
// AI Lessons

How to Tell Whether Your AI Tool Actually Keeps Your Data Confidential

The three states of your data, the enclave that protects the one that matters, and a 5-step gut-check you can run today.

So a few weeks ago I watched someone in a workshop paste a full customer list — names, emails, deal sizes — into a chatbot to "clean it up real quick." Nobody flinched. And I get it. The box is right there; it's friendly, and it answers fast. It feels like talking to a coworker.

Here's the thing nobody tells you: that chatbot isn't a coworker who can keep a secret, and "private mode" doesn't mean what you think it means. I spent years assuming the little settings toggle was the whole story. It isn't. There's a category of technology — confidential AI — that's becoming the difference between trusting a vendor with your data and proving it was never exposed. Today I'll teach you the distinction and give you a five-step gut-check you can run on any AI tool before you paste into it again.

If that sounds abstract, you're already carrying the biggest example in your pocket. With Apple Intelligence, the heavier requests don't run on your phone — they go to Apple's Private Cloud Compute, servers built so your data is processed inside sealed hardware that even Apple can't read, with a public way for researchers to verify the claim rather than take it on faith. At WWDC 2026 Apple extended it onto Google Cloud with Intel and NVIDIA — the biggest real-world deployment of confidential computing yet, shipped to hundreds of millions of pockets. That's the bar, and this lesson is about asking whether every other AI tool you use clears it.

Learn the three states of your data before you trust any AI with it

// The Takeaway: Your data lives in three states — in transit (moving over the network), at rest (sitting on a disk), and in use (decrypted in memory while the model processes it). The first two have been encrypted for years. The third — in use — is the gap, and it's the one that matters when you hand a prompt to AI. "Confidential AI" closes that gap with hardware that locks your data in a sealed enclave even the cloud provider can't read. Opting out of training is a useful privacy setting, but it's not the same thing. Tell them apart and you'll stop confusing "they promised not to look" with "they can't look."

Run the five-step audit below on your main AI tool today. Fifteen minutes. Works on any plan. Just your settings page and a vendor policy.

Think about how the web grew up. In 1999, nobody asked where their data went when they typed it into a website. By 2005, normal people looked for the little padlock in the address bar before entering their credit card details. The padlock didn't make a site trustworthy — it gave you a way to verify the connection was sealed. Confidential AI is that padlock moment for the AI era, and we're early: this kind of shift tends to arrive slower than the hype, then become the default faster than anyone expects.

The real shift: Privacy used to be a promise written in a policy. Confidential computing turns it into a property you can check. The question stops being "do I trust them?" and becomes "can they prove it?"

Understand what "in use" exposure actually means

Encryption in transit (the padlock) and encryption at rest (your disk) are solved problems. The hard part is the middle: to run your prompt, the model has to decrypt your data into memory and compute on it. In that moment, the data sits there in plain form — and historically, anyone with deep enough access to the machine (the OS, the hypervisor, a cloud provider's admin) could in principle read it.

Confidential computing fixes this with two hardware features. First, a trusted execution environment — a TEE, or "enclave" — a sealed region of the chip where data stays encrypted in memory and is only decrypted inside the processor itself, walled off from the OS, the hypervisor, and even the cloud provider's root admins. Second, remote attestation — the hardware generates a signed cryptographic report proving it's a genuine enclave running exactly the code you expect. That report is your receipt: the part you can't fake, and the part a regular chatbot doesn't give you.

Every major chipmaker and cloud now offers a version: Intel SGX, AMD SEV, AWS Nitro Enclaves, Google Confidential VMs, and Azure's confidential GPU VMs on NVIDIA H100s, where prompts and completions stay encrypted even between CPU and GPU.

Confidential AI isn't a cure-all, though. It closes the in-use gap, but it adds cost and complexity, it's still maturing for the very largest models, and it does nothing about an authorized user pasting data they shouldn't. It protects the data — not the judgment behind the paste.

Don't mistake "we won't train on your data" for a confidentiality claim

This trips up almost everyone, so let's be precise. When you flip "don't use my chats for training" off in ChatGPT or Claude, you're telling the vendor not to reuse your data later. Good. Do it. But that's a policy setting governed by the terms of service — it says nothing about whether your data was decrypted in plain memory on a machine you don't control while the model ran. Those are two different protections. One is a promise about the future; the other is a property of the hardware right now. A consumer chatbot gives you the first. Confidential AI gives you the second.

Run the five-step confidentiality gut-check

Do this on whatever AI tool you use most. It takes about fifteen minutes.

  1. Name the three states. Ask: for this tool, is my data encrypted in transit (almost certainly yes), at rest (probably yes), and in use (almost certainly no for a consumer chatbot)? If you can't answer the third one, assume it's exposed.

  2. Read what the tool actually promises. Find the data or privacy policy and look for two separate things: a line about training ("we do not train on your data") and a line about processing ("data encrypted in use," "trusted execution environment," "confidential computing"). Most consumer tools have the first and not the second.

  3. Run the receipt test. Ask — or check the docs for — whether the vendor can produce an attestation: cryptographic proof the workload ran in a sealed enclave. Enterprise confidential-inferencing offerings can. Your free chatbot can't. No receipt, no proof.

  4. Classify before you paste. Tag the data Green (public — fine anywhere), Yellow (internal — only in a tool with a contract that prohibits training), or Red (regulated, customer PII, anything under NDA — never in a consumer tool, full stop).

  5. Match the tier to the data. Green goes anywhere. Yellow needs at least a business/enterprise tier with contractual protection. Red needs confidential AI — an enclave you can verify, or it stays out of the chatbot entirely.
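To make the "receipt" from the enclave section and steps 3 and 5 concrete, here is an added example (my own illustration, not code from the original lesson, from Apple, or from any chip or cloud vendor). It models attestation with a deliberately small report format: a hash of the code the enclave runs, a verifier-chosen nonce, and an Ed25519 signature standing in for the chip's attestation key. Real SGX, SEV or Nitro reports carry many more fields and chain to the vendor's certificates, so the `Report`, `Attest`, `VerifyReport`, `Tool` and `MayPaste` names, the "model-server v1" code blob and the Green/Yellow/Red tiers are all assumptions constructed for the example. What it shows is the part the text calls the receipt test: a report only passes if it is signed by a key you trust, echoes the nonce you just chose (so it can't be replayed), and names the code you expected, and Red data is released only to a tool whose receipt actually verifies, never on the strength of a policy promise.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a toy attestation report constructed for this example; real report formats differ.
type Report struct {
	Measurement [32]byte // SHA-256 of the code the enclave is running
	Nonce       [16]byte // verifier-chosen freshness value echoed back
	Signature   []byte   // made with the enclave's attestation key
}

func (r Report) signedBytes() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...)
}

// Attest stands in for the hardware: it hashes the code it runs, binds the
// caller's nonce, and signs the result with the attestation private key.
func Attest(attestKey ed25519.PrivateKey, code []byte, nonce [16]byte) Report {
	r := Report{Measurement: sha256.Sum256(code), Nonce: nonce}
	r.Signature = ed25519.Sign(attestKey, r.signedBytes())
	return r
}

// VerifyReport is the receipt test: genuine signer, fresh nonce, expected code.
func VerifyReport(r Report, trustedKey ed25519.PublicKey, expected [32]byte, nonce [16]byte) error {
	if !ed25519.Verify(trustedKey, r.signedBytes(), r.Signature) {
		return errors.New("signature invalid: not signed by a trusted enclave key")
	}
	if r.Nonce != nonce {
		return errors.New("nonce mismatch: report is stale or replayed")
	}
	if r.Measurement != expected {
		return errors.New("measurement mismatch: enclave is running unexpected code")
	}
	return nil
}

// Tier is the step-4 classification of the data you are about to paste.
type Tier int

const (
	Green  Tier = iota // public
	Yellow             // internal
	Red                // regulated, customer PII, under NDA
)

// Tool records what a vendor can actually show you (steps 2 and 3).
type Tool struct {
	Name                      string
	ContractProhibitsTraining bool    // the policy promise
	Attestation               *Report // nil: the vendor cannot produce a receipt
}

// MayPaste applies step 5. Yellow is satisfied by a contract; Red is satisfied
// only by a receipt that verifies against the key and measurement you expect.
func MayPaste(data Tier, t Tool, trustedKey ed25519.PublicKey, expected [32]byte, nonce [16]byte) (bool, string) {
	switch data {
	case Green:
		return true, "public data: fine anywhere"
	case Yellow:
		if t.ContractProhibitsTraining {
			return true, "internal data: contract prohibits training"
		}
		return false, "internal data: no contractual protection"
	default:
		if t.Attestation == nil {
			return false, "regulated data: vendor offers no attestation"
		}
		if err := VerifyReport(*t.Attestation, trustedKey, expected, nonce); err != nil {
			return false, "regulated data: " + err.Error()
		}
		return true, "regulated data: enclave verified"
	}
}

func main() {
	// Constructed setup: a key pair for the "enclave" and the code it runs.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	code := []byte("model-server v1")
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	rep := Attest(priv, code, nonce)
	tools := []Tool{
		{Name: "consumer chatbot"},
		{Name: "confidential inference", ContractProhibitsTraining: true, Attestation: &rep},
	}
	for _, t := range tools {
		ok, why := MayPaste(Red, t, pub, sha256.Sum256(code), nonce)
		fmt.Printf("%-24s Red -> %-5v %s\n", t.Name, ok, why)
	}
}
```

The design point is the order of the checks in `VerifyReport`: the signature is checked before anything else, because a measurement or nonce you read out of an unsigned report tells you nothing. The nonce is what makes the receipt yours rather than a recording of someone else's session, and the measurement is what ties "a genuine enclave" to "the code I expected", which is the claim a settings toggle never makes.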

Bonus: do the same check on the AI baked into your other apps

The tools quietly adding AI — your CRM, your note-taker, your meeting transcriber — deserve the same five questions. An AI feature inside an app you already trust isn't automatically as protected as the app's core data. Run step 2 on each: does the AI add-on inherit the app's protections, or did you route your meeting transcripts through a third-party model under different terms? Check before you assume.

See it for yourself without building anything

None of these are endorsements — I'm pointing to the category, not picking your vendor. The lowest-lift way to experience what verifiable confidentiality is like is a confidential AI chat service you can open in a browser. NEAR AI runs inference inside trusted execution environments and lets you check the attestation yourself, so no one — not the cloud, not the model provider, not NEAR — can see your prompt. Privatemode AI offers an encrypted chat app and an OpenAI-compatible API with runtime encryption, and Tinfoil runs models in secure enclaves with client-side verification you can inspect. For the whole field rather than any one name, the vendor-neutral Confidential Computing Consortium keeps a public member directory. Try one with a Yellow-tier task, ask for its attestation, and the receipt test will click faster than any explanation here can.

Why this matters this week

Two things are forcing the issue. Gartner named confidential computing one of its Top 10 Strategic Technology Trends for 2026 and projects that by 2029, more than 75% of operations processed in untrusted infrastructure will be secured in use. And in United States v. Heppner, a federal judge held that documents a defendant created with a public AI tool weren't protected by attorney-client privilege or the work-product doctrine — standard AI privacy policies, the court found, leave no reasonable expectation of confidentiality. So your settings and tool choices aren't a backstop. They're the front line.

Tomorrow in AI Advantage, I'll give you the five-minute version of step 5: the exact clicks to lock down your privacy settings in Claude, ChatGPT, and the other tools you already use. Today you learned to see the gap. Tomorrow you close it.

Your AI Sherpa,

Mark R. Hinkle
Founding Publisher, The AIE Network
Follow me on LinkedIn

If you want to get in contact or give me feedback, reply to this email. I read every single one of them.
