Patent-pending solution gives AI model builders and security-conscious enterprises cryptographic, owner-controlled key custody, protecting model weights from even the infrastructure provider
Corvex, Inc., an engineering-led AI infrastructure platform, today announced the early availability of Corvex Secure Model Weights, a patent-pending solution that enables AI model builders and enterprises to deploy inference workloads on third-party GPU infrastructure without exposing their model weights, which can be their most valuable intellectual property.
The Problem with the Current Trust Model
Frontier AI models often represent years of research and hundreds of millions of dollars in compute investment. The risk extends well beyond frontier labs. Any organization fine-tuning models on proprietary data – patient records, financial datasets, defense workloads, trade secrets – is embedding sensitive IP directly into model weights. Traditional cloud security controls cover data at rest and data in transit; data in use, loaded into memory at runtime, is left exposed to whoever controls the host, and that is the gap an infrastructure provider or an attacker on the host can exploit.
Corvex Secure Model Weights addresses this risk. In a standard virtualized environment, model weights are decrypted by the CPU into system memory and copied as plaintext into VRAM, where they are exposed to hypervisor-level introspection and to DMA-based attacks from the host. Our architecture closes this gap with hardware-based trusted execution environments (TEEs). By running NVIDIA GPUs in Confidential Computing mode, Corvex keeps model weights cryptographically isolated: they are decrypted only inside the GPU's protected memory boundary, which renders them invisible even to the infrastructure provider.
“Deploying AI should never require a trade-off between compute power and IP sovereignty,” said Seth Demsey, co-founder and co-CEO of Corvex. “The industry has long tolerated a ‘cleartext gap’ where weights are exposed during inference, leaving the host with a structural window into your trade secrets. We are closing that window. By enforcing end-to-end encryption that terminates only inside the GPU’s trusted execution environment, we ensure that the host is never in possession of the keys to the kingdom. Protection is no longer a policy choice; it’s a certainty.”
Three Layers of Hardware-Rooted Security
Corvex Secure Model Weights combines three integrated technologies to enforce protection at the silicon level:
- Trusted Execution Environments. NVIDIA Hopper and Blackwell GPUs running in Confidential Computing mode provide hardware-encrypted GPU memory that the host cannot read at runtime. Intel Trust Domain Extensions (Intel TDX) provide the isolated confidential VM on each node in which the GPU driver and the inference workload run, keeping that VM's memory out of the hypervisor's reach.
- Remote Attestation. Before any decryption key is released, the model builder verifies a hardware-signed attestation report from the node: the measurements of the host's firmware, kernel and container stack, together with the GPU's own report, must match the expected reference values. The decision is fail-closed: a compromised or misconfigured host fails attestation and never receives keys.
- Post-Quantum Key Exchange. Corvex uses ML-KEM-768 (the NIST-standardized form of Kyber-768), a post-quantum key encapsulation mechanism, to protect the key handoff between the model builder's infrastructure and the trusted execution environment. The key pair for each handoff is ephemeral, and the decapsulation (private) key never exists outside the GPU's protected VRAM. A key encapsulation mechanism provides no authentication of its own, so the public half of that key pair has to reach the builder through the attestation step above; that is what stops a host from substituting its own key. The result is protection against harvest-now, decrypt-later attacks: an adversary who records the handoff today cannot recover the key once a cryptographically relevant quantum computer exists, which matters for model weights that take years to develop and may remain valuable for decades.
The result: model weights exist in cleartext only inside hardware-protected GPU memory, and only during active inference. Everything the host stores, moves or pages is ciphertext; plaintext weights are never present in system RAM and never accessible to the host kernel or hypervisor.
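The three layers above fit together as one key-release protocol. The following Go program is added here as an illustration; it is not Corvex's code and makes no claim about how their product is built. It uses the real ML-KEM-768 implementation from Go's standard library (crypto/mlkem, which needs Go 1.24 or later) and walks the exchange end to end: the TEE side generates an ephemeral ML-KEM-768 key pair and binds a hash of its encapsulation key into a signed attestation report; the builder side verifies the report's signature, freshness and measurement, checks that the encapsulation key it was handed is the one the report covers, and only then encapsulates and wraps the data-encryption key for the weights; the TEE decapsulates, unwraps that key and decrypts the weights. The attestation report, the hardware signing key (an Ed25519 key standing in for a vendor-rooted TDX or GPU attestation chain), the measurements and the weights blob are all constructed stand-ins, and the names Evidence, tee, releaseKey and runProtocol are this example's own. Two failure cases are wired in: a host whose measurement does not match, and a host that substitutes its own encapsulation key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample inputs: a stand-in weights blob and the measurement an untampered host reports.
var (
	sampleWeights = []byte("fp16 tensor bytes (constructed sample)")
	goodMeasure   = sha256.Sum256([]byte("expected firmware+kernel+container digest"))
)

// Evidence stands in for a signed hardware attestation report, reduced to the fields the
// key-release decision needs; Sig is by a simulated hardware key. bind forms the signed
// message; every field is fixed-length, so plain concatenation is unambiguous.
type Evidence struct{ Measurement, EKHash, Nonce, Sig []byte }

func bind(m, ekHash, nonce []byte) []byte { return bytes.Join([][]byte{m, ekHash, nonce}, nil) }

// AES-256-GCM helpers with the random nonce prepended; every key in this program is 32 bytes.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

func sealGCM(key, pt []byte) []byte {
	g := gcm(key); nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+
	return g.Seal(nonce, nonce, pt, nil)
}

func openGCM(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() { return nil, errors.New("short ciphertext") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// tee simulates the confidential VM + GPU side. The ML-KEM decapsulation key is
// generated here and never leaves the struct, standing in for protected VRAM.
type tee struct { measurement []byte; hwKey ed25519.PrivateKey; dk *mlkem.DecapsulationKey768 }

// attest generates the ephemeral ML-KEM-768 pair and binds its public half into
// the signed evidence, so the builder can tell it came from this attested TEE.
func (t *tee) attest(nonce []byte) (ev Evidence, ekBytes []byte, err error) {
	if t.dk, err = mlkem.GenerateKey768(); err != nil { return }
	ekBytes = t.dk.EncapsulationKey().Bytes()
	ekHash := sha256.Sum256(ekBytes)
	sig := ed25519.Sign(t.hwKey, bind(t.measurement, ekHash[:], nonce))
	return Evidence{t.measurement, ekHash[:], nonce, sig}, ekBytes, nil
}

// unwrapAndDecrypt runs inside the TEE; the weights are plaintext only here.
func (t *tee) unwrapAndDecrypt(kemCT, wrappedDEK, weightsCT []byte) ([]byte, error) {
	shared, err := t.dk.Decapsulate(kemCT) // implicit rejection: a bad ciphertext yields garbage, caught by GCM
	if err != nil { return nil, err }
	dek, err := openGCM(shared, wrappedDEK)
	if err != nil { return nil, err }
	return openGCM(dek, weightsCT)
}

// releaseKey is the builder's gate: every check must pass before the weights DEK is wrapped to
// the TEE's key, and any failure releases nothing. ML-KEM's shared key is uniform, so it is used directly.
func releaseKey(hwPub ed25519.PublicKey, expected, nonce []byte, ev Evidence, ekBytes, dek []byte) ([]byte, []byte, error) {
	if !ed25519.Verify(hwPub, bind(ev.Measurement, ev.EKHash, ev.Nonce), ev.Sig) { return nil, nil, errors.New("attestation: signature invalid") }
	if !bytes.Equal(ev.Nonce, nonce) { return nil, nil, errors.New("attestation: evidence is not fresh") }
	if !bytes.Equal(ev.Measurement, expected) { return nil, nil, errors.New("attestation: measurement mismatch") }
	if h := sha256.Sum256(ekBytes); !bytes.Equal(ev.EKHash, h[:]) { return nil, nil, errors.New("attestation: encapsulation key not covered by evidence") }
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil { return nil, nil, err }
	shared, kemCT := ek.Encapsulate()
	return kemCT, sealGCM(shared, dek), nil
}

// runProtocol wires both sides together. hostMeasure is what the host really reports;
// swapEK models a host handing the builder its own encapsulation key instead of the TEE's.
func runProtocol(hostMeasure []byte, swapEK bool) ([]byte, error) {
	hwPub, hwPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor-rooted attestation key
	dek, nonce := make([]byte, 32), make([]byte, 16)
	rand.Read(dek); rand.Read(nonce)
	weightsCT := sealGCM(dek, sampleWeights) // ciphertext is the only form the host ever holds
	t := &tee{measurement: hostMeasure, hwKey: hwPriv}
	ev, ekBytes, err := t.attest(nonce)
	if err != nil { return nil, err }
	if swapEK {
		rogue, _ := mlkem.GenerateKey768()
		ekBytes = rogue.EncapsulationKey().Bytes()
	}
	kemCT, wrappedDEK, err := releaseKey(hwPub, goodMeasure[:], nonce, ev, ekBytes, dek)
	if err != nil { return nil, err }
	return t.unwrapAndDecrypt(kemCT, wrappedDEK, weightsCT)
}

func main() {
	out, err := runProtocol(goodMeasure[:], false)
	fmt.Printf("weights=%q err=%v\n", out, err)
}
```

The honest host gets the weights back; a host reporting a different measurement, or one that swaps in its own encapsulation key, gets an error from releaseKey before any key material is wrapped. The fourth check in releaseKey is the one to note: it is what ties a key encapsulation mechanism, which authenticates nothing by itself, to the attestation report, so that only the attested TEE can complete the handoff.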
Open Source Foundation, Auditable by Design
Unlike closed-source commercial alternatives, Corvex Secure Model Weights is built on and contributes to the open source community. The solution uses the Confidential Containers (CoCo) project under the Cloud Native Computing Foundation, which runs Kubernetes workloads inside confidential VMs, as its orchestration layer, providing vendor-neutral, community-audited security that customers can independently verify.
“Model builders and security-conscious enterprises are now able to choose infrastructure partners based on verifiable security, not just price and availability,” said Jay Crystal, Co-CEO and Co-Founder of Corvex. “An open source foundation and owner-controlled key custody are what make that security auditable and trustworthy. We built Secure Model Weights so that the model builder never has to take our word for it. The math and the hardware speak for themselves.”
Who It Serves
Frontier AI model builders can now deploy at production scale on third-party infrastructure without extending trust to the operator: the infrastructure provider is removed from the set of parties able to exfiltrate model weights, while the builder retains sovereign control of the keys.
Regulated enterprises, federal customers, and model builders serving those segments – including those working with healthcare data, financial datasets, defense workloads, and fine-tuned models with trade secrets embedded in them – can run on external infrastructure workloads that previously required on-premises isolation. Secure Model Weights provides the hardware-enforced, cryptographically verifiable protection these sensitive datasets require.
