You have trust issues.
That might not be a flattering thing to hear in most situations, but when it comes to AI security, it’s a good thing to know.
“Trust” is a loaded word in security, used loosely in ways that obscure what it actually means in practice. When a security architect asks whether a system can be trusted, they're really asking: what verifiable evidence exists that this environment is what it claims to be, and how was that evidence produced?
For AI workloads running on modern confidential computing infrastructure, the answer to that question is attestation. And for AI workloads specifically, where inference spans both CPU and GPU processing, the answer is composite attestation.
This Is What Attestation Does
Attestation is the process by which a computing environment proves its integrity to a relying party. Before a sensitive workload begins executing, the hardware generates a cryptographic report: a signed statement describing the state of the trusted execution environment (TEE).
It includes everything from the CPU or GPU identity and firmware versions to the software stack loaded into the TEE and a measurement of the code about to run. The report is signed with a device-specific key rooted in secrets fused into the silicon at manufacture and certified by the vendor, so only genuine hardware can produce a report that chains back to the vendor's root of trust. The report also carries a caller-supplied nonce, so a captured report cannot be replayed later.
Then the system or service responsible for deciding whether to release encryption keys or allow the workload to proceed verifies the report: it checks the signature chain, checks that the nonce is the one it issued, and compares each field against your predefined requirements. If everything matches, trust is confirmed and the workload proceeds. If anything doesn't match (unexpected firmware, modified code, unrecognized hardware identity, a stale nonce), verification fails, no keys are released and the workload is blocked.
This is very different from conventional access controls and software-based security policies. It doesn't ask whether the system has the right credentials. It asks, "Is this system's hardware and software stack exactly what it's supposed to be, and can that be cryptographically verified against the hardware vendor's root of trust?" That matters enormously when the workload you're protecting involves sensitive data or proprietary AI models that your business can't afford to expose to a compromised environment.
There’s a Problem That CPU-Only Attestation Doesn't Solve
Standard confidential computing attestation, available on Intel SGX and TDX and on AMD SEV-SNP processors, covers the CPU execution environment. It can verify that a workload is running inside a genuine, hardware-isolated CPU TEE, that the firmware hasn't been tampered with, and that the code loaded into the TEE matches expected measurements.
That's sufficient for conventional workloads, but it doesn't cover where AI inference actually runs.
The reason, of course, is that AI inference doesn't primarily happen on the CPU. It happens on the GPU. A large language model loaded for inference has its weights, activations, and intermediate computations in GPU memory, where the actual model execution occurs. This is also where data is processed, proprietary model architecture is in active use and outputs are generated.
CPU-only attestation verifies the integrity of the orchestration layer, but it says nothing about what's happening on the GPU. It can't verify that GPU memory is genuinely isolated, that the GPU's firmware is unmodified, or even that the GPU is genuine vendor hardware.
For a security team designing an AI inference pipeline, that’s a major concern. You've essentially verified that the front door is locked, but you haven't verified what's happening inside the room where the sensitive work actually takes place.
What Composite Attestation Adds
Composite attestation extends cryptographic verification across both the CPU and GPU environments, producing a single, unified attestation report that covers the complete execution stack where AI inference actually happens.
The GPU, like the CPU, can generate a hardware-signed attestation report that verifies its own identity, firmware state and security configuration. What composite attestation adds is a binding between the two reports: the CPU TEE's report carries a commitment to the GPU's report (for example, a hash of the GPU report placed in the user-data field of the CPU report, with the same fresh nonce present in both), and the verifier checks both signatures, the binding and both sets of measurements against policy as a single unit before any encryption keys are released or any workload proceeds. A valid CPU report paired with someone else's GPU report, or with a GPU report from an earlier session, fails the binding check just as a wrong measurement fails the policy check.
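The flow described above, a hardware-signed report checked against policy before keys are released and the GPU report bound into the CPU report so that both are verified as one unit, as an added example that is not part of this article or of any vendor's product. It models the silicon signing keys with HMAC keys shared with the verifier so that it runs with only the Python standard library; real TEEs sign with asymmetric device keys certified by the vendor. All hardware identifiers, firmware versions, measurements, nonces and the policy are constructed values, and the CPU-only verifier is included to show the gap that the composite check closes.

```python
import hashlib
import hmac
import json

# Stand-in for per-device signing keys fused into silicon (constructed).
# Real hardware uses asymmetric keys with a vendor certificate chain; HMAC keys
# shared with the verifier are used here only so the example runs stand-alone.
CPU_DEVICE_KEY = b"cpu-device-key-constructed"
GPU_DEVICE_KEY = b"gpu-device-key-constructed"

# Reference values the verifier's policy expects (constructed, not real values).
POLICY = {
    "cpu": {"hardware_id": "cpu-family-A", "firmware": "1.4.2", "measurement": "a" * 64},
    "gpu": {"hardware_id": "gpu-model-X", "firmware": "3.1.0", "isolation": "enabled"},
}


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_key, body):
    """Model of the hardware emitting a signed report over its own state."""
    return {"body": body, "sig": hmac.new(device_key, canonical(body), hashlib.sha256).hexdigest()}


def verify_signature(device_key, report):
    expected = hmac.new(device_key, canonical(report["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["sig"])


def gpu_attest(nonce, firmware="3.1.0", isolation="enabled"):
    """GPU-side report: identity, firmware, security configuration, verifier nonce."""
    body = {"hardware_id": "gpu-model-X", "firmware": firmware, "isolation": isolation, "nonce": nonce}
    return sign_report(GPU_DEVICE_KEY, body)


def cpu_attest(gpu_report, nonce, firmware="1.4.2", measurement="a" * 64):
    """CPU TEE report that binds the GPU report by committing to its hash in report_data
    (the role played by the caller-controlled user-data field of a CPU TEE report)."""
    binding = hashlib.sha256(canonical(gpu_report)).hexdigest()
    body = {"hardware_id": "cpu-family-A", "firmware": firmware, "measurement": measurement,
            "nonce": nonce, "report_data": binding}
    return sign_report(CPU_DEVICE_KEY, body)


def verify_cpu_only(cpu_report, nonce, policy=POLICY):
    """What a CPU-only verifier checks: it never looks at the GPU at all."""
    if not verify_signature(CPU_DEVICE_KEY, cpu_report):
        return False
    cpu = cpu_report["body"]
    return cpu["nonce"] == nonce and all(cpu[f] == v for f, v in policy["cpu"].items())


def verify_composite(cpu_report, gpu_report, nonce, policy=POLICY):
    """Composite verifier: both signatures, freshness, binding, then policy on both sides.
    Returns (ok, reason); keys are released only when ok is True."""
    if not verify_signature(CPU_DEVICE_KEY, cpu_report):
        return False, "cpu signature invalid"
    if not verify_signature(GPU_DEVICE_KEY, gpu_report):
        return False, "gpu signature invalid"
    cpu, gpu = cpu_report["body"], gpu_report["body"]
    if cpu["nonce"] != nonce or gpu["nonce"] != nonce:
        return False, "nonce mismatch (replayed report)"
    binding = hashlib.sha256(canonical(gpu_report)).hexdigest()
    if not hmac.compare_digest(cpu["report_data"], binding):
        return False, "gpu report not bound to cpu report"
    for field, expected in policy["cpu"].items():
        if cpu[field] != expected:
            return False, f"cpu {field} mismatch"
    for field, expected in policy["gpu"].items():
        if gpu[field] != expected:
            return False, f"gpu {field} mismatch"
    return True, "composite attestation verified"


def release_key(cpu_report, gpu_report, nonce, key=b"model-decryption-key-constructed"):
    """Key-release gate: the model key leaves the verifier only on a passing composite check."""
    ok, _ = verify_composite(cpu_report, gpu_report, nonce)
    return key if ok else None


if __name__ == "__main__":
    nonce = "nonce-constructed-1"
    good_gpu = gpu_attest(nonce)
    good_cpu = cpu_attest(good_gpu, nonce)
    print("healthy stack:", verify_composite(good_cpu, good_gpu, nonce))
    # Compromised GPU firmware: CPU-only verification passes, composite fails.
    bad_gpu = gpu_attest(nonce, firmware="3.0.9-modified")
    bad_cpu = cpu_attest(bad_gpu, nonce)
    print("cpu-only view of compromised GPU:", verify_cpu_only(bad_cpu, nonce))
    print("composite view of compromised GPU:", verify_composite(bad_cpu, bad_gpu, nonce))
    # Attacker substitutes a clean GPU report for the one the CPU actually bound.
    print("substituted GPU report:", verify_composite(bad_cpu, good_gpu, nonce))
```

The order of checks matters: signatures first (so unsigned input never reaches policy logic), then freshness, then the binding, then the measurements. Reversing it would let an attacker learn which policy field they failed from a forged report before ever producing a valid signature.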
This closes a gap that CPU-only attestation leaves open. In a system with only CPU attestation, an attacker who has compromised the GPU (modified firmware, for instance) can potentially extract model weights or inference data while the CPU-side attestation reports everything as normal. The CPU doesn't know the GPU is compromised because nothing is verifying the GPU. With composite attestation, the GPU's state is part of the verified chain, and any discrepancy between what the GPU reports and what policy expects fails the entire attestation, so no keys are released and the workload never starts. One caveat a practitioner should keep in mind: a report describes the environment at the moment it was produced, which is why the verifier demands a fresh nonce in every report and re-attests whenever the environment changes rather than trusting a report indefinitely.
Fortanix Confidential Computing Manager delivers composite attestation across CPU and GPU environments for enterprise AI workloads, providing the unified chain of trust that sensitive inference deployments require. Learn more about Fortanix Confidential AI.
The result of all this is what both parties involved in AI deployments want: the enterprise and the model owner each get cryptographic proof that the complete inference environment is genuine, unmodified and operating as expected.
For AI, This Is Specifically the Right Architecture
There are reasons why composite attestation matters for AI in ways it doesn't for many other workloads.
In most enterprise applications, the sensitive processing happens on the CPU. Database queries, application logic and authentication workflows all run there, and CPU-level attestation is sufficient to verify the integrity of that processing. The GPU, if present, is handling rendering or compute tasks with lower confidentiality requirements.
It’s the opposite with AI inference. The GPU processes the most sensitive assets in the system: the input data, which often contains regulated or proprietary information, and the model weights, which represent the model owner's core intellectual property.
CPU attestation alone creates a verified perimeter around the less sensitive part of the workload while leaving the most sensitive part (everything happening in GPU memory) outside the verified boundary.
There's also the agentic AI factor. Modern enterprise AI deployments increasingly involve agentic systems that execute multi-step workflows, access external data sources, and operate over extended sessions. Each step in an agentic workflow is an opportunity for a compromised component to intercept or manipulate data. Composite attestation, checked at each step where keys or data are handed to a component, lets the entire execution chain be verified rather than just the entry point.
For teams evaluating whether a confidential AI deployment actually delivers the protection it promises, composite attestation makes the "yes" answer verifiable rather than assumed.
Attestation Is the Foundation of Verifiable Trust
For security architects, the value of composite attestation isn't only that it makes AI workloads harder to attack, although it does. What matters more is that it changes the nature of the trust claims being made.
Without composite attestation, security for an AI inference pipeline rests on a combination of access controls, software policies, and trust in the infrastructure operator. These are all legitimate controls, but they're all also bypassable given sufficient access or motivation. The trust they provide is conditional at best.
With composite attestation, the trust claim is cryptographic and verifiable. You're not asking whether the infrastructure operator's policies are sound, or whether their access controls are properly configured. You're verifying, against the hardware vendor's root of trust, that the hardware and software environment where your data and model are being processed is exactly what it's supposed to be.
That's what verifiable security looks like for AI. Not trust that's contractually agreed upon, but trust that's proven.