TheVortiq

Agentic AI Security: The New Focus of Confidential Computing

The Confidential Computing Summit reveals how confidential computing becomes the trust layer for autonomous agents, solving the problem of protecting data in use.

June 29, 2026 · 4 min read


TL;DR: Confidential computing, which protects data during processing, finds its killer use case in agentic AI. At the Confidential Computing Summit, hardware attestation was highlighted as a mechanism to ensure the integrity of autonomous agents, a critical step for their secure adoption.

What happened?

At the Confidential Computing Summit held in San Francisco, the dominant theme was the convergence of confidential computing and agentic artificial intelligence. For a decade, confidential computing has addressed one of the hardest security problems: data is routinely encrypted in transit and at rest, but while a processor is working on it, that data sits in memory in plaintext, exposed to anyone with privileged access to the host. Marina Moore, principal security researcher at Edera, explained that confidential computing creates a Trusted Execution Environment (TEE), an isolated region of the CPU that runs workloads whose memory the hardware keeps encrypted. For years, the field seemed like a matter for post-quantum cryptography researchers, still waiting to reach generalist practitioners. Now, with the rise of autonomous agents that execute complex tasks without human oversight, this technology becomes essential. Mike Bursell, executive director of the Confidential Computing Consortium, compared the current state of agentic AI to the early days of the web before HTTPS: the original protocols for agents were not designed by security architects and need refinement.

Why is it important?

Agentic AI allows systems to act autonomously, making decisions and executing actions on behalf of users or companies. This means agents handle sensitive data, from access credentials to financial or health information. Without a trust layer ensuring that the code being executed is the code expected and that data is not intercepted, agents are vulnerable to hijacking and manipulation. Confidential computing provides hardware attestation: the chip computes a hash, the measurement, of the TEE's initial memory contents and firmware and signs it with a key rooted in the hardware; a verifier compares that measurement against the software it expects. This confirms that the agent runs in an intact environment and that its code has not been altered. Without this guarantee, any agent could be impersonated or have its data exposed to attackers with privileged host access. The required hardware is no longer exotic: AMD EPYC processors with Secure Encrypted Virtualization (SEV), Intel Xeon with Software Guard Extensions (SGX) and Trust Domain Extensions (TDX), and NVIDIA H100 with GPU TEE incorporate it, and cloud platforms such as Microsoft Azure (Confidential Computing) and Google Cloud (Confidential VMs) enable it with a single option. The goal is for secure execution to become the default, not a specialized implementation decision.
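As an added illustration (not code from the summit, the Consortium or any vendor SDK), the following Go program models the attestation check just described: the hardware side hashes the agent's initial image and signs measurement||nonce, and the verifier checks the signature against a trusted key, the nonce for freshness, and the measurement against an allowlist of approved agent builds. The key, images, nonce and build names are constructed for the example; real SEV, TDX or SGX reports carry many more fields and a vendor certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Report struct { // simplified attestation report
	Measurement [32]byte // hardware hash of the agent's initial memory image
	Nonce       [16]byte // verifier's challenge, binds the report to one request
	Signature   []byte   // produced by the chip's attestation key over payload()
}

type Verifier struct {
	RootPub  ed25519.PublicKey   // trusted attestation (vendor-rooted) public key
	Approved map[[32]byte]string // allowlist: measurement -> agent build name
}

// payload is the byte string the chip signs: measurement || nonce.
func payload(r *Report) []byte { return append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...) }

// Attest models the chip: measure the agent image and sign measurement||nonce.
func Attest(priv ed25519.PrivateKey, image []byte, nonce [16]byte) *Report {
	r := &Report{Measurement: sha256.Sum256(image), Nonce: nonce}
	r.Signature = ed25519.Sign(priv, payload(r))
	return r
}

// Verify checks the signature, the nonce (rejecting replayed reports) and that
// the measurement matches an approved build; returns the build name on success.
func (v *Verifier) Verify(r *Report, nonce [16]byte) (string, error) {
	if !ed25519.Verify(v.RootPub, payload(r), r.Signature) {
		return "", errors.New("signature not from trusted attestation key")
	}
	if r.Nonce != nonce {
		return "", errors.New("stale or mismatched nonce (possible replay)")
	}
	if name, ok := v.Approved[r.Measurement]; ok {
		return name, nil
	}
	return "", errors.New("measurement not in approved agent builds")
}

func main() { // constructed demo: deterministic "chip" key and one approved image
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	good := []byte("agent-v1.0 image")
	v := &Verifier{priv.Public().(ed25519.PublicKey), map[[32]byte]string{sha256.Sum256(good): "agent-v1.0"}}
	fmt.Println(v.Verify(Attest(priv, good, [16]byte{1}), [16]byte{1})) // agent-v1.0 <nil>
}
```

A tampered image yields a different measurement and is rejected even though the chip signed it honestly; a report replayed under a new nonce, or signed by a key other than the trusted one, fails the earlier checks.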

Consequences and next steps

The summit focused on turning these mechanisms into standards, following the same path internet security took with the IETF and IEEE. Raghu Yeluri from Red Hat led sessions on identity and attestation, key areas for interoperability. The adoption of confidential computing for agentic AI is expected to accelerate trust in autonomous deployments, enabling use cases such as financial agents executing transactions without human intervention (e.g., an agent that negotiates and settles stock trades), healthcare assistants accessing medical records (complying with HIPAA and GDPR), or industrial automation systems controlling critical processes in power plants or factories. However, challenges remain: key management (how to rotate and store keys within the TEE), interoperability between TEE providers (e.g., an agent verified in an Intel enclave being able to attest to a service in an AMD enclave), and software certification for confidential environments (ensuring the code running has no vulnerabilities). The community is working on open specifications through the Confidential Computing Consortium and the IETF, with drafts like Remote Attestation Procedures (RATS) to ensure any agent can verify its execution environment.

What readers should know

  • Confidential computing is not a futuristic technology: it is available today in commercial CPUs (AMD, Intel, NVIDIA) and public clouds (Azure, Google Cloud, AWS with Nitro Enclaves).
  • For AI agent developers, integrating hardware attestation is the next logical step to ensure the security of their applications, similar to how HTTPS was adopted for the web.
  • Companies deploying autonomous agents should demand that their cloud or infrastructure providers offer trusted execution environments and verify they support remote attestation.
  • Standardization is key to avoid proprietary solutions that fragment the ecosystem; initiatives like the Confidential Computing Consortium and the IETF are working on it.

"Without attestation, an agent cannot prove it is who it says it is or that its execution has not been compromised. Confidential computing closes that gap." — Mike Bursell

For context, the adoption of confidential computing in agentic AI recalls the transition from HTTP to HTTPS in the early 2000s: initially a complex technical option, but with standardization (TLS/SSL) and regulatory pressure (GDPR, PCI DSS) it became ubiquitous. Similarly, hardware attestation is expected to become a regulatory requirement for autonomous agents in regulated sectors like finance, healthcare, and energy. According to data from the Confidential Computing Consortium, the confidential computing market will grow from $5.6 billion in 2023 to $15.6 billion in 2028, driven by AI and sensitive workloads. The summit also highlighted the need for education: many developers are unaware of how to integrate TEEs into their pipelines, so guides and SDKs (like Microsoft's Open Enclave SDK and Intel's Gramine) are being created. In summary, the convergence of confidential computing and agentic AI is not just a technical trend but a critical enabler for the mass adoption of trustworthy autonomous agents.
