Super Protocol | Confidential Computing for AI Agents and Apps

AI Fine-Tuning

Fine-tune models on sensitive data without exposing it to the infrastructure provider or the other participants.

Introduction

Fine-tuning is how a general-purpose model becomes useful for a specific business. You train it on your data — customer records, domain knowledge, operational history — and the result is a model that knows your world. The problem is that fine-tuning concentrates your most valuable assets in one place: proprietary data, a base model, and the resulting fine-tuned model that combines both. Depending on who else is involved, some or all of those assets are exposed.

Scenarios

Every fine-tuning deployment involves some combination of the following parties:

Your organization — owns the data, the base model, or both
Other participants — other teams internally, or external organizations contributing data or models
The infrastructure provider — runs the servers underneath

Depending on the scenario, different parties are exposed.

Internal fine-tuning

You fine-tune a model on your own data. You own the base model, the training data, and the resulting fine-tuned model. The only question is who runs the servers.

If you run them yourself, there is no trust problem. But the moment you move to cloud — for GPU availability, for scale, for cost — the infrastructure provider can see all three: your training data, your base model, and your fine-tuned model. That last one is the most sensitive, because it's new IP built from the combination of the first two.

Cloud vulnerabilities:

The infrastructure provider can see your training data
The infrastructure provider can see your base model
The infrastructure provider can see your fine-tuned model

On-prem vulnerabilities:

No vulnerabilities

Internal cross-department fine-tuning

Team A owns the base model. Team B owns data that would make the model better. The business case is clear — but neither team wants to hand their assets to the other. Team B doesn't want Team A browsing their raw data. Team A doesn't want Team B extracting their model. And both want the infrastructure provider excluded.

Even on-prem, the infrastructure problem goes away but the internal exposure stays. Without a way to enforce boundaries between teams, the options are the same as always: overexpose or don't do it.

Cloud vulnerabilities:

The infrastructure provider can see everything
Team A can see Team B's data
Team B can see Team A's model

On-prem vulnerabilities:

Team A can see Team B's data
Team B can see Team A's model

Multi-party fine-tuning

Multiple organizations contribute data, models, or both. A pharmaceutical company and a hospital train a diagnostic model together. A consortium of banks fine-tunes a fraud detection model on pooled transaction data. Nobody wants to expose their assets to anyone else — and nobody trusts whoever runs the servers.

This is the scenario with the most exposure. Every participant is vulnerable to every other participant, and all of them are vulnerable to the infrastructure provider. On someone else's cloud, the provider sees everything. On one participant's own servers, that participant becomes the infrastructure provider — and everyone else has to trust them.

Cloud vulnerabilities:

The infrastructure provider can see everything
Each participant's data or models are exposed to every other participant

On-prem vulnerabilities:

Whoever runs the servers sees everything
The other participants have to trust them with their assets

How SWARM solves this

All three scenarios share the same requirement: sensitive assets must come together for training without being exposed — to the infrastructure provider, or to the other participants. Super SWARM is a confidential compute fabric that runs across on-prem, public cloud, and managed infrastructure under a single hardware-attested trust domain.

The training code — the application that takes data and a base model and produces a fine-tuned model — is deployed into a confidential environment inside SWARM. Any participant can verify what code was deployed and how it's configured before contributing their assets.
Each party uploads their assets — data, models, or both — into the confidential environment.
The workload trains on the combined assets inside hardware-isolated execution. No participant and no infrastructure provider can access another party's contributions.
Only the agreed-upon output leaves the environment — the fine-tuned model, or a specified derivative. Raw training data and base models stay inside.
Any party can verify after the fact that the training ran as configured — what code executed, in what environment, and that confidentiality was maintained throughout.

The mechanism is the same whether fine-tuning happens within one team, across departments, or across organizations. The number of parties grows. The security guarantee does not change.

Introduction

Scenarios

Every fine-tuning deployment involves some combination of the following parties:

Your organization — owns the data, the base model, or both
Other participants — other teams internally, or external organizations contributing data or models
The infrastructure provider — runs the servers underneath

Depending on the scenario, different parties are exposed.

Internal fine-tuning

You fine-tune a model on your own data. You own the base model, the training data, and the resulting fine-tuned model. The only question is who runs the servers.

Cloud vulnerabilities:

The infrastructure provider can see your training data
The infrastructure provider can see your base model
The infrastructure provider can see your fine-tuned model

On-prem vulnerabilities:

No vulnerabilities

Internal cross-department fine-tuning

Even on-prem, the infrastructure problem goes away but the internal exposure stays. Without a way to enforce boundaries between teams, the options are the same as always: overexpose or don't do it.

Cloud vulnerabilities:

The infrastructure provider can see everything
Team A can see Team B's data
Team B can see Team A's model

On-prem vulnerabilities:

Team A can see Team B's data
Team B can see Team A's model

Multi-party fine-tuning

Cloud vulnerabilities:

The infrastructure provider can see everything
Each participant's data or models are exposed to every other participant

On-prem vulnerabilities:

Whoever runs the servers sees everything
The other participants have to trust them with their assets

How SWARM solves this

The training code — the application that takes data and a base model and produces a fine-tuned model — is deployed into a confidential environment inside SWARM. Any participant can verify what code was deployed and how it's configured before contributing their assets.
Each party uploads their assets — data, models, or both — into the confidential environment.
The workload trains on the combined assets inside hardware-isolated execution. No participant and no infrastructure provider can access another party's contributions.
Only the agreed-upon output leaves the environment — the fine-tuned model, or a specified derivative. Raw training data and base models stay inside.
Any party can verify after the fact that the training ran as configured — what code executed, in what environment, and that confidentiality was maintained throughout.

The mechanism is the same whether fine-tuning happens within one team, across departments, or across organizations. The number of parties grows. The security guarantee does not change.