Fortanix Brings Confidential AI to Cisco Secure AI Factory with NVIDIA

Anuj Jaiswal
Jun 3, 2026

Saying that “enterprise AI is moving fast” is a severe understatement. Organizations across healthcare, financial services, government, defense, and more are racing to deploy advanced AI beyond controlled pilot environments into sensitive, regulated workloads where AI can deliver the most meaningful impact.

The challenge is that the infrastructure required to do it safely has lagged the ambition. Processing sensitive data through AI models introduces a class of security risk that conventional protections weren’t made to address, and deploying proprietary frontier models on third-party infrastructure introduces IP risks that model owners can't accept without credible technical guarantees.

Solving it requires a security architecture built into the foundation of AI infrastructure from the ground up.

Today, we are excited to announce that Fortanix Confidential AI is joining the Cisco Secure AI Factory with NVIDIA ecosystem, bringing hardware-enforced confidential computing to one of the most comprehensive AI infrastructure platforms available to enterprise organizations anywhere in the world.

The Security Challenge at the Heart of Enterprise AI

Cisco's Secure AI Factory with NVIDIA is built around a premise that resonates with everything Fortanix has been working on: security can't be an afterthought in AI infrastructure. It must be fused into every layer, from silicon to software.

That principle matters enormously as AI workloads grow in sensitivity and scale. Most enterprise AI deployments operate under a significant security blind spot where data is protected at rest and in transit (encrypted on disk or over the network), but the moment it enters active processing during AI inference, that protection disappears. Model weights, input and output data, intermediate computations, and inference outputs all exist in plaintext in memory, visible to the host operating system, the hypervisor, and anyone with sufficient access.

For organizations running AI on patient health records, financial instruments, legal documents, or any other type of classified information, this exposure is a non-starter. And for model owners whose most advanced AI systems represent years of research and billions of dollars of investment, deploying those models on infrastructure they don't control isn't something they're willing to do.

Confidential AI is the architectural response to both of these problems. By running AI workloads inside hardware-enforced Trusted Execution Environments (TEEs), where data remains encrypted in memory throughout active computation and where even privileged administrators have no visibility into the enclave, both the enterprise's data and the model owner's intellectual property can be protected simultaneously. That protection is enforced by silicon, not software policy, and it’s verified cryptographically by any party that needs assurance.

What the Cisco Secure AI Factory Integration Enables

Cisco's Secure AI Factory with NVIDIA is designed to give enterprises a full-stack, modular AI infrastructure that spans from central data centers to edge sites like hospitals, warehouses and manufacturing floors, where real-time decisions can't wait for a round trip to the cloud.

It brings together Cisco UCS compute with NVIDIA Confidential Computing-enabled GPUs, Cisco networking powered by either Cisco Silicon One or NVIDIA Spectrum-X switch silicon, Cisco AI Defense for agent-level security, and Cisco Hybrid Mesh Firewall extended to NVIDIA BlueField DPUs for workload-level enforcement.

Fortanix Confidential AI adds the hardware-enforced data-in-use protection layer that completes the security story for sensitive AI workloads across this stack.

At the core of the Fortanix contribution is composite attestation. Before any sensitive workload begins executing inside the Cisco Secure AI Factory environment, Fortanix Confidential Computing Manager (CCM) performs unified verification across both the CPU TEE and the NVIDIA Confidential Computing GPU, covering the complete execution stack in a single, unified chain of trust. This composite approach is critical for AI workloads because inference primarily happens on the GPU, meaning verifying only the CPU-side environment leaves the most sensitive part of the operation outside the verified boundary.

Read more on Quali stack automation: https://www.cisco.com/site/us/en/solutions/data-center/stack-automation-quali/index.html

Only after attestation succeeds does Fortanix Data Security Manager (DSM) release encryption keys, and it does so only into the verified TEE. DSM is a FIPS 140-2 Level 3-certified Hardware Security Module with integrated key management, and its attestation-gated key release mechanism ensures that proprietary model weights and enterprise data are decrypted exclusively within authenticated enclaves. If attestation fails at any point for any reason (tampered firmware, unauthorized software, a hardware anomaly, and so on), the workflow stops, and the keys are never released.
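The composite, fail-closed gate described above can be sketched as follows. This is an added illustration, not Fortanix CCM or DSM code or their API. All names are hypothetical, and HMAC with constructed keys stands in for the vendor-rooted hardware signatures that real CPU and GPU attestation evidence carries.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: real TEEs sign evidence with vendor-rooted asymmetric
# keys; HMAC keys here only keep the example self-contained.
ROOT_KEYS = {"cpu": b"constructed-cpu-root", "gpu": b"constructed-gpu-root"}
# Hypothetical policy: the measurements the model owner has approved.
POLICY = {
    "cpu": {hashlib.sha256(b"approved-cpu-tee-image").hexdigest()},
    "gpu": {hashlib.sha256(b"approved-gpu-firmware").hexdigest()},
}
MODEL_KEY = secrets.token_bytes(32)  # key that unwraps the model weights


def sign_evidence(component, measurement, nonce, key=None):
    """Device side (simulated): bind a measurement to the verifier's nonce."""
    key = key or ROOT_KEYS[component]
    msg = f"{component}|{measurement}|{nonce}".encode()
    return {"component": component, "measurement": measurement,
            "nonce": nonce, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verify_evidence(ev, nonce):
    """Return None if the evidence is acceptable, else a failure reason."""
    comp = ev.get("component")
    if comp not in ROOT_KEYS:
        return "unknown component"
    msg = f"{comp}|{ev.get('measurement')}|{ev.get('nonce')}".encode()
    expected = hmac.new(ROOT_KEYS[comp], msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ev.get("sig", "")):
        return f"{comp}: bad signature"
    if ev.get("nonce") != nonce:
        return f"{comp}: stale nonce"
    if ev.get("measurement") not in POLICY[comp]:
        return f"{comp}: measurement not in policy"
    return None


def release_key(evidence, nonce):
    """Release the key only when CPU *and* GPU evidence both verify."""
    seen = set()
    for ev in evidence:
        reason = verify_evidence(ev, nonce)
        if reason:
            return None, reason  # fail closed on the first failure
        seen.add(ev["component"])
    missing = set(ROOT_KEYS) - seen
    if missing:
        return None, "incomplete evidence: " + ",".join(sorted(missing))
    return MODEL_KEY, "ok"
```

Valid CPU evidence on its own is rejected as incomplete, which is the gap the composite check closes: the GPU, where inference runs, must be inside the verified boundary before any key leaves the key manager.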

Throughout the inference operation, Fortanix CCM continuously monitors the health of the enclave and policy compliance. Any detected integrity violation triggers immediate remediation. The result is a complete, auditable chain of custody over both enterprise data and AI model IP, from workload provisioning through runtime execution.

Powering Confidential AI at the Edge

One of the most important aspects of the expanded Cisco Secure AI Factory architecture is its extension from central data centers to edge sites. AI inference is increasingly happening where data is created and where decisions must be made, but that also introduces a new security surface area.

Edge deployments are, by nature, harder to physically secure than a central data center. Equipment may be in environments with broader physical access, or the infrastructure operator may be a managed service provider or a distributed enterprise IT team rather than a centralized security organization. And the sensitivity of the data being processed at the edge (clinical data, manufacturing telemetry, financial transactions, etc.) is often no less regulated than what runs through the core.

Fortanix Confidential AI provides the same hardware-enforced protections at the edge that it delivers in central data center environments. Because the security is rooted in the NVIDIA GPU silicon itself, and because Fortanix CCM supports local verification, the protection travels with the workload regardless of where it runs. For sovereign and air-gapped deployments, this means confidential AI guarantees remain intact even in disconnected or restricted network environments.

Unlock the Power of Proprietary Frontier Models Across the Cisco Ecosystem

The day-to-day implication of this integration that matters most to enterprises is that it makes access to proprietary frontier AI models possible within the Cisco Secure AI Factory environment.

Today, the most advanced AI models, those purpose-built for complex reasoning, risk modeling, analysis or intelligence applications, are largely unavailable for on-premises deployment because model owners have no reliable mechanism to protect their IP on third-party infrastructure. Conventional infrastructure has no technical barrier to a sufficiently privileged attacker stealing model weights once they're loaded into memory for inference.

That changes with Fortanix; model weights are distributed in encrypted form and decrypted only inside verified TEEs. The model owner doesn't have to trust the infrastructure operator, the enterprise IT team, or any other party in the chain, because the hardware enforces the protection regardless. That gives model providers the confidence to distribute their most advanced systems into enterprise environments for the first time.

For enterprises running the Cisco Secure AI Factory, this means the range of AI capabilities available to them expands significantly. Workloads that previously required a choice between security and model quality no longer require that compromise. The model can come to the data, inside the enterprise's own infrastructure perimeter, with cryptographic proof that both sides of the trust equation are satisfied.

A New Chapter in a Long History

Fortanix Confidential Computing Manager has been validated on Cisco UCS infrastructure for several years, with joint work demonstrating how Intel SGX-based confidential computing can be deployed across Cisco's B-Series, X-Series and C-Series server platforms.

It’s a history that gave both organizations a clear understanding of how confidential computing capabilities integrate with enterprise-grade infrastructure at scale.

The integration with Cisco Secure AI Factory with NVIDIA is the natural evolution of that relationship into the era of GPU-accelerated AI. Where earlier work focused on CPU-based SGX enclaves for database and application workloads, the current integration extends confidential computing to the GPU layer, where AI inference actually happens. Now, the full execution stack is covered by composite attestation, delivering the protections that enterprise AI requires.

Building the Security Layer That Enterprise AI Deserves

The Cisco Secure AI Factory with NVIDIA is one of the most significant enterprise AI infrastructure platforms in the market. Its ability to span from the core data center to the edge, its integration of security at multiple layers of the stack, and its partnership with NVIDIA across compute, networking, and software give enterprise organizations a foundation for deploying AI at proven production scale.

Fortanix is proud to be part of that foundation. The combination of Fortanix Confidential AI with the Cisco Secure AI Factory gives enterprises what they have been longing for: a secure, verifiable, production-grade path to running their most sensitive AI workloads on the most capable models available, all within infrastructure they control.

This is what it means to build AI infrastructure for the real world.
