

Written by protopia

Zero-Trust AI Factories Unlock Sensitive AI Anywhere with Protopia AI Stained Glass Transform and NVIDIA Confidential Containers

Confidential containers protect the model weights. Stained Glass Transform protects the inference data the model runs on. Together, they unlock zero-trust AI across multi-tenant infrastructure, expanding where sensitive AI workflows can safely run.

Zero-trust AI factories now have a hardware-rooted foundation. With general availability of NVIDIA support for Confidential Containers (CoCo) on Kubernetes, pods run inside hardware-isolated VMs, model weights stay encrypted until remote attestation succeeds, and the host operating system, hypervisor, and root administrator are out of the trust equation.

That foundation addresses the model side of the AI factory trust dilemma. The other side is the inference data. Today that data is exposed almost everywhere else: it touches numerous surfaces of the serving stack in plaintext before, during, and after it reaches the GPU enclave. For an AI factory to truly be zero-trust, both sides must be protected simultaneously.

At GTC Taipei, 2026, we’re showing a joint demo built with NVIDIA that closes the data security gap. Protopia’s Stained Glass Transform (SGT) protects the inference data path across the full operational surface of the AI factory. NVIDIA Confidential Computing protects the model and its execution environment. Together they resolve the Trust Dilemma.

The Trust Dilemma

The trade-off that has shaped enterprise AI for years collapses on both sides at once. Data owners no longer choose between the best model, the best infrastructure, and uncompromising data confidentiality. Model providers no longer choose between protecting their IP and reaching the customers who need it most.

Composing model protection and data protection

The NVIDIA Reference Architecture for zero-trust AI factories secures the model side with Confidential Computing. With CC, encrypted model weights are bound to a specific Trusted Execution Environment (TEE). A Key Broker Service releases the decryption key only after hardware-rooted remote attestation succeeds, so the model is decrypted exclusively inside protected GPU memory. Unencrypted weights are therefore never exposed to anyone outside the enclave: not the infrastructure operator, not the host, and not unauthorized users or bad actors.

Protopia AI’s Stained Glass Transform (SGT) secures the data side. Before any prompt, document, image, or video frame leaves the data owner’s environment, SGT converts the inference data into a stochastic representation that the target model can reason over directly, with no reversal to the original raw or plaintext form. The multi-tenant infrastructure handles only the transformed representation. The raw plaintext never lands on a tenant host, so it cannot appear in inference logs, scheduler records, request caches, or anywhere on the fabric.

Both CC and SGT are necessary. Without SGT, the data owner has to ship plaintext to the serving environment, where it lives across application-layer surfaces that fall outside the TEE boundary. Without CC, the model provider has to expose proprietary weights to whatever environment hosts inference. Neither situation is acceptable, which is why both controls must be in place at once.

Enterprises in regulated industries have been forced into a physical trade-off, locking sensitive workloads to on-prem or single-tenant deployments, giving up the flexibility and cost efficiency of hyperscalers and multi-tenant AI factories. Stained Glass Transform eliminates data exposure across the inference path, and paired with NVIDIA Confidential Computing, that trade-off disappears. Together we're delivering Zero-Trust AI Factories that bring frontier AI to sensitive workloads with the economics of multi-tenant infrastructure.
Jeff Brown, Chief Business Officer, Protopia AI

NVIDIA Confidential Computing
NVIDIA Confidential Computing anchors the model side. Encrypted weights are decrypted only inside an attested, hardware-isolated execution environment. Host, hypervisor, and infrastructure operator are outside the trust boundary.
Scope: GPU memory and the attested TEE boundary, with attested execution integrity inside it.

Protopia AI Stained Glass Transform (SGT)
SGT anchors the data side. Inference data is transformed into a stochastic representation upstream of the AI host. The plaintext is inaccessible to any unauthorized user and to the infrastructure operator of the host.
Scope: The full operational surface area of inference, including logs, caches and traces, observability tooling, and the fabric between racks.

How it Works

What the combined stack looks like in practice

The two layers operate as one integrated workflow inside a single Kubernetes cluster. Four architectural steps establish the joint guarantee.

01
Only an SGT representation crosses the cluster boundary
SGT runs in the data owner’s environment, upstream of the AI host, so only the stochastically transformed representation enters the cluster. The raw prompt, document, image, or video frame never lands on a tenant host.
02
Confidential platform attestation
The NVIDIA Blackwell GPU in Confidential Computing mode, the confidential guest VM, and the application and software components running in it are verified against known-good measurements. The Key Broker Service releases the decryption key into the encrypted guest VM only after attestation succeeds.
03
Model decryption inside the attested boundary
The encrypted weights are decrypted only inside protected GPU memory. The host operating system, the hypervisor, and the infrastructure operator remain outside the trust boundary.
04
Inference on stochastically transformed data inside an attested environment
During inference, neither the inference data nor the model weights are exposed in plaintext or raw form on the host. Containers, CUDA versions, Kubernetes manifests, and the NVIDIA NIM stack are unchanged; only the pod’s runtime class changes to select the Confidential Computing runtime, and SGT is applied upstream.
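The attestation-gated key release in steps 02 and 03 is the control that keeps the weights encrypted everywhere except inside the attested guest. The following is an added example in Python that models that control flow; it is not Protopia’s or NVIDIA’s code. Its assumptions: the hardware attestation signature is stood in for by an HMAC under a key the verifier trusts (a real TEE signs with a device key certified by the vendor, verified through a certificate chain), the reference measurements, device key and nonces are constructed, and the KBS hands the key back directly rather than wrapped to a guest-held key.

```python
"""Toy attestation-gated key release (added example, not Protopia/NVIDIA code).

A Key Broker Service (KBS) releases the model-decryption key only after a
confidential guest proves, with a fresh nonce, that its measured platform and
software match known-good reference values. Assumption: the hardware
attestation signature is stood in for by an HMAC; measurements are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed reference values: the measurements the KBS policy accepts.
REFERENCE_MEASUREMENTS = {
    "gpu_firmware": hashlib.sha256(b"blackwell-cc-fw-good").hexdigest(),
    "guest_kernel": hashlib.sha256(b"cvm-kernel-good").hexdigest(),
    "container_image": hashlib.sha256(b"nim-serving-image-good").hexdigest(),
}
# Stand-in for the device attestation key (assumption: a real TEE's private key
# never leaves the hardware; the verifier checks a vendor certificate chain).
ATTESTATION_KEY = b"constructed-device-key"
MODEL_KEY = secrets.token_bytes(32)  # the secret the KBS protects


@dataclass
class Evidence:
    nonce: bytes
    measurements: dict
    signature: bytes


def _digest(nonce, measurements):
    """Bind the verifier's nonce to a canonical encoding of the measurements."""
    h = hashlib.sha256(nonce)
    for name in sorted(measurements):
        h.update(name.encode())
        h.update(measurements[name].encode())
    return h.digest()


def attest(nonce, measurements):
    """Guest side: produce evidence over the nonce and the measured state."""
    sig = hmac.new(ATTESTATION_KEY, _digest(nonce, measurements), "sha256").digest()
    return Evidence(nonce, dict(measurements), sig)


class KeyBrokerService:
    def __init__(self, reference):
        self.reference = reference
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release(self, ev):
        """Return (key, reason); key is None unless every check passes."""
        # 1. Freshness: each nonce is usable exactly once, so evidence cannot be replayed.
        if ev.nonce not in self.outstanding:
            return None, "stale or unknown nonce"
        self.outstanding.discard(ev.nonce)
        # 2. Authenticity: the evidence must be signed over exactly these measurements.
        expected = hmac.new(ATTESTATION_KEY, _digest(ev.nonce, ev.measurements), "sha256").digest()
        if not hmac.compare_digest(expected, ev.signature):
            return None, "bad attestation signature"
        # 3. Policy: every reference component must be present and match known-good.
        for name, ref in self.reference.items():
            got = ev.measurements.get(name)
            if got is None or not hmac.compare_digest(got, ref):
                return None, f"measurement mismatch: {name}"
        return MODEL_KEY, "ok"


def run_scenarios():
    """Exercise the honest path and three failure modes; returns {name: (outcome_ok, reason)}."""
    kbs = KeyBrokerService(REFERENCE_MEASUREMENTS)
    good = dict(REFERENCE_MEASUREMENTS)
    results = {}
    # Honest guest running known-good software: key is released.
    ev = attest(kbs.challenge(), good)
    key, why = kbs.release(ev)
    results["good"] = (key == MODEL_KEY, why)
    # Replay of the same evidence: nonce already consumed.
    key, why = kbs.release(ev)
    results["replay"] = (key is None, why)
    # Guest honestly reports a modified serving image: signature valid, policy fails.
    bad = dict(good, container_image=hashlib.sha256(b"nim-serving-image-modified").hexdigest())
    key, why = kbs.release(attest(kbs.challenge(), bad))
    results["modified_image"] = (key is None, why)
    # Forged evidence: measurements edited after signing to look known-good.
    ev = attest(kbs.challenge(), bad)
    ev.measurements = good
    key, why = kbs.release(ev)
    results["forged"] = (key is None, why)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:15s} {'PASS' if ok else 'FAIL'}  ({why})")
```

The order of checks matters: freshness first so a captured evidence blob is worthless, authenticity second so an attacker who can only edit bytes cannot pass policy, and policy last so a guest that honestly reports a modified image is refused even though its signature is genuine. In a real deployment the evidence is a vendor-signed attestation report, the KBS verifies it against the vendor certificate chain and a reference-value policy, and the released secret is wrapped to a key held only inside the guest.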

Data path exposure beyond the enclave

The reason this combined story matters is that the operational surface area of an AI factory is much larger than the GPU enclave. Inference server logs, observability pipelines, disk spillage, and east-west fabric traffic between racks, among other surfaces, are all places where sensitive inputs appear in plaintext during normal serving operation. Confidential Computing, by design, is scoped to the hardware-isolated execution environment; the application-layer surfaces and the parts of a cluster that fall outside any single TEE remain outside its boundary. NVIDIA’s zero-trust documentation notes this explicitly under network and storage security.

SGT addresses these surfaces structurally rather than by policy. Because the stochastic transformation happens upstream of the AI host, every downstream component handles only the transformed representation. Because the model that a given SGT is built for interprets the transformed data as is, no decryption keys are needed downstream. As a result, a container escape, a misconfigured log file permission, or a compromised observability agent yields nothing recoverable. The audit posture is that plaintext sensitive data was never there to be exposed in the first place, and this can be verified by inspecting the serving layer without requiring attestation from every component that touched the request.

When SGT runs at the AI factory entry point, potentially on a confidential computing node or on an NVIDIA BlueField DPU, the rest of the AI factory can be optimized for throughput and scale without having to be hardened to a level the application stack was never designed to deliver.

Widening the aperture for both sides of the market

For years, running frontier models on sensitive enterprise or sovereign data has required one side to control the underlying infrastructure, which has narrowed the viable deployment options for both. What the combined stack changes is this: with SGT covering the data path and CC protecting the model weights, the operator no longer holds either party’s secrets in plaintext, which opens different options for each side of the market.


For Regulated Enterprises

Route sensitive workloads to the most capable model and the most cost-efficient infrastructure available, including multi-tenant AI factories and NVIDIA Cloud Partner endpoints.

Unlock access to the best model and the most cost-efficient and available infrastructure without risking data confidentiality.

For Frontier-Model Providers

Deliver proprietary models onto infrastructure chosen for the enterprise’s ROI envelope and data privacy requirements, without exposing IP and without inheriting the data-handling liability of the customer’s regulated content.

The addressable market widens beyond the small set of operator-controlled deployments.

Confidential computing is transforming AI factories into trusted environments. NVIDIA Confidential Computing, combined with Protopia AI's Stained Glass Transform, helps organizations protect sensitive inference data and model IP, enabling more secure AI deployment across multi-tenant infrastructure.
Justin Boitano, Vice President, Enterprise AI, NVIDIA

For enterprises in regulated industries, accessing the optimal model for a use case has historically meant one of two compromises. Either:

  1. The model is pulled into an environment the enterprise fully controls, which limits model choice and elasticity; or
  2. Sensitive prompts are sent into a vendor-controlled environment, which forces a compromise on data confidentiality and often on cost as well, because the only available mitigation has been hardware-isolated tenancy.

With CC protecting the model and SGT protecting the data path, both compromises lift simultaneously. We’ve seen this play out in regulated industries like financial services, healthcare, or even SLED, where customers want to run frontier models against PII or PHI but have been historically forced into single-tenant deployments to do it safely.

For model providers and frontier-model builders, the same combination removes the requirement to maintain direct hardware control over every environment where the model is served. Encrypted weights, attestation-gated key release, and SGT-protected input data together make it safe to deliver proprietary models onto the infrastructure that best fits the use case’s ROI envelope and the customer’s data privacy requirements at the same time.

This is how our collaboration with NVIDIA makes zero-trust AI factories anywhere an architectural property rather than a policy promise, and for the first time you can see it in a single live workflow, starting at GTC Taipei.

Experience it at GTC Taipei

The Protopia demo built with NVIDIA launches at GTC Taipei, June 1 to 5, 2026. Visitors can run a live-video feed workflow end to end (from raw data to stochastically transformed), toggle the failure mode, and inspect the data plane and the model-deployment plane independently.

In summary, NVIDIA Confidential Containers gave the industry a hardware-rooted answer for the model side of the AI factory trust dilemma. Stained Glass closes the loop on the data side. The result is Zero-Trust AI Factories that run anywhere, on any scale, without forcing either side to own the infrastructure end to end.
