Skip to content

Confidential Inference

Problem

Sensitive inference needs general-purpose model execution with protection from infrastructure operators or other tenants.

When To Use

Use TEEs when performance and model flexibility matter and hardware trust is acceptable.

When Not To Use

Avoid this pattern when side-channel risk is unacceptable or when attestation cannot be made understandable to relying parties.

Typical Architecture

Model code runs inside a TEE. Clients verify attestation, establish secure channels, send inputs, and receive outputs.

Threat Model

Infrastructure operators are not fully trusted. Hardware vendors and enclave implementation become part of the trust base.

Privacy Properties

Inputs and model data are protected in use, subject to hardware assumptions, enclave design, and side-channel controls.

Tools And Building Blocks

TEEs, remote attestation, confidential containers, key release services, access controls, and audit logging.

Common Failure Modes

Attestation confusion, enclave misconfiguration, side channels, logging plaintext, and weak output controls.

Open Research Problems

Attestation usability, multi-cloud portability, side-channel resilience, and composable guarantees with DP.

Confidential RAG, TEEs, side channels, deployments.