C02 Layer 1 - Identity & Integrity

Confidential Execution and Secret Boundary Control

Data-in-use protection for the agent runtime. Confidential execution environments, attestation-gated secrets, and plaintext lifetime limits for high-sensitivity workloads.

Why

Most sensitive exposure occurs in memory during inference and mediation. Encryption at rest and in transit does not protect:

  • decrypted prompts
  • retrieved context
  • tool payloads
  • API credentials

For high-sensitivity workloads, “plaintext in RAM” is the threat surface.

What

A data-in-use protection control that:

  • isolates inference and tool mediation in confidential execution environments (where the workload's tier requires it)
  • gates secrets on remote attestation
  • enforces “plaintext lifetime limits” and redaction guarantees for telemetry

How

  • Tiering: Define autonomy tiers and data classifications; require confidential execution for high tiers.
  • Attest to release: secrets and high-sensitivity context are released only after remote attestation passes, i.e. the runtime's measurement matches an allowlisted value and the evidence is bound to a fresh, per-run nonce so it cannot be replayed.
  • Key discipline: envelope encryption for payloads; per-run keys derived from a key-encryption key that never enters the runtime; strict scope and TTL on every derived key.
  • Telemetry hygiene: redact/transform sensitive payloads before logging; store keyed hashes or pointers, not plaintext (an unkeyed hash of a short prompt or credential can be confirmed by guessing).
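The attest-to-release, key-discipline and telemetry steps above, worked end to end as an added example written for this page (it is not code from the framework, the C02 control, or any TEE vendor SDK). The attestation verifier is simulated: the "quote signature" is an HMAC under a key the verifier trusts, standing in for a hardware-rooted signature, and the measurement allowlist, key material, tier threshold, scope names and field names are all hypothetical. Payload encryption under the derived run key (AES-GCM in practice) is left out; the block shows the KEK-to-run-key hierarchy, scope and TTL binding, the audit record that correlates each secret release with its attestation outcome, the coverage metric from the Evidence section, and keyed-hash redaction for logs.

```python
# Added example, not code from the C02 control page or its framework. Everything here is a
# stand-in: the attestation "signature" is an HMAC under a key the verifier trusts (a real
# verifier checks a hardware-rooted quote), and every measurement, key, tier threshold,
# scope and field name is hypothetical.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

TRUSTED_MEASUREMENTS = {"sha256:" + hashlib.sha256(b"agent-runtime-v1").hexdigest()}  # hypothetical
VERIFIER_KEY = b"simulated-quote-signing-key"   # stands in for the hardware root of trust
KEK = b"key-encryption-key-held-by-kms"          # stays in the KMS; never enters the runtime
LOG_PEPPER = b"telemetry-pepper"                 # keyed hashing so logs resist guess-and-check
SENSITIVE_FIELDS = {"prompt", "retrieved_context", "tool_payload", "api_credential"}
CONFIDENTIAL_FROM_TIER = 2                       # autonomy tiers >= 2 must run attested
AUDIT_LOG = []                                   # secret access correlated to attestation outcome


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-and-expand over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def issue_evidence(measurement, nonce):
    """Simulates the enclave's reply: its measurement plus the verifier's nonce, signed."""
    sig = hmac.new(VERIFIER_KEY, measurement.encode() + nonce, hashlib.sha256).hexdigest()
    return {"measurement": measurement, "nonce": nonce.hex(), "sig": sig}


def verify_attestation(evidence, expected_nonce):
    """Signature valid, nonce bound to this run (anti-replay), measurement allowlisted."""
    expected_sig = hmac.new(VERIFIER_KEY, evidence["measurement"].encode() + expected_nonce,
                            hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, evidence["sig"])
            and evidence["nonce"] == expected_nonce.hex()
            and evidence["measurement"] in TRUSTED_MEASUREMENTS)


@dataclass
class RunKey:
    """Per-run data key derived from the KEK, bound to one scope, with a short TTL."""
    run_id: str
    scope: str
    key: bytes
    expires_at: float

    def usable_for(self, scope, now):
        return scope == self.scope and now < self.expires_at


def release_run_key(run_id, tier, evidence, nonce, scope, ttl_s=300, now=None):
    """Attest-to-release: the KMS derives and hands out a run key only after attestation passes."""
    now = time.time() if now is None else now
    attested = verify_attestation(evidence, nonce)
    AUDIT_LOG.append({"run_id": run_id, "tier": tier, "scope": scope, "attested": attested,
                      "measurement": evidence["measurement"], "ts": now})
    if not attested:
        raise PermissionError(f"{run_id}: attestation failed, secret withheld")
    key = hkdf_sha256(KEK, salt=nonce, info=f"{run_id}|{scope}".encode())
    return RunKey(run_id, scope, key, now + ttl_s)


def confidential_coverage():
    """Evidence metric: share of runs at tiers that require attestation which actually passed."""
    required = [e for e in AUDIT_LOG if e["tier"] >= CONFIDENTIAL_FROM_TIER]
    return sum(e["attested"] for e in required) / len(required) if required else 1.0


def redact_for_telemetry(event):
    """Telemetry hygiene: log a keyed hash and length of sensitive fields, never the plaintext."""
    safe = {}
    for name, value in event.items():
        if name in SENSITIVE_FIELDS:
            ref = hmac.new(LOG_PEPPER, value.encode(), hashlib.sha256).hexdigest()[:16]
            safe[name + "_ref"], safe[name + "_len"] = "hmac256:" + ref, len(value)
        else:
            safe[name] = value
    return safe


if __name__ == "__main__":
    nonce = os.urandom(32)                          # verifier-chosen nonce, one per run
    evidence = issue_evidence(next(iter(TRUSTED_MEASUREMENTS)), nonce)
    run_key = release_run_key("run-42", 2, evidence, nonce, scope="tool:payments")
    print("run key issued for", run_key.scope, "until", run_key.expires_at)
    print(redact_for_telemetry({"run_id": "run-42", "prompt": "constructed sample prompt"}))
    print("confidential coverage:", confidential_coverage())
```

Two details carry the control's intent: the nonce is chosen by the verifier and checked inside `verify_attestation`, so stale evidence from an earlier run is rejected, and the audit record is written before the release decision, so a failed attestation leaves the same correlatable trace as a successful one. The KEK is only ever an input to the KDF; what reaches the runtime is a scope-bound key that stops being usable when its TTL passes, which is the mechanism behind "plaintext lifetime limits".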

Evidence

  • attestation artifacts + measurement IDs linked to run IDs
  • secret access logs correlated to attestation success
  • coverage metrics: % runs in confidential mode for required tiers
  • redaction validation results (spot checks / automated scanners)

Failure modes

  • “confidential compute enabled” but not enforced for high tiers
  • secrets available outside attested boundary
  • logging plaintext prompts/tool payloads “for debugging”
  • using long-lived credentials inside agent runtime

NIST AI RMF alignment

C02 maps to GOVERN and MANAGE. See the framework paper for the specific subcontrol mappings.

ISO/IEC alignment

C02 maps to ISO/IEC 27001 and ISO/IEC 27017. Typical evidence: see the Evidence section above.
