Aaron Fulkerson, CEO of OPAQUE – Interview Series

Aaron Fulkerson, CEO of OPAQUE, is a longtime enterprise software entrepreneur and open-source pioneer whose career spans more than two decades of building and scaling technology platforms focused on trust, data, and digital transformation. Before joining OPAQUE in 2023, he founded MindTouch, helping grow it into a widely adopted enterprise knowledge platform before its acquisition by NICE Systems, and later led the launch of ServiceNow Impact, one of the fastest-growing business units in ServiceNow history. Throughout his career, Fulkerson has worked at the intersection of emerging technologies, enterprise software, and open ecosystems, while also advising multiple technology startups and organizations. More recently, he has become a prominent advocate for Confidential AI, arguing that privacy, governance, and verifiable trust will be foundational requirements as AI systems become embedded into critical enterprise workflows.

OPAQUE is a Confidential AI company that emerged from UC Berkeley's RISELab, the same research group that produced Apache Spark and the founding team of Databricks. The company has developed a platform that enables enterprises to run AI models, agents, and workflows on highly sensitive data while maintaining cryptographically verifiable privacy and compliance guarantees. Rather than forcing organizations to choose between AI innovation and data security, OPAQUE uses confidential computing, encrypted runtime environments, and hardware-attested execution to keep sensitive information protected before, during, and after AI processing. Its technology is designed for highly regulated industries including finance, insurance, healthcare, and high-tech, with customers and partners that include ServiceNow, Anthropic, Accenture, and other enterprise organizations seeking to move AI projects from pilot programs into production without exposing proprietary or regulated data.

You’ve built and scaled multiple enterprise platforms over your career, so what prompted you to step into the CEO role at OPAQUE and focus your next chapter on trust, privacy, and AI governance?

I’ve spent nearly two decades building enterprise platforms, first at MindTouch, which is still used by a billion users annually, and then at ServiceNow, where I created their fastest-growing product. Both taught me the same lesson: the most powerful technology only wins when people trust it.

When I met OPAQUE’s co-founders Raluca Ada Popa, Ion Stoica, and Rishabh Poddar, I saw a rare combination of talent and vision. Raluca is one of the world’s foremost researchers in privacy and security. Ion co-founded Databricks. Rishabh built the core cryptographic systems that became OPAQUE’s foundation.

At UC Berkeley’s RISELab, they had created something I immediately recognized as generational. Cryptographic proof that data remains private throughout every AI workflow. Not promises. Not policies. Proof.

I looked at where AI was heading, agents acting autonomously across enterprise systems at machine speed, and I saw the same gap Vint Cerf has warned about for 30 years: no trust layer. The internet survived without one because humans were the guardrail. The agentic web will not have that luxury. That is what pulled me in.

With MCP (the Model Context Protocol, a standard that allows AI agents to securely access tools, applications, and data) emerging as a common foundation, how do you see this changing the way enterprises deploy and scale agentic AI?

MCP is an important step in how enterprises deploy and scale agentic AI. Think of it as a universal connector for AI workflows. It standardizes how agents plug into tools, applications, and data, reducing real friction and speeding up experimentation.

But standardizing access alone does not make agentic AI safe or scalable. As these connections proliferate, with more agents, more tools, and more data sources, the data bleed surface area expands with every new integration. Each connection point that lacks runtime enforcement is a potential exposure vector. When AI agents interact with sensitive systems and proprietary logic, encryption at rest and network controls aren’t enough. The security boundary has shifted to runtime, and that shift becomes more urgent as the ecosystem scales.

Having verifiability at these essential connection points will be mission-critical for the enterprise. Enterprises can scale agentic AI when MCP-style access is paired with cryptographic proof of what code ran, where it ran, and under what policy—before, during, and after execution. Access plus verifiability. That’s the combination that unlocks production.

As MCP standardizes agent access, where do you see the biggest gaps today when it comes to security, policy enforcement, and trust in agent-driven systems?

We completed our 2026 AI Leak Surface research and published a summary of our findings, “A Dozen Ways Your AI Stack Is Bleeding Data,” which touches on this. We identified 46 exposure vectors across 8 categories spanning the full AI trust boundary: compute, control, application, and the handoffs between them. That’s without considering malicious actors. These are scenarios where nothing is broken, logs look clean, and your system is still leaking data.

The biggest gaps aren’t in connectivity; MCP is solving that. The gaps are in what happens after an agent connects. Most organizations can’t answer three basic questions: How does our AI actually behave? Who controls it? And how do we prove policies were enforced?

Our research showed that boundaries are configured but never enforced. A policy exists in a document, a config file, or a deploy-time setting, but the running system isn’t constrained by it. An AI executive assistant puts material non-public information on a calendar invite. A RAG copilot serves board-level financials to a junior analyst. A vendor SDK silently exfiltrates 10 million queries over 12 months. In every case, the access controls were in place. The data leaked anyway.

Until enterprises close the gap between configured policy and enforced policy, MCP standardizes the front door. But the house is still unguarded.

When AI agents are given access to sensitive systems and proprietary data, what new privacy and compliance risks tend to surface that enterprises are often unprepared for?

Most enterprises think about privacy in terms of data at rest or in transit. That model breaks in agentic workflows because the biggest risk is data exposure while it’s being used.

Here’s what I mean. A performance car manufacturer runs AI across its assembly line. The raw data seems harmless: sensor readings, timing sequences, quality checks. But an LLM can now reconstruct proprietary manufacturing processes from that data exhaust. What was noise five years ago is now a blueprint for a competitor.

Our AI Leak Surface research documents this pattern across dozens of scenarios. Operational telemetry tools capture full AI payloads by default, and one European bank had 2.1 million prompts containing PII flowing to a US SaaS instance because nobody changed the APM defaults. Agent memory bleeds context between sessions. Chain-of-thought traces expose complete investigative records to observability platforms accessible by contractors. Traditional compliance frameworks weren’t designed to detect this kind of leakage. They assumed humans were moving data at human speed.

Why is Confidential AI becoming a necessary counterpart to MCP, and how does it address challenges that access standards alone cannot solve?

MCP solves who can access what and how, while Confidential AI solves what happens once access is granted. They’re complementary layers.

Access standards alone can’t prevent runtime compromise, policy drift, or unauthorized data use. Think about it this way: MCP gives you a standardized way to connect agents to your systems. Confidential AI gives you cryptographic guarantees that once connected, those agents can only do what they’re authorized to do, and you can prove it.

Confidential AI delivers those guarantees at runtime across data, identity, code, and communication. It provides verifiable proof of execution and ensures that privacy and policy enforcement don’t stop at the access boundary but persist as AI actively reasons, generates, and acts. Without it, MCP is a solid foundation. But foundations alone don’t make a building secure.

In practical terms, what does verifiable trust look like for an enterprise running autonomous AI agents across critical workflows?

Verifiable trust means I can prove what code ran, where it ran, under which policies, what data was accessed, and how the system behaved over time.

In practice, take an insurance company using AI agents to process demand letters. Before execution, hardware attestation verifies the agent’s identity and the integrity of the environment. During execution, cryptographic policy binding within a hardware-backed Trusted Execution Environment (TEE) ensures that data remains protected and that policies are enforced. After execution, a tamper-proof audit trail records exactly what happened.

The risk in agentic workflows isn’t that an agent goes rogue. The real risk is that you can’t demonstrate whether a policy was enforced or whether sensitive data was protected while agents were operational—before, during, and after. That’s what verifiable trust looks like.
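The before/during/after flow described in the last two answers (attestation of the code and its policy before execution, policy enforced at the data boundary rather than in a config document during execution, a tamper-evident audit trail after), as an added illustrative example. This is not OPAQUE's code and not part of the original interview. A production TEE quote (SGX, TDX, SEV-SNP) is signed by a hardware-rooted key and checked against vendor certificates; here the "hardware" key is a constructed HMAC secret, and the policy, roles, code images and claim record are constructed sample data, so the whole flow runs offline in Python.

```python
"""Toy model of a verifiable agent step: attest, enforce, record.
Illustrative only: HW_KEY is a constructed stand-in for a TEE signing key."""
import hashlib
import hmac
import json

HW_KEY = b"constructed-hardware-root-key"   # constructed, NOT a real attestation key
GENESIS = "0" * 64


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes are stable across runs and hosts."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- before execution: the quote binds the code measurement AND the policy hash ---
def issue_quote(code_image: bytes, policy: dict) -> dict:
    """Simulated enclave: measure the loaded code, place the policy hash in
    report_data, sign both with the (constructed) hardware key."""
    body = {"measurement": sha256(code_image), "report_data": sha256(canonical(policy))}
    sig = hmac.new(HW_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_quote(quote: dict, expected_measurement: str, policy: dict) -> bool:
    """Relying-party check: genuine signature, known-good code, and exactly the
    policy the caller expects to be enforced. Any mismatch: release nothing."""
    expected_sig = hmac.new(HW_KEY, canonical(quote["body"]), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, quote["sig"])
            and quote["body"]["measurement"] == expected_measurement
            and quote["body"]["report_data"] == sha256(canonical(policy)))


# --- after execution: hash-chained log, so an edited or deleted entry breaks the chain ---
class AuditLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(prev: str, event: dict) -> str:
        return sha256(canonical({"prev": prev, "event": event}))

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": self._hash(prev, event)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._hash(prev, e["event"]):
                return False
            prev = e["hash"]
        return True


# --- during execution: policy checked at the data boundary, not in a document ---
def run_agent_step(quote, expected_measurement, policy, principal, fields, record, log):
    """Attestation gate, then per-role field allow-list, then an audit entry either way."""
    if not verify_quote(quote, expected_measurement, policy):
        log.append({"principal": principal, "fields": fields, "outcome": "denied:attestation"})
        return None
    allowed = set(policy["allow"].get(principal["role"], []))
    blocked = sorted(f for f in fields if f not in allowed)
    if blocked:
        log.append({"principal": principal, "fields": fields,
                    "outcome": "denied:policy:" + ",".join(blocked)})
        return None
    log.append({"principal": principal, "fields": fields, "outcome": "allowed"})
    return {f: record[f] for f in fields}


def demo() -> dict:
    """Constructed scenario: one demand-letter record, two roles, one unknown code image."""
    policy = {"allow": {"analyst": ["claim_id", "status"],
                        "adjuster": ["claim_id", "status", "reserve_amount"]}}
    record = {"claim_id": "C-1001", "status": "open", "reserve_amount": 25000}
    good_image = b"agent-v1.2.0"                              # constructed code image
    expected = sha256(good_image)
    log = AuditLog()
    good_quote = issue_quote(good_image, policy)
    bad_quote = issue_quote(b"agent-v1.2.0-patched", policy)  # valid signature, unknown code
    analyst, adjuster = {"id": "u1", "role": "analyst"}, {"id": "u2", "role": "adjuster"}
    out = {
        "analyst_reserve": run_agent_step(good_quote, expected, policy, analyst,
                                          ["claim_id", "reserve_amount"], record, log),
        "adjuster": run_agent_step(good_quote, expected, policy, adjuster,
                                   ["claim_id", "reserve_amount"], record, log),
        "tampered_code": run_agent_step(bad_quote, expected, policy, adjuster,
                                        ["claim_id"], record, log),
    }
    out["outcomes"] = [e["event"]["outcome"] for e in log.entries]
    out["log_ok"] = log.verify()
    log.entries[0]["event"]["outcome"] = "allowed"   # attempt to launder the first denial
    out["log_tampered_detected"] = not log.verify()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two points worth noticing: the policy hash lives inside the signed quote, so swapping in a looser policy after attestation is detected for the same reason a modified code image is; and every denial is logged as well as every grant, so a missing entry, not just an altered one, is visible when the chain is checked.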

As agentic systems operate at machine speed, why does traditional human oversight break down, and how should organizations rethink governance in this new environment?

For decades, the internet had an invisible guardrail: us. Humans read content, click intentionally, and don’t silently act across a hundred systems simultaneously.

Agentic AI erases those assumptions overnight. Agents operate continuously, make decisions at machine speed, and can be manipulated by environments designed for humans but exploitable by machines. A malicious webpage doesn’t need to trick an AI the way it tricks a person; it can simply instruct it.

At just 1% risk per agent, a network of 100 agents faces a 63% probability of a breach. Scale to a thousand and you’re at 99.99%. Human-in-the-loop governance cannot keep pace with those numbers. Oversight has to shift from reactive review to runtime guarantees. That means zero-trust workflows, policy enforcement by default, and verifiable execution that doesn’t depend on a human catching the failure after the fact.

What are the most common security failures you see when enterprises experiment with agentic AI without a built-in trust layer?

The pattern I see most often is that enterprises let agents act and coordinate without any cryptographic guarantees around their behavior. They’re processing sensitive IP on hope.

What follows is predictable, and we’ve documented the specific patterns in our AI Leak Surface research. Runtime compromises bypass traditional perimeter defenses because the agent is already inside the network. Autonomous agent chains create cascading failures. One exploited agent triggers a domino effect across connected systems. Proprietary logic leaks through data exhaust that nobody thought to monitor. Agents lose the ability to distinguish enterprise intent from malicious input because there’s no verifiable identity or policy binding at runtime.

These aren’t hypothetical. We mapped 46 vectors where data escapes its intended controls, even when nothing appears broken. AI agents generate and share data at machine speed. Without verifiable runtime safeguards built into the workflow, failures propagate faster than any security team can detect or respond.

How are leading organizations balancing the need to unlock advanced AI capabilities while still protecting their most sensitive data assets?

The organizations getting this right treat privacy and governance as accelerators, not brakes. That’s the key insight.

What I’m seeing in the field is that leading enterprises pair advanced AI capabilities with confidential AI platforms that deliver verifiable guarantees, not just compliance checklists. They’re unlocking sensitive data for AI innovation while ensuring proprietary information stays protected, even when workflows run autonomously.

The old framing was capability versus security. The organizations moving fastest have rejected that trade-off entirely. They build verifiable trust into the foundation of their AI strategy, enabling them to put their most valuable data to work. At the same time, competitors are still stuck in pilot mode, running AI on sanitized datasets that don’t move the needle.

Based on what you are seeing today, how do you expect enterprise AI governance models to evolve over the next few years as agentic systems move from pilots into full production?

Governance is going to evolve from paperwork to proof. That’s the simplest way I can put it. Early governance models were built for human-paced software: policies on paper, approvals before deployment, reviews after something went wrong. Agentic systems break every one of those assumptions. They operate continuously, act autonomously, and generate cascading effects at machine speed.

What we’re seeing is governance moving toward runtime verifiability as the new security boundary, supported by cryptographic guarantees that prove behavior across every stage of an agent’s lifecycle, before, during, and after. It’s the same pattern we saw with HTTPS becoming the default for web traffic. Nobody debates whether to encrypt web connections anymore. Within a few years, nobody will debate whether to verify AI execution at runtime. It’ll be table stakes.

Thank you for the great interview. Readers who wish to learn more should visit OPAQUE.

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.