Enterprises deploying AI factories face a three-way trust dilemma between model owners, infrastructure providers, and data owners. Confidential computing addresses this by using hardware-backed Trusted Execution Environments (TEEs) and cryptographic attestation to protect data and model weights throughout execution. NVIDIA's reference architecture uses Confidential Containers (CoCo) with Kata Containers to wrap Kubernetes pods in hardware-isolated VMs, removing the host OS and hypervisor from the trusted computing base. The architecture covers six core pillars: hardware root of trust with confidential GPUs, the Kata Containers runtime, a hardened guest OS, an attestation service with a Key Broker Service, confidential workload lifecycle management, and native Kubernetes/GPU Operator integration. A detailed composite attestation workflow describes how encrypted models are securely deployed and decrypted exclusively inside protected memory. The post also clarifies what CoCo does and does not protect, noting that application vulnerabilities and network security remain out of scope.
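As a concrete illustration of the Kubernetes integration described above, the sketch below shows how a pod might opt into a Kata-based confidential runtime via the standard runtimeClassName field, using the Kubernetes Python client. The runtime class name ("kata-qemu-snp"), the container image, and the namespace are illustrative assumptions; the actual names depend on how Confidential Containers and the GPU Operator are installed in a given cluster.

```python
from kubernetes import client, config

# Load cluster credentials from the local kubeconfig.
config.load_kube_config()

pod = client.V1Pod(
    metadata=client.V1ObjectMeta(name="confidential-inference"),
    spec=client.V1PodSpec(
        # Assumed runtime class name: selects the Kata-based, hardware-isolated
        # VM runtime instead of the default container runtime.
        runtime_class_name="kata-qemu-snp",
        containers=[
            client.V1Container(
                name="model-server",
                # Hypothetical image holding an encrypted model; decryption keys
                # would only be released after attestation succeeds.
                image="registry.example.com/encrypted-model-server:latest",
                resources=client.V1ResourceRequirements(
                    # Request a confidential GPU exposed through the GPU Operator.
                    limits={"nvidia.com/gpu": "1"}
                ),
            )
        ],
    ),
)

# Submit the pod; the CoCo stack launches it inside a hardware-isolated VM.
client.CoreV1Api().create_namespaced_pod(namespace="default", body=pod)
```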
Table of contents
The AI factory trust dilemma
Enabling secure AI factories with Confidential Containers
Open reference architecture for a zero-trust AI factory
Threat model and trust boundaries
Secure model deployment with composite attestation
Ecosystem partners
Get started