Back to Glossary
VEX

TEE Isolation

trusted execution environmentconfidential computinghardware enclave

TEE isolation is the confinement of an AI agent's runtime within a hardware-enforced secure enclave — such as Intel TDX or AMD SEV-SNP — providing confidentiality that the host system cannot violate.

HOST-LEVEL THREAT MODEL

Cloud provider or a compromised hypervisor may attempt to extract agent context window or key material. TEE isolation defends against memory extraction by executing the agent within a hardware boundary.

PROTOCOL CONTEXT (ARCHITECTURE / PILOT-READY)

ProvnAI's architecture includes TEE support as a deployment option. Attestation tooling exists within the broader stack, and enclave-backed deployment is being explored in pilot and research settings.

ProvnAI Mitigation

TEE provisioning is part of the broader trust architecture. As the deployment stack matures, enclave-backed runtime may become a stronger option for protecting key material and runtime context.