Apple and NVIDIA Partner on Apple’s Third Generation of Private Cloud Compute: Can Confidential Computing Fix AI’s PR Problems?

Announced on June 8 at Apple’s annual Worldwide Developers Conference (WWDC) 2026, Apple is securing the next generation of Apple Intelligence via NVIDIA Blackwell Graphics Processing Units (GPUs), deploying its Apple Private Cloud Compute (PCC) using the confidential compute horsepower provisioned through those NVIDIA’s GPUs and Google Cloud infrastructure. The third generation of Apple Foundation Models (AFM) constitutes a family of five on-device and server-based models, distilling from Google’s Gemini knowledge into smaller, optimized models, custom-built for Apple silicon in collaboration with Google.

Of those five models, its most proficient, server-based ADM 3 Cloud Pro model—purpose-built for multi-step, data hungry, and computationally demanding use cases like complex reasoning and Agentic Artificial Intelligence (AI)—will rely on third-party data center infrastructure (i.e., Google Cloud infrastructure) and NVIDIA’s GPUs, enhanced with integrated confidential compute capabilities. In a nutshell, this means that AI workloads and data are processed within hardware-based Trusted Execution Environments (TEEs), with all of the computations that are performed on that data completed within the TEE. Attestations are then used to cryptographically verify the integrity of those environments’ isolation and absence of data tampering, relying on both the trusted hardware component and associated firmware to execute the attestation process.

When it comes to Apple Intelligence, the security impact of this partnership is fourfold:

1. Silicon-level trust in the protection of AI data and workloads
2. Encryption of data in motion
3. Remote cryptographic verification of hardware-backed protection
4. Support for highly performant, yet performance-sensitive workloads on GPUs for AI applications, rather than Central Processing Units (CPUs)

From a cost and resources point of view, Apple saves on building out proprietary servers based exclusively on Apple silicon, leveraging existing cloud infrastructure. Meanwhile, from an efficiency perspective, running on NVIDIA Blackwells is set to bring strong performance enhancements for Apple PCC. Yet, beyond the prospective benefits for Apple’s ADM 3 Cloud Pro model, the collaboration reflects a shift from Apple’s previous strategy of running only on Apple Silicon, indicative of growing demands for increased trust, sovereignty promises, and security within the broader AI marketspace. AI workloads and deployments are battling a Public Relations (PR) crisis when it comes to security, with technological advancements like the explosion of Agentic AI or the launch of Anthropic’s Mythos serving as a paradigmatic example of the prospective threat posed by advanced AI models.

Apple’s announcement of both on-device and cloud-based processing within its AFM demonstrates the explosive growth of the AI model market and commensurately rising security and privacy needs to accompany server-side inference in high-performant AI applications. Over the last 2 years, confidential computing has increasingly been propositioned as the security solution to these security, privacy, and sovereignty demands, reflecting a transition toward remotely deploying TEEs on shared, public infrastructure and deploying confidential computing in the back-end, away from the traditional use of TEEs within user (e.g., handheld devices like smartphones) or Internet of Things (IoT) devices. Thus, Apple’s recent partnership is aligned with ongoing market movements from similar players. For example, Huawei Cloud also just launched an AI confidential computing solution and Confidential AI is increasingly a cornerstone of sovereign “AI factories” from players like NVIDIA and Fortanix.

However, at the same time, the partnership has the potential to introduce new privacy concerns. The end-to-end encryption and on-device processing protection that Apple is renowned for does not apply under this new partnership and, given that full stack control has been a longstanding pillar to Apple’s market allure, the move to Google Cloud and NVIDIA processors represents a compromise in its core privacy strategy that may alienate some of its prospective customer base. Simultaneously, despite confidential computing’s promises, it is not a silver bullet and remains susceptible to basic physical attacks (e.g., cold Dynamic Random-Access Memory (DRAM) extraction, plugging of attack devices into an existing port, bus and cache monitoring) and side-channel attacks that compromise hardware integrity.

Confidential computing is dealing with its own PR issues in terms of exposure and awareness. A technology that is traditionally rooted in on-device protection, the expansion of confidential computing into cloud and remote applications remains a fairly new development in its narrative. While AI presents a greenfield opportunity for this Privacy Enhancing Technology (PET) that has been searching for the right use case, before confidential computing can fix the PR crisis presented by AI model security, much remains to be done to get its own house in order. 

Distrust and rampant security issues continue to swirl around AI deployments and confidential computing certainly has a critical role to play in allaying government and consumer concerns. However, refining the messaging surrounding that role and approach to integrating will be critical to gaining sufficient buy-in. Confidential computing—like much of cryptographic and hardware-orientated security—simultaneously suffers from both image and education problems and much of the public does not understand how it works or does not care to understand how it works, or both. Avoiding the invincibility myth will be the first crucial step in building awareness and understanding of how confidential compute works, while also securing user trust. AI’s proliferation not only at the government or technological expert level, but in end and consumer markets and within everyday usage means that its securitization measures must also be a part of layman lexicon and comprehension.

Confidential computing is breaking into the mainstream, with dedicated events like the Confidential Computing Summit becoming a part of technology leaders’ conference calendars, but more needs to be done to bring it to the C-suite, beyond the tech experts. The work of the Confidential Computing Consortium is a boon for this PET in this regard and indicative of the necessarily collaborative effort that confidential compute is grounded in, as also reflected in Apple, Google, and NVIDIA’s partnership. Making collaboration a key part of confidential computing messaging is also well-aligned with the overarching collaborative story that is increasingly defining AI security as a whole, as demonstrated by Anthropic Mythos and Project Glasswing. Yet, the June 12 announcement that Anthropic has cut access to its Claude Fable 5 (a version of its Mythos model) to foreign nationals on the back of an export control directive from the U.S. Department of Commerce exemplifies the need to imbue collaborative efforts with a sovereignty-orientated perspective. Full-scale AI deployment calls for sovereignty not only from a data protection and privacy perspective, but also from a data access perspective based on the risk of a government-ordered kill-switch.

Given that the weight of contractual promises from hyperscalers to protect cloud data is continually contested by customers and governments, confidential computing provides one of the strongest technical assurances of data sovereignty. Further, given existing education gaps, tying confidential computing to practical use cases where it acts as an enabling technology is critical to its messaging success. Thus, combining the security promises of confidential compute—as reflected in the Apple X NVIDIA announcement—with sovereignty will help bolster confidential computing’s growing visibility in a way that appeals to the mainstream and rides on the back of high-profile news items.