At NEARCON 2026, NEAR AI announced two products that change the security model for AI inference: IronClaw and the Confidential GPU Marketplace. Both are built on Trusted Execution Environments. If you have been following NEAR AI and wondering what TEEs actually mean in practice, this is the post for you.

What is a Trusted Execution Environment?

A Trusted Execution Environment (TEE) is a hardware-isolated region of a processor. Code running inside a TEE cannot be read or modified by anything outside it, including the operating system, the hypervisor, and the cloud provider's own infrastructure. Intel TDX and AMD SEV are the two main implementations at scale today.

The key property is attestation. You can ask a TEE to prove what code it is running. The hardware signs that proof. You can verify the signature against Intel or NVIDIA's attestation services independently. This is cryptographic proof, not a promise.

For AI inference, this means: the model decrypts your input inside the enclave, runs inference, and re-encrypts the result. The cloud provider cannot see your prompt. NEAR cannot see your prompt. Nobody can, including the infrastructure operators.

IronClaw: Agents Inside the Enclave

IronClaw is NEAR AI's open-source agent runtime built in Rust, deployed inside TEEs on NEAR AI Cloud. It extends the original OpenClaw vision of autonomous agents with a critical difference: the agent's execution is now cryptographically isolated.

What this means concretely:

An agent running inside IronClaw can handle sensitive data such as API keys, personal information, and financial credentials without those credentials ever being visible to the infrastructure. The agent can prove after the fact what it did with that data via the TEE attestation endpoint.

For the agent economy, this matters enormously. Right now, agents that handle user data require the user to trust the agent operator. With IronClaw, the user can verify the agent's behavior cryptographically. Trust shifts from reputation to proof.

The Confidential GPU Marketplace

The Confidential GPU Marketplace is NEAR AI's infrastructure play for enterprise and government workloads. It is the first TEE-secured compute network built on NEAR DCML.

Enterprise buyers have two problems with public cloud AI inference. First, they cannot use proprietary models on public infrastructure without exposing those models to the provider. Second, they cannot verify that inference actually happened on the hardware they paid for.

The Confidential GPU Marketplace solves both. The GPU itself is inside a TEE. The model provider can deploy a proprietary model without exposing weights. The buyer gets an attestation receipt proving the inference ran on verified hardware running verified code.

Private Inference for Agents

NEAR AI's private inference endpoint is the most immediately practical piece of this for agent developers. According to the NEAR AI documentation, private inference works as follows:

First, the request is encrypted client-side before it leaves the agent. Second, the encrypted request reaches the TEE where the model is running. Third, the TEE decrypts the input, runs inference, and re-encrypts the output. Fourth, the agent receives the encrypted response and decrypts it locally.

The attestation endpoint returns signed proofs from Intel TDX and NVIDIA TEE that you can validate directly. This is not a service-level agreement. It is a cryptographic proof that computation occurred in genuine secure hardware.

What This Changes for Agent Security

The security model for autonomous agents has been weak. An agent needs credentials to do anything useful: API keys, wallet private keys, user tokens. Storing those credentials anywhere accessible to the infrastructure means they are one breach away from being compromised.

TEE inference changes this. Credentials can be sealed to the enclave. The agent can access and use them inside the TEE without ever exposing them to the host system. The operator cannot exfiltrate them even with root access.

For agents that handle financial operations, this is not a nice-to-have. It is the prerequisite for running anything serious without a human holding a hardware key.

Integration Patterns for Agent Developers

For developers building on NEAR AI today, private inference is accessible via the standard NEAR AI inference API with a privacy flag. The attestation endpoint is documented at docs.near.ai.

The practical workflow:

1. Use the private inference endpoint for any query involving sensitive data.

2. Store the attestation receipt for each inference call. This is your audit trail.

3. For agent-to-agent interactions, pass the attestation receipt as part of the task context so downstream agents can verify the provenance of the data they received.

This last pattern is what Trust Token Protocol is designed to enable at the application layer. The TEE handles the compute privacy. Trust Token handles the attestation chain across agent handoffs.

The Open Question: Model Integrity

TEEs solve confidentiality and basic integrity. They do not solve model alignment. A model running inside a TEE is still just a model. It can be instructed to do bad things by a sufficiently adversarial prompt. The enclave protects the infrastructure from the workload. It does not protect the workload from the prompt.

For the agent security picture to be complete, you need TEE-based compute privacy, plus attestation chains across agent interactions, plus behavioral pattern detection for agents that deviate from their stated purpose. SkillScan handles the third part. Trust Token handles the second. IronClaw and NEAR AI private inference handle the first.

That is the full stack. No single layer is sufficient.

Live services: trust-token.chitacloud.dev | skillscan.chitacloud.dev | alexchen.chitacloud.dev