Verifiable, private AI: Google Cloud expands Confidential Computing frontiers

Protecting sensitive data used with AI is a critical part of our commitment to providing advanced and secure cloud infrastructure. Confidential Computing cryptographically protects data in use in hardware-based Trusted Execution Environments (TEEs) with verifiable data integrity. 

We are thrilled to share our latest Confidential Computing innovations across our hardware ecosystem that help further strengthen verifiable privacy in cloud AI deployments. 

Confidential AI at global scale

By scaling our Confidential AI capabilities globally, we help ensure that AI inference and fine-tuning workloads can run with enforceable privacy guarantees. 

Democratizing Confidential AI: Confidential G4 VMs with NVIDIA RTX PRO 6000 Blackwell GPUs in preview

We are excited to announce a landmark moment for accessible Confidential AI at global scale: Confidential VMs and Confidential GKE Nodes on the accelerator-optimized G4 machine series, featuring NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs.

What makes this a game-changer is its global scale and flexibility. Confidential G4 is available in every Google Cloud region where the standard G4 is available, across multiple consumption models including On Demand, Reservations, DWS Flex Start, and Spot/Preemptible.

“As organizations scale AI across multiple infrastructure environments, maintaining privacy and control over data and execution becomes increasingly challenging. Google Cloud Confidential G4 VMs powered by NVIDIA RTX PRO 6000 Blackwell GPUs are a meaningful addition to the expanding Confidential AI infrastructure ecosystem. As AI workflows now span agents, data sources, and infrastructure boundaries, Super Protocol provides a consistent Confidential AI operating model across Google Cloud Confidential VMs, other clouds, and on-premises environments — abstracting away confidential computing complexity and allowing teams to focus on AI outcomes,” said Yulia Gontar, COO, Super Protocol.

Powered by 5th Generation AMD EPYC Turin CPUs leveraging AMD SEV, the G4 machine series with NVIDIA RTX PRO 6000 Blackwell GPUs activates robust hardware-based security. This architecture helps ensure that sensitive data is protected during processing inside the TEE, while also encrypting data as it travels between the CPU and GPU.

“GCP’s Confidential G4 VM was the obvious choice for Vertebrae because privacy and security are non-negotiable for our customers. Our product processes sensitive work discussions, so we need to support hardware-signed attestation that both CPU and GPU are running in a trusted execution environment. Using confidential computing on Google Cloud lets us deliver the frontier of AI privacy in the cloud,” said Andy Qin, CEO, Vertebrae.

With Confidential G4, you can unlock AI inference, fine-tuning, HPC, and use cases involving highly restricted data, sensitive models, or private prompts, all with minimal performance impact. Get started with Confidential G4 VMs and Confidential G4 GKE Nodes.

Enabling end-to-end private inference: Open-source Prompt Encryption SDKs

Even as we make Confidential AI accessible, we understand that protecting sensitive data in AI workloads goes beyond securing the model execution environment. The prompts and responses themselves can contain highly confidential information. To provide cryptographic protection for the entire inference lifecycle, we are happy to announce the open-source launch of our Prompt Encryption SDKs, now available on GitHub.

This toolkit helps you establish an end-to-end secure channel for your AI inference workloads, ensuring that prompts are cryptographically protected from the moment they leave the client until they are processed in the TEE; model responses are similarly protected all the way back to the client.

Prompt and response encryption using Prompt Encryption SDK.

The Client SDK is integrated into the client application and works in tandem with the Server SDK integrated into the inference server running in the TEE. Once the SDKs have been used to establish an attested TLS session, the client can be confident that the server is running an authorized workload within a verified Confidential Computing environment. 

The client app can then send encrypted prompts to the inference server, knowing that only this server will be able to decrypt and process them in the TEE. Once the server has a response ready, it sends it back to the client app over the same encrypted channel.

You can get started today with the GitHub repository and the Codelab.

Enabling Apple Private Cloud Compute on Google Cloud

Our commitment to privacy is exemplified by our collaboration with Apple to expand Private Cloud Compute (PCC) on Google Cloud.

We are proud to collaborate with Apple to extend Apple’s privacy and security commitments to PCC on Google Cloud. Our platform supports Apple’s PCC privacy commitments with a layered security approach built upon Google Cloud’s infrastructure. This includes leveraging Google Cloud Confidential Computing with Intel TDX, NVIDIA Confidential Computing with NVIDIA Blackwell GPUs, our Titanium security architecture with the Titan chip, and a co-engineered open-source host stack to ensure verifiable transparency.

Together, these technologies help Apple PCC on Google Cloud meet stringent requirements for data protection and user privacy. To dive deeper into this collaboration, read our blog post: Powering the next era of Confidential AI.

Advancing confidential foundations

Google Cloud is committed to making Confidential Computing capabilities broadly available across our infrastructure. Our goal is to integrate hardware-based security features deeply into our foundational compute offerings, allowing customers to enhance data protection without compromising performance or operational flexibility.

Bringing Intel Trust Domain Extensions (TDX) to the C4 machine series

Confidential VMs with Intel TDX on the C4 machine series will be available in preview soon.

Powered by the latest 6th Generation Intel Xeon processors, this integration offers a significant leap in compute density and performance for data-intensive workloads. By using Intel TDX, C4 instances create hardware-isolated Trust Domains (TDs) that protect sensitive applications and data from the underlying host and hypervisor. 

This architecture provides confidentiality and privacy while enabling remote attestation so you can cryptographically verify the environment before processing sensitive data. Best of all, you can turn Confidential Computing on with a few clicks and no code changes.

Expanding Live Migration capabilities

Running mission-critical production environments requires high availability and continuous uptime, even during scheduled cloud maintenance. 

Live Migration on C3D-based Confidential VMs is now generally available. This capability allows Google Cloud to perform planned hardware maintenance without interrupting workloads or exposing encrypted guest memory, ensuring seamless uptime for long-running confidential applications.

Enhancing trust and collaboration: Innovations in Confidential Space

Confidential Space is a Confidential Computing environment designed to enable secure multi-party computation and data sharing. It allows organizations to collaborate on sensitive data, such as for joint machine learning or data analytics, without revealing the data to each other or to Google Cloud. 

“Google Cloud Confidential Space allows us to provide financial institutions with security guarantees similar to or better than an on-prem service,” said Olivier Richaud, vice-president, Platforms and Site Reliability Engineering, Symphony. “Transitioning such security and privacy-sensitive customers to a cloud-based SaaS service would have been impossible without the power of Confidential Computing.”

A key design principle of Confidential Space is to remove the workload operator from the trust boundary, providing cryptographic assurance that only the authorized, attested workload can access the data.
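An added example (not Google's or this page's code) of the relying-party check this principle implies: a key-release gate that admits only an attested, non-debug workload whose image digest is pinned. It assumes the token signature was already verified upstream and uses claim names from the Confidential Space attestation token format, which this page does not list; the audience URL, nonce and digest are constructed.

```python
import time

# Constructed policy a data owner would pin; the URL and digest are placeholders.
POLICY = {
    "iss": "https://confidentialcomputing.googleapis.com",
    "aud": "https://keys.example.test",        # hypothetical key-release service
    "swname": "CONFIDENTIAL_SPACE",
    "hwmodel": {"GCP_AMD_SEV", "GCP_INTEL_TDX"},
    "image_digest": "sha256:" + "ab" * 32,     # constructed, not a real image
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def release_decision(claims, expected_nonce, now=None, policy=POLICY):
    """Return (allowed, reasons). Claims are assumed already signature-verified."""
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != policy["iss"]:
        reasons.append("unexpected issuer")
    if policy["aud"] not in as_list(claims.get("aud")):
        reasons.append("token not issued for this service")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        reasons.append("token expired or exp missing")
    if expected_nonce not in as_list(claims.get("eat_nonce")):
        reasons.append("nonce mismatch, possible replay")
    if claims.get("swname") != policy["swname"]:
        reasons.append("not a Confidential Space image")
    hw = claims.get("hwmodel")
    if not isinstance(hw, str) or hw not in policy["hwmodel"]:
        reasons.append("hardware TEE not in allowed set")
    if claims.get("dbgstat") != "disabled-since-boot":
        reasons.append("debug enabled: operator can reach the workload")
    container = (claims.get("submods") or {}).get("container") or {}
    if container.get("image_digest") != policy["image_digest"]:
        reasons.append("workload image digest not authorized")
    return (not reasons, reasons)

def sample_claims(nonce, now):
    """Constructed claim set for a healthy workload (not real token output)."""
    return {"iss": POLICY["iss"], "aud": POLICY["aud"], "exp": now + 300,
            "eat_nonce": nonce, "swname": "CONFIDENTIAL_SPACE",
            "hwmodel": "GCP_INTEL_TDX", "dbgstat": "disabled-since-boot",
            "submods": {"container": {"image_digest": POLICY["image_digest"]}}}
```

The gate fails closed: any missing or unexpected claim adds a reason, and the key is released only when the list of reasons is empty.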

“As AI systems increasingly act on behalf of consumers in financial services, trust in how data is processed becomes paramount. At Sahamati, we see Google Cloud Confidential Space as a foundational technology for enabling privacy-preserving AI in India’s Open Finance ecosystem, creating the trust needed for innovation while maintaining strong security and accountability guarantees,” said Kiran Gopinath, chief innovation officer, and Head, Sahamati Labs.

Our new advancements for Confidential Space provide greater flexibility and stronger assurances. Key updates include:

Independent Verification: Integration with Intel Trust Authority

We are pleased to announce that Intel Trust Authority (ITA) is now generally available as an independent attestation verifier service for Confidential Space.

This integration enables organizations to independently verify the integrity of the Confidential Space environment using Intel’s hardware-rooted attestation before encryption keys are released to workloads. By decoupling attestation verification from the cloud service provider, customers benefit from enhanced transparency, stronger assurance, and a more robust trust model.

“With Confidential Computing woven into our core infrastructure, Google Cloud and Intel are making hardware‑rooted security and independent attestation part of the default fabric of modern compute. From Intel TDX‑powered C4 Confidential VMs running production workloads, to Confidential Space with Intel Trust Authority — now generally available — enabling verifiable multi‑party collaboration, customers can now encrypt, verify, and scale their most sensitive AI and data workflows without rewriting applications or compromising performance, even in the most demanding regulatory environments,” said Anand Pashupathy, general manager and vice-president, Intel Product Assurance and Security (IPAS), Intel Corporation.

Accelerating secure collaboration: Confidential Space with H100 GPU support

To power secure multi-party AI and machine learning, Confidential Space support for NVIDIA Hopper GPUs is now generally available. This can help multiple parties pool their data for training and inference within a Confidential Space environment, using the power of Hopper GPUs, while ensuring that their individual data remains protected from other participants and from Google Cloud. 

Confidential Space unlocks use cases like federated learning on sensitive datasets, and building joint models without centralizing data.

“Confidential GPU support in Google Cloud Confidential Space removes one of the biggest barriers to adopting secure AI: the tradeoff between protecting sensitive workloads and achieving production-grade performance,” said Adi Hirschtein, VP Product, Duality. “For Duality customers in healthcare, financial services, and government, this enables federated learning, confidential AI, and encrypted RAG workflows to run on sensitive data at scale while keeping data and models protected throughout processing.”

Next steps

Confidential Computing is becoming an essential layer of cloud computing in the AI era. Explore our expanding portfolio of Confidential VMs, accelerated hardware, and open-source tools to see how you can enable secure collaboration and private AI innovation within your organization.  

To learn more, join us at the Confidential Computing Summit on June 23 and 24, 2026.