# Agentic AI security steals the spotlight at Confidential Computing Summit

> Source: <https://www.infoworld.com/article/4189466/agentic-ai-security-steals-the-spotlight-at-confidential-computing-summit.html>
> Published: 2026-06-25 16:31:26+00:00

For a decade, confidential computing has been chipping away at one of security’s hardest problems: data is well encrypted in transit and at rest, but when a processor works on it, that data sits in memory in the clear, exposed to anyone with privileged host access.

“Confidential computing’s aim was to solve this with a trusted execution environment, a subset of the CPU that runs the encrypted workload and handles things like memory encryption,” said [Marina Moore](https://www.linkedin.com/in/marina-moore-5a7242105/), lead security researcher at [Edera](https://edera.dev/).

For years the field felt like post-quantum cryptography: PhD research scientists agreeing the work is essential while waiting for it to reach mainstream practitioners. At the [Confidential Computing Summit](https://events.linuxfoundation.org/confidential-computing-summit/) in San Francisco this week, the breakout use case came into focus: agentic AI.

“I was in the really early days of HTTP, and then HTTPS came along pretty quickly,” said [Mike Bursell](https://www.linkedin.com/in/mikebursell/), executive director of the [Confidential Computing Consortium](https://confidentialcomputing.io/). He sees agentic AI where the web sat before certificate authorities and public key infrastructure brokered trust online.

“The original agent specifications were not written by security architects,” Bursell said, and “some of it feels in need of refinement.”

The gap confidential computing fills is attestation, which provides proof of what runs. The hardware hashes the memory and firmware of a protected execution environment and signs the result inside the chip, Bursell explained, producing a measurement a verifier checks against the expected software. Without it, an agent session shares the early web problem of open windows for hijacking, except the attackers are now agents themselves.
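The measurement-and-verify loop Bursell describes can be made concrete with a small simulation. The following Go program is an added example, not code from the article or from any vendor's attestation stack: it stands in a SHA-256 over firmware and workload bytes for the hardware measurement, an Ed25519 key that never leaves a `Device` struct for the chip's attestation key, and a verifier-supplied nonce (an assumption of this example; the article does not mention freshness) so that an old report cannot be replayed. The verifier holds only the device's public key and an allow-list of expected measurements, and rejects a report whose signature, nonce, or measurement does not check out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Report is a simplified attestation report: the measurement of what was
// loaded, the verifier's freshness nonce, and a signature over both made by
// the device's attestation key.
type Report struct {
	Measurement [32]byte
	Nonce       []byte
	Signature   []byte
}

// Device stands in for the hardware root of trust; the private key is held
// only here, mirroring a key that is fused into the chip (simulation, not a
// real TEE interface).
type Device struct {
	key ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: priv}, nil
}

// PublicKey is what a relying party provisions as the trusted verification key.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.key.Public().(ed25519.PublicKey)
}

// Measure hashes the loaded firmware and workload image, standing in for the
// hardware hashing memory and firmware of the protected environment.
func Measure(firmware, workload []byte) [32]byte {
	h := sha256.New()
	h.Write(firmware)
	h.Write(workload)
	var m [32]byte
	copy(m[:], h.Sum(nil))
	return m
}

// reportPayload binds measurement and nonce under one signature with a
// domain-separation prefix so the signature cannot be reused for other data.
func reportPayload(m [32]byte, nonce []byte) []byte {
	return append(append([]byte("attest-v1|"), m[:]...), nonce...)
}

// Attest produces a signed report for the given load, using the verifier's nonce.
func (d *Device) Attest(firmware, workload, nonce []byte) Report {
	m := Measure(firmware, workload)
	return Report{Measurement: m, Nonce: nonce, Signature: ed25519.Sign(d.key, reportPayload(m, nonce))}
}

// Verifier holds the trusted device key and the allow-list of known-good
// measurements (the "expected software" the report is checked against).
type Verifier struct {
	DevicePub ed25519.PublicKey
	Expected  map[[32]byte]string
}

// Verify returns the allow-list name for the software that is running, or an
// error explaining which check failed. Order matters: freshness and signature
// are checked before the measurement is even looked up.
func (v Verifier) Verify(r Report, nonce []byte) (string, error) {
	if !bytes.Equal(r.Nonce, nonce) {
		return "", errors.New("nonce mismatch: report is not fresh")
	}
	if !ed25519.Verify(v.DevicePub, reportPayload(r.Measurement, r.Nonce), r.Signature) {
		return "", errors.New("signature invalid: report not produced by the trusted device")
	}
	name, ok := v.Expected[r.Measurement]
	if !ok {
		return "", fmt.Errorf("unknown measurement %s...: software not on the allow-list",
			hex.EncodeToString(r.Measurement[:8]))
	}
	return name, nil
}

func main() {
	// Constructed sample images; real measurements cover firmware and guest memory.
	firmware, workload := []byte("firmware-v1"), []byte("agent-runtime-v1")
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	v := Verifier{DevicePub: dev.PublicKey(), Expected: map[[32]byte]string{Measure(firmware, workload): "agent-runtime-v1"}}
	nonce := []byte("nonce-from-verifier-1")
	fmt.Println(v.Verify(dev.Attest(firmware, workload, nonce), nonce))                         // agent-runtime-v1 <nil>
	fmt.Println(v.Verify(dev.Attest(firmware, []byte("agent-runtime-modified"), nonce), nonce)) // allow-list error
	fmt.Println(v.Verify(dev.Attest(firmware, workload, nonce), []byte("nonce-2")))             // freshness error
}
```

The three calls in `main` cover the cases a verifier must distinguish: the expected image on genuine hardware, a modified image on genuine hardware (the signature is valid but the measurement is not on the allow-list), and a genuine report presented against a later nonce. A report signed with any key other than the provisioned device key fails the signature check the same way, which is the property that lets the verifier trust the measurement at all.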

The old objection that confidential computing demanded exotic hardware is largely gone, Bursell said, now that it ships in AMD, Intel, and NVIDIA parts and turns on with a click [in Microsoft Azure](https://www.infoworld.com/article/2256355/what-is-azure-confidential-computing.html) or Google Cloud. The goal is to make confidential computing so accessible that secure execution becomes the default assumption rather than a specialized deployment choice, and for trust alarms to go off when secure execution criteria are not met, much as a user visiting a non-HTTPS website is greeted with a warning.

Many of the working sessions at the Confidential Computing Summit, hosted by the Linux Foundation, were about turning these mechanisms into standards, following the same path internet security took through bodies such as the IETF and IEEE.

[Raghu Yeluri](https://www.linkedin.com/in/raghu-yeluri-17550/), senior principal engineer at Intel, detailed a composite attestation format that Intel, Microsoft, and NVIDIA built so that attestation data can span confidential VMs, their CPUs, and GPUs, without vendor-specific formats. Yeluri said the group hopes to advance that work toward an RFC within the next year.

That effort runs through the Confidential Computing Consortium, the Linux Foundation community where competing companies collaborate on shared infrastructure problems. The consortium is not trying to become a registry of trusted agents, Bursell added, but rather a place where companies can develop frameworks, best practices, and, equally important, antipatterns.

Identity drew some of the strongest interest at this week’s event. [Pawan Khandavilli](https://www.linkedin.com/in/khpawan/), senior product manager at Microsoft, pointed to agent payment initiatives from Visa, Mastercard, and Google, the FIDO Alliance’s emerging agent work, SPIFFE workload identities, and RFC 8693 token exchange. The pieces already exist, Khandavilli argued, but “the vocabulary is fragmented.” The challenge now is connecting those identity systems to hardware-backed attestation rather than relying solely on software trust.

Hardware-isolated environments are only as secure as the shared substrates beneath them. [Zvonko Kaiser](https://www.linkedin.com/in/zvonkok/), principal systems engineer at NVIDIA, argued that attestation protects the trusted execution environment itself but does not eliminate risks in those lower layers. The processor cache sits below every isolation boundary, and a 2026 technique called [TDXRay](https://tdxray.cpusec.org/#explainer) demonstrated how information could be observed across virtual machine boundaries. No layer above the cache, Kaiser argued, can completely hide what the cache itself sees.

The Kubernetes control plane presents another challenge. One etcd store may hold secrets for multiple tenants, while a shared scheduler decides where workloads run. Those shared services create opportunities for compromise that sit outside the guarantees provided by confidential computing hardware.

[Antoine Delignat-Lavaud](https://www.linkedin.com/in/antoine-delignat-lavaud-27545276/), principal researcher at Microsoft, highlighted another limitation. Attestation can prove that a workload runs on authentic confidential computing hardware, but “it doesn’t tell you where it is running,” leaving questions of data residency and sovereignty unresolved.

“Confidential computing is hardware based. If and when vulnerabilities are discovered, it’s much harder to patch those and re-establish the security,” added Edera’s Moore.

Microsoft’s Khandavilli outlined four major gaps that still require industry coordination: binding agent identities directly to hardware, bringing attestation into the [Model Context Protocol](https://www.infoworld.com/article/4029634/what-is-model-context-protocol-how-mcp-bridges-ai-and-external-services.html) that increasingly governs tool access, establishing trusted chains when agents delegate work to other agents, and enabling trust relationships across cloud providers. Intel’s Yeluri noted that confidential computing will not solve every security problem, but it provides the foundation upon which higher-level controls can be built.

What was clear from the Confidential Computing Summit is that security for AI agents increasingly resembles the trust infrastructure that underpins today’s internet. Certificates, identity brokers, verification services, and cryptographic handshakes established trust between systems that did not know each other. Agentic AI appears headed toward the same destination.

For example, last month the Linux Foundation announced DNS-AID, extending domain name system concepts into agent discovery and [introducing an Agent Name Service framework](https://www.infoworld.com/article/4189361/new-linux-foundation-project-aims-to-bring-dns-style-trust-to-ai-agents.html) for agent identity.

Who ultimately operates those trust services for agents is “still coming out in the wash,” said Bursell. “Regulators, governments, software vendors, cloud providers, and others may all play roles. If you can’t establish trust, you can’t understand or manage risk.”

Confidential computing is focused on the layer beneath those systems, creating ways to verify the environments where agents execute and the actions they perform. If that work succeeds, the trust fabric that emerges around agents may end up looking remarkably similar to the one that quietly powers the internet today.
