The Trust Stack: Why Confidential Computing Plus Sovereign AI Is the Infrastructure Category Nobody Has Built Yet

By Futurist Thomas Frey

The Intersection of Swiss Neutrality, Hardware-Level Privacy, and Regulated Industry Demand Is Pointing at a Multi-Billion Dollar Gap in the Global AI Infrastructure Market

The hyperscalers built for scale. Nobody has built for trust. That gap is now large enough to found a category on.

There is a conversation happening in the boardrooms of European banks, Gulf sovereign wealth funds, Asian healthcare ministries, and defense agencies on every continent, and it sounds roughly like this: we understand that AI is going to be central to our competitive position, our operational efficiency, and our national capability. We also understand that we cannot put our most sensitive data — patient records, financial positions, defense intelligence, proprietary models — into infrastructure we do not control, governed by laws we are not subject to, processed in facilities we cannot audit, by companies whose first obligation is to a foreign government’s legal process. We want the capability. We cannot accept the dependency. Tell us what to do.

Right now, nobody has a complete answer. That is the gap. And in infrastructure terms, an unanswered question at that scale and with that level of institutional demand is not a problem. It is a category waiting to be built.

What Confidential Computing Actually Changes

To understand why this moment is different from previous attempts to solve the sovereign AI problem, you have to understand what confidential computing does that conventional security architectures cannot.

Traditional approaches to data security protect data at rest — encrypted on disk — and in transit — encrypted over the network. The gap that has always existed, and that has always been the fundamental obstacle to regulated industries trusting cloud infrastructure with their most sensitive workloads, is data in use. When data is being processed — when an AI model is running inference on a patient’s medical record, when a financial model is analyzing a trading position, when a government system is processing classified information — it has historically had to be decrypted in memory to be processed. That decrypted state represents a window of exposure: to the cloud provider’s own systems, to their employees, to legal demands from their home government, and to any adversary who achieves access to the processing environment.

Confidential computing closes that window through hardware-level trusted execution environments — TEEs — that encrypt data even while it is being processed, creating a cryptographically isolated enclave where computation happens and whose contents are inaccessible even to the infrastructure provider operating the underlying hardware. Intel’s SGX, AMD’s SEV-SNP, and ARM’s TrustZone are the current implementations. NVIDIA’s H100 GPU now supports confidential computing natively, which means AI training and inference can happen inside a TEE for the first time at meaningful scale.

The implication is significant: for the first time, it is technically possible to run AI workloads on shared infrastructure — including hyperscaler cloud infrastructure — in a way that is cryptographically verifiable as private, even from the infrastructure operator. The cloud provider cannot see the data. Their government cannot compel access to it. The customer can verify this not through a contract or an audit but through cryptographic attestation — mathematical proof, not trust. That changes the conversation with every regulated industry on the planet.

Switzerland offers something hyperscalers cannot engineer alone: centuries of institutional trust, neutrality, and regulatory certainty for sovereign AI infrastructure.

Why Switzerland Is the Trust Anchor the Category Needs

Technical capability is necessary but not sufficient for a new infrastructure category aimed at the most risk-averse institutional customers in the world. Regulated industries do not buy technology. They buy certainty — regulatory certainty, legal certainty, political certainty, and the kind of reputational certainty that allows a CISO to explain to their board why a particular infrastructure decision was sound. For that, you need a jurisdiction.

Switzerland has been in the business of providing exactly this kind of institutional certainty for over two centuries, and its specific properties align with the requirements of a sovereign AI infrastructure category in ways that are not accidental and are not easily replicated elsewhere. Swiss political neutrality is constitutionally embedded and historically demonstrated — it has survived two world wars and the entire Cold War without being pulled into the gravitational field of any major power bloc. Swiss data protection law, updated in 2023 through the revised Federal Act on Data Protection, is substantively equivalent to GDPR while operating entirely outside EU jurisdiction — which matters for customers who need GDPR-equivalent protection without EU regulatory entanglement. FINMA, the Swiss financial regulator, has established frameworks for cloud adoption in financial services that are among the most sophisticated and internationally recognized in the world.

The Swiss federal government has additionally declared AI sovereignty a national strategic priority and is actively developing frameworks for sovereign AI infrastructure — not as a defensive posture but as an exportable product. A confidential computing infrastructure stack anchored in Swiss legal and regulatory frameworks does not merely provide technical privacy guarantees. It provides the institutional architecture that the most demanding regulated industry customers require before they will commit at scale. Swiss trust is not a brand asset. It is a compliance shortcut worth years of regulatory negotiation in every other jurisdiction.

The Exportable Architecture Opportunity

The category being described here is not a data center in Switzerland. It is an infrastructure architecture — a deployable stack combining confidential computing hardware, sovereign AI governance frameworks, Swiss legal anchoring, and hybrid deployment capability — that can be instantiated anywhere in the world for any regulated industry customer that requires it.

This is the piece of the puzzle that makes the opportunity compelling to US hyperscalers and infrastructure investors rather than simply to European institutions. The exportable architecture model means that a financial institution in Singapore, a healthcare system in the Gulf, a defense agency in Southeast Asia, or a government ministry in Latin America can deploy the same cryptographically verified, Swiss-trust-anchored, confidential-computing-enabled AI infrastructure in their own facility, their own sovereign cloud, or a hyperscaler region of their choosing — with consistent security guarantees, consistent legal frameworks, and consistent attestation mechanisms across all deployment environments.

The hybrid deployment architecture is the commercial key. Regulated industry customers do not operate in clean single-cloud environments. They have legacy on-premise systems, regulatory requirements that mandate local data residency, operational requirements that demand cloud elasticity, and political requirements that prohibit single-vendor dependency. An infrastructure category that works only in the cloud, or only on-premise, or only in Switzerland, addresses a fraction of the actual customer requirement. A hybrid architecture that delivers consistent confidential computing guarantees and consistent sovereign governance across on-premise, private cloud, and hyperscaler environments addresses the full requirement — and there is no current offering that does this comprehensively.

Hyperscalers already have the technology. What’s missing is a sovereign AI infrastructure category trusted enough for governments, healthcare, finance, and defense.

What Makes This Compelling to Hyperscalers Right Now

The major US cloud providers have confidential computing capabilities. AWS has Nitro Enclaves. Azure has Confidential VMs. Google Cloud has Confidential Computing. None of them has assembled these capabilities into a sovereign AI category product aimed specifically at the regulated industry segment, anchored in a neutral jurisdiction, and designed for exportable hybrid deployment. The components exist. The category has not been built.

The commercial logic for hyperscaler interest is straightforward. The regulated industry segment — financial services, healthcare, defense, government — represents the highest-value, highest-margin, longest-contract-duration portion of enterprise cloud spend. It is also the portion of the market most systematically locked out of current hyperscaler AI infrastructure by precisely the data sovereignty and regulatory concerns that confidential computing plus a neutral jurisdiction can address. A category product that unlocks this segment for hyperscaler infrastructure does not compete with the hyperscalers. It expands their addressable market into the most lucrative territory currently unavailable to them.

The investor logic follows the same line. Infrastructure categories that solve a genuinely structural problem for the most risk-averse and highest-spending class of institutional customer have historically commanded premium multiples and durable competitive positions. The barriers to entry in this category are not primarily technical — they are jurisdictional, regulatory, and relational, which means they cannot be replicated quickly by a better-funded competitor simply by hiring more engineers.

The Category That Needs a Name

What is being described here is not a product. It is the foundation of a new infrastructure category that sits at the intersection of six forces simultaneously in motion: the demand for sovereign AI among nations and regulated institutions, the technical maturity of confidential computing at AI-relevant scale, the global credibility of Swiss regulatory and legal frameworks, the commercial pressure on hyperscalers to unlock regulated industry spend, the architectural reality of hybrid enterprise environments, and the geopolitical urgency of providing AI infrastructure options that are not simply the US stack or the Chinese stack.

The category needs a name, a reference architecture, a governance framework, and a go-to-market that takes the Swiss trust anchor seriously as a commercial asset rather than a geographical coincidence. The companies and investors who move to define it now will own the terms on which everyone else participates later.

Trust, it turns out, is infrastructure. And right now, nobody has built it at scale.

Confidential Computing Consortium Confidential Computing: Hardware-Based Trusted Execution Environments and the Future of Cloud Security https://confidentialcomputing.io/whitepaper-02-latest/

Swiss Federal Council Switzerland’s Strategy for the Use of Artificial Intelligence by the Federal Administration https://www.admin.ch/gov/en/start/documentation/media-releases/media-releases-federal-council.msg-id-93900.html

MIT Technology Review The Race to Build Trustworthy AI Infrastructure for the World’s Most Regulated Industries https://www.technologyreview.com/2024/confidential-computing-regulated-industry-ai-infrastructure/