Five Vendors, One Month: Confidential Computing Arrives for AI Agents
AI agents are now high-privilege actors inside corporate networks, and the existing security stack was not built for them.

NVIDIA, Microsoft, Cisco, Fortanix, and HPE all shipped confidential computing capabilities targeting agentic AI workloads between late March and late April 2026. That is not a coincidence. It reflects a threat model that enterprises have been escalating quietly for the past year: AI agents are now high-privilege actors inside corporate networks, and the existing security stack was not built for them.
The same month, from multiple directions
NVIDIA made its Secure AI solution generally available in CUDA 12.8, bringing hardware-enforced confidential computing to H100 and H200 GPU clusters. The technology, called Protected PCIe (PPCIE), runs inference and training workloads inside Confidential Virtual Machines that span up to eight GPUs and four NVLink switches. TEE support covers AMD SEV-SNP (EPYC Milan and Genoa processors) and Intel TDX (Emerald Rapids and Granite Rapids Xeon Scalable). NVIDIA removed NVLink encryption in this release to reduce overhead, a security-for-speed trade-off worth flagging. No independent PPCIE benchmarks have been published, so the real-world performance cost of hardware-enforced confidential computing at inference scale remains an open question.
Fortanix, which built its Confidential AI platform on top of NVIDIA's stack, demonstrated Armet AI at GTC 2026: a turnkey platform for running agentic AI in regulated environments. It chains composite attestation (CPU and GPU TEE jointly verified) with HSM-gated key release. The practical effect: a cryptographic audit trail from chip to workload, with keys held back until attestation passes.
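To make the composite-attestation gate concrete, here is an added, simplified model (not Fortanix's or NVIDIA's code): the CPU and GPU reports are signed with constructed HMAC keys standing in for the vendor certificate chains, the report layout and the POLICY measurements are assumptions, the GPU report commits to the CPU report so the two cannot be mixed from different machines, and the model key is returned only when both reports verify, are fresh, and match policy.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the CPU and GPU attestation signing keys (assumption:
# a real verifier checks a certificate chain rooted at the silicon vendor).
CPU_SIGNING_KEY = b"constructed-cpu-tee-signing-key"
GPU_SIGNING_KEY = b"constructed-gpu-tee-signing-key"

# Policy: the only launch measurements permitted to receive the model key.
POLICY = {
    "cpu_measurement": hashlib.sha256(b"approved-cvm-image").hexdigest(),
    "gpu_measurement": hashlib.sha256(b"approved-gpu-firmware").hexdigest(),
}

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def _sign(report: dict, key: bytes) -> str:
    return hmac.new(key, _canon(report), hashlib.sha256).hexdigest()

def make_cpu_report(nonce: str, measurement: str) -> dict:
    report = {"nonce": nonce, "measurement": measurement}
    return {"report": report, "sig": _sign(report, CPU_SIGNING_KEY)}

def make_gpu_report(nonce: str, measurement: str, cpu_report: dict) -> dict:
    # The GPU report commits to the CPU report, so reports from two different
    # machines cannot be mixed and matched to satisfy the verifier.
    report = {"nonce": nonce, "measurement": measurement,
              "cpu_report_digest": hashlib.sha256(_canon(cpu_report)).hexdigest()}
    return {"report": report, "sig": _sign(report, GPU_SIGNING_KEY)}

def _verify(signed: dict, key: bytes) -> bool:
    return hmac.compare_digest(_sign(signed["report"], key), signed["sig"])

def release_key(nonce: str, cpu: dict, gpu: dict, model_key: bytes):
    """Composite attestation: the key leaves the HSM only when both reports
    verify, are fresh, are bound to each other, and match policy."""
    if not (_verify(cpu, CPU_SIGNING_KEY) and _verify(gpu, GPU_SIGNING_KEY)):
        return None, "signature check failed"
    if cpu["report"]["nonce"] != nonce or gpu["report"]["nonce"] != nonce:
        return None, "stale or replayed report"
    if gpu["report"]["cpu_report_digest"] != hashlib.sha256(_canon(cpu)).hexdigest():
        return None, "GPU report not bound to this CPU report"
    if cpu["report"]["measurement"] != POLICY["cpu_measurement"]:
        return None, "CPU measurement not in policy"
    if gpu["report"]["measurement"] != POLICY["gpu_measurement"]:
        return None, "GPU measurement not in policy"
    return model_key, "released"
```

The nonce is what the relying party sent with its challenge; checking it on both reports is what turns a signed report into evidence about this boot rather than a replay of an earlier one.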
HPE announced that its ProLiant DL380a Gen12 servers, which pair BlueField DPUs, Spectrum-X networking, and NVIDIA accelerated compute, will be certified for Fortanix Confidential AI, targeting Q3 2026. The DPU piece matters: without network I/O isolated from the host CPU, the attestation chain can be broken at the I/O boundary.
Cisco launched Duo Agentic Identity on March 23, working at a different layer entirely. Rather than hardening compute, it treats AI agents as identity objects. Agents register in Duo Directory with a human owner, authenticate via OAuth 2.1, and all tool calls issued through Model Context Protocol pass through an MCP gateway that evaluates each request against a fine-grained authorization engine before it reaches target systems. A shadow agent detection layer covers agents never formally registered, the AI equivalent of shadow IT, except with broader system access than most shadow apps ever had.
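An added sketch, not Cisco's code, of the gateway decision described above: the agent directory, the OAuth 2.1 tokens and the tool-to-scope map are all constructed, token validation (signature, expiry, PKCE-bound client) is assumed to have happened upstream, and a request from an authenticated but never-registered agent is denied and flagged as a shadow agent. It also covers the deprovisioned-agent case from the threat model below, where a live credential outlives its owner's intent.

```python
from dataclasses import dataclass

# Constructed agent directory (stand-in for Duo Directory; assumption): each
# registered agent carries a human owner and an explicit tool allowlist.
@dataclass
class AgentRecord:
    agent_id: str
    owner: str
    allowed_tools: set
    deprovisioned: bool = False

DIRECTORY = {
    "invoice-bot": AgentRecord("invoice-bot", "alice@example.com", {"erp.read_invoice", "erp.list_vendors"}),
    "old-sync-bot": AgentRecord("old-sync-bot", "bob@example.com", {"erp.read_invoice"}, deprovisioned=True),
}
# Constructed OAuth 2.1 tokens, validated upstream (signature, expiry, PKCE-bound
# client are assumed already checked): token -> (agent id, granted scopes).
TOKENS = {"tok-invoice": ("invoice-bot", {"erp.read"}),
          "tok-old": ("old-sync-bot", {"erp.read"}),
          "tok-helper": ("report-helper", {"erp.write"})}
# Scope each MCP tool requires (assumption: one scope per tool family).
TOOL_SCOPE = {"erp.read_invoice": "erp.read", "erp.list_vendors": "erp.read",
              "erp.delete_invoice": "erp.write"}

@dataclass
class Decision:
    allow: bool
    reason: str
    shadow: bool = False  # unregistered agent seen: surface it to the SOC

def evaluate(token: str, tool: str) -> Decision:
    """Gateway decision for one MCP tool call, made before the call reaches the
    target system; every denial names its reason for the audit trail."""
    if token not in TOKENS:
        return Decision(False, "invalid token")
    agent_id, scopes = TOKENS[token]
    record = DIRECTORY.get(agent_id)
    if record is None:
        return Decision(False, f"shadow agent {agent_id}: never registered", shadow=True)
    if record.deprovisioned:
        return Decision(False, f"{agent_id} was deprovisioned but its credential is still live")
    needed = TOOL_SCOPE.get(tool)
    if needed is None or needed not in scopes:
        return Decision(False, f"token for {agent_id} lacks the scope {tool} requires")
    if tool not in record.allowed_tools:
        return Decision(False, f"{tool} not allowlisted for {agent_id} (owner {record.owner})")
    return Decision(True, f"{agent_id} (owner {record.owner}) may call {tool}")
```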
Microsoft followed with Agent 365, a control plane for enterprise agents going GA on May 1 at $15/user/month. It extends Defender, Entra, and Purview to agent workflows: security teams get visibility into what agents are accessing, DLP policies apply to agentic browsing, and Zero Trust controls reach the full AI lifecycle from data ingestion through deployment.
Why traditional CC does not transfer cleanly
Confidential computing has existed for years in the context of VMs and enclaves, protecting data from a hostile cloud operator or co-tenant. Agents create a more complex threat surface, and it's worth being precise about why.
A language model running inference inside a TEE protects model weights and prompts in use. That blocks a compromised hypervisor from reading sensitive data. But agents do not just sit in enclaves. They call tools. They read documents, query APIs, write to databases. Each tool call is a potential exfiltration vector, happening at machine speed without a human in the loop.
The threat model includes prompt injection (malicious content in external data sources hijacking agent behavior), tool call hijacking, credential accumulation from agents never deprovisioned, and multi-tenant inference where one tenant's workload shares compute with another's. Per IBM's 2025 Cost of a Data Breach Report, cited in Bessemer's analysis of agent security risks, shadow AI breaches average $4.63 million per incident, $670,000 more than a standard breach. Bessemer also reports that 48% of security professionals now rank agentic AI as their most dangerous attack vector.
What Q1 2026 produced is a layered response. NVIDIA's PPCIE handles hardware-enforced isolation at the compute layer. Composite attestation chains CPU TEE to GPU TEE for end-to-end verification. DPU-level network isolation closes the I/O gap. MCP-layer access control governs which tools agents can invoke. Agent 365 provides the audit plane.
What the convergence signals
Bessemer's framework for agent security identifies three stages: inventory what agents exist across endpoints, SaaS platforms, and API gateways; enforce least privilege through continuous configuration monitoring; deploy runtime protection that operates at machine speed. That maps onto what these five vendors shipped this quarter. GTC and RSAC fell within the same two-week window, and the industry coalesced around a common threat model faster than usual.
The more telling observation is what is missing. There are no independent benchmarks for PPCIE at production inference scale, no published attestation latency numbers, and no evidence of interoperability between NVIDIA's attestation infrastructure and Cisco's MCP gateway. A security architecture that works in each vendor's reference deployment but fragments across a multi-vendor stack is not enterprise-ready. Nobody has solved that yet.
What to watch
The HPE-Fortanix DL380a Gen12 certification (Q3 2026) will be an early test of whether composite attestation holds at rack scale. Microsoft's Agent 365 GA on May 1 will indicate whether centralized agent governance gains traction outside the Microsoft ecosystem.
The harder question is whether MCP becomes a trust protocol, not just a tool invocation protocol. Right now it defines how agents call tools. Extended to carry attestation evidence, it would let a downstream system verify the calling agent ran inside a certified TEE, closing the most significant gap in this architecture. No vendor has committed to that extension yet.