SAN FRANCISCO – Apple used the Confidential Computing Summit ito provide its most detailed public explanation yet of Private Cloud Compute (PCC), the cloud infrastructure that powers Apple Intelligence workloads requiring more compute than can be handled directly on an iPhone, iPad, or Mac. During a keynote presentation, Ivan Krstić, Apple’s Vice President of Security Engineering and Architecture, outlined a new framework for evaluating cloud AI security and described how Apple recently extended PCC beyond Apple-owned infrastructure into Google Cloud while maintaining what the company describes as its highest privacy and security standards.
Krstić argued that conventional cloud AI systems offer limited visibility into how user data is processed, retained, or accessed. To address this challenge, Apple developed a four-level security framework for cloud AI systems. Level 0 represents traditional cloud AI deployments that rely largely on policy-based protections. Level 1 introduces auditable, hermetic inference environments with measured boot chains and tamper-resistant logging. Level 2 adds verifiable transparency, anonymous authentication, and non-targetability to prevent operators from targeting specific users. Level 3, which Apple calls “Frontier Security and Privacy,” introduces defenses against sophisticated side-channel attacks and hardware supply-chain compromises while minimizing trust in cloud providers and infrastructure operators.
Private Cloud Compute first launched in 2024 as a cloud extension of Apple Intelligence running on Apple-designed servers built around Apple silicon. The architecture was designed around stateless inference, encrypted user state management, verifiable software transparency, and the elimination of privileged runtime access. According to Apple, every PCC server presents cryptographic attestations to user devices, allowing software measurements to be verified against a public transparency log. Apple also publishes PCC software and research tools so external security researchers can inspect and validate the platform.
Apple’s latest expansion moves portions of PCC into Google Cloud to support increasingly demanding AI workloads, including advanced reasoning and agentic tool-use capabilities. The deployment combines Google Cloud infrastructure, Intel Trusted Domain Extensions (TDX), NVIDIA Confidential Computing technologies, and Google’s Titan root-of-trust architecture. Krstić emphasized that Apple refused to lower its security requirements during the migration and instead worked with Google to create a fully attested environment covering both guest and host systems. Apple said the infrastructure uses multiple independent hardware roots of trust and cryptographically verifiable hardware inventories to reduce supply-chain risks while maintaining end-to-end transparency.
• Apple introduced a four-level cloud AI security framework ranging from traditional cloud deployments (Level 0) to “Frontier Security and Privacy” (Level 3)
• PCC uses stateless AI inference designed to prevent long-term retention of user prompts and data
• Apple devices verify PCC software using cryptographic attestations tied to public transparency logs
• Anonymous authentication and third-party privacy relays prevent Apple from linking individual users to specific inference requests
• PCC on Google Cloud uses Intel TDX confidential VMs, NVIDIA confidential computing technology, and Google’s Titan security architecture
• Apple maintains that confidential computing alone is insufficient and must be combined with transparency, non-targetability, and supply-chain protections
• Security researchers will receive access to PCC binaries, documentation, research tooling, and live research systems through Apple’s security research programs
Krstić said: “At Apple, we believe privacy is a fundamental human right. We believe that the immense promise of AI will be fulfilled only if we build systems that are worthy of our users’ highest trust.”
Integration Context: Apple’s PCC expansion does not transfer trust to Google Cloud. Apple retains control of the software, attestation, and transparency mechanisms that govern the service. User devices verify that PCC workloads are running Apple-approved software before processing requests, allowing Apple to extend AI inference onto third-party infrastructure while maintaining its existing security and privacy model.
🌐 Analysis
Apple is positioning Private Cloud Compute as more than a privacy feature for Apple Intelligence. The company is attempting to establish a security architecture for cloud AI inference that combines confidential computing, transparency logging, anonymous authentication, hardware attestation, and supply-chain verification into a single framework. The introduction of formal security levels mirrors the maturity models that emerged in cybersecurity and cloud infrastructure over the past two decades.
The expansion of PCC into Google Cloud is also notable because it signals a pragmatic shift in Apple’s AI infrastructure strategy. While PCC originally relied exclusively on Apple silicon in Apple-operated data centers, Apple’s next-generation AI workloads increasingly require large-scale accelerator infrastructure. By integrating Google Cloud, Intel TDX, NVIDIA GPUs, and Google’s Titan architecture while preserving Apple-controlled software attestation and transparency mechanisms, Apple is creating a multi-vendor confidential AI environment that could influence future designs for privacy-sensitive AI services across the industry.
