Thought Leaders
A Framework for Understanding the Confidential Computing Landscape

Confidential Computing Is Having a Moment
The confidential computing space is experiencing a wave of innovation across multiple fronts simultaneously. Trusted Execution Environments (TEEs) are maturing and becoming easier to deploy. (Fully Homomorphic Encryption) FHE is closing the performance gap that has kept it theoretical for years. And the Web3 ecosystem continues to push zero-knowledge proof technology forward at a remarkable pace, with general-purpose zkVMs now proving arbitrary computation orders of magnitude faster than even two years ago.
At the same time, the rise of agentic AI is creating new urgency around trust, privacy, and verifiability. As AI systems move beyond generating content and begin taking actions on behalf of users, organizations are increasingly asking whether traditional security and compliance controls are sufficient for autonomous software operating at enterprise scale.
At DataTribe, we have been spending significant time in this space, talking to startups, evaluating the technology, and trying to understand where the most durable opportunities will emerge. Here is how we are thinking about it.
A Framework for Confidential Computing
When we look at the confidential computing landscape, we find it useful to break it into three distinct pillars. Each represents an independent guarantee. Importantly, they do not overlap: a solution that delivers one pillar does not automatically deliver the others.
-
Protected Compute: Input, processing, and output all remain protected end to end. Even the operator running the computation cannot see anything.
-
Compute Integrity: Cryptographic verification that the correct computation actually ran, even on potentially adversarial hardware.
-
Private Collaboration: Multiple parties jointly compute over their combined data without any party revealing its inputs to the others.
Each pillar maps to different buyer needs, technology stacks, and competitive dynamics. Today we focus on the first two: Protected Compute and Compute Integrity.
The AI Privacy Paradox and Protected Compute
AI has been a major catalyst for interest in Protected Compute. Enterprises are increasingly anxious about the data they share with LLM providers, and demand for confidential inference is growing.
But there is a paradox worth noting. The same enterprise that agonizes over sending customer transcripts to an AI provider happily routes compensation data through ADP, funnels its pipeline into Salesforce, and hands patient records to its EHR vendor. The protection in every case is the same: a contract with data protection promises and compliance reports. No cryptographic guarantees. So why are AI providers treated differently?
There are real reasons. The fear that data will be used for training, absorbed into model weights, and could surface in another customer’s output has no analog in traditional SaaS. The value exchange feels asymmetric, with enterprises perceiving that their data may improve the provider’s product for competitors. And regulators are paying specific attention to AI data handling in ways they have not applied to the existing SaaS stack. AI providers have begun entering into contracts with protections similar to traditional SaaS agreements, but the speed of adoption and the fear of “shadow AI,” where employees use AI services that are not under contract with the enterprise, add urgency that conventional SaaS procurement hasn’t recently faced.
Whether these concerns are fully rational or partly driven by the novelty of AI, they are creating real buying urgency. The more interesting question is whether this urgency stays confined to AI or spreads. If enterprises start demanding cryptographic data protection from their LLM providers and then realize the logical inconsistency of not demanding it from everyone else, the total addressable market for Protected Compute expands dramatically beyond AI inference.
FHE vs. TEEs for Protected Compute
Two primary technology approaches compete for Protected Compute, and they represent fundamentally different trust models.
TEEs such as AMD SEV-SNP, Intel TDX, and NVIDIA’s confidential GPUs are the pragmatic choice today. They deliver Protected Compute with minimal performance overhead and are already available as native offerings from the major cloud providers. The trust assumption is in the silicon vendor and, to varying degrees, in the cloud provider operating the hardware.
FHE takes a purely mathematical approach. Data stays encrypted throughout the entire computation, and the security guarantee does not depend on trusting any hardware or operator. The tradeoff has historically been performance: FHE operations have been many orders of magnitude slower than plaintext computation, limiting it to narrow use cases.
That gap is closing faster than many people realize. Hardware acceleration is a major driver. Niobium’s purpose-built FHE accelerator cards are delivering several orders of magnitude improvement over software-only FHE. Cornami, whose chief scientist is Craig Gentry (widely credited as the inventor of FHE), has claimed “near plaintext speeds” for LLM inference using FHE, though independent benchmarks have not been published. Another company has demonstrated FHE-based LLM inference on a Llama 3 70b model at speeds approaching unencrypted performance. These claims warrant scrutiny, but the trajectory is clear: the performance gap that kept FHE theoretical is narrowing rapidly.
If FHE becomes fast enough for production workloads, the implications are profound. You no longer need to trust the silicon vendor, the cloud provider, or anyone with physical access to the hardware. Your security guarantee becomes mathematical, not operational.
For investors, this creates an important strategic question: are you betting on hardware trust becoming more trustworthy (the TEE path), or on cryptographic performance improving enough to make math-only solutions practical (the FHE path)? Most near-term revenue is on the TEE side. The long-term defensibility argument may favor the mathematical approach, at least for some compute domains.
Compute Integrity: From Insider Threat to Adversarial Environments
Compute Integrity addresses a different problem: how do you know the right computation actually ran?
In controlled environments like enterprise data centers and hyperscaler clouds, TEEs handle this reasonably well. Attestation mechanisms let you verify that the expected code was loaded into a genuine TEE before sending data. This is valuable for protecting against insider threats, compromised infrastructure, or deployment issues. For most enterprise use cases, TEE-based attestation is good enough.
But “good enough” depends on your threat model. In truly adversarial environments, where you have no control over the hardware and the operator may be actively hostile, TEE guarantees degrade. Recent research has demonstrated practical attacks against TEE attestation using low-cost hardware interposers, and the major chip vendors have acknowledged that physical attacks fall outside their threat model. In a well-run data center with physical security, this residual risk is manageable. On an unknown node in a decentralized compute network, it is not.
This is precisely why the Web3 world has been the primary driver of zero-knowledge proof innovation. ZK proofs provide mathematical certainty about compute integrity regardless of the hardware environment. If the proof verifies, the computation was correct, whether the proven compute was done in a secure facility or in someone’s garage.
The pace of improvement here has been remarkable. General-purpose zkVMs now let developers write normal Rust code and generate proofs automatically, without hand-writing cryptographic circuits. Succinct’s SP1 Hypercube proves Ethereum blocks in under 12 seconds on 16 GPUs. ZKsync’s Airbender reports over 21 million cycles per second on a single H100.
For AI workloads specifically, zkML is making progress but remains expensive. Proving LLM inference still runs thousands of times slower than the inference itself. Smaller models like classifiers and embedding models are approaching practical ZK provability now, and frontier LLM proving is likely two to three years out. An interesting middle ground is “optimistic” verification, where proofs are generated only when results are challenged rather than for every computation, dramatically reducing amortized cost.
Where This Is Heading
The confidential computing space is at an inflection point. Innovation is happening across TEEs, FHE, and ZK simultaneously, each driven by different communities with different priorities but converging on a shared set of problems.
The dynamics around what buyers find most urgent will determine which approaches gain traction first. Enterprises focused on regulatory compliance and cloud data protection will likely pull TEE-based solutions forward. The AI wave may accelerate demand for FHE if performance continues to improve. Decentralized compute and Web3 applications will continue pushing ZK technology toward broader applicability.
We also expect hybrid architectures to emerge as a practical middle ground. TEEs for privacy combined with ZK proofs for integrity, for instance, give you strong confidentiality with mathematical certainty on correctness. This combination works well for scenarios where the hardware environment is partially trusted but not fully controlled.
This framework is becoming especially relevant around the Linux Foundation’s Confidential Computing Summit in San Francisco last week, where a central theme was whether confidential computing can serve as the security layer that makes agentic AI deployable at enterprise scale. As organizations begin giving AI agents access to sensitive systems, data, and workflows, the questions of protected compute, compute integrity, and verifiable trust move from theoretical architecture discussions to operational requirements.
For startups, the opportunities are substantial across the stack: making TEE-based confidential compute easier for SaaS companies to adopt, building the tooling that brings FHE from research to production, creating the infrastructure for ZK-based compute integrity in enterprise contexts, and developing the trust broker and attestation layers that sit between customers and cloud providers. We continue to study this space and are excited by the founders we are meeting. Different workloads, threat models, and regulatory regimes will demand different combinations of the three pillars. The companies that win will be the ones that pick a pillar, solve it decisively, and make it easy for enterprises to adopt.












