When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI
Javad Forough, Marios Kogias, Hamed Haddadi

TL;DR
This survey explores how confidential computing, especially Trusted Execution Environments, can enhance security in agentic AI systems that handle sensitive data and operate across distributed platforms.
Contribution
It provides a comprehensive taxonomy of TEE platforms, an agent-centric threat model, and a comparative analysis of CC defenses, and it outlines open challenges for secure agentic AI deployment.
Findings
Six TEE platforms are systematically compared for deployment and performance.
Current CC defenses transfer well to single-call inference but need adaptation for agentic AI.
No complete end-to-end security framework for agentic AI using confidential computing exists yet.
Abstract
Agentic AI systems, specifically LLM-driven agents that plan, invoke tools, maintain persistent memory, and delegate tasks to peer agents via protocols such as MCP and A2A, introduce a threat surface that differs materially from standalone model inference. Agents accumulate sensitive context, hold credentials, and operate across pipelines no single party fully controls, enabling prompt injection, context exfiltration, credential theft, and inter-agent message poisoning. Current defenses operate entirely within the software stack and can be silently bypassed by a sufficiently privileged adversary such as a compromised cloud operator. Confidential computing (CC) offers a hardware-rooted alternative: Trusted Execution Environments (TEEs) isolate agent code and data from privileged system software, while remote attestation enables verifiable trust across distributed deployments. This survey…
