Venue: Mint Ballroom
Tuesday, June 23
 

12:45pm PDT

TII Session (Speaker to be Announced)
Tuesday June 23, 2026 12:45pm - 1:10pm PDT
Mint Ballroom

3:00pm PDT

From Pixels To Agents: Optimizing On-Device Performance of Confidential Computing in AI Evolution - Savas Ozkan, Samsung Research UK, Samsung Electronics
Tuesday June 23, 2026 3:00pm - 3:25pm PDT
Unlike server-side confidential AI, on-device confidential AI must balance strong protection of sensitive personal data with efficient operation under limited computational resources.

In this talk, we explore the impact of CC on on-device AI performance for various AI models and tools by identifying some of the root causes. First, we recognise that CC overheads vary across AI models during critical operations such as data read/write, model loading and inference, supported by detailed experiments. Second, we investigate multiple designs for AI agent tools in CC, especially considering different AI memory modules, which present distinct overheads compared to traditional AI models. To enable systematic evaluation, we develop a modular software framework integrated with the open-source ISLET CC project. This framework supports configurable benchmarking of AI agent tools and will be publicly released to foster reproducibility and collaboration within the CC community. Lastly, since these performance drops can negatively impact the user experience, we propose a set of techniques that minimise the overhead related to model loading while ensuring robust privacy protection.
Speakers

Savas Ozkan

Engineering Manager, Samsung Research UK
Savas Ozkan received the Ph.D. degree from the Department of Electrical and Electronics Engineering, Middle East Technical University, Ankara, Turkey. Currently, he is leading the Efficient Machine Learning Group at Samsung Research UK, focusing on on-device AI solutions for vision, language...
Mint Ballroom

3:30pm PDT

"If It's Shared, It's Vulnerable": Is Kubernetes the Right Platform for Confidential Compute? - Zvonko Kaiser, NVIDIA
Tuesday June 23, 2026 3:30pm - 3:55pm PDT
Kubernetes shares host kernels, network stacks, storage paths, and control planes across tenants. These shared primitives become attack surfaces when tenants cannot trust each other or the infrastructure operator.

We enumerate the threat surfaces in confidential Kubernetes deployments, from eBPF snooping and conntrack hijacking to hardware-assisted virtualization rootkits. We then present a production architecture that eliminates shared-trust assumptions by flattening the virtualization stack so every workload runs as a TEE-protected guest, gating all secrets, identities, and device access on a composite attestation chain, and wrapping each shared primitive in a hardened overlay for compute, network, storage, control-plane, identity, and observability.

Attendees will learn which Kubernetes primitives leak across tenant boundaries, how composite attestation closes those gaps, and practical steps toward true multi-tenancy in confidential Kubernetes deployments.
Speakers

Zvonko Kaiser

Principal Systems Engineer, NVIDIA
Zvonko is a Principal Systems Engineer at NVIDIA, working on the Cloud Native Technologies team. He is currently focusing on all things related to confidential computing and zero trust, especially in the context of accelerators.
Mint Ballroom

4:00pm PDT

Running AI Agents Inside TEEs Without Losing Your Mind - Sonali Mishra, Nutanix
Tuesday June 23, 2026 4:00pm - 4:25pm PDT
AI agents are making decisions, calling tools, and talking to other agents, often with access to sensitive data they shouldn't be able to see in plaintext. The usual answer is to just trust the infrastructure, but that falls apart in multi-tenant clouds and cross-org workflows. This talk covers what it actually takes to run agentic AI workloads inside Trusted Execution Environments.

I'll walk through the architecture for isolating agent-to-agent communication using confidential VMs, how attestation works when agents need to dynamically invoke external tools, and the gotchas we hit around key management and session state. We'll look at real performance numbers, what the overhead looks like on GPU-backed inference inside TEEs, and where the bottlenecks actually are. Attendees will leave with a concrete reference architecture for deploying AI agents with hardware-rooted trust boundaries, plus practical guidance on attestation flows for multi-party agent pipelines. If you're building agentic systems that handle regulated or sensitive data, this talk gives you a starting point that doesn't require rearchitecting everything from scratch.
Speakers

Sonali Mishra

Principal Product Manager - AI & Cloud Native, Nutanix
As a Principal Cloud Native at Nutanix, I am passionate about driving innovation and empowering organizations to build secure and resilient solutions in their cloud-native journey. With our significant presence in US government, I aim to ensure organizations can adopt Kubernetes securely...
Mint Ballroom
 
Wednesday, June 24
 

3:00pm PDT

From Trust Assumptions To Trust Evidence: Why PKI and Confidential Computing Are Converging - Brian Trzupek, DigiCert
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Every regulated industry runs on the same uncomfortable bargain: multiple parties with conflicting interests agree to trust each other procedurally, because no technical mechanism exists to verify the claims they're making. An MRI running an AI diagnostic model involves at least five stakeholders: the AI vendor protecting IP, the hospital safeguarding patient data, the device manufacturer ensuring firmware integrity, the regulator verifying the cleared algorithm is actually running, and the patient who never consented to their scan training someone else's model. Today, all of them take each other on faith. Confidential computing changes that equation from trust assumptions to trust evidence.

This talk examines two concrete problem domains where we are applying hardware-rooted attestation and PKI-based trust services to solve real, urgent problems. First, we walk through the brownfield medical device challenge: how do you retrofit TPM-based measured boot, model integrity verification, and remote attestation onto medical devices already deployed in the field without disrupting clinical operations? Second, we present DigiCert's work on AI agent identity for agentic AI systems, a problem that extends CC principles into the software identity layer.
Speakers

Brian Trzupek

Sr. Vice President Product, DigiCert
Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Trzupek brings nearly two decades of expertise on many security subjects to the team. He is often brainstorming use cases for enterprise PKI (Public Key Infrastructure) facilitated by the industry-leading...
Mint Ballroom

3:30pm PDT

Realizing Confidential VMs Ensuring Privacy of AI Features at LY Corporation in a Real-World Cloud - Hiroki Narukawa & Akihiro Misawa, LY Corporation
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
This presentation shows a real-world example of our private cloud introducing Confidential VMs based on SEV-SNP, where the application in the container is included in the trust boundary.

At LY Corporation, as part of our privacy enhancement for LINE (messaging app with 194 million active users), we provide Confidential VMs powered by AMD SEV-SNP in our private cloud. This ensures that even employees cannot access data input to AI systems, and that the data remains protected even in the event of infrastructure compromise.

This session focuses on two parts: one is the mobile-client perspective, the other is the cloud-user perspective.

In our Confidential VM implementation, the whole system including the application can be attested to mobile clients using the Attestation Report feature of SEV-SNP.

Our implementation includes SEV-SNP support in OpenStack, OVMF provisioning to ensure attestation, and our own OS image to ensure that only the expected application is running. By designing the chain of trust, everything including OVMF, kernel, OS image and container image is included inside the trust boundary, while cloud users can use the common OS image.
Speakers

Akihiro Misawa

Infrastructure Engineer, LY Corporation
An infrastructure engineer at LY Corporation, working on system infrastructure. Involved in OS image management, automation, and internal tooling to support service operations at scale.

Hiroki Narukawa

Software Engineer, LY Corporation
Software Engineer at LY Corporation, working on IaaS.
Mainly developing software running inside hypervisor or bare-metal nodes. I often focus on low-layer problems.
He works on developing software and managing versions of OpenStack, qemu and libvirt. He has contributed some patches to...
Mint Ballroom

4:00pm PDT

Private Model as a Service: Zero-Trust Blueprint for Protecting AI Weights - Marcos Entenza, Red Hat
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
In the agentic era, deploying proprietary AI on-premises raises a critical question: how do you protect model IP when infrastructure admins have full hardware access? This session introduces Private Model as a Service (PMaaS), a production-ready reference architecture that secures AI model weights across their entire lifecycle using hardware-rooted Trusted Execution Environments (TEEs).

We dive into the technical orchestration of Confidential Containers (CoCo) and KServe to build a cryptographically verified inference pipeline with vLLM. Model weights are distributed and decrypted exclusively inside hardware-verified CPU TEEs (Intel TDX, AMD SEV-SNP) with GPU memory protection (NVIDIA H100/B200). Remote attestation via a Key Broker Service (KBS) ensures decryption keys are only released to policy-compliant, verified environments.

We also cover the challenges of running vLLM inside restricted TEEs and our work upstreaming GPU attestation logic into Kata Containers and CoCo. Attendees leave with a practical blueprint for deploying zero-trust confidential AI workloads that decouple model security from infrastructure trust.
Speakers

Marcos Entenza

Sr. Principal Product Manager, Red Hat
Marcos Entenza, a.k.a. Mak, works on the core Red Hat OpenShift Container Platform for hybrid and multi-cloud environments to enable customers to run Red Hat OpenShift anywhere. Mak is an experienced Product Manager passionate about building scalable infrastructures, and he oversees...
Mint Ballroom
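Two of the abstracts above describe the same verifier-side step from different ends: the LY Corporation session attests the OVMF, kernel, OS image and container image chain to mobile clients through the SEV-SNP attestation report, and the PMaaS session gates key release on that evidence through a KBS. What follows is an added example in Python, not code from either project nor from Kata Containers, CoCo or any KBS implementation. It pulls the POLICY, REPORT_DATA, MEASUREMENT and HOST_DATA fields out of an SNP report at the offsets given in the AMD SEV-SNP ABI specification, checks them against an allow-list, binds REPORT_DATA to a fresh nonce and the application's public key, and releases a secret only when every check passes. Assumptions, all labelled in the code: the VCEK ECDSA-P384 signature check a real verifier performs first is omitted because the report is constructed locally; the guest is assumed to write SHA-512(nonce || app public key) into REPORT_DATA; and the host is assumed to place the approved container image digest in HOST_DATA, similar to how Kata/CoCo binds its agent policy digest (the page does not say how LY binds the container image). The reference digests, the app key and the sample report are constructed placeholders.

```python
"""Verifier-side checks on an SEV-SNP attestation report before a key release.

Added example, not code from LY Corporation, Red Hat, Kata Containers, CoCo or
any KBS implementation.  Offsets follow the ATTESTATION_REPORT layout of the AMD
SEV-SNP ABI specification (POLICY at 0x08, REPORT_DATA at 0x50, MEASUREMENT at
0x90, HOST_DATA at 0xC0, 1184 bytes total).  The VCEK ECDSA-P384 signature check
a real verifier runs first is out of scope here: the report is constructed
in-process with a zero signature, so only the policy logic is exercised.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

REPORT_LEN = 1184
OFF_POLICY, OFF_REPORT_DATA, OFF_MEASUREMENT, OFF_HOST_DATA = 0x08, 0x50, 0x90, 0xC0
POLICY_SMT = 1 << 16        # guest policy: SMT allowed
POLICY_RESERVED = 1 << 17   # guest policy: reserved bit that must be set
POLICY_DEBUG = 1 << 19      # guest policy: debug access allowed (must be clear)


def parse_report(raw: bytes) -> dict:
    """Extract the fields the release policy needs from a raw SNP report."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"unexpected report length {len(raw)}")
    (policy,) = struct.unpack_from("<Q", raw, OFF_POLICY)
    return {
        "policy": policy,
        "report_data": raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
        "host_data": raw[OFF_HOST_DATA:OFF_HOST_DATA + 32],
    }


def expected_report_data(nonce: bytes, app_pubkey: bytes) -> bytes:
    """Assumed guest convention: REPORT_DATA = SHA-512(nonce || app public key)."""
    return hashlib.sha512(nonce + app_pubkey).digest()


@dataclass(frozen=True)
class ReleasePolicy:
    measurements: frozenset    # allow-listed launch digests (OVMF + kernel + initrd + cmdline)
    image_digests: frozenset   # allow-listed container image digests, bound via HOST_DATA
    allow_smt: bool = False


def evaluate(raw: bytes, nonce: bytes, app_pubkey: bytes, pol: ReleasePolicy) -> list:
    """Return every failed check; an empty list means the evidence is acceptable."""
    r = parse_report(raw)
    failures = []
    if r["policy"] & POLICY_DEBUG:
        failures.append("guest policy permits debug access")
    if r["policy"] & POLICY_SMT and not pol.allow_smt:
        failures.append("guest policy permits SMT")
    if r["measurement"] not in pol.measurements:
        failures.append("launch measurement not in allow-list")
    if r["host_data"] not in pol.image_digests:
        failures.append("HOST_DATA does not name an approved container image")
    if not hmac.compare_digest(r["report_data"], expected_report_data(nonce, app_pubkey)):
        failures.append("REPORT_DATA not bound to this nonce and app key (replay?)")
    return failures


def release_key(raw, nonce, app_pubkey, pol, secret: bytes) -> bytes:
    """KBS-style gate: hand out the model/data key only when every check passes."""
    failures = evaluate(raw, nonce, app_pubkey, pol)
    if failures:
        raise PermissionError("; ".join(failures))
    return secret


def build_report(policy, report_data, measurement, host_data) -> bytes:
    """Constructed stand-in for a guest-produced report (unsigned, for this example only)."""
    raw = bytearray(REPORT_LEN)
    struct.pack_into("<I", raw, 0x00, 2)                     # VERSION field
    struct.pack_into("<Q", raw, OFF_POLICY, policy)
    raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = report_data
    raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    raw[OFF_HOST_DATA:OFF_HOST_DATA + 32] = host_data
    return bytes(raw)


# Constructed reference values standing in for digests a cloud user would precompute.
GOOD_MEASUREMENT = hashlib.sha384(b"ovmf+kernel+initrd+cmdline, release 1").digest()
GOOD_IMAGE = hashlib.sha256(b"registry.example/ai-feature:1.4 manifest").digest()
POLICY = ReleasePolicy(frozenset({GOOD_MEASUREMENT}), frozenset({GOOD_IMAGE}))
APP_PUBKEY = b"\x04" + b"\x11" * 64   # placeholder for the enclave app's public key


def demo() -> dict:
    """Fresh-nonce success case plus the failure modes a verifier must catch."""
    nonce = os.urandom(32)                       # verifier picks a nonce per request
    rd = expected_report_data(nonce, APP_PUBKEY)
    good = build_report(POLICY_RESERVED, rd, GOOD_MEASUREMENT, GOOD_IMAGE)
    debug = build_report(POLICY_RESERVED | POLICY_DEBUG, rd, GOOD_MEASUREMENT, GOOD_IMAGE)
    bad_image = build_report(POLICY_RESERVED, rd, GOOD_MEASUREMENT, hashlib.sha256(b"other").digest())
    return {
        "good": evaluate(good, nonce, APP_PUBKEY, POLICY),
        "debug": evaluate(debug, nonce, APP_PUBKEY, POLICY),
        "bad_image": evaluate(bad_image, nonce, APP_PUBKEY, POLICY),
        "replayed": evaluate(good, os.urandom(32), APP_PUBKEY, POLICY),   # stale nonce
        "key": release_key(good, nonce, APP_PUBKEY, POLICY, b"model-key-bytes"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result if result else "OK")
```

The order of checks matters less than their completeness: a report with a valid VCEK signature but the DEBUG policy bit set, or a measurement that matches but a REPORT_DATA computed for someone else's nonce, is exactly the evidence a compromised host would try to replay, so the verifier refuses on any single failure rather than scoring them. In a real deployment the allow-listed measurements are regenerated for every OVMF, kernel or OS image update, which is the operational cost of keeping the whole chain inside the trust boundary.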
 