Confidential Computing is becoming a key technology for protecting sensitive workloads in cloud and edge environments. While encryption at rest and in transit is now standard practice, organizations are increasingly focusing on securing data while it’s actively being processed—often referred to as “protecting data in use.”
AI Factories are complex multi-tenant production environments where organizations train, fine-tune, serve, and continuously improve AI models using highly sensitive data, proprietary model weights, regulated datasets, prompts, embeddings, and enterprise knowledge bases. For AI Factories building sovereign AI services at scale, performance is no longer enough. Customers need to know where their workloads run, who can access the infrastructure, how tenants are isolated, and whether their data and models remain protected while actively being processed.
A recent white paper from the Confidential Computing Consortium (CCC), 3 Degrees of Confidential Computing, highlights this evolution and introduces a maturity model for adoption. The paper emphasizes that Confidential Computing is not a single technology, but a progression: organizations begin with hardware-backed confidential Virtual Machines, then move toward attestation-based enforcement, and ultimately to workload-level identity and verification. Importantly, the value of Confidential Computing increases as integration becomes deeper.
OpenNebula has been recognized in the paper as an example of an open platform supporting Confidential Virtual Machines (CVMs), which represent the entry point on this journey. OpenNebula Systems recently joined the CCC as a General Member, reinforcing its commitment to open standards, interoperability, and collaboration in the Confidential Computing ecosystem.
Why the First Step Matters for AI Factories
For most organizations, the practical starting point is Level 1: Confidential Virtual Machines. At this stage, standard workloads are moved into CVMs that use hardware-backed isolation and memory protection technologies such as AMD SEV-SNP, Intel TDX, or Arm CCA. This allows existing applications to gain stronger runtime protection with minimal changes to code or operational workflows. The CCC paper describes Level 1 as “hardware-backed protection with minimal operational change” and notes that it can create a hardware security barrier against privileged host actors and other tenants on shared infrastructure.
For AI Factories, that is a powerful entry point because it can be turned into a service class: confidential AI instances, confidential inference nodes, confidential fine-tuning environments, or confidential private cloud regions.
Where OpenNebula Fits
OpenNebula helps organizations take the first practical step in this journey by enabling confidential virtualized infrastructure in open, distributed cloud environments.
OpenNebula’s Confidential Computing work demonstrates how confidential workloads can be deployed across KVM hypervisors using hardware-assisted secure virtualization. This recent screencast shows OpenNebula managing confidential and standard VMs side by side, with encrypted memory support verified inside the confidential guests and protected from host-level visibility.
AI Factory infrastructure rarely lives in a vacuum. It spans data centers, edge sites, sovereign regions, secondary GPU clusters, private cloud environments, and sometimes federated provider networks. A cloud management layer needs to make confidential execution operationally usable across that whole footprint.
OpenNebula also brings this into a broader AI Factory control plane. OpenNebula 7.2 expands confidential computing support with hardware-rooted trust, memory encryption for KVM workloads, and virtual TPM integration, while also strengthening orchestration for sovereign clouds, GPU-accelerated systems, and high-speed networking.
That combination is important. Confidential Computing cannot sit apart from the rest of the AI infrastructure stack. It has to work with scheduling, tenancy, networking, storage, lifecycle management, Kubernetes, GPU orchestration, and operational governance. The goal is not simply to launch a confidential VM. The goal is to turn confidential infrastructure into a repeatable, manageable, auditable service. As a corporate member of the CCC, OpenNebula Systems will continue collaborating with the open source community to help organizations progress through the next stages of this security journey.
Meet the OpenNebula team at ISC 2026 to discuss Confidential Computing for AI Factories and HPC, and book a demo at our booth.



