Tubegraph

Confidential AI and its applications

13 min read

From: aidotengineer

AI is transforming various sectors, including healthcare, finance, automation, and digital marketing [00:00:11]. However, a significant barrier to its broader adoption and utility is trust, specifically how to process sensitive data and deploy proprietary models without losing control or exposing information [00:00:17]. Confidential AI addresses this by enabling secure operations and collaboration in non-deterministic environments without relying on blind trust [00:00:30].

Core Technology: Confidential Computing

The foundation of confidential AI is confidential computing [00:01:17]. This technology solves a critical and often overlooked problem: the vulnerability of data and models during processing (training, fine-tuning, or inference), rather than just during storage or transit [00:01:26].

Trusted Execution Environments (TEEs)

Trusted Execution Environments (TEEs) are a core component of confidential computing [00:01:37]. A TEE is a secure, isolated part of a processor (like Intel TDX, AMD SEV-SMP, or Nvidia GPU TEEs) [00:01:43]. It creates a “confidential environment” where code and data are protected even during execution [00:01:53]. This isolation is provided by instructions built into the chip during manufacturing [00:02:03].

Once a workload enters a TEE, it is protected in memory, invisible to the host OS, hypervisor, or even anyone with system access, including the hardware owner [00:02:10].

Cryptographic Attestation

Beyond isolation, a TEE generates a cryptographic attestation, which is a signed proof that the workload ran inside verified hardware using unmodified code [00:02:24]. This attestation is crucial for two reasons:

  • It provides strong assurances that the workload is truly protected by the hardware [00:02:40].
  • It allows for statements about what the workload actually is, confirming it ran in a real, properly manufactured TEE-capable chip [00:02:50].

In essence, a TEE allows for sensitive computations to be run securely and for their intended execution to be proven [00:03:14]. This enables running AI models on sensitive data without exposing either the model or the data [00:03:24].

Why Confidential AI is Critical: Real-World Problems and Solutions

Confidential AI addresses several significant challenges that hinder the widespread adoption and development of AI technology. Traditional cloud setups, built on trust and legal contracts, often fall short of providing the provable guarantees needed for sensitive enterprise AI workloads [00:08:01].

Healthcare

Developing or fine-tuning medical AI models faces immense challenges in accessing data [00:03:51]. Hospitals and labs are reluctant to share raw datasets, even for models that could improve patient outcomes, due to tight controls, high generation costs, and data siloing [00:04:06]. Existing regulations and security policies often prevent models from being brought to the data, making training on real data a process of months of negotiation for even small datasets, and cross-provider collaboration nearly impossible [00:04:21]. Confidential AI offers a solution to unlock this data [00:04:41].

Personal AI Agents

The mass adoption of personal private AI agents (e.g., managing inboxes, calendars, documents) is hindered by the need for deep access to sensitive, private data [00:04:50]. Users worry about data sharing, developers fear data theft or misuse, and enterprises/regulators require strong guarantees against liability [00:05:11]. Confidentiality is the missing piece for real-world adoption of these technologies [00:05:34].

Digital Marketing

In digital marketing and custom analytics, the desire to fine-tune models on real user behavior is often blocked by privacy laws (like GDPR and CCPA), internal security rules, and ethical concerns [00:05:47]. This creates a significant gap between what’s technically possible and what’s legally and ethically permissible [00:06:14].

AI Model Monetization

For developers who build domain-specific models (e.g., for legal, medical, or financial use), monetizing these models is challenging [00:06:22]. They want others to use and pay for their models but are unwilling to give away their models or weights, which is a risk if unprotected [00:06:36]. Conversely, customers are not willing to expose their sensitive data for testing or production [00:06:47]. Confidential AI allows both parties to benefit without relinquishing control [00:07:04].

Model Training and Provenance

Proving the provenance of an AI model—allowing users to track its training back to initial datasets—is another overlooked problem [00:07:10]. With attested execution, it becomes possible to guarantee that a model was trained exactly as claimed, and that inference outputs relate only to the original datasets [00:07:37].

Super Protocol: Making Confidential AI Possible

Super Protocol is a confidential AI cloud and marketplace designed for secure collaboration and monetization of AI models, data, and compute [00:08:26]. It aims to make confidential AI not just possible but also usable [00:08:11].

Key features of Super Protocol:

  • TEE Agnostic Infrastructure It runs on Intel, Nvidia, and AMD TEEs, with plans to support future TEEs from major chip makers [00:08:41].
  • Edge-Ready Architecture It has validated ARM confidential computing via ARMv9 emulation, enabling end-to-end confidential AI from personal edge devices to the cloud [00:09:01].
  • Swarm Computing Principles It scales across distributed GPU nodes, ensuring no single point of failure and automatic workload redistribution [00:09:27].
  • Decentralized Fully orchestrated by smart contracts on BNB chain, without human intervention [00:09:40].
  • Zero Barrier Entry Users do not need TEE expertise to run or attest workloads [00:09:51].
  • Open Source All parts of Super Protocol are open source, functioning as a protocol rather than a service [00:10:03]. Similar to HTTPS, it protects data while AI is working on it [00:10:16].

GPUless

“GPUless” signifies removing dependency, not GPUs [00:10:31]. Super Protocol allows users to run accelerated AI workloads across independent GPU nodes without being locked into any cloud vendor or centralized provider [00:10:37]. Users maintain control over their GPU resources, whether self-owned or rented [00:10:53]. Due to TEEs and the open-source architecture, unauthorized access by hardware providers, Super Protocol, or third parties is technically impossible [00:11:02].

Trustless

“Trustless” means verifiable by design [00:31:57]. Every workload generates a cryptographic proof showing what ran, where, and how, without exposing the actual workload data [00:32:03]. This attestation, signed by the hardware, verifies that the model executed in a real TEE using unmodified code on verified hardware inside a secure, open-source runtime [00:32:35]. This eliminates the need to trust the provider or platform, as verification is possible [00:32:51]. If attempts are made to bypass the protocol, sensitive data will not be exposed as the system won’t allow the application and data to load and run [00:32:58].

Limitless

“Limitless” refers to removing legal, technical, and organizational barriers [00:11:22]. Traditional cloud platforms impose limits on data, geography, and control, restricting access to GPU instances, sensitive datasets, cross-border collaboration, and model monetization [00:11:38]. They are also often unfit for agentic, non-deterministic AI where autonomous agents interact and evolve [00:11:58]. Super Protocol removes these limits, enabling AI training, deployment, and monetization across organizations and jurisdictions with full confidentiality and ownership [00:12:14].

Case Studies and Demonstrations

Digital Marketing Case Study: Realize and Mars

Realize, a company using AI to measure ad reactions by analyzing facial expressions, needed more biometric video from external partners to improve AI accuracy [00:13:05]. However, privacy laws like GDPR and CCPA, along with data ownership concerns, made providers reluctant to share sensitive footage [00:13:32].

Realize utilized Super Protocol’s confidential AI cloud for its Mars project [00:13:45]. AI training ran inside secure TEEs using powerful chips like Nvidia H100s/H200s and Intel Xeons [00:13:48]. Smart contracts automated every step, verified by both hardware and Super Protocol’s open-source certification, ensuring data and models remained completely secure and inaccessible even to the cloud provider, Super Protocol, or Realize themselves [00:14:00].

This verifiable confidentiality led providers to share four times more sensitive footage, increasing the training set by 319% [00:14:24]. AI accuracy jumped to 75%, on par with human performance [00:14:37]. For Mars, this resulted in a 3-5% sales increase across 30 brands in 19 markets [00:14:47]. This demonstrates how provable data privacy unlocks data, leading to better models, smarter AI, and real business impact [00:14:55].

Healthcare Case Study: BEAL and Titonix for FDA Approval

BEAL (Brain Electrophysiology Laboratory) needed to submit perfect documentation for FDA approval of a new epilepsy diagnostic device [00:15:19]. This typically involved 2-4 weeks of manual audits, multiple NDAs, and risks of exposing trade secrets [00:15:42]. Even a small mistake could cause a 120-day delay [00:15:51]. They sought to use Titonix’s AI-powered audit tool but worried about exposing BEAL’s data and Titonix’s model in traditional cloud environments [00:16:01].

Titonix used Super Protocol’s confidential AI cloud [00:16:15]. The audit ran inside secure TEEs using Nvidia H100/H200 GPUs and Intel TDX CPUs [00:16:19]. All steps were automated, orchestrated by smart contracts, and backed by cryptographic proof [00:16:32]. Files and models remained encrypted, readable only within the secure environment, and completely hidden from Super Protocol, BEAL, Titonix, or any other party [00:16:36].

The results were transformative: audit time dropped from weeks to 1-2 hours [00:16:53]. There was zero risk of leaks, BEAL’s and Titonix’s IP remained fully protected, and no re-review delays occurred [00:16:59]. This allowed BEAL to move faster, stay secure, and deliver life-saving tools sooner, proving that guaranteed confidentiality can transform even the most sensitive processes like FDA clearance audits [00:17:12].

Super AI Marketplace Demo

The SuperAI marketplace is built on a confidential and decentralized architecture, with no centralized components or data centers [00:18:13]. A blockchain-based ecosystem manages relationships and financial settlements between AI model/data providers, confidential computing hardware providers, and clients [00:18:19].

Confidential computing ensures models remain private and authors retain full control, allowing models to be leased but not downloaded [00:18:31]. Models and user data are inaccessible even to clients during processing, as they are deployed within the TEE [00:18:41]. The marketplace aims to enable monetization for authors of closed-source models through various scenarios like per-hour, fixed, and revenue sharing [00:18:57].

A demonstration showed deploying a DeepSeek model on an H100 GPU within a fully confidential environment [00:19:42]. The order is created on the blockchain, and the engine and model are downloaded into the confidential computing environment for execution [00:20:19]. The deployed model is accessible via a link or API [00:20:41]. A verification step confirms the model is deployed in a confidential environment, the connection is encrypted, and the AI engine has not been tampered with [00:21:10].

Agentic AI and Automated Workflows Demo

Super Protocol enables building secure automated AI workflows for processing sensitive medical data using N8N, a low-code automation platform [00:21:50]. By running everything inside TEEs—inaccessible to server admins or Super Protocol—and combining low-code automation with a decentralized infrastructure, it delivers fully confidential, compliant, and verifiable medical AI [00:22:01].

A simple use case demonstrated a doctor uploading an X-ray image and patient personal data via a protected web form [00:22:17]. This data is passed into an automated N8N workflow running inside a TEE on Super Protocol [00:22:25]. The workflow cleans the input, invokes an AI model to analyze the X-ray, generates a structured medical report, and securely emails it to the doctor [00:22:33]. Personal data is separated from diagnostic input, with the AI model receiving only necessary information [00:24:15]. Credentials for API keys and email services are securely stored and isolated within the TEE [00:23:26]. This solution can easily adapt to other medical imaging and lab test use cases [00:25:57].

Distributed Inference / Scaling Demo

Super Protocol enables distributed inference using VLLM across multiple GPU servers without relying on any single provider, embodying the “GPUless” concept [00:26:16]. VLLM partitions large language models by layers, assigning computation to different nodes in an overlay network, which improves memory efficiency and throughput [00:26:37].

To secure this, every VLLM node runs inside a confidential VM powered by TEE hardware, interconnected over a private overlay network [00:27:01]. Data, model weights, and intermediate activations are decrypted and processed only inside each confidential environment, with all inter-node communication encrypted, ensuring no sensitive material leaves the secure boundary [00:27:12].

A demonstration showed launching distributed VLLM inference in confidential mode across four GPU nodes (provided by different host owners) [00:27:31]. A custom Docker file based on the official VLLM repository was used [00:27:55]. The Docker image was built, exported, and uploaded to decentralized storage using the SPCTL CLI tool [00:28:16]. Configuration files for each participant’s role (master node and workers) were prepared [00:28:41]. The Mistral model (22 billion parameters) was preloaded for inference across the four GPU hosts in one confidential workflow [00:29:48]. After deployment, on-chain reports confirmed that the image and model hashes matched expectations, verifying the integrity of the orders [00:30:31]. This setup provides both security via TEE hardware and improved performance through parallel processing [00:31:26].

Replacing Trust with Cryptographic Proofs

Super Protocol replaces blind trust with built-in cryptographic proofs, making every run verifiable independently and transparently down to the hardware level [00:31:40]. When a workload runs, it generates a cryptographic attestation—a signed proof from the hardware itself—verifying execution in a real TEE using unmodified code on verified hardware inside a secure, open-source runtime [00:32:20].

A demonstration illustrated a multi-party scenario involving Alice’s lab and Bob’s clinic (sensitive datasets) and Carol’s research center (training engine) [00:33:13]. The goal was to train a new model for early cancer detection on Alice’s and Bob’s data without exposing either the data or Carol’s intellectual property [00:33:42]. All three inputs run inside a TEE, inaccessible to anyone, including the cloud host, Super Protocol, or even the participants themselves [00:33:51].

The process is automated by the verified engine, Super Protocol’s certification center, and smart contracts on BNB Chain Layer 2 [00:34:18]. A confidential virtual machine (CVM) handles multiple jobs [00:34:49]. On boot, the CVM contacts an open-source certification authority for a remote attestation [00:34:57]. If the check passes, a certificate confirms the CVM is genuine and running in an attested TEE [00:35:05]. Additionally, a trusted loader within the CVM is attested, creates a signed key pair, and checks every component; if any check fails, the process stops to safeguard data and models [00:35:17].

Carol uploads her container-based training engine to her encrypted storage, providing its hash and source code for Alice and Bob to verify [00:35:50]. Alice and Bob upload and encrypt their datasets using the SPCTL CLI tool [00:36:39]. They grant the CVM access, specifying the verified engine’s hash and the CVM’s ID, ensuring only that specific CVM can decrypt the data [00:37:16]. Carol places the main order to process the workload [00:37:46]. The trusted loader performs hash comparisons, blocking the job if anything diverges, ensuring training only starts if every hash matches [00:37:56]. Data and the engine are only decrypted inside the TEE, protected from all parties [00:38:13]. Only Carol receives the encrypted output (the newly trained model and artifacts) [00:38:27]. Encryption keys never leave the TEE, keeping Alice, Bob, Super Protocol, and the hardware vendor blind to the results [00:38:35].

After every job, raw inputs are wiped, and an order report is published on-chain, providing public, tamper-proof evidence that the job ran in a certified environment with approved inputs [00:41:09]. This report includes certificates, processed inputs, and timing, allowing anyone to verify the image (executable workload) and data hashes [00:40:23]. This process turns complex, multi-party, trust-heavy collaboration into a push-button workflow, requiring no expertise in confidential computing [00:41:47].

Conclusion

Confidential AI, powered by Super Protocol, offers a practical path forward for developers by addressing fundamental trust issues in AI deployment and collaboration [00:43:05]. It enables:

  • Running models on private data without exposure [00:42:37].
  • Deploying proprietary models without losing control [00:42:39].
  • Fine-tuning without compliance risk [00:42:42].
  • Verifying execution with cryptographic proof [00:42:45].

Super Protocol provides a solution that is simple to use, transparent, verifiable, and secure by design [00:42:53], characterized as GPUless, trustless, and limitless [00:42:59]. This transforms privacy into performance and confidence into revenue across data-driven industries [00:15:09].

Graph View

Backlinks