That effort runs through the Confidential Computing Consortium, the Linux Foundation community where competing companies collaborate on shared infrastructure problems. The consortium is not trying to become a registry of trusted agents, Bursell added, but rather a place where companies can develop frameworks, best practices, and, equally important, antipatterns.
Identity drew some of the strongest interest at this week’s event. Pawan Khandavilli, senior product manager at Microsoft, pointed to agent payment initiatives from Visa, Mastercard, and Google, the FIDO Alliance’s emerging agent work, SPIFFE workload identities, and RFC 8693 token exchange. The pieces already exist, Khandavilli argued, but “the vocabulary is fragmented.” The challenge now is connecting those identity systems to hardware-backed attestation rather than relying solely on software trust.
The attack surface below the attestation
Hardware-isolated environments are only as secure as the shared substrates beneath them. Zvonko Kaiser, principal systems engineer at NVIDIA, argued that attestation protects the trusted execution environment itself but does not eliminate risks in the shared substrates underneath. The processor cache sits below every isolation boundary, and a 2026 technique called TDXRay demonstrated how information could be observed across virtual machine boundaries. No layer above the cache, Kaiser argued, can completely hide what the cache itself sees.
