Why the Need for Private AI
On July 1st, Palantir CEO Alex Karp contributed a 20-minute interview on CNBC that some media outlets dubbed a "mental breakdown." According to Karp, companies are paying a token premium to front edge labs, all while watching their IP flow to model vendors. He referred to this leakage as an alpha transfer, with the transfer happening at the architecture level: every request sent to a closed-source model arrives in plaintext at the vendor's servers. Just days before the show aired, Palantir had announced a collaboration with NVIDIA to run an open-sourced Nemotron model in a customer-controlled environment, accompanied by a nine-point AI sovereignty declaration. Following the CNBC segment, PLTR surged 8%.
For the past twenty years, enterprises have relied on protocol-level trust in adopting cloud software, and it has worked. Each SaaS vendor only sees a slice of enterprise data, with most having little incentive to feed customer data back into their core products. Salesforce sees the sales channel, Workday sees HR, Jira sees development iterations, and AWS provides the foundation for storage and computing. However, today's AI workflows advocate for a one-time upload of all assets, along with threading structured context across departments for maximum productivity. Setting aside goodwill, upstream vendors can now take this data to create new features, rather than letting it sit idle on servers.
No one is slowing down, with Anthropic reaching an annualized revenue of $47 billion in May, a significant jump from the $9 billion at the end of 2025, while OpenAI surpassed 9 billion monthly active users in February. Both companies completed new rounds of financing this spring, with valuations approaching $1 trillion, and are expected to IPO at higher market values. Despite years of privacy and IP accusations, neither company has lost any momentum.
Some companies have already taken action. In February 2023, within less than three months of its release, major Wall Street banks had already restricted the use of ChatGPT. In May 2023, after Samsung engineers leaked chip source code into ChatGPT, the company instituted a complete ban on generative AI across its network. In response, OpenAI launched ChatGPT Enterprise in August of that year, pledging not to train using commercial data, along with a zero-data-retention (ZDR) protocol, which later became a standard requirement for enterprise procurement.
However, the contract only locked down the company account. By 2025, IBM found that Shadow AI (employees feeding company data into unauthorized AI tools through personal accounts) was involved in one-fifth of data breaches, with severe Shadow AI usage adding an average of $670,000 to the breach cost. In a 2025 survey by the security training company Anagram, 40% of employees stated they were willing to violate AI usage policies to expedite tasks.
Enterprises can at least buy their way out, with ZDR contracts, untrained service tiers, sovereign deployment for government or Palantir clientele. For common users like you and me, the importance of Privacy AI is still up for debate, until court subpoenas come knocking.
In a May 2025 court order, OpenAI was forced to retain even deleted consumer-grade chat logs, and in November, a judge ordered the handover of 20 million of these logs to lawyers for The New York Times as disclosure material. This was followed by criminal cases: ChatGPT records of the Palisades arson suspect entered evidence, and a deposition in a Florida double homicide case quoted the suspect's inquiries about body disposal. Sam Altman also admitted in a July 2025 interview that ChatGPT conversations are not protected by attorney-client privilege, and OpenAI could "potentially be required to hand over" user chat records in litigation.
The key point is not only criminals needing private conversations. Conversations between people and AI are archived, subpoena-able, a surveillance surface that most users are unaware of. A Kolmogorov Law survey of 1,000 American AI users in October 2025 found that 50% were unaware these conversations could be subpoenaed, while two-thirds believed these chats should receive protection equal to that of consulting a lawyer or doctor.
Self-hosted or models running in a verifiable environment are quickly catching up, but the strongest cohort still lags about 4 months behind cutting-edge closed-source models in general capability. This puts token-maximizing enterprises and individuals at a crossroads, either sacrificing months of model quality for privacy or continuing to upload sensitive material to Anthropic's servers, as competitors are exploiting this productivity advantage.
There is currently no perfect solution on the market, with reports outlining efforts from all sides to narrow the gap, observing how far advanced intelligence under privacy still has to travel to reach the hands of both enterprises and regular users.
Current State of Privacy
Privacy AI is not a monolithic engineering effort, but rather each mechanism in the market right now deals with the same event: a prompt leaving your device, traversing the network, landing on a machine running a model, and returning a response. The differences between mechanisms lie in where plaintext exists along this path, who can read it there, and what is relied upon to attest to the privacy of the response.
Protocol-Level Privacy
At this layer, someone other than you can read your plaintext prompt, and what happens next is all based on a promise.
· Contractual Zero-Knowledge is an enterprise-grade solution. The service provider knows who you are, processes your prompt, and commits to zero knowledge, enforced through contracts and reputation.
· Anonymous Proxy scrubs who you are but does not encrypt what you say, downstream service providers still handle plaintext according to their own policies. Terms vary, with proxies like Duck.ai (DuckDuckGo's chatbot product) negotiating deletion agreements with model makers, while Venice simply assumes that the service provider will retain everything, with neither side able to verify.
Every hop between machines runs over TLS, which only encrypts the pipeline; the receiving party can read all the information. Relays typically use Oblivious HTTP (RFC 9458) to split this knowledge, akin to passing notes through a friend. The friend knows who passed the note but cannot read the content; the recipient can read the content but does not know who wrote it. OHTTP has been an IETF standard since January 2024, and many companies are currently running production traffic on OHTTP relays leased from Cloudflare and Fastly.
This is also the privacy limit that can be achieved when accessing closed-source models, due to a math problem. The cost of a flagship training run today is on the order of billions of dollars, and the near-trillion-dollar valuations of these labs are staked on the exclusivity of model weights. As long as the disparity in model capabilities holds, so does the premium, which is why labs guard the weight files as state secrets.
Meta has been through this experiment passively. When LLaMA was released in February 2023, initially open only to researchers, in less than a week, the weights leaked in seed form to 4chan. A week later, llama.cpp allowed the smallest 7B model to locally respond on a MacBook, and three days later, Stanford fine-tuned a chat assistant Alpaca on the same model for less than $600. This leak drove down LLaMA's operating costs to the electricity bill; anyone with the file could run it at home. In July 2023, Meta officially open-sourced Llama 2 with a commercial license excluding 700 million monthly active users. The weights ran, and the premium followed suit.
Theoretically, a cutting-edge lab can provide attestation for closed-source model inference, but attestation can only prove which segment of the code read the prompt, not what that code did with it. To determine if a server has retained data, we need to audit the serving code and refactor it to match the hash reported by the hardware. However, once the serving code is relinquished, the lab also gives up the batch processing and caching techniques that underpin profit margins, and these techniques will migrate to every future generation of models. Apple and Meta can provide remote attestation for the iPhone and the service stack behind WhatsApp because their profits come from devices and advertising, making the disclosure of service code almost costless.
This is why the weights of flagship models and the service code do not end up in the hands of external operators. Without external operators, there is no third-party attestation, and without attestation, verifiable privacy only exists above open-source models.
Structural Privacy
Each mechanism in this category replaces trust assumptions with hardware-, cryptography-, or physics-based proofs, but each comes with a different cost for privacy enhancement, primarily because they can only run open-source models.
· TEE (Trusted Execution Environment) Confidential Computing places inference inside a hardware enclave (a sealed chamber on the chip that even the machine operator cannot open), and the chip will sign an attestation specifying which model and which code was executed.
· The prompt is only sealed at the endpoint. There remains a role with plaintext-reading capability on the path that passes through platform agents, with only the protocol preventing agent logging or leakage of transit content.
· E2EE (End-to-End Encryption) seals off readable relays. User devices encrypt the prompt with the enclave's key, and each hop in between carries a sealed envelope that only the enclave can open.
· Trust lies on the client side. The code responsible for encrypting the prompt and validating the attestation also has the ability to revoke this assurance. Therefore, verifiable E2EE requires both attested enclaves and open, reproducible client-side code.
· Compared to TEE's simplicity, E2EE incurs an engineering burden, which also slows down feature integration. E2EE transforms agents into blind conduits, so all functions that rely on plaintext must be rebuilt around client keys or only within the enclave.
· Fully Homomorphic Encryption (FHE, and a variant of MPC) simply eliminates the trusted party. The server performs calculations on the ciphertext in a locked box that it can never open, with the key only in your hands, while Multi-Party Computation (MPC) splits the prompt into secret shares distributed among multiple parties, achieving the same effect unless all parties collude.
· The trade-off is speed. FHE natively only handles addition and multiplication, so the non-linear steps required for a transformer's operation are rebuilt at a high cost. The inference cost on ciphertext is 10,000 to 100,000 times that of plaintext, with each token on a small model taking seconds to minutes, compared to milliseconds without encryption.
· Custom chips for encrypted computation are expected to narrow the gap, but the first prototype is only set to demonstrate in early 2026, with commercial versions still several years away.
· On-Device Inference completely eliminates this path. The model runs on your own hardware, without relays, servers, service providers, or verification requirements.
· The obvious trade-off is cost and model capabilities. The gpt-oss-120b scores about half of GLM-5.2 on the Artificial Analysis index but has a size of 65GB, exceeding the total VRAM of two current flagship gaming GPUs. The full-precision GLM-5.2 can only run on an 8-GPU data center node, costing over $300,000 just for the GPUs.
However, beyond these structural constraints, the cost of putting inference into enclaves is decreasing. In single-GPU inference, benchmark tests from enclave cloud service provider Phala show that the throughput loss in enclave mode with an H100 averages less than 7%, approaching zero on large models since the main cost is moving data into the chip rather than processing inside. For multi-GPU inference, NVIDIA's next-generation GPU Blackwell already supports direct encryption of inter-chip traffic, while the older H100 would need to bypass the CPU host with only one-seventh of the bandwidth to achieve the same effect. NVIDIA's in-house benchmark tests on Blackwell show that the throughput loss for the 397B model in enclave mode is less than 8%. With these advancements, the performance overhead of privacy-preserving inference itself is no longer a decisive constraint.
In fact, enclaves themselves hardly add any additional operating costs for operators. Every H100 after 2023 comes with enclave mode by default, with the additional cost being the throughput loss due to encryption, not extra chips. Currently, the rental price of a confidential H100 SKU on Azure is still $8.90 per hour, while non-enclave mode is $6.98, equivalent to a 27% premium on traditional cloud facilities. On the other hand, on operators specialized in offering enclaves like Phala, confidential mode H100s are being rented out starting at $3.80 per hour, lower than the price range of $3.99 to $4.29 for a Lambda regular SXM card. In hosted API solutions, NEAR AI's endpoints with attestation offer gpt-oss-120b at $0.15 per million token inputs and $0.55 per million token outputs, on par with Amazon Bedrock, Together, and Groq on the plaintext path. Even for models requiring parallel processing on multiple chips, NEAR AI's pricing on GLM 5.2 is identical to Fireworks and is 15% cheaper on inputs and 4% cheaper on outputs on the larger Kimi K2.6.
While these new privacy-preserving AI services may be engaging in profit-burning to grab market share (a move that would be valid for any growth-hungry company in the market), the structural trend is that the cost of privacy is decreasing for both consumers and operators.
How Does the Open-Source Model Win?
Despite performance overhead being reduced, there is still a visible gap between cutting-edge models and SOTA open-source models. An entity looking to maximize productivity and stay at the forefront still has to trust that cutting-edge labs will not misappropriate its IP.
The gap remains, but Bridgewater's AIA Labs and Thinking Machines provided a case study on June 30th: an openly trained model fine-tuned by expert annotations that outperformed cutting-edge models in both accuracy and cost.
In the study, the team fine-tuned Qwen3-235B on Tinker (Thinking Machines' managed fine-tuning API service). They first procured annotations from vendors, trained on this data for the initial round, and then re-annotated divergent samples by the company's investors. The training ran on Gradient-Recall Policy Optimization (GRPO) with three modifications: round-robin batching, Contextual Importance Sampling with Policy Optimization (CISPO) loss, and on-policy distillation to anchor the current optimal checkpoint and prevent the model from learning from weaker copies.
All tasks were drawn from the daily workflow of the investors: whether a news article is significant to C-suite-level investment professionals, whether a central bank document hints at the future direction of interest rates, and where a template phrase in a document or email should begin. Ratings came from an independent test set, where the cutting-edge model averaged around 50% on a simple prompt and only reached 78.2% even with expert prompts, falling below the investors' set 80% threshold. In contrast, the fine-tuned Qwen achieved 84.7%, which, by the original metric, translates to making 29.8% fewer mistakes than the cutting-edge best performer, with an inference cost 13.8 times lower.

This case demonstrates that the open-source model can prevail in terms of accuracy and cost, but the training process is still not private. The expert annotations used in the process are Bridgewater's proprietary data, passed through Tinker's third-party service, falling within the same trust level as the ZDR protocol. The fund also rented computing power, and the entire training ran on a machine it never controlled. For buyers who want this recipe but don't want to make a trust assumption, the options today are limited. Rent a bare GPU cluster, where the training process is readable to the cloud operator. Buying the cluster solves the data hosting issue, but costs soar.
The attestation-enabled route has just arrived. In March, Workshop Labs and Tinfoil released Silo, a post-training stack running in a Tinfoil enclave on a single 8-card node, with the key solely controlled by the customer. The enclave cost provided in the article shows that two hours of training took an extra 11 minutes, and this stack, by freezing the base weights and only training a small adapter on top of it, can accommodate a trillion-parameter model (Kimi K2 Thinking). The challenge is that reinforcement learning needs to move data back and forth between components, and data movement is precisely where the enclave cost lies.
Less than a month after Silo was released, Workshop Labs was acquired by Thinking Machines to run the components needed for a Bridgewater-style RL loop inside an enclave, all now under the same company.
Privacy at the Harness Layer
There is another issue looming over all private inference mechanisms. Each mechanism governs the path from the prompt to the model, while every external tool call initiated by the agent opens up a path that the inference layer cannot touch. The recent trend in harness engineering magnifies the problem exponentially, with every tool, memory store, and data source attached to the model being another destination that reads its own slice of the workflow in plaintext. The calendar server reads the schedule, the database server reads the query. Even a completely local agent still needs to pass the search term to the search engine in plaintext if it wants anything outside the training set, as the server cannot read plaintext to answer the question.
The mainstream solution still defaults to the protocol layer. Companies like Runlayer and MintMCP use a central gateway to control all tool traffic, masking personally identifiable information (PII) before it exits, determine which servers can receive the traffic, keep unreviewed ones out, and record the destination and content of each call for evidence. Even with these controls under independent audit (SOC 2), the tool servers still need to read plaintext queries to respond, their retention depends on their own retention policies, and they must be multiplied by every tool in the harness. Moreover, the gateway itself is an additional read-only trust-dependent dependency on the path, rather than verification.
The structural-level approach reached the middle layer. For example, Phala directly hosts the MCP server in the TEE, covering the wallet, code execution, and data source in the enclave. Users can verify privacy claims with an attestation, rather than trusting the operator. However, tools hosted in the TEE still ultimately expose queries in plaintext to the service provider; the enclave only encapsulates the messenger, not the destination.
Only a few destinations have learned to respond without reading, but only for structured queries. Apple provides Private Information Retrieval for the iPhone, allowing the phone number to be matched against a spam database without revealing the number. Microsoft has employed a similar approach for passwords in the Edge browser. MongoDB's Queryable Encryption allows the client to encrypt fields before they leave, enabling the server to perform equality and range matches based solely on the ciphertext.
However, for open-ended search, today's best solution still relies on trust, and verifiable encrypted search has not yet moved beyond the lab. Brave has pledged zero data retention on its own index of 40 billion pages (not Google's), but it still falls short at the protocol level. Exa has developed a neural index that embeds users' keywords into semantics and ranks results based on semantic matching, but the embedding process still starts in plaintext on Exa's servers. MIT's 2023 Tiptoe paper achieved sorting on 360 million web pages without exposing the query, but each search consumes a significant amount of server computing power, resulting in a gap in sorting quality compared to unencrypted search. Apple's 2024 Wally paper hides the real query among a pile of decoys, reducing communication costs by up to 31 times at most. However, this mathematical process only becomes cost-effective with millions of concurrent queries, a scale that no private search system has today.
Encrypted search is feasible, but both performance and price have not yet reached a commercially viable level.
Outlook
There is a growing demand for private AI. Venice AI recently surpassed 3.5 million registered users and a monthly throughput of 1.3 trillion tokens, followed by completing a new round of Series A equity financing valuing the company at $1 billion. Proton is its direct competitor, with its chat product Lumo exceeding 10 million users within a year. In terms of infrastructure, Phala currently runs an average of 2 to 3 billion tokens daily on OpenRouter. Duck.ai routes gpt-oss-120b and Gemma through Tinfoil's enclave, providing verifiable privacy outside the user agent. This is not even accounting for self-hosting, which is likely the largest avenue for private inferences since the model runs on one's hardware, leaving no usage traces.
However, placed in the mainstream AI frenzy, Privacy AI accounts for only a tiny fraction, and this gap only closes when cutting-edge labs intentionally cater to this demand. In May, Google's entire product line processed 32 trillion tokens; by this calculation, Venice's monthly throughput is roughly equivalent to 18 minutes of Google's. In November of last year, Google launched Private AI Compute (PAC), placing some Gemini-driven features inside a sealed TPU enclave isolated from the company itself, with the design independently audited by the NCC Group. However, the issue is that PAC only covers a few Pixel features such as personalized recommendations and recording summaries, not the Gemini applications used by hundreds of millions of users. Google dares to entrust the design to the auditing party because these features rely on device and advertising monetization, not on token sales.
The current hosting solutions are also not perfect. To obtain the highest privacy users through E2EE, one must rebuild the new feature in a place where the service provider cannot access. Private harnesses still rely on protocols at the service layer. For reasonably priced post-training, one must still trust third-party vendors to achieve the best fine-tuning results. Self-hosting to surpass all service providers in one go and run the most powerful open-source models locally might cost more than the house it's installed in.
Flaws aside, Private AI is already a real and affordable option, and the remaining gap is also narrowing. For the average consumer, on Lumo and Venice, open model private chats with a no-logs commitment come free of charge, while subscriptions to Venice or Tinfoil at $18 to $20 encapsulate the same chat into an enclave, making it no more expensive than a ChatGPT subscription. For enterprise workflows, attested endpoints are now cheaper than plain text pathways or even more so. Endpoint APIs with E2EE like NEAR can now bring encrypted contexts into enclaves, enabling features such as memory, file uploads, and custom commands to operate on top of E2EE today. As for attested post-training, NVIDIA's upcoming Vera Rubin NVL72 will expand confidential computation from Blackwell's 8-card node to a 72-card rack, making cutting-edge RL loops more viable without exposing IP.
However, the key value capture lies beyond these layers of price compression. Privacy is nearly free where it already exists, but it has not yet infiltrated mainstream agentic workflows. Operators focusing on enclave leasing hold a switch on a standard chip, not a moat, while protocol-level gateways compete with traditional middleware. The defensible ground is in the yet unresolved half of this report: the training loop locked inside enclaves, end-to-end sealed tool invocations, and search indexes with invisible terms. Whoever first achieves one of these will sell something that cannot be commoditized by any price war. For investors chasing Privacy AI, what should be bought is the gap, not that switch.
So, Trust or Verify? For tasks involving re-execution and a trusted agent, choose Trust, as each tool invocation already exposes the plaintext to an enclave’s leaky destination, and a cutting-edge model deserves its price tag in such a loop. As for the high-level thinking that distinguishes one company from its competitors, choose Verify. Strategy, planning, and judgment distilled from years of professional experience embody the very alpha in question. The path forward lies within a company’s self-controlled boundaries, fine-tuning open-source models with these proprietary insights. In a company’s alpha domain, expert-tuned open models have already outperformed the state-of-the-art in both accuracy and cost, while the infrastructure to construct it in a privacy-preserving environment is arriving node by node.
Welcome to join the official BlockBeats community:
Telegram Subscription Group: https://t.me/theblockbeats
Telegram Discussion Group: https://t.me/BlockBeats_App
Official Twitter Account: https://twitter.com/BlockBeatsAsia
