When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

This arXiv survey examines security vulnerabilities in agentic AI systems—LLM-driven agents that manage credentials, coordinate across networks, and invoke external tools—and proposes confidential computing (hardware-based TEEs) as a defense against privileged adversaries. The research identifies that current software-only security measures cannot protect against compromised cloud operators, positioning trusted execution environments as a necessary infrastructure layer for production deployment of autonomous AI systems.

The emergence of agentic AI introduces a fundamentally different threat landscape than static model inference. Unlike a single API call that processes an input and returns output, agentic systems maintain persistent state, hold authentication credentials, coordinate with peer agents, and operate across heterogeneous infrastructure. This expansion of responsibility creates attack surfaces: prompt injection can manipulate agent behavior, context exfiltration leaks sensitive data, credentials become theft targets, and inter-agent communication can be poisoned. Current defenses—sandboxing, input validation, monitoring—operate entirely within software layers that adversaries with cloud-level privileges can bypass.

Confidential computing addresses this by moving trust boundaries into hardware. Trusted Execution Environments (TEEs) like Intel SGX, AMD SEV-SNP, and ARM CCA provide isolated execution enclaves where agent code and data remain cryptographically protected even from system administrators and hypervisors. The survey's taxonomy of six TEE platforms reveals material tradeoffs: SGX offers mature isolation but limited memory; TDX and SEV-SNP scale to entire VMs; ARM CCA provides hardware-enforced compartmentalization; NVIDIA H100 CC brings GPU-accelerated inference within protected boundaries. Remote attestation enables verifiable trust chains across distributed agent deployments—critical for multi-hop agent coordination.

For AI infrastructure builders and enterprises deploying autonomous agents at scale, this research validates that hardware-rooted security is becoming essential rather than optional. The identified open challenges—particularly compound attestation for agent chains and GPU-TEE performance at LLM scale—represent genuine engineering obstacles that infrastructure providers must address before mainstream adoption. The absence of an established end-to-end framework suggests competitive opportunity in standardization.

• →Agentic AI systems accumulate attack surface through credential management, persistent memory, and cross-system coordination that software-only defenses cannot adequately protect.
• →Confidential computing via TEEs shifts trust boundaries from software to hardware, preventing privileged adversaries like compromised cloud operators from accessing sensitive agent data.
• →Six mature TEE platforms exist but present different deployment tradeoffs: memory constraints (SGX), VM-level isolation (TDX/SEV-SNP), GPU acceleration (NVIDIA H100 CC), and ARM alternatives.
• →Critical unsolved challenges include attestation mechanisms for multi-hop agent chains and achieving GPU-backed LLM performance within TEE constraints at production scale.
• →No comprehensive production framework currently exists binding TEE primitives into a coherent security substrate for agentic AI, creating both engineering challenges and standardization opportunities.