Most tech professionals have a working understanding of encryption. Data gets scrambled before it's stored so that only authorized parties can read it, and it’s encrypted before it travels across a network so that it can't be intercepted in transit. These are well-established practices, widely deployed, and reasonably well understood even outside of security teams.
What's less well understood, and what has become one of the biggest gaps in enterprise AI security, is what happens to data in between, while it's being actively processed. When it comes to AI, this is when a model reads, analyzes and generates a response. That window, which has historically been a blind spot in enterprise security architecture, is where “encryption in use” comes in.
The Gap That Encryption at Rest and in Transit Don't Cover
To understand why encryption in use matters, it helps to first think about what the other two forms of encryption actually protect against.
Encryption at rest protects data sitting on a disk or in storage. If someone steals a hard drive or gains unauthorized access to a file system, they can't read the data without the decryption key. That's real and important protection.
Meanwhile, encryption in transit protects data as it moves across a network. If someone intercepts traffic between a client and a server, the encrypted asset can’t be read without the key. And this is also important.
Notably, neither of these protects data while it's being computed on. When an application or, increasingly these days, an AI model needs to process data, it has to be decrypted first. The data is loaded into memory in plaintext, where the computation happens. While it's there, it's exposed, and if an attacker manages to gain access to the infrastructure at the right level, they can see it too.
For most enterprise workloads, this has been accepted; the window of exposure during processing is real but still manageable, given reasonable access controls and network security.
For AI workloads, however, it's a different story.
AI Makes the In-Use Security Gap Urgent
AI models don't just process small, isolated transactions. They process context, and usually a lot of it. A query sent to an enterprise AI model could include customer records, financial data, internal documents, patient information or proprietary business logic. The model needs all that context to generate a useful response, which means it ends up in memory in plaintext during inference.
What’s more, the AI model itself is something very valuable. A so-called “frontier” model, the kind that organizations are increasingly trying to deploy on-premises for sensitive use cases, is built on years of research and enormous compute investment, with proprietary architectural decisions baked into its weights. When that model is loaded into GPU memory for inference, those valuable weights are exposed to anyone with sufficient access to the infrastructure. Model owners can't risk exposing those proprietary model weights, while those using the model don’t want to expose their own sensitive data.
The result is a problem that encryption at rest and in transit wasn't made to solve. The data and the model are most vulnerable at the exact moment they're doing something useful, creating the gap that only encryption in use can close.
How Does Encryption in Use Work?
Confidential Computing is the technology that makes encryption in use practical, and it relies on Trusted Execution Environments, or TEEs. A TEE is a physically isolated region within a chip or processor, a secure enclave where computation can happen with strong guarantees enforced by the silicon itself.
Inside a TEE, data remains encrypted in memory and is decrypted only inside the CPU boundary, while it's being actively processed. The CPU handles memory encryption transparently, so the computation happens normally even while the contents of that memory are inaccessible to anyone (or anything) outside the enclave. The host operating system and the hypervisor can't read it, and even an administrator with root access to the machine can't inspect what's happening inside.
What ties it all together is the accompanying attestation process. Before a workload begins executing inside a TEE, the hardware performs a cryptographic verification to confirm that the environment meets all the desired standards and that it hasn't been tampered with. Only after that verification succeeds are the encryption keys released, and only into the verified enclave. If anything is wrong, like tampered firmware, unauthorized software, or a compromised environment, the attestation fails, and the keys are withheld. The workload simply doesn't run, and no damage can be done.
This combination of hardware-enforced isolation and cryptographic attestation is what separates encryption in use from conventional security controls. It's not enforced by policies, which can be broken. It's enforced by silicon.
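The attestation-gated key release described above, modeled as an added example that is not Fortanix's or any TEE vendor's code. An HMAC under a constructed key stands in for the hardware signature (real TEEs sign reports with an asymmetric key that chains to the chip vendor), and `make_report`, `KeyBroker` and every value shown are hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed stand-ins: a "hardware" signing key, one approved workload, one secret.
HW_KEY = b"constructed-demo-hardware-root-key"
WORKLOAD = b"inference-server v1 (constructed)"
TRUSTED_MEASUREMENTS = {hashlib.sha256(WORKLOAD).hexdigest()}
MODEL_KEY = b"constructed-model-decryption-key"

def _sign(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_report(workload: bytes, nonce: str, debug: bool = False, key: bytes = HW_KEY) -> dict:
    """Simulate the hardware measuring a workload and signing an attestation report."""
    body = {"measurement": hashlib.sha256(workload).hexdigest(), "nonce": nonce, "debug": debug}
    return {"body": body, "sig": _sign(body, key)}

class KeyBroker:
    """Hypothetical key-release service: the key leaves only after the report verifies."""
    def __init__(self):
        self.pending = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)   # fresh per request, so old reports cannot be replayed
        self.pending.add(nonce)
        return nonce

    def release_key(self, report: dict):
        body = report.get("body", {})
        # 1. Authenticity first: nothing in the body is trusted until the signature checks out.
        if not hmac.compare_digest(_sign(body, HW_KEY), str(report.get("sig", ""))):
            return None, "bad signature"
        # 2. Freshness: the nonce must be one this broker issued, and it is single use.
        if body.get("nonce") not in self.pending:
            return None, "stale or unknown nonce"
        self.pending.discard(body["nonce"])
        # 3. Policy: no debug enclaves, and the code measurement must be on the allowlist.
        if body.get("debug"):
            return None, "debug mode enabled"
        if body.get("measurement") not in TRUSTED_MEASUREMENTS:
            return None, "untrusted measurement"
        return MODEL_KEY, "ok"
```

Every failure path returns no key, which is the property the text relies on: a tampered, replayed or debug-mode environment never receives the secret it would need to run the workload.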
Here’s What It Means in Practice for AI
The practical implications of encryption in use for AI deployments are significant, and they show up in a few specific ways:
- Sensitive data can stay where it belongs. One of the biggest barriers to enterprise AI adoption in regulated industries like healthcare, financial services, government and legal is that the most useful AI models are often hosted externally, in cloud environments where data sovereignty requirements prevent sensitive data from traveling. Encryption in use changes that: when data is protected during inference by hardware-enforced TEEs, organizations can run powerful AI models on their most sensitive data without it leaving a controlled, cryptographically protected environment. The model comes to the data, meaning the data doesn't have to go to the model.
- Proprietary AI models can be deployed without IP risk. For model owners and developers who have built differentiated AI capabilities, deploying on third-party infrastructure carries the risk that model weights could be extracted by someone with system access. Inside a TEE, model weights are protected throughout inference and never exposed to the host infrastructure. The model owner doesn't have to trust the infrastructure operator since the hardware enforces the protection regardless.
- Multi-party AI collaboration becomes viable. Some of the most valuable AI use cases require combining data from multiple organizations, such as shared analytics across healthcare providers, to help improve outcomes. With traditional infrastructure, this kind of collaboration would require one party to effectively hand their data to another, with contractual assurances as the main protection. With encryption in use, multiple parties can jointly process data inside a shared TEE where none of them can see the other's raw inputs.
With these factors in play, compliance becomes easily provable. Regulations across healthcare, finance, and data protection require organizations to demonstrate that sensitive data is protected at all times, not just at rest and in transit. Encryption in use, backed by cryptographic attestation records, gives organizations something concrete they can show auditors: verifiable, hardware-level proof that data was protected throughout inference operations.
Two Out of Three Isn’t Enough
Encryption at rest and encryption in transit have been table stakes for years. Any organization with a serious data security posture already has both in place. Encryption in use is the third leg of the stool, covering the vital window that the other two don't.
For most workloads, the absence of that third leg has been an acceptable gap. But for AI workloads handling sensitive enterprise data and proprietary models, it simply isn't. The data is too valuable, and the regulatory stakes are too high for organizations to rely on perimeter controls and access management alone.
Encryption in use closes the gap and, more importantly, does so without requiring trust in the infrastructure, the operator, or anyone else in the chain. The protection is enforced by the hardware itself.
Fortanix Confidential AI delivers encryption in use for enterprise AI workloads, protecting sensitive data and proprietary models throughout the inference lifecycle through hardware-enforced Trusted Execution Environments, cryptographic attestation, and attestation-gated key management. Contact us now to learn more about how Fortanix Confidential AI can help protect your business’s most valuable assets.


