Apple Just Made the Case for Confidential AI - For All of Us

Mahboob Shaik
Jun 11, 2026

This week at WWDC, Apple announced [source] something that quietly rewrites the rules of private AI in the cloud: Private Cloud Compute (PCC) is expanding beyond Apple’s own data centers for the first time. New Apple Intelligence workloads will run on Google Cloud, on NVIDIA Blackwell GPUs with Confidential Computing, Intel CPUs with TDX, and Google’s Titan security chip.

The most privacy-obsessed company in consumer technology, the company that built PCC on its own silicon specifically because it didn’t trust anyone else’s, has just decided that confidential computing on third-party infrastructure is good enough to carry its brand promise.

If you’ve followed our work at Fortanix, you know why we find this moment so satisfying. This is the architecture we’ve been telling enterprises to adopt for years. Now it’s the architecture protecting hundreds of millions of iPhones.

What Apple actually announced

When Apple launched PCC in 2024, it set a high bar in the AI privacy space with five requirements:

  1. Stateless computation - no user data retained after the request
  2. Enforceable guarantees - security enforced technically, not by policy
  3. No privileged runtime access - no admin backdoors, period
  4. Non-targetability - attackers can't single out any one user
  5. Verifiable transparency - researchers can independently verify it all

Running PCC entirely on its own silicon, in its own data centers, Apple showed the world that cloud AI and true privacy aren't a trade-off: user data could stay provably protected, backed by cryptographic proof rather than policy promises.

The new announcement changes the implementation, not the promise. To run its most demanding Apple Intelligence workloads (agentic tool use and complex reasoning on the next generation of Apple Foundation Models, built in collaboration with Google), Apple extended PCC onto Google Cloud, using hardware it doesn’t own in data centers it doesn’t operate.

How? With the same Confidential Computing building blocks the rest of the industry has access to:

Trusted execution environments: Intel TDX isolates the CPU side; NVIDIA Confidential Computing protects the GPU side. Data stays protected inside the TEE, even from the cloud provider’s own administrators.

Remote attestation: Before a single byte of user data leaves a device, the device cryptographically verifies that the infrastructure is running exactly the software Apple approved, nothing more, nothing tampered. Apple even roots attestation for sensitive components in two independent vendors’ roots of trust, so no single party can be the weak link.

Hardware-rooted key release: Attested keys live in a separate, dedicated, confidential VM, isolated from anything that touches external input. Keys are released only to workloads that first prove their integrity.

Verifiable transparency: Apple maintains a cryptographically verifiable, append-only ledger of every piece of Google Cloud hardware in the PCC fleet, and publishes binaries for public inspection.

Apple put it plainly in their own announcement: the industry has had these confidential inference primitives for a while, but they’d never been assembled into an end-to-end pipeline at global scale. Now they have.

The part most coverage will miss

One aspect of Apple's post deserves the spotlight: Apple treats confidential computing as the necessary foundation and then builds layered protections on top of it. The entire stack (firmware, host OS, guest OS, and application code) is pulled into Apple's trusted computing base, subject to attestation and transparency guarantees. Inference software is recycled on short time-to-live cycles. Request parsing happens in isolated namespaces. Defense-in-depth, everywhere.

Fortanix Confidential AI was built with the same thinking, and the CCC's 3 Degrees [link] paper now codifies it. A trusted execution environment (TEE) is just the starting point; the technical questions around it are who attests to what, who controls the keys, whether the workload's integrity is part of the proof, and what actually happens when a check fails. In the paper's terms, that's Level 3, and the CCC calls it the baseline, not the aspiration. We agree. It's how the product was designed from day one.

So what does this mean for your enterprise?

Apple invested years of world-class engineering and collaborated with Google, NVIDIA, and Intel to make this a reality. And while PCC itself is unique to Apple, the security pattern at its heart (attest the infrastructure first, release keys only to verified workloads, then process data) is one any enterprise can adopt. It's the pattern Fortanix Confidential AI was built around:

Fortanix Confidential AI delivers end-to-end protection for proprietary frontier models, sensitive data, and inference across the full AI lifecycle. The joint Fortanix-NVIDIA solution, built on Confidential Computing, keeps both sensitive data and model IP encrypted and inaccessible to the underlying infrastructure. Enterprises can now run advanced AI where their data resides, while model providers keep their critical IP fully protected.

  • Confidential Computing Manager (CCM) handles the part Apple has spent enormous effort getting right: attestation. CCM verifies CPU and GPU evidence together (Composite Attestation), enforces policy on what’s allowed to run, and gives you an auditable trail of exactly what software touched your data.
  • Data Security Manager (DSM): Keys are released only to workloads that pass attestation, following the same secure key release pattern Apple uses to keep attested keys isolated from external inputs.

The pattern Apple validated this week (attest first, secure key release second, process data third, verify everything) is exactly the pattern Fortanix Confidential AI is built around. The difference is that you don't have to build it yourself.
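The attest-first, release-keys-second pattern can be shown as a small key-release gate. This is an added example, not Fortanix's or Apple's code. It assumes HMAC keys as stand-ins for the CPU and GPU vendors' asymmetric attestation signatures, and all names and measurement values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins. Real TEEs sign evidence with vendor-rooted asymmetric keys;
# two HMAC keys model two independent roots of trust (CPU TEE and GPU TEE).
ROOTS = {"cpu": b"constructed-cpu-root-key", "gpu": b"constructed-gpu-root-key"}
# Policy: the only measurement approved for each component (constructed values).
APPROVED = {
    "cpu": hashlib.sha256(b"approved guest image v1").hexdigest(),
    "gpu": hashlib.sha256(b"approved gpu firmware v1").hexdigest(),
}
MODEL_KEY = secrets.token_bytes(32)  # the secret the release service guards


def sign_evidence(component, measurement, nonce, root_key=None):
    """Workload side: bind a measurement to the verifier's fresh nonce."""
    body = json.dumps({"measurement": measurement, "nonce": nonce}, sort_keys=True).encode()
    key = root_key if root_key is not None else ROOTS[component]
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_evidence(ev, component, nonce):
    """Return None when the evidence is acceptable, otherwise the reason it is not."""
    expected = hmac.new(ROOTS[component], ev["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ev["sig"]):
        return f"{component}: bad signature"  # checked before the body is parsed
    claims = json.loads(ev["body"])
    if claims["nonce"] != nonce:
        return f"{component}: stale nonce"
    if claims["measurement"] != APPROVED[component]:
        return f"{component}: unapproved measurement"
    return None


def release_key(evidence, nonce, audit):
    """Fail closed: release the key only if every component's evidence verifies."""
    failures = []
    for component in ROOTS:
        ev = evidence.get(component)
        reason = f"{component}: missing evidence" if ev is None else verify_evidence(ev, component, nonce)
        if reason:
            failures.append(reason)
    audit.append({"nonce": nonce, "released": not failures, "failures": failures})
    return None if failures else MODEL_KEY
```

Every decision, including refusals, lands in the audit list, so a failed check leaves a record of which component failed and why.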

The bigger signal

For years, the question we heard from enterprise security leaders was some version of: “Confidential computing sounds great, but is it real? Is it mature? Will the performance hold up for AI workloads?”

Apple just answered all three questions in public, at the scale of Apple Intelligence, with its brand reputation on the line. When the company whose entire pitch is privacy decides that NVIDIA Confidential Computing and Intel TDX on someone else’s cloud meet its bar, the “is it ready” debate is over.

The new question is the one that actually matters: when your customers’ data flows into AI systems (your models, your agents, your RAG pipelines), can you prove, cryptographically, that no one else can see it?
