Confidential Computing Summit 2026

Agents can authenticate, but they still cannot prove what actually ran. When an agent transfers value, calls a sensitive tool, or acts on delegated authority across a boundary, the relying party has no cryptographic way to verify what code executed, what policy governed it, or whether sensitive data stayed inside a trustworthy boundary. OAuth handles authorization, not runtime integrity. IAM labels principals, not measured execution. Prompt-level governance shapes intent, not enforceable policy. These are necessary but insufficient for agents acting autonomously across trust boundaries.

Confidential computing already has the primitives to close this gap: hardware attestation, measured execution, cryptographic evidence of runtime state. This talk presents a practical framework for applying those primitives to agent trust. I walk through a payment-approval agent scenario end-to-end, identify four concrete gaps (hardware-rooted agent identity, measured policy-as-code, portable attestation evidence, cross-cloud federation), and show which are solvable today and which need ecosystem work. Attendees leave with a framework they can use to evaluate or design agent trust architectures.

Real-time payment systems are transforming the global financial ecosystem, with 69 countries implementing real-time networks and transaction volumes continuing to grow. As expectations shift toward instant transactions, infrastructures must support high throughput while maintaining reliability, data integrity, and stronger data protection during processing.

This session explores how modern distributed architectures enable scalable and resilient payment systems while aligning with confidential computing principles. It examines key concepts like the CAP theorem and trade-offs between consistency, availability, and partition tolerance in financial platforms handling sensitive data.

It also covers architectures such as microservices, event-driven systems, CQRS, and serverless computing, along with techniques like distributed caching, database sharding, and dynamic load balancing. Attendees will gain practical insights into building fault-tolerant, scalable payment systems for real-time digital transactions.

AI workloads handle some of the most sensitive data in modern enterprises, from proprietary training datasets to user prompts and high-dimensional embeddings. Yet many AI pipelines are built without the rigorous security practices applied to traditional systems, leaving critical gaps.

Josh and Nina from the CNCF AI Working Group show how to apply Zero Trust principles to secure AI data at every stage: at rest, in transit, and in runtime. Attendees will learn why conventional approaches fail for AI, highlighting risks like prompt injection, embedding poisoning, and GPU memory leakage, and how Zero Trust, combined with confidential computing, provides a stronger security foundation.

We’ll demonstrate how agent identity, continuous attestation, and trusted execution environments (TEEs) enforce runtime trust, while encryption, fine-grained access control, and mTLS protect data at rest and in transit.

Attendees will gain actionable strategies for securing every stage of the AI data lifecycle using modern encryption, policy enforcement, and runtime hardening.

We'll walk through where NVIDIA CC overheads appear in the model inference and training pipeline across GPU architectures and try to understand why

NATO DIANA, NATO’s innovation accelerator, is building a heterogeneous, cross-Allied ecosystem spanning innovators, mentors, test centers, ministries of defense, and other agencies across 32 Allied nations. This is the trust problem the Internet of Agents will face at global scale: how people, organizations, and their respective agents prove identity, authority, and credentials across trust boundaries without leaking private, confidential, or national-security knowledge.
To address this challenge, DIANA sought a “chip-level zero-trust” identity infrastructure. Confidential Computing sits at the root: identity, authentication, authorization, credentialing, and key management are all unified and verified from the chips up. Each entity acts through its agent with its own cryptographic identity, trust boundary, knowledge isolation, and globally verified execution.

In this session, we will share lessons from the DIANA pilot and show why Agentic Identity is the foundational layer of Programmable Trust for the Internet of Agents: a model for sovereign ecosystems where agents interact, coordinate, and transact under hardware-backed guarantees of verifiability, confidentiality, and privacy.

Loan fraud in India is a $4 billion annual problem. Simultaneously, it is very hard to detect and prevent this when each lender sees only their slice of a borrower's activity. India's Open Finance framework, called Account Aggregator, establishes the foundation for coordinated fraud prevention at scale. However, lenders cannot pool raw borrower data to combat it.

Aikya, built on a Trusted Execution Environment, provides the answer by running cross-institutional velocity checks inside a secure enclave where no participant sees another's data, turning a privacy constraint into a structural guarantee.

Sahamati Foundation governs India's Open Finance framework enabling individuals and businesses to share real-time financial data across financial institutions and fintechs with their consent. With over 1,000 participating entities and tens of millions of active data flows, it is one of the largest Open Finance deployments in the world.

AI model advancement demands cross-enterprise data collaboration, but strict privacy regulations create barriers. This session explores a commercialized Data Clean Room in Japan by Acompany and KDDI, a Fortune Global 500 telecom company.
We will share the architecture enabling secure data matching and privacy-preserving AI development. We detail how this satisfies the strict third-party data transfer restrictions under Japan's Act on the Protection of Personal Information (APPI). By keeping the calculation process protected, enterprises can jointly analyze sensitive large-scale datasets—including personal and location data—without exposing raw information to partners.
Furthermore, we explore the relationship between policy discussions and CC in Japan. With CC recognized as an essential data security technology in public and private sectors, we discuss the potential for market expansion. We provide insights into how bridging governance and technology creates a scalable confidential AI infrastructure.

Note: Session content is subject to minor changes.