Note: Infrastructure decisions will shape AI revenue quality. Confidential compute is the first obvious example. As enterprise AI moves from generic workloads to regulated and sovereign workloads, the relevant question becomes less about raw tokens alone and more about which tokens can be processed inside an approved trust boundary. Tokens per watt will remain an important infrastructure metric. We think protected tokens per watt becomes an emerging competitive dynamic, because it captures whether a provider can deliver usable inference capacity for workloads legal, security, and compliance teams will actually approve.

Rightly so, a lot of work on AI infrastructure, ours included, has analyzed it largely as a supply problem. The value of the unit of compute being a systems level, full scale optimized design, and the capex required to assemble all of it still holds relevance in the analysis. But as enterprise and sovereign adoption scale, a second variable keeps showing up in our research that does not appear in any capacity table — permission. The highest-value AI workloads depend on exactly the data that legal, compliance, and security teams are least willing to expose to a multi-tenant cloud or a third-party model provider. Which means capacity can exist, be financed, and be energized, and still sit unusable for the workloads that justify the spend, because nobody inside the customer organization has the authority to approve the data exposure.

This report argues that confidential computing sits at exactly that boundary, and that it functions as a conversion and pricing layer for AI infrastructure rather than another security budget line. To be clear about what this is: an AI infrastructure revenue-quality report, not a cybersecurity report.

The mechanism

Enterprises spent two decades building controls, certifications, and audit language around two states of data: at rest and in transit. AI puts pressure on that model because the value is created in a third state, while the data is in use. During inference and agent execution, prompts, model weights, retrieved context, and agent credentials all sit decrypted in memory, where the cloud operator, hypervisor, or another privileged software layer could in principle reach them. Hardware-enforced trusted execution environments, now present in server CPUs and recent GPU generations, are designed to close that gap. Remote attestation then adds the piece that matters commercially: a signed evidence artifact a compliance team can file, an auditor can check, and a regulator can review. Once that artifact exists, approval behavior can change. Approval behavior is what turns blocked workloads into consumed infrastructure.

For our broader thesis on how enterprise adoption plays out, with the overarching platform/control plane layer, confidential AI is a key component. See our report here:

From Model Wars to Platform Wars

Ben Bajarin

·

May 7

Read full story

Two findings worth sharing

The first is about pricing power. Our research indicates confidential compute instances have commanded premiums on the order of 20 to 30 percent over comparable standard instances in regulated environments, a working estimate we are still tracing to SKU-level pricing. The interesting part is what kind of premium it is. A scarcity premium on GPUs erodes as capacity gets added; that is just supply. A trust premium rests on regulation, audit requirements, and customer risk tolerance, none of which follow semiconductor supply curves down. Generic compute will always face commoditization risk, but verified isolation gives providers a feature customers can pay for.

That is where protected tokens per watt becomes a useful lens. Standard AI infrastructure is judged by how much inference it can deliver per watt, per rack, and per dollar. Regulated AI adds another requirement: how much of that inference can run inside a trust boundary the customer can approve. The customer is not only buying throughput. They are buying usable throughput. That difference is what gives confidential compute a pricing and retention argument even if baseline AI compute becomes more competitive.

The second is what we call the double dollar, and it is the value equation in the full report. The premium is the smaller half of the money, because it applies to workloads that were coming to cloud anyway. The larger opportunity is conversion: regulated workloads that did not run at all, at any price, because nobody could approve the data exposure. In our illustrative base case, the conversion effect contributes roughly twice what the premium does, which means anyone modeling the premium alone is missing most of the lift. The full scenario math, conservative through high, sized per $100 billion of CSP AI compute revenue, is in the subscriber report. And the thesis survives even if the premium compresses, because the conversion and retention effects come from workloads clearing compliance rather than from a SKU markup. An investor does not need to believe in a permanent premium at the top of the observed range. They only need to believe confidential architecture unlocks production workloads that standard infrastructure could not capture.

The insight we would leave readers with is this: not all AI cloud revenue is equal. A dollar cleared by legal, compliance, and security should be more durable in a price war than a dollar of developer experimentation. Confidential mix is one of the few observable markers that lets stakeholders separate generic AI consumption from workloads with permission, auditability, and switching friction attached. The market is still modeling AI infrastructure through capacity. We think it should also be modeling permission. Protected tokens per watt is one way to describe that next layer.

What the full report covers

The subscriber report runs the full diligence framework, including:

• The blocked-workload evidence base — insights from commentary from banking, healthcare, defense, and real estate on which AI workloads are stalled, what asset is at risk, and what unblocks them.

• Exhibit 2: the dollar-lift model — our per-$100B CSP revenue sensitivity framework across conservative, base, and high scenarios, with the full equation and the input the model is most sensitive to.

• Exhibit 3: the beneficiary map — five tiers from silicon to adjacent AI security, graded by directness, materiality today, and exactly what to track for each.

• Sovereign AI as a control problem — why local data centers alone fail the sovereignty test regulators are actually applying, and the regulatory calendar behind the demand.

• Private AI factories as governance infrastructure — the order-book evidence, agent tokenomics, and the attach economics that decide whether OEM AI revenue deserves better than a hardware multiple.

• Where the model changes — company by company: the CSPs, NVIDIA, Dell and HPE, AMD and Intel, and the confidential middleware layer.

• The honest valuation answer — whether any of this moves a stock today, where the lens is most material, and the forward checklist that tells you when the valuation question goes live.

• What to watch — the five verification items that graduate this thesis from working view to conviction.