Everyone is rushing to adopt AI, but a critical paradox is blocking its true potential: the very models that promise transformative insights require access to our most sensitive data. How can enterprises leverage powerful AI without exposing customer PII, intellectual property, or regulated financial information? It’s the biggest question holding back innovation, and the industry’s first answer has been a surge of interest in Confidential Compute.
With the recent buzz around Apple's Private Cloud Compute (PCC), Google’s Private AI Compute, and the new open-source project, OpenPCC, the message is clear: the future of AI must be private. These technologies are a vital step forward, but they are only one piece of a much larger puzzle. They protect the transaction, but not the data.
At its core, private cloud compute for AI acts like a secure, private tunnel between a user and a model. Technologies like PCC and OpenPCC are designed to do a few things very well:
This is a necessary and important evolution for protecting the privacy of an individual AI query. It ensures that the sensitive question you ask and the answer you receive are shielded from prying eyes during that specific interaction. But what about the data’s journey before and after those few milliseconds of inference?
Focusing only on the inference transaction leaves critical security gaps that cannot be ignored.
1. It’s Focused on the Traffic, Not the Data Itself. Confidential compute protects the query while it's in use, but your data doesn't live in a query. It lives in data lakes, databases, and object stores. It’s created, copied, and moved across your enterprise. Protecting the inference "pipe" is useless if the data source itself is a leaky bucket. This is the part most often left out of the conversation.
2. Hardware is Not Infallible. These systems place immense trust in a hardware root of trust, but hardware has repeatedly been shown to leak. TPM-Fail, for example, used timing side channels to recover ECDSA private keys from trusted platform modules, the same class of signing key that attestation and sealing depend on, so a single hardware flaw can silently void every guarantee built on top of it. Relying solely on the hardware for protection is a risky bet; the root of trust should be one layer of the defense, not the whole defense.
3. It's for Inference, Not Training. Finally, today's private cloud compute solutions are almost exclusively designed for running queries (inference). They do not address the far greater data exposure risk posed by training or fine-tuning models on sensitive corporate datasets, which often entails massive, persistent access to information.
At Virtru, we believe a comprehensive AI privacy strategy requires addressing security at every level, from silicon to the data itself.
Before you can trust a "secure tunnel," you must be able to cryptographically prove that the workload and hardware at each end are genuine and uncompromised. Virtru is deep in the trenches, building the foundational plumbing to make this verification seamless and scalable. Our engineering teams are solving the complex challenge of hardware-attested workload identity for GPU-accelerated AI. We are creating the infrastructure to verify a workload’s integrity within a secure hardware enclave and make it compatible with modern, enterprise-grade service-mesh architectures, a problem that standard tools can't address. This work moves beyond simply trusting the hardware to actively verifying it.
A trusted compute environment is necessary, but not sufficient. The ultimate goal is to protect the data. Virtru’s philosophy is that security must be embedded in the data itself, providing persistent protection and control no matter where it moves.
This is achieved through two core principles:
By combining a foundation of trusted compute with a data-centric security model, Virtru is enabling a new generation of powerful AI use cases that don't compromise on privacy. Our upcoming capabilities will allow you to:
Before an AI can query your data, that data must be secured at rest. With the Virtru Data Security Platform, organizations will be able to govern and protect data in their existing data lakes. Using our ABAC-enforced policies, you can ensure that an AI agent (or any user) can discover and read only the files it is explicitly authorized to access, preventing wholesale data exposure.
Retrieval-Augmented Generation (RAG) is a powerful AI pattern, but it often requires models to access large volumes of sensitive documents. With the Virtru Data Security Platform, you will be able to build a RAG application that preserves privacy end-to-end. Our platform will convert source documents into protected vector embeddings that can be searched without revealing the content. When the AI retrieves the most relevant document chunks to inform its answer, Virtru ensures the model only receives the specific data it and the user are authorized to see, for only as long as it needs it. The AI gets the context it needs to be effective, and because the authorization check is applied to each retrieved chunk rather than to the query, a jailbroken or prompt-injected request cannot pull back data the user and agent were never entitled to.
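To make the retrieval-time check concrete, here is an added illustration of ABAC-gated retrieval for a RAG pipeline. It is not Virtru's code or the platform's API; every attribute name, policy, document and embedding is constructed for the example, and the three-dimensional vectors stand in for real embeddings. Each chunk carries a policy naming the attributes a requester must hold; retrieval ranks chunks by similarity as usual but releases only chunks whose policy is satisfied by the intersection of the user's and the agent's attributes, and it records every decision for audit.

```python
"""ABAC-gated retrieval for a RAG pipeline (illustrative, not Virtru's code).

Every policy, attribute name and document below is constructed for the
example. A chunk's policy lists the attributes a requester must hold; the
retriever ranks by similarity but releases only authorized chunks and logs
each allow/deny decision.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Policy:
    # Attributes the requester must hold to read the chunk (all of them).
    required: frozenset


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    embedding: tuple
    policy: Policy


@dataclass(frozen=True)
class Requester:
    user_attrs: frozenset   # attributes of the human on whose behalf we act
    agent_attrs: frozenset  # attributes granted to the AI agent itself

    def effective_attrs(self):
        # The agent acts for the user: it may use only rights that both
        # hold, so an over-provisioned agent cannot escalate a user's
        # access and a user cannot borrow rights the agent never had.
        return self.user_attrs & self.agent_attrs


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def authorized(chunk, requester):
    return chunk.policy.required <= requester.effective_attrs()


def retrieve(index, query_vec, requester, k, audit):
    """Return up to k authorized chunks, most similar first.

    The policy check runs on each candidate chunk, not on the query, so a
    prompt-injected query that steers retrieval toward someone else's
    documents still yields only chunks the requester may see.
    """
    ranked = sorted(index, key=lambda c: cosine(c.embedding, query_vec), reverse=True)
    released = []
    for chunk in ranked:
        allowed = authorized(chunk, requester)
        audit.append({
            "doc_id": chunk.doc_id,
            "decision": "allow" if allowed else "deny",
            "missing": sorted(chunk.policy.required - requester.effective_attrs()),
        })
        if allowed:
            released.append(chunk)
            if len(released) == k:
                break
    return released


# Constructed sample index; 3-d vectors stand in for real embeddings.
INDEX = [
    Chunk("q3-financials", "Q3 revenue grew 12% ...", (1.0, 0.0, 0.0),
          Policy(frozenset({"dept:finance", "clearance:confidential"}))),
    Chunk("hr-salaries", "Salary bands for 2025 ...", (0.9, 0.1, 0.0),
          Policy(frozenset({"dept:hr", "clearance:confidential"}))),
    Chunk("public-faq", "Our support hours are ...", (0.0, 1.0, 0.0),
          Policy(frozenset())),
]

# A finance analyst using an agent that was provisioned more broadly than
# the user; the intersection still limits it to the user's own rights.
FINANCE_ANALYST = Requester(
    user_attrs=frozenset({"dept:finance", "clearance:confidential"}),
    agent_attrs=frozenset({"dept:finance", "dept:hr", "clearance:confidential"}),
)


def released_ids(query_vec, requester=FINANCE_ANALYST, k=2):
    """Run a retrieval and return (doc_ids released, audit log)."""
    audit = []
    chunks = retrieve(INDEX, query_vec, requester, k, audit)
    return [c.doc_id for c in chunks], audit


if __name__ == "__main__":
    ids, log = released_ids((1.0, 0.05, 0.0))
    print(ids)  # ['q3-financials', 'public-faq']
    for entry in log:
        print(entry)
```

The design point is that the gate sits between the index and the model, not in the prompt: the HR chunk ranks second for the analyst's query and first for a query nudged toward salary data, yet it is denied in both cases and the denial, with the missing attributes, lands in the audit log. A production system would also make the chunk content unreadable until the check passes (for example, by keeping it encrypted and releasing the key only on an allow decision); this illustration shows the policy decision alone.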
While our current focus is on inference and RAG use cases, we recognize that training and fine-tuning models on sensitive corporate datasets represents an even greater data exposure challenge. Virtru can already provide some data-centric protections for these workflows, and our roadmap extends that coverage so that the persistent access training requires is subject to the same granular control and auditability.
Confidential Compute is an important part of the AI privacy story, but it’s only the beginning. A truly comprehensive strategy cannot treat the query as an island; it must account for the entire data lifecycle.
It requires building on a foundation of verifiable, hardware-attested compute, a challenge Virtru is actively working to address. And it demands a persistent, data-centric security layer that protects data everywhere it lives and enforces granular control based on owner-defined policies.
Don't just secure your queries; secure your data. That's how you unlock AI's full potential without sacrificing privacy and control.
Ready to explore data-centric security for your AI workflows? Whether you're securing data lakes before AI ingestion or building privacy-preserving RAG applications, our product team can help you evaluate the right approach. Join the Confidential AI Early Access Program to connect with Virtru experts.
A: Private Cloud Compute (PCC) technologies like Apple's PCC and Google's Private AI Compute create a secure, encrypted tunnel between users and AI models. They encrypt prompts and outputs during transit and use hardware-based confidential computing to isolate computation. However, PCC only protects the AI query transaction itself—not your underlying data in databases and data lakes before or after the AI interaction. For complete protection, you need data-centric security that protects the data everywhere it lives, not just during the AI query.
A: Confidential Computing protects data during the AI transaction—like a secure tunnel for your query. Data-centric security protects the data itself, everywhere it goes. With data-centric security, each piece of data is wrapped in its own encryption and access controls that travel with it, so it's protected in storage, during processing, and after the AI uses it. Think of it this way: Confidential Computing secures the pipe, data-centric security secures the water flowing through it.
A: Protecting sensitive data in AI requires a three-layer approach: (1) Verify your AI compute environment is secure through hardware attestation, (2) Encrypt and embed access policies directly into your data so it's protected everywhere—in data lakes, during AI training, and during queries, and (3) Use Attribute-Based Access Control (ABAC) to ensure only authorized users and AI models can access specific data based on roles, clearance levels, and purpose. This protects your data across the entire AI lifecycle, not just during individual queries.