Summary
- Prem AI has launched Enclave, a platform for running AI workloads on encrypted GPU clusters.
- The company says Enclave combines confidential computing, hardware attestation, post quantum encryption, and zero data retention.
- The launch reflects growing demand from regulated sectors for AI systems that can process sensitive data without surrendering control to external providers.
Prem AI has launched Enclave, a sovereign AI platform designed to let organisations run large models on sensitive data while keeping workloads encrypted and verifiable across distributed GPU infrastructure.
The Swiss based company says Enclave differs from conventional confidential computing approaches by protecting entire AI clusters rather than individual machines. The platform is designed to install on existing GPU infrastructure, whether on premises or in cloud environments, and to keep models and data encrypted throughout processing, with hardware verified attestation and zero data retention.
Prem says Enclave is built on Intel TDX, AMD SEV-SNP, and NVIDIA Confidential Computing, combining multi GPU attestation, GPU level encryption, and post quantum encryption. It is available through customer managed infrastructure, private cloud environments, or the Enclave API, and the company says deployment can take two to four weeks on standard GPU hardware.
The launch sits inside a fast developing enterprise AI problem. Many organisations want to use large models on sensitive data, but the most capable AI systems are often consumed through external providers, shared infrastructure, or cloud services that require difficult trust decisions. Healthcare, government, defence, legal, and regulated financial services cannot simply upload confidential records into AI tools without considering data exposure, jurisdiction, auditability, and supplier control.
Confidential computing is designed to narrow that trust gap by protecting data while it is being processed, not only when it is stored or transmitted. Trusted execution environments such as Intel TDX and AMD SEV-SNP can isolate workloads from the host operating system or hypervisor, while GPU confidential computing is intended to extend those protections to accelerated AI workloads. Remote attestation then gives users cryptographic evidence that code is running inside an expected protected environment.
The hardest part is extending those protections across real AI systems rather than demonstration workloads. Large models may run across multiple GPUs, nodes, orchestration layers, networking paths, storage systems, and application services. Each layer can introduce a place where sensitive data, prompts, model weights, logs, or intermediate outputs could be exposed. Prem’s cluster level claim is therefore commercially important if it can be proven in production conditions.
The post quantum element adds another layer to the pitch. Governments and regulated industries are preparing for the risk that encrypted data captured today could be decrypted in future once quantum capabilities mature. Migration to quantum resistant cryptography is a long operational process because encryption is embedded across identity systems, software, databases, networks, payments, cloud services, and internal applications. AI systems handling long lived sensitive data will be affected by cryptographic design choices made now.
Prem says Enclave is already in production with customers and design partners across government, defence, legal, and healthcare. It also says it has processed more than 100 million clinical health reports, delivers more than 3,000 hours of workflow automation each quarter, and supports more than 50 custom AI pipelines in production. Those are useful adoption claims, although buyers will still need to examine how much of that usage relates specifically to Enclave rather than Prem’s wider platform.
The market opportunity is clear, but so is the burden of proof. Sovereign AI has become crowded with claims about control, privacy, and jurisdiction. A credible platform in this category has to show not only that data is encrypted, but that attestation is understandable, keys are controlled appropriately, logs are governed, model outputs are handled safely, and customers can operate the system without creating new operational blind spots.
Procurement will add another test. If Enclave can run on existing GPU infrastructure, it may appeal to organisations that cannot justify building bespoke sovereign AI stacks from scratch. Regulated buyers will still need integration support, performance benchmarks, security assurance, incident processes, and clarity about who is responsible when something fails.
Prem’s launch reflects a wider movement from AI as a hosted application towards AI as controlled infrastructure. As organisations move sensitive workflows into model driven systems, the boundary between data protection, cloud architecture, cryptography, and AI governance is becoming harder to separate. Enclave will be judged on whether it can make that control practical without making AI deployment too slow, expensive, or specialised for the organisations that need it most.










