MICKAI
Article · 4 July 2026

Attestation-Gated Keys Are Clever. They Still Do Not Own the Building

Attestation-gated key release proves the state of a machine. It does not change whose machine it is, and that gap is structural.

Attestation-Gated Keys Are Clever. They Still Do Not Own the Building
Author
Micky Irons
Published
4 July 2026
Follow Micky Irons
LinkedInX
confidential computingattestationAI securitysovereign AIconfidential GPU

Confidential computing had a very good 2026. NVIDIA shipped confidential GPUs across Hopper, Blackwell, and now Rubin, with encrypted VRAM and a hardware root of trust that actually holds up under inspection. Intel TDX and AMD SEV-SNP matured into production trust domains. NVIDIA's Remote Attestation Service (NRAS) turned attestation from a research demo into an operational gate: your key only gets released once the platform proves, cryptographically, that it is running the firmware and measurements you expected. If it lies, the key stays locked. That is a real control, and we want to say so plainly before we say anything else.

We are Mickai, a Sovereign Intelligence Operating System that regulated organisations own and run inside their own walls. We have every commercial reason to wave confidential computing away. We are not going to, because pretending a serious control is not serious is how you lose the trust of the one audience that matters here: the security architect who has already read the whitepapers.

What attestation-gated key release actually buys you

The mechanism is elegant. A workload boots inside an encrypted enclave (a TDX trust domain, an SEV-SNP guest, a confidential GPU context). The hardware measures the firmware, the guest image, and the accelerator state, and signs those measurements with a key rooted in the silicon vendor's certificate chain. Your key-release service, NRAS or your own verifier, checks that quote against a known-good policy. Only on a pass does the decryption key reach the enclave. Memory, including VRAM, is encrypted at rest and in use, so a memory-dump attack from outside the enclave yields ciphertext.

For most cloud-AI threat models this genuinely raises the floor. A curious co-tenant cannot read your model weights out of shared memory. A compromised hypervisor cannot silently swap your image without breaking the measurement. A patched-but-untrusted driver stack fails the attestation and never sees the key. If your concern is a noisy-neighbour breach or a run-of-the-mill infrastructure compromise, confidential computing meaningfully shrinks the attack surface. We build attestation into Mickai for exactly these reasons, so this is not grudging respect. It is the same primitive, used well.

Where it stops: the host trust boundary

Here is the honest limit, and it is structural, not a bug. Attestation proves the state of a machine. It does not change whose machine it is.

When a confidential VM attests in a hyperscaler region, the verifier you are ultimately trusting is the cloud provider's and the silicon vendor's. The root of trust is the provider's platform, provisioned by the provider's supply chain, patched on the provider's schedule, and physically resident in the provider's building. Attestation gives you a strong statement of the form "this is the firmware and image you asked for." It cannot give you a statement of the form "no one with lawful or physical access to this datacentre can ever compel, coerce, or reconfigure the trust anchor." Those are different guarantees, and only one of them is cryptographic.

This is the point the marketing tends to blur. Confidential computing narrows the technical insider-threat surface. It does not dissolve the jurisdictional and operational trust you are placing in the party that owns the hardware. As Micky Irons, our founder and CEO, has put it: the sharpest risk in AI infrastructure is not a stranger on the internet, it is a privileged insider at the hyperscaler, and no key-release policy running on that hyperscaler's own root of trust can fully attest away the entity that controls the root.

Classical marble scene, Hestia, gold rim light on void black

Three gaps attestation-gated keys leave open

Be specific, because architects deserve specifics.

The host trust boundary. Your attestation is only as sovereign as the verifier and the key-release authority. If both sit inside the provider you are trying to constrain, you have improved the control without relocating the trust anchor. You are still asking the landlord to certify the safe.

Provider jurisdiction. Encrypted VRAM does not answer a lawful-access request, a change of terms, a regional outage, or a government order served on the operator. Data-residency and sovereignty regimes care about who can be compelled, and a confidential VM in someone else's estate remains subject to their governing law and their operator obligations.

Operational access. Firmware updates, attestation-policy definitions, certificate revocation, and break-glass procedures are all operated by the platform owner. The measured-boot chain is trustworthy precisely because the owner curates the known-good values. That curation is a standing operational dependency on the very party the sovereignty question is about.

None of these is a reason to abandon confidential computing. They are the reasons attestation is a component of sovereignty, not a substitute for it.

What owned attestation completes

Mickai's position is not "confidential computing is wrong." It is "confidential computing finishes the job only when you own the root." When the organisation owns and runs the SIOS inside its own walls, air-gapped where the workload demands it, the verifier, the key-release authority, and the physical trust anchor all sit on the organisation's side of the boundary. The same attestation primitives now attest a machine you provision, in your building, under your jurisdiction. Every action Mickai takes carries a cryptographically-signed audit record, so attestation is not a one-time boot gate but a continuous, owned ledger of what the system did.

That is the difference between renting a very good safe in someone else's vault and owning the vault. The lock can be identical. The building is not.

Our patent estate reflects this design directly: 104 filed UK patent applications spanning roughly 2,340 claims across 13 families, with named inventor Mickarle Wagstaff-Irons, building toward examination and grant, cover owned attestation, signed-audit provenance, and sovereign key custody as an integrated system rather than a bolt-on to rented infrastructure.

Classical marble scene, Hestia, gold rim light on void black

The honest market picture

We will not tell you that regulation bars you from the cloud. It mostly does not. DORA, the FCA and PRA regimes, the EBA guidelines, the NHS DSP Toolkit, and GDPR all permit cloud with the right controls, and confidential computing is one of those controls done well. The genuine no-cloud bar is workload-level: classified material at SECRET and above, ITAR-controlled data, isolated OT and SCADA environments, and cases where a data-protection impact assessment comes back negative.

For everyone else the driver is preference, not prohibition: control over the trust anchor, cost predictability, and the elimination of data-exfiltration paths you cannot fully audit. That preference addresses a register-backed sovereign market of roughly 16,092 UK and EU institutions (7,933 regulated core plus 8,159 large-private adjacency), against an enterprise-AI-platform software TAM that Verdantix sizes from USD 13bn in 2024 to USD 50.3bn by 2030, about £11.7bn to £39.7bn. Confidential computing and owned sovereignty are not competitors for that market. They are the same escalator, one step apart.

The takeaway

Attestation-gated keys are clever, and we mean that as a compliment. They prove the state of a machine and keep your key locked when the state is wrong. What they cannot do is change whose machine it is. If your threat model tops out at co-tenants and infrastructure compromise, confidential computing may be enough. If it includes the operator, the jurisdiction, and the privileged insider with lawful access to the building, you need the root of trust on your side of the wall. That is what owning the attestation completes, and it is what Mickai is built to be.

Frequently asked questions

Does confidential computing make cloud AI as secure as on-premise?

For a narrow threat model, close. Encrypted VRAM and attestation-gated key release defeat co-tenant memory reads and untrusted-hypervisor tampering. What they do not defeat is trust in the operator who owns the root of trust and the verifier. On-premise, or an owned SIOS, moves that root to your side of the boundary. The cryptography can be identical; the ownership is not.

Is NRAS or vendor attestation enough for a sovereignty requirement?

Attestation is necessary but not sufficient. If the verifier and key-release authority live inside the provider you are trying to constrain, you have strengthened the control without relocating the trust anchor. Sovereignty requires that the attestation root, the key custody, and the physical hardware all sit under your jurisdiction and control.

Are regulated firms legally barred from using the cloud?

Almost never at the firm level. DORA, FCA and PRA rules, EBA guidelines, the NHS DSP Toolkit, and GDPR all permit cloud with appropriate controls. Genuine no-cloud bars are workload-specific: classified data, ITAR, isolated OT and SCADA, or a negative data-protection impact assessment. Most demand for sovereignty is preference, not prohibition.

How does Mickai use attestation differently?

We use the same hardware attestation primitives, but the organisation owns and runs the SIOS inside its own walls, so the verifier, the key-release authority, and the physical trust anchor all sit on the customer's side. Attestation becomes continuous and owned, backed by a cryptographically-signed audit record on every action, rather than a boot-time gate operated by a third party. See our related writing on the insider-threat-at-the-hyperscaler problem and on sovereign key custody for how the pieces fit together.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/confidential-computing-attestation-gated-keys-the-cloud-answer-and-its-remaining-gap. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
4 Jul 2026
Alex Karp Is Right: You Are Paying For Tokens You Cannot Audit
Alex Karp said hosted-AI vendors capture your data and bill you for unproductive tokens that create no value. He is right. We built Mickai so regulated organisations own the substrate instead of renting it, with a signed audit record on every action.
4 Jul 2026
The EU Just Pushed High-Risk AI to December 2027. Here Is What We Are Building Instead of Waiting
The Digital Omnibus provisional agreement moves the EU AI Act high-risk deadlines from August 2026 to December 2027. Most coverage frames the delay as relief. We frame it as the window to own your compliance stack outright, so you are compliant on day one in 2027 instead of retrofitting logging, oversight and traceability under a live deadline.
4 Jul 2026
Article 50 Lands in August: Machine-Detectable AI Provenance, and Why We Sign It At Source
Article 50 makes synthetic content machine-detectable from 2 August 2026, and the draft Code of Practice names C2PA as the route. We bind Content Credentials to the cryptographically-signed audit record Mickai writes on every action, so provenance is produced at source inside your own walls, not bolted onto a cloud API afterward.
4 Jul 2026
Under Oath, They Said They Could Not Say No. That Sentence Is the Whole Market
Microsoft France told the French Senate under oath that it cannot guarantee European data will never reach US authorities under the CLOUD Act, even inside a French sovereign region. We think that single sentence defines the market. Sovereign cloud is a real engineering improvement, but while the parent is US-domiciled the legal gap stays open. The only structure where the answer to a foreign subpoena is genuinely no is one you own and run inside your own walls.