We're happy to announce the publication of our collaborative whitepaper with Anthropic on confidential inference systems: an approach that uses confidential computing technologies to protect both AI model weights and the privacy of the user data the model processes.
Yesterday, Anthropic published our joint whitepaper detailing design principles and security considerations for confidential inference systems. This whitepaper follows a research collaboration between Pattern Labs and Anthropic regarding the design and security implications of such a system.
Confidential inference is a way to run AI models while keeping sensitive information private, by relying on hardware-based confidential computing technologies. Confidential computing is also an emerging security mechanism for securing AI model weights.
When you use an AI service, there are typically three parties involved: the user, whose prompts and outputs must stay private; the model provider, whose weights must not be exposed; and the cloud provider, whose administrators operate the hardware. Each holds something it cannot afford to reveal to the others.
Confidential computing technologies make this possible by running the model inside hardware-based Trusted Execution Environments (TEEs): isolated execution contexts that the rest of the system, including the operating system, the hypervisor and cloud administrators, cannot read or modify. TEEs also provide cryptographic attestation: the hardware signs a measurement of the code loaded into the enclave, so a remote party can verify exactly which software will handle its data before releasing anything to it. Attestation establishes which code is running, not that the code is well-behaved; the assurance that the workload does not copy, duplicate or leak confidential data outside the enclave rests on that code having been reviewed, and on the hardware vendor's attestation root being trustworthy. Inside the TEE, inference runs on plaintext user data and model weights while both remain opaque to the host, which makes possible cloud AI services in which the parties trust the hardware and the attested code rather than one another.
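The attestation-gated key release described above, as an added Go model that is not code from the whitepaper, Pattern Labs or Anthropic. Everything in it is a simulation assumption: the hardware attestation key is a single Ed25519 key rather than a vendor certificate chain, the enclave image is a byte string, and the report carries only the three fields the release decision rests on. The weight owner (Verifier) checks the hardware signature, the freshness nonce and the code measurement, then wraps the weight-encryption key to an X25519 key generated inside the enclave, so a host that merely relays a genuine report still cannot recover the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Report is a simplified attestation report; real ones carry many more fields.
type Report struct {
	Measurement [32]byte // hash of the code loaded into the enclave
	Nonce       [32]byte // verifier-chosen freshness value, echoed back
	EnclavePub  [32]byte // X25519 public key generated inside the enclave
}

func (r Report) encode() []byte {
	b := append([]byte{}, r.Measurement[:]...)
	return append(append(b, r.Nonce[:]...), r.EnclavePub[:]...)
}

// Enclave simulates the TEE. AttestKey stands in for the hardware-fused signing
// key (a real enclave never holds it); Ephemeral's private half never leaves the enclave.
type Enclave struct {
	Code      []byte
	AttestKey ed25519.PrivateKey
	Ephemeral *ecdh.PrivateKey // from ecdh.X25519().GenerateKey
}

// Attest binds the loaded code and the enclave's public key to the nonce.
func (e *Enclave) Attest(nonce [32]byte) (Report, []byte) {
	rep := Report{Measurement: sha256.Sum256(e.Code), Nonce: nonce}
	copy(rep.EnclavePub[:], e.Ephemeral.PublicKey().Bytes())
	return rep, ed25519.Sign(e.AttestKey, rep.encode())
}

// Unwrap recovers the weight key from a blob laid out as
// verifier X25519 public key || GCM nonce || ciphertext.
func (e *Enclave) Unwrap(blob []byte, rep Report) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("short blob")
	}
	g, err := keyAgreement(e.Ephemeral, blob[:32])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[32:44], blob[44:], rep.encode())
}

// Verifier is the weight owner. It releases the weight-encryption key only to an
// enclave whose report is hardware-signed, fresh, and on the allow-list of reviewed code.
type Verifier struct {
	HWRoot    ed25519.PublicKey
	Allowed   map[[32]byte]bool
	WeightKey []byte
}

func (v *Verifier) ReleaseKey(nonce [32]byte, rep Report, sig []byte) ([]byte, error) {
	switch {
	case !ed25519.Verify(v.HWRoot, rep.encode(), sig):
		return nil, errors.New("report not signed by hardware root")
	case rep.Nonce != nonce:
		return nil, errors.New("stale or replayed report")
	case !v.Allowed[rep.Measurement]:
		return nil, errors.New("code measurement not on allow-list")
	}
	mine, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	g, err := keyAgreement(mine, rep.EnclavePub[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	// The report is associated data, so the blob is useless with any other report.
	return g.Seal(append(mine.PublicKey().Bytes(), iv...), iv, v.WeightKey, rep.encode()), nil
}

// keyAgreement derives AES-256-GCM from X25519(priv, peerPub). SHA-256 stands in
// for HKDF here; production code should use HKDF with context labels.
func keyAgreement(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}
```

The three rejections in ReleaseKey correspond to the three things a practitioner has to rule out: a report that did not come from the hardware, a genuine report replayed from an earlier session, and genuine hardware running code that was never reviewed. Binding the enclave's public key into the signed report is what turns "the hardware attests some enclave runs this code" into "the key I am about to send can only be opened by that enclave".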
Besides user data privacy, confidential computing is a promising technology that can be used as part of a security system for securing AI model weights, particularly in the case of AI models with dangerous capabilities. This is detailed in RAND’s report "Securing AI Model Weights: Preventing Theft and Misuse of Frontier Models”, co-authored by Pattern Labs CEO, Dan Lahav.
This report defines five security levels for protecting advanced AI models; the two highest security levels (SL4 and SL5) are designed to protect against highly sophisticated threat actors, including nation-states, and are recommended for models with dangerous capabilities where weight theft poses significant risks. For models requiring SL4 or SL5 protection, the report strongly recommends using confidential computing technologies when available.
Our newly published whitepaper on confidential inference systems goes beyond the brief directions given in RAND's report and details the design principles involved in implementing the inference service of an AI model whose weights are protected by confidential computing technologies.
As AI systems become more capable and handle increasingly sensitive tasks, the security mechanisms protecting them must evolve accordingly. This research represents a critical step toward a future where powerful AI models can be deployed with cryptographic security guarantees, protecting both the intellectual property of model creators and the privacy of end users.
We're proud to contribute this foundational work to the AI security community and look forward to continued collaboration with Anthropic and other frontier labs as we collectively build more secure AI systems.
Read the full report: Confidential Inference Systems: Design principles and security risks
@misc{pl-confidential2025,
  title={Pattern Labs and Anthropic Publish Whitepaper on Confidential AI Inference Systems},
  author={Pattern Labs},
  year={2025},
  howpublished={\url{https://patternlabs.co/blog/confidential-inference-systems}},
}