[2605.03213] When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

Computer Science > Cryptography and Security arXiv:2605.03213 (cs) [Submitted on 4 May 2026 (v1), last revised 7 May 2026 (this version, v2)] Title:When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI Authors:Javad Forough, Marios Kogias, Hamed Haddadi View a PDF of the paper titled When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI, by Javad Forough and 2 other authors View PDF HTML (experimental) Abstract:Agentic AI systems, specifically LLM-driven agents that plan, invoke tools, maintain persistent memory, and delegate tasks to peer agents via protocols such as MCP and A2A, introduce a threat surface that differs materially from standalone model inference. Agents accumulate sensitive context, hold credentials, and operate across pipelines no single party fully controls, enabling prompt injection, context exfiltration, credential theft, and inter-agent message poisoning. Current defenses operate entirely within the software stack and can be silently bypassed by a sufficiently privileged adversary such as a compromised cloud operator. Confidential computing (CC) offers a hardware-rooted alternative: Trusted Execution Environments (TEEs) isolate agent code and data from privileged system software, while remote attestation enables verifiable trust across distributed deployments. This survey synthesizes the design space in four parts: (i) a unified taxonomy of six TEE platforms (Intel SGX, Intel TDX, AMD SEV-SNP, ARM TrustZ...