- Virtual Research Environment
- And others
Speakers
avatar for Elizabeth Li

Elizabeth Li

Tech Program Manager, Meta
Elizabeth manages the Private Compute Program at Meta. She is responsible for leading the Private Compute Platform Team to build the platform foundation, including Confidential Virtual Machine(CVM) & Communication, CVM & Host Transparency, Developer experiences improvement,  and... Read More →
avatar for Henry Wang

Henry Wang

SWE, Meta
N/A.
avatar for Kevin Hui

Kevin Hui

Software Engineer, Meta
Kevin works on the Private Compute Platform team at Meta. This team is responsible for the infrastructure surrounding Private Processing and other privacy-preserving products at Meta leveraging Trusted Execution Environments.

Kevin focuses on the build tooling and virtualization aspects of Confidential Virtual Machines, enabling developers at Meta to write privacy-first products without having to worry about the low-level details surrounding confidential computing... Read More →
avatar for Varun Patil

Varun Patil

Research Scientist, Meta Platforms Inc
Varun is a researcher at Meta building Private Processing, WhatsApp's secure and private AI inference platform powered by trusted execution.
avatar for Yunqi Li

Yunqi Li

Research Scientist, Meta
Yunqi works on the WhatsApp Server Privacy team, where they contribute to core messaging systems and privacy-focused technologies including Trusted Execution Environments (TEE), Binary Transparency, and Audit Transparency.

At the intersection of systems engineering and applied... Read More →
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
Courtyard

4:00pm PDT

A Large-Scale Data Clean Room Case Study in Japan: Confidential Computing and Privacy Regulations - Takao Takenouchi & Takeharu Kondo, Acompany Co., Ltd.
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
AI model advancement demands cross-enterprise data collaboration, but strict privacy regulations create barriers. This session explores a commercialized Data Clean Room in Japan by Acompany and KDDI, a Fortune Global 500 telecom company.

We will share the architecture enabling secure data matching and privacy-preserving AI development. We detail how this satisfies the strict third-party data transfer restrictions under Japan's Act on the Protection of Personal Information (APPI). By keeping the calculation process protected, enterprises can jointly analyze sensitive large-scale datasets—including personal and location data—without exposing raw information to partners.

Furthermore, we explore the relationship between policy discussions and CC in Japan. With CC recognized as an essential data security technology in public and private sectors, we discuss the potential for market expansion. We provide insights into how bridging governance and technology creates a scalable confidential AI infrastructure.

Note: Session content is subject to minor changes.
Speakers
avatar for Takao Takenouchi

Takao Takenouchi

VP of Public Affairs & Strategic Alliance, Acompany Co., Ltd.
Takao Takenouchi, Ph.D., is VP of Public Affairs & Strategic Alliance at Acompany Co., Ltd. He has nearly 20 years of experience in security and privacy technologies across major technology companies and startups in Japan. His work spans privacy-enhancing technologies, including Confidential... Read More →
avatar for Takeharu Kondo

Takeharu Kondo

Co-founder / Chief Research and Development Officer, Acompany Co., Ltd.
Takeharu Kondo is Co-founder and Chief R&D Officer of Acompany, a Japanese startup building Confidential AI — AI you can trust with your most sensitive data. Since co-founding the company in 2018, he has led applied R&D that turns Confidential Computing and privacy-enhancing technologies... Read More →
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
Gold Ballroom
  Breakout Sessions
  • Slides Attached Yes

4:00pm PDT

Overview of the AWS Nitro System: Building Trust Through Secure Cloud Infrastructure - Matthew Wilson, Amazon
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
The AWS Nitro System is the foundation for modern Amazon EC2 instances that enables AWS to innovate faster, reduce cost for customers, and deliver added benefits like increased security and new instance types. We've applied formal methods to the Nitro System since day one. AWS has reimagined our virtualization infrastructure. Traditionally, hypervisors protect physical hardware and BIOS, virtualize CPU, storage, and networking, and provide management capabilities. The Nitro System breaks apart those functions, offloads them to dedicated hardware and software, and reduces costs by delivering nearly all server resources to instances.

This session explores the architecture and security model of the Nitro System, demonstrating how offloading virtualization functions minimizes the hypervisor attack surface and enables features like secure boot and Nitro Enclaves. We'll introduce the Nitro Isolation Engine, where we've applied formal methods. Starting from proving correctness properties of early boot firmware and the API endpoint component of the Nitro Controller, the Nitro Isolation Engine is a minimal trusted computing base and is a default capability of AWS Graviton5 processors
Speakers
avatar for Matthew Wilson

Matthew Wilson

Vice President/Distinguished Engineer at Amazon, Amazon
Matt Wilson is a Vice President and Distinguished Engineer at Amazon Web Services. He leads the technical architecture of the Amazon Software Development Experience (ASBX) division, which owns secure software development lifecycle tools and processes. Matt was a lead designer of the... Read More →
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
Courtyard
  Breakout Sessions
  • Slides Attached Yes

4:00pm PDT

Private Model as a Service: Zero-Trust Blueprint for Protecting AI Weights - Marcos Entenza & Jens Freimann, Red Hat
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
In the agentic era, deploying proprietary AI on-premises raises a critical question: how do you protect model IP when infrastructure admins have full hardware access? This session introduces Private Model as a Service (PMaaS), a production-ready reference architecture that secures AI model weights across their entire lifecycle using hardware-rooted Trusted Execution Environments (TEEs).

We dive into the technical orchestration of Confidential Containers (CoCo) and KServe to build a cryptographically verified inference pipeline with vLLM. Model weights are distributed and decrypted exclusively inside hardware-verified CPU TEEs (Intel TDX, AMD SEV-SNP) with GPU memory protection (NVIDIA H100/B200). Remote attestation via a Key Broker Service (KBS) ensures decryption keys are only released to policy-compliant, verified environments.

We also cover the challenges of running vLLM inside restricted TEEs and our work upstreaming GPU attestation logic into Kata Containers and CoCo. Attendees leave with a practical blueprint for deploying zero-trust confidential AI workloads that decouple model security from infrastructure trust.
Speakers
avatar for Jens Freimann

Jens Freimann

Engineering Manager, Red Hat
Jens Freimann is an Engineering Manager at Red Hat working on open-source virtualization and cloud infrastructure. With a background contributing to projects like QEMU and KVM, his current work centers around hardware-backed security and Confidential Computing. Lately, he has been... Read More →
avatar for Marcos Entenza

Marcos Entenza

Sr. Principal Product Manager, Red Hat
Marcos Entenza, a.k.a Mak, works on the core Red Hat OpenShift Container Platform for hybrid and multi-cloud environments to enable customers to run Red Hat OpenShift anywhere. Mak is an experienced Product Manager passionate about building scalable infrastructures, and he oversees... Read More →
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
Mint Ballroom
 
  • Filter By Date
  • Filter By Venue
  • Filter By Type
  • Audience
  • Slides Attached
  • Timezone

Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.