
Apple looked at a simple chatbot, the single most contained form of GenAI there is, and decided the data it leaks is too dangerous to ship to their customers without Confidential AI underneath it. That’s the decision buried inside the announcement everyone covered as “Siri gets Gemini.” The real story is where Gemini runs: when Siri hands your request to Google’s models, it executes inside Private Cloud Compute, Apple’s Confidential AI architecture, on Google’s cloud, under guarantees Apple wrote down and opened to outside researchers. The request never travels on trust. I wrote about what that proves earlier this week. This post is about what it means for the people allocating capital into AI and the people building it.
The short version: Confidential AI just hit escape velocity. Here’s the case.
Confidential AI means proof, not empty promises
Strip away the vendor language and Confidential AI is one thing: verifiability. A third party can check what software ran, where it ran, what rules governed it, and who could see the data. Usually, the answer to that last question is no one. Not the cloud operator. Not Apple. Nobody, because one of the policies requires the model to run inside an encrypted runtime that even the machine’s owner can’t access (called a trusted execution environment, or TEE).
People hear “encrypted runtime” and think the hardware is the point. It isn’t. The hardware is plumbing. The point is provable policies and provable privacy. So how do you trust the cloud, the operator, the model vendor? You don’t. That’s the whole point. Nothing asks for your trust; everything submits to your verification, with the proof anchored in the silicon itself (a technical story for another post). It’s why I keep saying this becomes the floor for AI the way HTTPS (encryption of data in transit) became the floor for the web.
Chatbots leak. Agents hemorrhage.
A chatbot is one request in, one answer out. Even that leaks: your words, your context, your customer’s record, often enough that OWASP ranks sensitive information disclosure second on its list of risks for LLM applications. That’s the contained case. It’s the one Apple just declared unacceptable for a phone.
An agent runs that risk in a loop. It reads your email, opens files, calls tools, and hands work to other systems, unattended and at machine speed. And it doesn’t take an attacker. An agent doing exactly the job you gave it moves your data constantly: into model APIs, into third-party tools, into logs, into another agent’s context. Places you don’t control and mostly can’t see. No breach, no villain. Just plumbing.
The adversarial case is worse. Every useful agent carries what Simon Willison named the lethal trifecta: private data, untrusted content, and a channel to the outside world. This is consensus, not my opinion. OWASP publishes a threat taxonomy just for agents, and Anthropic published an entire zero-trust playbook for them, naming five threat categories from prompt injection to memory poisoning.
Now wire agents together, the way every enterprise is planning to this year: thousands of steps a day, around the clock. Whatever the per-step risk is, compounding turns it into a certainty. Here’s why you should care. Every leak is a transfer of assets. Your data lands in someone else’s AI model, and someone else’s business model, and whoever controls the data controls the industry. Apple deployed Confidential AI to protect the smallest risk surface in AI, a single chatbot request. Enterprises are wiring up the largest with nothing underneath it.
Apple just set the bar every enterprise will be measured against
Escape velocity is the moment a category stops needing evangelism, when the question flips from “do I really need this?” to “why don’t you have it?” Three things flipped it this month.
First, the existence proof landed at the hardest difficulty setting. Apple just rolled out the largest Confidential AI deployment in history: every iPhone, at consumer latency, consumer cost, consumer scale. Every objection enterprises have leaned on (“too slow,” “too expensive,” “more than we need”) just got falsified a billion times over by a phone.
Second, this is already how the giants operate. Meta runs WhatsApp message AI through private processing. Google built Private AI Compute so Gemini can process your personal data in a sealed environment that, in Google’s own words, not even Google can access. Anthropic and TikTok run their own implementations. And Microsoft, Google, and NVIDIA ship the underlying confidential infrastructure across their clouds and silicon. The pattern is consistent: every company with world-class security talent, when forced to put AI against sensitive data at scale, lands on the same architecture. When that many teams solve the same problem independently and arrive at one answer, you’re looking at convergence.
Third, the talent wall is real, and it’s where the market forms. Apple spent years and one of the best security teams on earth building PCC. Very few organizations have that bench or those resources, and almost none should build it themselves. That’s why companies like OPAQUE exist: to make Confidential AI deployable without first becoming Apple. For investors, that gap, between proven necessity and scarce ability to self-build, is the shape of every great infrastructure market I’ve seen. The web didn’t make every company write its own TLS stack. It made certificate authorities and load balancers inevitable. And if you’re wondering why the clouds don’t just own this layer: no agentic system runs entirely in one cloud. Agents cut across clouds, SaaS platforms, and on-prem systems, and a proof that stops at one vendor’s wall isn’t proof. The layer that verifies everything can’t belong to any one of the things being verified.
Malicious agents are probable, and runtime proof is becoming law
Two forces make this urgent rather than eventual.
The first is the threat model. Mythos-class models and their successors make it probable, not hypothetical, that a malicious actor places itself inside your environment wearing an agent as a costume. And agents are architected to be data-leaky; movement of data across systems is the job description. An employee touching sensitive data is a risk you’ve spent decades learning to govern. A compromised agent operating at machine speed is a different animal entirely. In a regulated industry, neither is acceptable without proof of containment.
The second is the rulebook. The new wave of regulation doesn’t ask for your policy binder. It asks for runtime proof: what ran, where, under what rules. Automated, hardware-signed, verifiable by a third party. Faith-based compliance is ending, and the only architecture that produces those receipts natively is the one Apple just put in your pocket.
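What “verifiable” means in practice, for both the proof section above (a third party checks what software ran, where, under what rules, with the proof anchored in the silicon) and the runtime-proof requirement here, as an added example that is not Apple’s PCC code, not OPAQUE’s product, and not any vendor’s real attestation format: a constructed, simplified attestation report signed by an in-process Ed25519 key that stands in for the chip’s attestation key, and a client-side verifier that refuses to send data unless the signature, the freshness nonce, the software measurement, the policy hash and the region all check out. Every name here (AttestationReport, Testbed, the image and policy strings, the region labels) is an assumption made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AttestationReport is a constructed, simplified stand-in for what a TEE emits; not PCC's format.
type AttestationReport struct {
	Nonce       string `json:"nonce"`       // freshness value chosen by the verifier
	Measurement string `json:"measurement"` // hash of the software image that was loaded
	PolicyHash  string `json:"policy_hash"` // hash of the rules the runtime enforces
	Region      string `json:"region"`      // where it ran, vouched for by the signing hardware
}

// SignedReport is the report plus the hardware signature over its JSON encoding.
type SignedReport struct {
	Report    AttestationReport
	Signature []byte
}

// VerifyPolicy is what the relying party insists on before it sends any data.
type VerifyPolicy struct {
	HardwareKey     ed25519.PublicKey // trust root: attestation key published by the silicon vendor
	AllowedMeasures map[string]bool   // image hashes published for outside inspection (constructed)
	RequiredPolicy  string            // hash of the policy text the client expects enforced
	AllowedRegions  map[string]bool
}

func hashHex(s string) string {
	h := sha256.Sum256([]byte(s))
	return hex.EncodeToString(h[:])
}

// Verify replaces trust with checks: signature first (so nothing below can be argued
// about), then freshness, then what ran, under what rules, and where.
func Verify(sr SignedReport, expectedNonce string, p VerifyPolicy) error {
	b, _ := json.Marshal(sr.Report) // plain struct of strings: marshalling cannot fail
	if !ed25519.Verify(p.HardwareKey, b, sr.Signature) {
		return errors.New("signature invalid: not signed by the trusted hardware key")
	}
	if sr.Report.Nonce != expectedNonce {
		return errors.New("nonce mismatch: stale or replayed report")
	}
	if !p.AllowedMeasures[sr.Report.Measurement] {
		return errors.New("unknown software measurement: image was never published")
	}
	if sr.Report.PolicyHash != p.RequiredPolicy {
		return errors.New("policy mismatch: runtime is not enforcing the expected rules")
	}
	if !p.AllowedRegions[sr.Report.Region] {
		return errors.New("region not permitted")
	}
	return nil
}

// Testbed stands in for the silicon; a real chip's key never leaves it, this one is in-process for the demo.
type Testbed struct {
	priv   ed25519.PrivateKey
	Policy VerifyPolicy
}

// NewTestbed makes a key pair and a policy allowing one image, one policy text, one region (constructed).
func NewTestbed() (*Testbed, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Testbed{priv: priv, Policy: VerifyPolicy{
		HardwareKey:     pub,
		AllowedMeasures: map[string]bool{hashHex("model-server-v1.2"): true},
		RequiredPolicy:  hashHex("no-operator-access;no-prompt-logging"),
		AllowedRegions:  map[string]bool{"eu-west": true},
	}}, nil
}

// Attest simulates the hardware measuring the loaded image and policy and signing the result.
func (t *Testbed) Attest(image, policyText, region, nonce string) SignedReport {
	r := AttestationReport{Nonce: nonce, Measurement: hashHex(image), PolicyHash: hashHex(policyText), Region: region}
	b, _ := json.Marshal(r) // same canonical encoding the verifier recomputes
	return SignedReport{Report: r, Signature: ed25519.Sign(t.priv, b)}
}

func main() {
	tb, err := NewTestbed()
	if err != nil {
		panic(err)
	}
	nonce := "client-nonce-001" // in practice random per request
	good := tb.Attest("model-server-v1.2", "no-operator-access;no-prompt-logging", "eu-west", nonce)
	fmt.Println("published image accepted:", Verify(good, nonce, tb.Policy) == nil)
	good.Report.Region = "us-east" // operator edits the claim after signing
	fmt.Println("tampered report rejected:", Verify(good, nonce, tb.Policy) != nil)
}
```

The order of checks is the design point: the signature is verified before any field is read, so an operator cannot usefully edit the region, the policy hash or the measurement after the hardware signed them, and the nonce ties the proof to this request rather than to one recorded last week. In a real deployment the allowed measurements come from images the operator has published for outside inspection and the trust root from the chip vendor’s key material; the shape of the check the client performs is the same.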
So here’s the question every board should be asking. If Apple can deliver verifiable Confidential AI under consumer requirements for speed, scale, and price, why can’t your bank? Your hospital? Your government agencies? The software vendors holding your customer, partner, and supplier data?
I said no more excuses last week. The proof ships on a billion devices.
Whoever builds it in first writes the rules
If you build agents, the bar is now public and the standards are still wet. Build verifiability in from the first line of code and you won’t just be safer, you’ll write the rules your competitors have to meet. If you allocate capital, you’re watching a category cross from evangelism to expectation, with regulatory tailwinds and a supply side that can’t be improvised.
Ivan Krstić, who built Private Cloud Compute, is keynoting at our conference, the Confidential Computing Summit, in San Francisco, June 23-24. If you want to see where this architecture goes after the chatbot, that’s the place. Come build with us.
And there’s a deeper current under all of this that deserves its own post: who ends up controlling the world’s cognitive infrastructure, the layer that will quietly steer every industry, government, and social system, and what data sovereignty has to do with ensuring the answer isn’t “one or two companies.” That’s next.