
I met Ivan Krstić for the first time this year, and the first thing I did was thank him.
Krstić runs security engineering at Apple. He built Private Cloud Compute, and when Apple shipped it in 2024, his team documented it more thoroughly than anyone in the industry expected: stateless computation, no privileged access, verifiable transparency, published in enough detail that any outside researcher could check every claim. Ivan’s team didn’t have to do this; it’s actually unprecedented for Apple. They showed their work in an effort to raise the tide for the entire industry. You can use AI and keep your data sovereign.
I thanked Ivan because Private Cloud Compute did more than launch a feature: it educated the market. It taught a mainstream audience that a simple chatbot bleeds data: that the second your words leave your device, someone can see them, keep them, train on them. And if a chatbot bleeds, an agent hemorrhages. Apple made that legible to people who’d never otherwise think about it, and along the way it validated everything those of us building confidential AI for the enterprise had been saying into the wind.
Here’s what I told him, and what I still believe. Meta, TikTok, half the industry now get headlines for “adopting confidential AI.” Apple and Ivan were quietly leading the consumer side the entire time: naming the guarantees, setting the bar, showing everyone the way. The rising tide came out of Cupertino.
I’m thrilled to have Ivan keynoting the Confidential Computing Summit in San Francisco on June 23-24, the summit OPAQUE created and runs with the Linux Foundation. Before Ivan takes that stage, here’s why what Apple just shipped should matter to you, even if you never touch an Apple product.
The cost of AI shouldn’t be your data
Here’s what’s in it for you. Any AI that isn’t confidential is feeding on what you put into it (your questions, your files, your business), and most of the time you have no way to know where any of it goes. The cost of using AI should never be your data. Apple just proved it doesn’t have to be.
Private Cloud Compute no longer runs only in Apple’s data centers. It now runs on Google Cloud, on machines Apple doesn’t own. And Apple did it the way Apple does everything: they wrote the whole thing down, published the software, opened it to outside researchers, and kept a record of every machine that anyone can audit. You don’t take their word for any of it. You check.
Sit with what that proves. The most paranoid company on earth ran its most sensitive workloads on a competitor’s machines and showed nobody on those machines could see the data. Not Google. Not Apple’s own operators. Nobody.
That’s the wall every bank and every regulator has been stuck behind. They won’t put the crown jewels into AI because they don’t own the cloud it runs on, so they’ve been told to build everything themselves. Apple just showed that owning the machines was never the requirement. Proving what happens on them is. I’ve said for two years that confidential computing becomes table stakes the way HTTPS did. Nobody voted for the little lock in the browser; it just became the floor, and the sites without it withered. Apple put that lock on AI and ran it on someone else’s cloud to prove it travels. You don’t need your own data center. You need proof. That’s the unlock for public cloud, and it’s the foundation under every sovereign AI plan I’ve looked at this year, from the Gulf to the EU.
Now do it for agents
Everything Apple just shipped protects a single request to a chatbot, the kind Siri makes when it needs more horsepower than your phone has and reaches into the cloud. Left unprotected, even that one request leaks: your words and your context, sitting on a server you don’t control. Confidential AI is what stops it, and Private Cloud Compute is Apple’s version. They closed the chatbot case by making it confidential. That’s the easy one.
Agents are the hard case, and much riskier than a chatbot. They’re the one worth your attention, because that’s where the next decade gets decided.
An agent doesn’t wait for you to ask. It reads your email, opens your files, logs into your accounts, and acts for you. At machine speed. Across systems you’ll never watch live. Every step is a door your data can walk out of.
Here’s the math that keeps me up. Give one agent a 1% chance of leaking something it shouldn’t. For those of us building AI agents, 1% is very conservative. Fine. You’ll never notice. Run a hundred, and you’re past a coin flip (63%) of getting burned. Run a thousand, and a thousand is nothing, a mid-size rollout next year, and you will leak data. Not might. Will.
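The formula behind those figures, as an added worked equation rather than anything from the original post, assuming each agent's leak is an independent event with the same per-agent probability p:

$$
P(\text{at least one leak among } n \text{ agents}) = 1 - (1 - p)^{n}
$$

$$
p = 0.01,\ n = 100:\quad 1 - 0.99^{100} \approx 1 - 0.366 = 0.634
$$

$$
p = 0.01,\ n = 1000:\quad 1 - 0.99^{1000} \approx 1 - 4.3 \times 10^{-5} \approx 0.99996
$$

The independence assumption is the caveat a practitioner should keep in view: agents that share a prompt, a tool, or a credential fail together, which changes the exact number but not the direction of the curve.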
Take that flicker of dread about your words getting hoovered into a frontier lab through a chatbot, and multiply it by a thousand agents that never sleep, acting for you, talking to each other.
Here’s the part I want you to walk away with: this is solvable, and it’s already being solved. The fix for an agent is the same idea Apple used, taken further. Before the agent runs, you prove what it is and exactly what it’s allowed to touch. While it runs, you seal it inside hardware nobody can see into: not the cloud it runs on, not the operator, not even the company that built the agent. After it runs, it leaves a tamper-proof record of everything it did that anyone can check. Identity going in. A sealed room while it works. Receipts coming out. Do that, and an agent can act on your most sensitive data without ever exposing it.
Apple hasn’t built that for agents, and neither has any consumer platform. But it exists. We’re shipping it at OPAQUE (with post-quantum from our partners at TII), and we’re not the only ones. The work now is to make it the default for every agent, the way Apple made it the default for a chatbot on billions of phones. This is what I spend my days, nights, and weekends on (thanks to my wife, Stacey, for understanding).
If a phone can do it, so can your bank and healthcare provider
Every security leader I know has heard the same line for years: verifiable privacy is too slow, too expensive, more than you need. It tends to come from people who do very well when your data flows freely.
No more excuses.
Apple just did it on a phone. Consumer scale, consumer latency, consumer price, a billion times over. Once your iPhone runs verifiable confidential AI on its lunch break, “too hard for the enterprise” isn’t a sentence anyone can finish with a straight face. If Apple can do it for your photos, your bank can do it for your trades, your hospital can do it for your chart, and your damn CRM vendor can do it for your customer, partner, and supplier data!
Make no mistake, whoever controls the data owns the industry.
Faith is not a security model
This is the part I find humorous. Apple did this. The company that won’t confirm a product exists until Tim Cook is holding it on a stage. The most secretive operation in technology became the most transparent about how its AI runs, because at this point letting people verify it for themselves is the only thing that earns trust.
Meanwhile, the lab with “open” right in its name runs the most closed cloud in the business, and asks for your faith anyway. The social network that spent twenty years turning your attention into ad money now hands out “open” model weights like free samples, while the engine underneath runs on the deal it always has: your data is the product. Both take the headlines for “adopting confidential AI” while the core machine keeps eating everything you feed it (your prompts, your files, your behavior) like a piranha that never gets full, to train the next model and monetize the one after that. “Open” on the label tells you nothing about what happens to your data once it’s inside. Open is not private. The only thing that protects your data is proof of what happened to it. Apple delivered that proof. That’s the bar now.
Move first, write the rules
This is good news, and I want to say that plainly, because the privacy conversation always slides toward doom, and doom makes people freeze.
The proof exists. It’s shipping on a billion devices. The floor is set. The people building the next decade of this, the agent builders most of all, don’t get to call it too early or too hard anymore. They can build trust in from the first line of code, while the standards are still wet. And whoever moves first won’t just be safer. They’ll write the rules everyone else has to meet.
Your data should not be the price of using AI. Apple just proved it doesn’t have to be. Now the rest of us go prove it everywhere else.
That starts later this month, when Ivan takes the stage at the Confidential Computing Summit in San Francisco. Come, build with us. www.ConfidentialComputingSummit.com