This article was coauthored by Raghu Yeluri, an Intel Fellow and Lead Security Architect for Confidential AI and Confidential Computing Services in Intel’s Office of the CTO, and Murugiah Souppaya, a Senior Computer Scientist in the Information Technology Laboratory at the National Institute of Standards and Technology (NIST).
A lot has changed since we published our last set of blogs on confidential computing and confidential cloud. GenAI has become a key part of new projects and priorities for businesses and cloud providers. In 2024, much of the focus was on training and creating large language models, open-source vs. closed-source models, inferencing with RAG (Retrieval-Augmented Generation), prompt engineering, and co-pilots that generate code. There was the start of interest in confidential AI, which combines confidential computing and AI. Cloud providers and software vendors started offering solutions to protect prompts, critical models, and RAG pipelines, which include sensitive business documents and data, using confidential computing.
In 2025, we can expect to see an increase in real-world applications of confidential AI, with a focus on how individuals integrate AI into their workflows and applications to innovate and increase their efficiency and productivity without compromising the security and privacy of the data. Additionally, the AI industry has shifted from only making models bigger to also improving their reasoning abilities during inference. This change is because simply increasing model size doesn't help as much anymore, and better inference can make AI systems more efficient and intelligent. OpenAI’s O series models, Google’s Gemini 2.0+, and the recently launched DeepSeek* R1 models are examples of this move towards better reasoning in AI.
The next frontier of AI, which will make huge leaps in 2025 and beyond, is agentic AI. Gartner’s recent research report, “Top Strategic Technology Trends for 2025: Agentic AI,” forecasts that by 2028, 33% of enterprise software will incorporate agentic AI, 20% of digital storefront interactions will be conducted by AI agents, and 15% of day-to-day decisions will be made autonomously. However, agentic AI also increases exposure to sophisticated cyber threats, such as intelligent malware, prompt injections, and rogue AI agents. If not properly managed, these risks can lead to operational disruptions, governance failures, and significant harm to human life and organizational reputations.
This is the focus of this blog. So, what is agentic AI?
Agentic AI
There is no universal definition of agentic AI, but broadly speaking, it is a paradigm that involves deploying agents or other programs that act autonomously on behalf of humans or other AI systems to make decisions and take actions to achieve specific goals. Unlike current agent models, which are rules-based, agentic AI uses sophisticated reasoning, knowledge, and intelligence to help drive process automation by making decisions and taking actions rather than just responding to questions. Agentic AI has four core attributes/features:
- Autonomous: Operate independently with little to no human oversight or instructions.
- Adaptability: Improve the functionality through machine-supervised/unsupervised/reinforcement learning techniques. A foundational model acts as an orchestrator, generating tasks and workflows, using reasoning and iterative planning to address multi-step problems.
- Decision-Making/Actions: Process and analyze data and make informed decisions to attain goals, employing reasoning methods and algorithms for data processing. With integration with external tools and APIs, these systems ingest vast amounts of data and execute tasks based on plans that are iteratively formulated.
- Communication/Collaboration: Interact with other AI agents and/or humans via diverse modes, including natural language speech.
The level of “agentic-ness,” expressed as the degree to which a system can autonomously and adaptably achieve complex goals in complex environments with limited direct supervision, is on a wide spectrum. The level of agentic-ness determines the type of agentic AI system.
Architecture of Agentic AI Systems
Figure 1 below is a canonical representation of a simplistic agentic AI system architecture. While it shows a single-agent system, multiple agents can be integrated and collaborate in complex agentic AI systems, each with its own set of capabilities and functions.
Figure 1: Agentic AI Architecture
In contrast to non-agentic AI systems, the new component in the agentic AI architecture is a software orchestrator. The orchestrator consumes information about a task that the AI agent is expected to complete, together with some guidance and instructions on how it might be completed. The orchestrator provides the necessary context, specific data via RAG, and any guardrails/policies to be followed to the reasoning/language model, to generate a specific recipe to complete the task. It is system-driven behind the scenes, rather than relying only on what the user is typing into a prompt. The orchestrator autonomously executes a set of actions based on that plan, communicating with different tools, and can regenerate the recipe dynamically when needed as context or data changes.
Agentic AI: Autonomous, iterative, and operating on sensitive data
Agentic AI systems act on behalf of humans and other AI systems. They have access to many identities — directly or indirectly — of users, tools, APIs, data sources, etc. Agentic AI uses these identities to interface with different tools, data sources, and models. Agentic AI systems deal with many enterprise data sources (for example, RAG pipelines that provide the latest business-specific data so the reasoning engine can formulate plans), and much of this data is sensitive and confidential. They have plans and execution workflows that determine the outcomes, output, or decisions. These decisions drive actions as a continuous process, in many cases with little human oversight and intervention. Depending on the level of agentic-ness, some of these actions could be irreversible, such as financial transactions, autonomous vehicle movements, and shipping transactions. The context, the data used for decisions, and other related metadata are recorded in a transparency ledger, which serves the critical requirements of ‘explainability,’ forensics, learning, etc.
Agentic AI systems also have access to user metadata, which is equally sensitive and critical for privacy, reputation, etc. Imagine a user searching for answers from an addiction/mental health-related model, or an enterprise analyst looking for alternate supply chain guidance. Exposure of this metadata has serious implications for the individual and the enterprise. Agentic AI systems will obviously have guardrails — either hard-wired or via policies — to prevent rogue behavior and to adhere to regulations and enterprise security, privacy, and other requirements. Tampering with agentic AI systems could cause operational disruptions, governance breakdowns, and reputational damage.
Agentic AI Security with Confidential Computing and Zero-Trust Architecture
The unprecedented power, opportunity, and flexibility that agentic AI brings also comes with significant requirements for security and trust. Securing agentic AI requires a multi-faceted approach, as agentic AI systems can autonomously take actions based on their learned patterns, making them vulnerable to misuse and attacks. As discussed above, there are many assets in the context of agentic AI systems that need protection. Significant focus is needed on protecting:
- identities
- metadata
- data (RAG, training/tuning data…)
- prompts
- the models, including preventing malicious manipulation
- the orchestrator, including preventing denial of service attacks; and
- the integrity of the transparency ledgers to ensure transparency and explainability in decision-making.
There are typically strong technologies in place to protect these critical assets at rest and in transit, such as symmetric encryption and TLS. These protections, along with many industry best practices for security hygiene in development and deployment, are necessary for securing agentic AI systems. Adoption of zero-trust architectures and principles can help mitigate risk by authenticating and authorizing entities at access time based on defined policies, and minimizing the impact in the event of a breach.
The last frontier of protection is when these assets are used, accessed, and operated upon during the execution cycle of the agentic AI system. Protection during execution, referred to as in-use protection, is typically absent, and this is the weakest link. Adversaries and bad actors target it to compromise and manipulate agentic AI systems, breach their data, and change their outcomes, with alarming consequences.
Confidential computing technologies and solutions are perfectly suited for this last frontier of protection. According to the Confidential Computing Consortium (CCC), confidential computing is designed to provide privacy and trust guarantees by executing in attested, hardware-enabled trusted execution environments (TEEs). TEEs help ensure that the sensitive information processed by the agent remains confidential and accessible only to authorized entities. TEEs help ensure the integrity of the agent by allowing only authorized code to execute. At execution time, TEEs isolate the runtime environment from unauthorized external entities and reduce the attack surface. You can read more about confidential computing on the CCC website. Using attested TEEs, confidential computing seeks to guarantee access protection, privacy, and in-use protection of key assets against many different adversaries.
Figure 2 below depicts what the agentic AI architecture would look like with confidential computing. This combination will increasingly protect key assets from infrastructure provider administrators, operators of the infrastructure, operators of the agentic AI systems, and other systems/applications/services running on the same infrastructure.
Figure 2: Agentic AI Architecture with Confidential Computing
Leveraging confidential computing and zero-trust architecture provides a trustworthy approach to securing agentic AI. Confidential computing seeks to safeguard data and code during processing, while zero-trust architecture helps ensure that only authorized entities can access the AI system. Combining these two strategies produces robust protection for sensitive data and agentic AI workloads that minimizes the organization’s risk and the impact of a potential breach.
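As an added illustration (not code from this post, Intel, NIST, or the CCC) of the attested, policy-gated access just described, the following simulates a relying party that releases the orchestrator's RAG data key only to a TEE whose evidence is genuine, fresh, from an approved orchestrator build, and not in debug mode. The HMAC-signed evidence, image bytes, measurement values, policy and key names are all constructed stand-ins for hardware-signed quotes and a real attestation service.

```python
import hashlib
import hmac
import json

# Constructed stand-in for hardware-signed TEE evidence. Real quotes are signed with
# hardware-rooted keys and checked through the vendor's attestation service; an HMAC
# over the claims is used here only so the example runs offline.
DEMO_ATTESTATION_KEY = b"constructed-demo-attestation-signing-key"

def issue_evidence(image: bytes, nonce: str, debug: bool) -> dict:
    """TEE side: sign the code measurement, the verifier's nonce, and the debug state."""
    claims = {"measurement": hashlib.sha256(image).hexdigest(), "nonce": nonce, "debug": debug}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(DEMO_ATTESTATION_KEY, body, "sha256").hexdigest()}

def release_key(evidence: dict, expected_nonce: str, policy: dict, key_store: dict):
    """Relying party: release the RAG data key only if the evidence is genuine, fresh,
    from an approved orchestrator build, and the TEE is not in debug mode."""
    body = json.dumps(evidence["claims"], sort_keys=True).encode()
    expected = hmac.new(DEMO_ATTESTATION_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return None, "evidence signature invalid"
    claims = evidence["claims"]
    if claims["nonce"] != expected_nonce:
        return None, "stale or replayed evidence"
    if policy["deny_debug"] and claims["debug"]:
        return None, "TEE running in debug mode"
    build = policy["allowed_measurements"].get(claims["measurement"])
    if build is None:
        return None, "unapproved orchestrator build"
    return key_store["rag-data-key"], f"released to {build}"

# Constructed sample inputs: the approved orchestrator image and a modified copy.
APPROVED_IMAGE = b"orchestrator-v1.4 (constructed image bytes)"
TAMPERED_IMAGE = APPROVED_IMAGE + b" + injected code"
POLICY = {"allowed_measurements": {hashlib.sha256(APPROVED_IMAGE).hexdigest(): "orchestrator-v1.4"},
          "deny_debug": True}
KEY_STORE = {"rag-data-key": "constructed-rag-data-key"}

def demo() -> dict:
    """The cases a release policy must tell apart (the nonce would be fresh per request)."""
    nonce = "nonce-0001"
    cases = {
        "good": issue_evidence(APPROVED_IMAGE, nonce, debug=False),
        "tampered": issue_evidence(TAMPERED_IMAGE, nonce, debug=False),
        "debug": issue_evidence(APPROVED_IMAGE, nonce, debug=True),
        "replayed": issue_evidence(APPROVED_IMAGE, "nonce-0000", debug=False),
    }
    return {name: release_key(ev, nonce, POLICY, KEY_STORE) for name, ev in cases.items()}
```

Only the first case receives the key; the others are refused with a reason that a transparency ledger or SIEM can record.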
In future blogs, we will drill down into the various components of the agentic AI software and hardware stack, including the added components needed to seamlessly support confidential computing and zero-trust principles and the operational monitoring, enforcement, and remediation requirements needed in this ‘no implicit trust’ paradigm.
Status of Confidential Computing Technologies
Confidential computing technologies are widely being deployed across public, hybrid, and sovereign cloud environments. Over the past two years, Independent Software Vendors (ISVs) and Cloud Service Providers (CSPs) have actively contributed to the development of confidential computing-enabled applications, databases, AI workloads, and confidential container services. Current-generation hardware from CPU and GPU vendors includes TEE support, with Intel offering Intel® Software Guard Extensions (Intel® SGX) for application isolation and Intel® Trust Domain Extensions (Intel® TDX) for VM isolation, ARM* providing CCA, AMD* providing AMD SEV-SNP for VM isolation, and NVIDIA* H100 Tensor Core GPUs providing confidential computing support on the GPU. Hypervisors and operating systems with native TEE support are available at production quality from several OS vendors and CSPs, with more expected to be released in 2025. Additionally, container runtimes and Kubernetes* orchestration platforms that can detect and utilize TEEs are available, enabling the deployment of agentic AI system components as containers within these secure environments.
As agentic AI gains widespread adoption, helping ensure the security of AI agents and protecting various assets becomes crucial. Confidential computing and agentic AI naturally complement each other, providing a balanced approach that fosters innovation while maintaining the privacy and trust necessary to safeguard society's reputation and functionality in the AI era. Get educated in confidential computing. Incorporate confidential computing and zero-trust principles in your design of agentic AI systems. Talk to your infrastructure provider about their support and availability of confidential computing technologies.