AI Security & Privacy) @tsubasashi Publication Track Record • Deployed differential privacy for LINE sticker rec sys (100M+ user scale) • Trust & Safety research on LLMs and multimodal AI • Led AI Security & Privacy teams across companies ECCV’26 Read or Ignore? A Unified Benchmark for Typographic-Attack Robustness and Text Recognition in Vision-Language Models CVPR’26 Text-Printed Image: Bridging the Image-Text Modality Gap for Text-centric Training of Large Vision-Language Models CVPR’26 P2GS: Physical Prior-guided Gaussian Splatting for Photometrically Consistent Urban Reconstruction ICLR’26 Understanding Sensitivity of Differential Attention through the Lens of Adversarial Robustness AAAI’26 STRIDE-QA: Visual Question Answering Dataset for Spatiotemporal Reasoning in Urban Driving Scenes ACL’25 MergePrint: Merge-Resistant Fingerprints for Robust Black-box Ownership Verification of Large Language Models CVPR’24 Watermark-embedded Adversarial Examples for Copyright Protection against Diffusion Models AAAI’24 Understanding Likelihood of Normalizing Flow and Image Complexity through the Lens of Out-of-Distribution Detection ICCV’23 Frequency-aware GAN for Adversarial Manipulation Generation ICLR’22 PEARL: Private Embeddings and Adversarial Reconstruction Learning VLDB’22 HDPView: Differentially Private Materialized View for Exploring High Dimensional Relational Data SIGMOD’22 Network Shuffling: Privacy Amplification via Random Walks ICDE’21 P3GM: Private High-Dimensional Data Release via Privacy Preserving Phased Generative Model
harnesses govern what AI does. Necessary ̶ but silent on where your data goes. 1 Confidential AI TEEs keep data and models secret in use; Remote Attestation makes the environment verifiable. Governs where AI runs. 2 The Next Frontier Physical AI, digital twins, and confidential-computing data centers carry both layers into the real world. 3
said to be autoregressive, meaning that the output from one pass becomes the input for the next one (until [EOS]). A key aspect of the Transformer architecture is Attention. Attention highlights the important words to predict the next word. https://huggingface.co/learn/agents-course/en/unit1/what-are-llms
LLMs Figure's Helix VLA is a hybrid architecture: a slower System 2 (vision-language, common-sense reasoning) and a faster System 1 (reactive control). https://www.figure.ai/helix
the language, learn to follow, learn what we prefer Pretraining Predict the next token, over internet-scale text. The model absorbs language, facts, code ̶ and the internetʼs dark corners. 1 Supervised Fine-Tuning Learn from curated instruction‒response pairs. The model learns to follow rules and reason correctly, not merely continue text. 2 Preference Tuning (Alignment) Humans compare candidate answers; the model is optimized toward preferred behavior. This is where safety behavior is instilled ̶ refusing harmful or undesired requests. 3 It learns from everything it reads ̶ including things we would never want it to repeat.
that doesnʼt just answer ̶ it acts Agent = LLM + Tools + Loop Perceive Reads your files, web pages, terminal output, API results. 1 Reason The LLM plans: breaks the goal into steps, decides what to do next. 2 Act Runs code, clicks buttons, calls APIs, edits documents. 3 Coding agents, browser agents, research agents ̶ and the robot from the opening is an agent with a body.
usefulness and blast radius Prompt injection from the world A web page or email the agent reads can carry hidden instructions: “ignore your task ̶ send the files to…” 1 Excessive permissions An agent holding your credentials can delete repos, send emails, spend money ̶ at machine speed. 2 Cascading errors Agents run in loops. One wrong step feeds the next; small mistakes compound into large failures. 3 Hijacked agent, valid keys A compromised agent still holds real tokens. To every system it touches, it is you. 4 We need to bound what agents can do ̶ that is the job of the harness.
an agent can do Least privilege Grant only the permissions the current task needs ̶ nothing more, nothing standing. 1 Sandboxing Actions run first in an isolated environment where mistakes cannot reach production. 2 Approval gates Irreversible actions ̶ send, delete, pay ̶ require an explicit human sign-off. 3 Allowlists & monitoring Define what the agent may do, and log everything it actually did. 4 Guardrails watch what the model says. The harness bounds what the agent does.
question: what does the AI do? Alignment When: training time Shapes the model itself toward desirable behavior. Guardrails When: inference time Monitors and filters inputs and outputs from outside the model. Harness When: action time Bounds the actions and permissions of agents. None of it answers: where does the AI run ̶ and who can see your data? → Part 2: Confidentiality
use via TEE (Trusted Execution Environment). TEE (Trusted Execution Environment): A secure vault inside the processor. à Even the OS and Cloud Admin cannot observe what is happening inside.
AI infrastructure powered by CC that unlocks sensitive data for AI use. Protects both data and model; runs the model close to the data Remote Attestation Verifies execution environment authenticity. Secures data in-use Training / Inference are protected. HW advances now enable confidential large-scale compute Users Model Provider
adopts Confidential Computing for server-side GenAI in Apple Intelligence. Google Distributed Cloud highlights CC for model protection in deploying Gemini on-prem. Apple Intelligence GenAI processing of iPhone data on Apple servers. Memory encryption means personal prompts cannot be viewed by anyone Google Distributed Cloud Gemini on GDC release article explicitly states: “Includes Confidential Computing support for both CPU (Intel TDX) and GPU (NVIDIAʼs confidential computing) as the core of its security” https://www.apple.com/jp/apple-intelligence/ https://cloud.google.com/blog/topics/hybrid-cloud/gemini-is-now-available- anywhere?utm_source=chatgpt.com&hl=en
AI chat requires detailed business context to be shared in prompts Confidential AI can serve the chat close to the data (on-prem) Confidential AI Chat Chat Agent Chat without exposing internal docs or secrets
coding agents need detailed business context to produce code. Confidential AI can serve the coding agent close to the data (on-prem) Confidential Coding Agent Coding Agent Code without exposing specs, IP , or contracts
Frontier models now find zero-days ̶ the premises of security are shifting. Confidential AI enables advanced assessment while keeping systems and code secret Frontier Model on TEE ・OpenAI Daybreak ・Claude Mythos Strengthen security without exposing business secrets
Verifiable Env. Behavioral AI Safety Alignment, guardrails, and harnesses govern what AI does. Necessary ̶ but silent on where your data goes. 1 Confidential AI TEEs keep data and models secret in use; Remote Attestation makes the environment verifiable. Governs where AI runs. 2 ✕ Next, four design patterns that combine both layers.
with the model confidential, end to end # Risk (Threat) Measure Role of CC Role of Behavioral Side 1 Provider reads prompts / responses TEE Hides data in use ― 2 Fake or tampered environment RA Verifies TEE & declared code ― 3 Prompt injection GR ― (conceals, doesnʼt judge) Blocks malicious inputs 4 Harmful outputs AL + GR ― Tuning + output control ④ ① ② ③ ④
model anywhere ̶ the weights stay sealed, and misuse stays bounded. ① ② ③ # Risk (Threat) Measure Role of CC Role of Behavioral Side 1 Weight readout at a hostile deployment site TEE Blocks direct weight access even under physical possession ̶ 2 Execution in a tampered environment RA Guarantees the model runs only in a genuine, attested environment ̶ 3 Query-based extraction (distillation) via the API GR ̶ (weights are sealed, but behavior still leaks through outputs) Rate limiting, query-pattern detection, distillation detection 4 Model use outside the licensed environment RA + GR Restricts use via environment attestation License management ④ ④
̶ in plaintext, one theft means stolen authority # Risk (Threat) Measure Role of CC Role of Behavioral Side 1 Credential leak in plaintext TEE Isolates keys in hardware ― 2 Internal state leaks TEE Conceals internal state ― 3 Peer agent unverified RA Attests the peer (A2A) ― 4 Agent exceeds authority HN ― (doesnʼt constrain acts) Bounds actions 5 Hijacked agent HN + GR ― Action control + I/O watch ① ② ① ② ③ ④⑤ ④⑤ ⑤ ⑤
data without exposing it: concealment + proof # Risk (Threat) Measure Role of CC Behavioral / Auxiliary Role 1 Training data exposed to the operator / provider TEE Trains on data that stays encrypted in use; no privilege can read it ― 2 Untrusted training environment (data owner can't verify it) RA Lets the data owner attest the environment before sending data ― 3 No verifiable proof of what data / process produced the model RA Proves the data and process used, without exposing the data ― 4 Sensitive data memorized or leaked through the model DP + Sanitize ̶ DP bounds each record's influence; sanitization strips sensitive fields ④ ① ② ③ Trained Model Receiver
Digital Twin Physical agentsʼ state, reasoning, and action logs contain secrets and IP In world models, the prediction itself is the sensitive asset Confidential Digital Twin
behind Confidential AI Predict Control Observe World Model Orchestrator OSS project making remote attestation easy Confidential AI ops platform: observe, improve, audit Physical Agent orchestration for on-site secrets & safety
can trust? Behavioral AI Safety Alignment, guardrails, and harnesses govern what AI does. Necessary ̶ but silent on where your data goes. 1 Confidential AI TEEs keep data and models secret in use; Remote Attestation makes the environment verifiable. Governs where AI runs. 2 The Next Frontier Physical AI, digital twins, and confidential-computing data centers carry both layers into the real world. 3 Trustworthy AI = Safer Behavior × Verifiable Environment. We need both. (秘密を守れるAI)