Tubegraph

Confidential AI and its impact

10 min read

From: aidotengineer

AI is transforming industries such as healthcare, finance, automation, and digital marketing [00:00:09]. However, a significant barrier to its widespread adoption is trust [00:00:17]. Confidential AI addresses this by enabling models to run on sensitive data without exposure, deploying proprietary models without loss of control, and facilitating collaboration in non-deterministic environments without relying solely on blind trust [00:00:18]. This approach opens up new possibilities for developers working with sensitive data, proprietary models, or untrusted partners [00:00:58].

Foundation: Confidential Computing

The core technology behind Confidential AI is confidential computing [00:01:10]. It addresses the overlooked problem that data and models are most vulnerable during processing (training, fine-tuning, inference), not just when stored or in transit [00:01:21].

Trusted Execution Environments (TEEs)

Trusted Execution Environments (TEEs) are a key component, representing a secure and isolated part of the processor, such as Intel TDX, AMD SEV-SMP, or Nvidia GPU TEs [00:01:37]. A TEE creates a confidential environment where code and data are protected during execution, isolated by instructions built into the chip during manufacturing [00:01:53]. Workloads within this environment are protected in memory and invisible to the host OS, hypervisor, or even the hardware owner [00:02:08].

Cryptographic Attestation

Beyond isolation, a TEE generates a cryptographic attestation – a signed proof that the workload ran inside verified hardware using unmodified code [00:02:24]. This provides strong assurances that the workload is protected and verifies that what’s inside the TEE is a real TEE in a properly manufactured, TEE-capable chip [00:02:40]. In essence, a TEE allows secure execution of sensitive computations and proof that they ran as intended, enabling AI models to run on sensitive data without exposing either the model or the data [00:03:14].

Why Confidential AI is Critical: Real-World Problems Solved

Confidential AI is critical because it addresses numerous real-world challenges faced by developers:

  • Healthcare: Obtaining permission to use medical data for building or fine-tuning medical AI models is exceptionally difficult due to strict regulations, data silos, and a reluctance of hospitals and labs to share raw datasets [00:03:51]. Confidential AI helps overcome this by allowing models to be trained on sensitive data without exposure [00:04:41].
  • Personal AI Agents: For personal AI agents that manage private data (inbox, calendar), mass adoption is hindered by user concerns about data sharing, developer concerns about storage security, and enterprise/regulator demands for strong guarantees [00:04:50]. Confidentiality is the missing piece for their real-world adoption [00:05:34].
  • Digital Marketing and Custom Analytics: Fine-tuning models on real user behavior data is desired, but privacy laws (GDPR, CCPA), internal security rules, and ethics often block or risk upsetting regulators [00:05:47]. Confidential AI bridges the gap between technical possibility and what is legally and ethically allowed [00:06:14].
  • AI Model Monetization: Developers of domain-specific models (legal, medical, financial) want to monetize their creations but risk losing control of their intellectual property (IP) if they allow others to run models without protection [00:06:22]. Simultaneously, customers are unwilling to expose their sensitive data for testing or production [00:06:47]. Confidential AI allows both parties to benefit without relinquishing control [00:07:04].
  • Model Training and Provenance: Even if a model is trained on sensitive data, proving its provenance (tracking back to initial datasets) is a challenge [00:07:10]. Attested execution makes it possible to guarantee that a model was trained as stated and that inference outputs relate only to the original data sets [00:07:37].

Traditional cloud setups, built on trust and legal contracts rather than provable guarantees, fall short in these scenarios [00:07:58].

Super Protocol: Making Confidential AI Real

Super Protocol is a confidential AI cloud and marketplace designed for secure collaboration and monetization of AI models, data, and compute [00:08:26].

Key Features

  • TE-Agnostic Infrastructure: Super Protocol runs on Intel, Nvidia, and AMD TEEs and aims to support future platforms as major chip makers integrate TEEs [00:08:41].
  • Edge-Ready Architecture: It has validated ARM confidential computing compatibility, aiming to deliver end-to-end confidential AI from personal edge devices to the cloud [00:09:01].
  • Swarm Computing Principles: Scales across distributed GPU nodes with no single point of failure and automatic workload redistribution [00:09:25].
  • Fully Decentralized: Orchestrated entirely by smart contracts on BNB Chain, with no human intervention [00:09:40].
  • Zero Barrier to Entry: Users do not need TEE expertise to run or attest workloads [00:09:52].
  • Open Source: All parts of Super Protocol are open source, functioning as a protocol (like HTTPS for data in transit) to protect data while AI is working on it [00:10:03].

GPUless, Trustless, Limitless

Super Protocol enables what it calls “GPUless, trustless, limitless” AI:

  • GPUless: This refers to removing dependency, not GPUs [00:10:28]. It allows running accelerated AI workloads across independent GPU nodes without being locked into specific cloud vendors or centralized providers, and without needing to buy or rent GPUs for extended periods [00:10:37]. Users maintain control, and unauthorized access is technically impossible due to TEEs and open-source architecture [00:10:59].
  • Trustless: Confidential computing is the foundation of trustless AI [00:11:15]. It replaces blind trust with built-in cryptographic proofs [00:31:37]. Every workload produces a cryptographic proof showing what ran, where, and how, without exposing the actual workload data [00:32:00]. This means users don’t have to trust the provider or platform because they can verify the execution independently and transparently down to the hardware level [00:32:51].
  • Limitless: This involves removing legal, technical, and organizational barriers [00:11:23]. Traditional cloud platforms impose limits on data, geography, and control, hindering access to sensitive datasets, cross-border collaboration, and model monetization without relinquishing IP [00:11:38]. They are also often unfit for agentic, non-deterministic AI where autonomous agents interact and evolve [00:11:58]. Super Protocol removes these limits, allowing training, deployment, and monetization across organizations and jurisdictions with full confidentiality and ownership [00:12:14].

Case Studies and Demos

Super Protocol demonstrates its capabilities through various real-world case studies and practical demonstrations.

Digital Marketing Case Study: Realize and Mars

Realize, a company using AI to measure ad reactions through facial expressions, needed more biometric video data to improve its AI accuracy for brands like Mars [00:13:05]. Privacy laws (GDPR, CCPA) and data ownership concerns made partners reluctant to share sensitive footage [00:13:32].

Realize used Super Protocol’s confidential AI cloud, where AI training ran inside secure TEEs using powerful chips like Nvidia H100s/H200s and Intel Xeons [00:13:45]. Smart contracts and open-source certification automated and verified every step [00:14:00]. Data and models remained completely secure and inaccessible even to the cloud provider, Super Protocol, or Realize [00:14:10]. This verifiable confidentiality led providers to share four times more sensitive footage, boosting the training set by 319% [00:14:24]. Accuracy jumped to 75%, on par with human performance, resulting in a 3-5% sales increase for Mars across 30 brands in 19 markets [00:14:37].

Healthcare Case Study: BEAL and Titonix

The Brain Electrophysiology Laboratory (BEAL) needed to submit perfect documentation for a new epilepsy diagnostic device to the FDA [00:15:19]. This typically involved weeks of manual audits, NDAs, and risks of exposing trade secrets, with any mistake causing significant delays [00:15:42]. BEAL wanted to use Titonix’s AI-powered audit tool but worried about exposing their data and Titonix’s model in traditional cloud environments [00:16:01].

Titonix used Super Protocol’s confidential AI cloud [00:16:17]. The audit ran inside secure TEEs (Nvidia H100/H200 GPUs and Intel TDX CPUs) [00:16:22]. Automation by smart contracts and cryptographic proof ensured all files and models stayed encrypted and readable only within the secure environment, hidden from Super Protocol, BEAL, Titonix, or anyone else [00:16:32]. This reduced audit time from weeks to 1-2 hours, eliminated leak risks, protected IP, and prevented 120-day re-review delays, allowing BEAL to deliver life-saving tools sooner [00:16:53].

Super AI Marketplace Demo

The SuperAI marketplace, built on confidential and decentralized architecture, enables monetization for authors of closed-source models [00:18:10]. Models are deployed in TEEs and accessible via link or API, remaining confidential and not downloadable [00:18:31]. Users can deploy models in a few clicks, and a verification tool confirms deployment in a confidential environment, encrypted connection, and untampered AI engine [00:18:00].

Agentic AI and Automated Workflows Demo

Super Protocol enables building secure automated AI workflows for processing sensitive data, like medical data using N8N [00:21:39]. Running everything inside TEEs, inaccessible even to server admins, and combining low-code automation with decentralized infrastructure, delivers fully confidential, compliant, and verifiable medical AI [00:21:58]. An example workflow demonstrates processing an X-ray image and patient data: the workflow cleans input, invokes an AI model for X-ray analysis, generates a structured medical report, and emails it securely to the doctor [00:22:17]. All credentials (API keys, Gmail) are securely stored and isolated within the TEE [00:23:36].

Scaling Distributed Inference Demo

Super Protocol enables distributed inference using VLLM across multiple GPU servers without reliance on a single provider, demonstrating its “GPUless” advantage [00:26:16]. While VLLM partitions models across nodes for efficiency, traditional setups expose data and model code [00:26:37]. Super Protocol secures this by running every VLLM node inside a confidential VM powered by TEE hardware, linked by a private overlay network [00:27:01]. Data, model weights, and intermediate activations are processed and decrypted only within each confidential environment, with all inter-node communication encrypted [00:27:12]. This prevents sensitive material from leaving the secure boundary or being exposed to any host [00:27:26]. The demo showed a single large LLM (Mistral 22B) running across four GPU nodes (H100/H200s) provided by different owners (Alice, Bob, Carol, David) in a fully confidential mode [00:27:38]. On-chain reports verify that the image and model hashes match expectations for each participant, confirming integrity [00:30:31].

Beyond Trust: Cryptographic Proofs and Verifiability Demo

Super Protocol replaces blind trust with built-in cryptographic proofs, making every run verifiable independently and transparently down to the hardware level [00:31:35]. A cryptographic attestation, a signed proof from the hardware itself, verifies that a model executed in a real TEE using unmodified code on verified hardware inside a secure open-source runtime [00:32:20]. If attempts are made to bypass the system, the protocol prevents the application and data from loading [00:32:58].

A multi-party training example demonstrates Alice’s lab and Bob’s clinic (sensitive data) collaborating with Carol’s research center (training engine) to train a new model for early cancer detection [00:33:13]. All three inputs run inside a TEE, inaccessible to the cloud host, Super Protocol, or even the participants [00:33:50]. Data and source code remain private, with control remaining with each party [00:34:07]. The training is fully automated and verified by a certification center and smart contracts on BNB Chain’s Layer 2 [00:34:15].

Upon boot, a Confidential Virtual Machine (CVM) contacts an open-source certification authority for remote attestation, receiving a certificate if it’s genuine and running in an attested TEE [00:34:49]. Before data enters, an open-source trusted loader inside the CVM is attested, creates a signed key pair, and checks every component [00:35:17]. If any check fails, the process stops to protect all parties [00:35:33]. Data owners upload encrypted datasets, granting the CVM access, and the trusted loader verifies hashes before training begins [00:36:39]. Data and the engine are only ever decrypted inside the TEE during training [00:38:13]. Only Carol receives the encrypted output (the trained model and artifacts), while encryption keys never leave the TEE [00:38:27]. An integrity report, signed inside the TEE, is published on OPBNB as part of the order report, providing public, tamper-proof evidence of the job’s execution in a certified environment with approved inputs [00:39:53].

Conclusion

Confidential AI offers a practical path forward for developers, addressing crucial privacy and trust issues in AI development [00:43:05]. With solutions like Super Protocol, developers can run models on private data without exposure, deploy proprietary models without losing control, fine-tune without compliance risk, and verify execution with cryptographic proof [00:42:31]. It provides a simple, transparent, verifiable, and secure-by-design approach that is GPUless, trustless, and limitless [00:42:53].

Graph View

Backlinks