Confidential computing.

Inference inside hardware enclaves that prove what code and model ran and keep the operator blind. Privacy you can check, not privacy you are asked to trust.

Verifiability and privacy are distinct guarantees. Establishing that an answer is correct does nothing to conceal it from the machine that produced it. Confidential computing is the mechanism by which we render inference private as well as correct.

A provider can run inside a Trusted Execution Environment, a hardware enclave that produces a signed attestation (a DCAP quote on Intel TDX, with NVIDIA Confidential Computing for the GPU). The quote proves exactly what code and model are running and gives you an encrypted channel into the enclave. The operator of the machine cannot read your prompt or the response.

Attested, not promised

The trust root is hardware attestation, checked by you or by a validator on your behalf, before you send anything. That is what turns "private" into verifiably private. The enclave signs a receipt over each response, so correctness is hardware-attested for the specific answer you got, and settlement will not release on a receipt that does not verify.
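
The gate this paragraph describes, as an added Go example that is not this project's code: check the attestation before sending anything, then release settlement only on a receipt that verifies. It assumes the DCAP quote has already been validated by a real verifier, that the quote's report data carries the SHA-256 of an Ed25519 receipt key, and that the receipt signs the prompt and response hashes; every type, field and function name is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestation holds what remains after a real DCAP verifier has validated the quote (assumed).
type Attestation struct {
	Measurement [32]byte // hypothetical digest of the code and model in the enclave
	ReportData  [32]byte // assumed: SHA-256 of the enclave's receipt public key
}

// Receipt is a hypothetical per-response receipt signed inside the enclave.
type Receipt struct {
	PromptHash, ResponseHash [32]byte
	Sig                      []byte
}

func receiptMsg(p, r [32]byte) []byte { return append(p[:], r[:]...) } // bytes the enclave signs

// CheckAttestation runs before any prompt leaves the client.
func CheckAttestation(a Attestation, expected [32]byte, key ed25519.PublicKey) error {
	if a.Measurement != expected {
		return fmt.Errorf("measurement mismatch: unexpected code or model")
	}
	if a.ReportData != sha256.Sum256(key) {
		return fmt.Errorf("receipt key is not the one bound into the quote")
	}
	return nil
}

// ReleaseSettlement is true only if the receipt covers exactly this exchange and verifies.
func ReleaseSettlement(r Receipt, key ed25519.PublicKey, prompt, response []byte) bool {
	if r.PromptHash != sha256.Sum256(prompt) || r.ResponseHash != sha256.Sum256(response) {
		return false
	}
	return ed25519.Verify(key, receiptMsg(r.PromptHash, r.ResponseHash), r.Sig)
}

func main() { // constructed stand-ins for the enclave key, image and traffic
	pub, priv, _ := ed25519.GenerateKey(nil)
	att := Attestation{sha256.Sum256([]byte("constructed image")), sha256.Sum256(pub)}
	p, r := []byte("prompt"), []byte("response")
	rc := Receipt{sha256.Sum256(p), sha256.Sum256(r), nil}
	rc.Sig = ed25519.Sign(priv, receiptMsg(rc.PromptHash, rc.ResponseHash))
	fmt.Println(CheckAttestation(att, att.Measurement, pub), ReleaseSettlement(rc, pub, p, r))
}
```

Binding the receipt key into the quote is what ties each signed response back to the attested code and model; without that check a valid signature says nothing about where it was produced.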

The honest asymmetry: confidentiality is only as strong as the TEE itself, and a working enclave break on the host serving your request would defeat privacy. But under a compromised minority of enclaves the network's correctness still holds, because it rests on the audit and the honest validator majority. It is privacy that degrades, not correctness.

Where the research goes

We work on shrinking the trusted base, on cross-attesting the request hot path (the gateway cross-attests the router at startup), and on the endgame: zero-knowledge inference (zkML), which would give cryptographic correctness without a TEE, the best of both, once it is practical at language-model scale.