TL;DR
NVIDIA publishes open reference architecture for deploying proprietary AI models securely using confidential computing, Kata Containers, and hardware-backed TEEs without exposing model weights or data to infrastructure operators.
Key Points
- Architecture combines CPU TEEs with NVIDIA confidential GPUs (Hopper, Blackwell) for encrypted AI workloads
- Uses Kata Containers to wrap Kubernetes pods in hardware-isolated VMs, removing the host OS from the trust boundary
- Implements composite attestation workflow via Remote Attestation Procedures (RATS) for secure model key release
- Developed with open source projects and ecosystem partners including Red Hat, Intel, Anjuna Security, Fortanix, and others
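The composite attestation step in the key points above is the one a practitioner most needs to see concretely: the model wrapping key is released only after evidence from both the CPU TEE and the GPU has been verified against a policy. The following is an added illustration, not NVIDIA's or any partner's code and not the RATS wire format. It is a toy key broker: real CPU TEE and GPU reports are signed by hardware-held keys and checked against vendor certificate chains, and here HMAC with constructed shared secrets stands in for those signatures so the example runs offline. The measurement values, key names and the `gpu_report_digest` binding field are assumptions for this example.

```python
"""Toy composite-attestation key release (added example, not vendor code)."""
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins for hardware signing keys (assumption: real reports
# are signed by device keys and verified via a vendor certificate chain).
CPU_TEE_KEY = b"constructed-cpu-tee-signing-key"
GPU_KEY = b"constructed-gpu-signing-key"

# Reference values the key-release policy trusts (constructed sample values).
REFERENCE_POLICY = {
    "cpu_measurement": hashlib.sha256(b"kata-guest-image-v1").hexdigest(),
    "gpu_measurement": hashlib.sha256(b"gpu-firmware-v1").hexdigest(),
    "gpu_cc_mode": "on",
}

MODEL_KEY = b"constructed-model-wrapping-key"


def _sign(key: bytes, claims: dict) -> str:
    """HMAC over canonical JSON; stands in for a hardware report signature."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_evidence(nonce: str, cpu_measurement: str, gpu_measurement: str,
                  gpu_cc_mode: str = "on") -> dict:
    """Attester side: a GPU report and a CPU TEE report, both bound to the
    verifier's nonce so a captured report cannot be replayed later."""
    gpu_claims = {"nonce": nonce, "measurement": gpu_measurement, "cc_mode": gpu_cc_mode}
    gpu_report = {"claims": gpu_claims, "sig": _sign(GPU_KEY, gpu_claims)}
    # The CPU report carries a digest of the GPU report (assumed field), so a
    # verifier can tell the two reports were produced together, not mixed.
    gpu_digest = hashlib.sha256(json.dumps(gpu_report, sort_keys=True).encode()).hexdigest()
    cpu_claims = {"nonce": nonce, "measurement": cpu_measurement, "gpu_report_digest": gpu_digest}
    cpu_report = {"claims": cpu_claims, "sig": _sign(CPU_TEE_KEY, cpu_claims)}
    return {"cpu": cpu_report, "gpu": gpu_report}


def verify_composite(evidence: dict, nonce: str, policy: dict) -> list:
    """Verifier: returns the list of policy failures (empty list means pass)."""
    failures = []
    cpu, gpu = evidence["cpu"], evidence["gpu"]
    if not hmac.compare_digest(_sign(CPU_TEE_KEY, cpu["claims"]), cpu["sig"]):
        failures.append("cpu report signature invalid")
    if not hmac.compare_digest(_sign(GPU_KEY, gpu["claims"]), gpu["sig"]):
        failures.append("gpu report signature invalid")
    if cpu["claims"].get("nonce") != nonce or gpu["claims"].get("nonce") != nonce:
        failures.append("nonce mismatch (stale or replayed evidence)")
    gpu_digest = hashlib.sha256(json.dumps(gpu, sort_keys=True).encode()).hexdigest()
    if cpu["claims"].get("gpu_report_digest") != gpu_digest:
        failures.append("gpu report not bound to cpu report")
    if cpu["claims"].get("measurement") != policy["cpu_measurement"]:
        failures.append("cpu measurement not in policy")
    if gpu["claims"].get("measurement") != policy["gpu_measurement"]:
        failures.append("gpu measurement not in policy")
    if gpu["claims"].get("cc_mode") != policy["gpu_cc_mode"]:
        failures.append("gpu confidential computing mode not enabled")
    return failures


def release_model_key(evidence: dict, nonce: str, policy: dict = REFERENCE_POLICY):
    """Key broker (relying party): release the wrapping key only on a clean verdict."""
    failures = verify_composite(evidence, nonce, policy)
    return (MODEL_KEY, []) if not failures else (None, failures)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # fresh per attestation round
    good = make_evidence(nonce, REFERENCE_POLICY["cpu_measurement"],
                         REFERENCE_POLICY["gpu_measurement"])
    print("good evidence:", release_model_key(good, nonce))
    stale = make_evidence("old-nonce", REFERENCE_POLICY["cpu_measurement"],
                          REFERENCE_POLICY["gpu_measurement"])
    print("replayed evidence:", release_model_key(stale, nonce))
```

The design point is that the broker never sees the model weights, only attestation evidence, and that each check fails closed: an unknown GPU firmware measurement, a GPU not in confidential mode, a stale nonce, or a CPU report that was not produced alongside the GPU report all withhold the key.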
Why It Matters
Solves the three-way trust dilemma in enterprise AI: model providers can deploy proprietary models without exposing weights, infrastructure operators gain workload verification without trusting tenants, and data owners ensure sensitive information stays encrypted throughout execution. This unblocks on-premises AI adoption for regulated industries with strict data residency requirements.
Source: developer.nvidia.com