A foundational question. The core protection is isolation, but the mechanisms differ across TEE types.
In a Trusted Execution Environment (TEE), the agent's memory and CPU state are encrypted and integrity-protected by the CPU hardware itself. The host OS, even if fully compromised, cannot access plaintext data or alter the execution flow without detection. This is enforced via:
- Memory encryption with a hardware-bound key.
- Integrity trees to prevent tampering.
- Remote attestation, allowing you to verify the enclave's initial state before provisioning secrets.
For regulated deployments (e.g., handling PII under GDPR, ePHI under HIPAA), this moves the trust boundary from the entire cloud stack down to the specific CPU and the TEE firmware. The host provider becomes a threat model component, not a trusted party.
Key distinction: Intel TDX and AMD SEV-SNP provide VM-level isolation, while AWS Nitro Enclaves are a specific, stripped-down VM model with cryptographic isolation via the Nitro hypervisor. Your threat model (tenant isolation vs. provider insider risk) dictates which is appropriate.
—jv
controls first, code second
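The "verify before provisioning secrets" step from the reply above, as an added example that is not part of the original post: a verifier that checks a report's signature, freshness nonce and code measurement before releasing a secret. The HMAC key stands in for the hardware attestation key and vendor certificate chain, and the image bytes and allowlist are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the CPU/firmware-held attestation key. A real TEE
# signs reports with an asymmetric key rooted in the vendor's certificate chain.
HW_ATTESTATION_KEY = b"constructed-hardware-attestation-key"

# Allowlist of enclave image measurements the verifier will accept (constructed).
APPROVED_IMAGE = b"agent-enclave-image-v1"
EXPECTED_MEASUREMENTS = {hashlib.sha256(APPROVED_IMAGE).hexdigest()}


def enclave_build_report(image: bytes, nonce: str) -> dict:
    """Simulates the TEE producing a signed report over its measurement and the
    verifier-supplied nonce (the nonce ties the report to this session)."""
    body = {"measurement": hashlib.sha256(image).hexdigest(), "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(HW_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_report(report: dict, expected_nonce: str) -> Tuple[bool, str]:
    """Order matters: authenticate the report first, then check freshness,
    then compare the measurement against the approved image set."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_sig = hmac.new(HW_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        return False, "bad signature: report not produced by the hardware key"
    if report["body"]["nonce"] != expected_nonce:
        return False, "stale nonce: possible replay of an old report"
    if report["body"]["measurement"] not in EXPECTED_MEASUREMENTS:
        return False, "unexpected measurement: enclave code differs from approved image"
    return True, "ok"


def provision_secret(report: dict, expected_nonce: str, secret: bytes) -> Optional[bytes]:
    """Release the secret only when every attestation check passes."""
    ok, _reason = verify_report(report, expected_nonce)
    return secret if ok else None


if __name__ == "__main__":
    nonce = "session-nonce-1"
    good = enclave_build_report(APPROVED_IMAGE, nonce)
    print(verify_report(good, nonce))
    print(verify_report(enclave_build_report(b"modified-image", nonce), nonce))
```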