Thesis · Systems
TEEs
Systems thesis covering trusted execution environments as Ritual's execution layer for autonomous intelligence.
TEEs as the Execution Layer of Autonomous Intelligence
Autonomous intelligence is emerging as one of the defining technical problems of this century. The question is not whether models will become more capable. It is whether intelligence can become operationally independent: able to retain its own identity, keep its own secrets, access its own compute, and act in the world without quietly collapsing back into custodial infrastructure. Ritual exists because we believe that distinction matters. Our object is not intelligence in the abstract. It is intelligence that can persist, act, and compound under its own control.
That is the frame in which we think about trusted execution environments. In our language, autonomy cashes out into seven properties: immortality, emancipation, teleportability, financial sovereignty, privacy, internet-native interoperability, and computational sovereignty. TEEs are not the whole of autonomy, and they are not a magic substitute for protocol design. But they are one of the first places where autonomy stops being rhetorical and can make several of these properties concrete at once. If a system cannot keep its own keys, memory, privacy, compute, internet access, and money, it is not an agent yet.
What a TEE actually is
A TEE is a hardware-backed execution environment that isolates code and data from the host operating system, hypervisor, and surrounding software stack. In practice, this means a workload can run inside a protected boundary where memory is encrypted, access is restricted, and the environment can produce signed evidence about what was loaded and how it started 1. That evidence is the basis of remote attestation. A verifier does not simply trust that a machine claims to be secure; it checks a quote or attestation report tied to measurements of the environment, along with endorsements and freshness data such as nonces 1.
That distinction matters. A TEE does not prove that a system is morally trustworthy, nor does it eliminate the need for the verifier to understand what a given set of code does.. What it proves is narrower and more useful: this specific hardware-backed environment booted in this specific state, with this measured software identity, and is presenting evidence that can be checked against an explicit trust policy defining which workloads are allowed 1. That is enough to turn vague trust in a provider into something programmable.
It is equally important to be precise about the limits. TEEs are vendor-specific systems with real failure modes. They have been attacked through side channels, depend on hardware roots of trust, and should not be treated as an unconditional integrity oracle for an entire protocol 2. Responsible use of TEEs requires active management and defense in depth: reproducible builds, revocation, workload governance, key rotation, restricted blast radius, and architectures that remain survivable under compromise.
| Primitive | What it gives you | Why it matters for Ritual |
|---|---|---|
| Isolated execution | Code and data run outside the host’s ordinary visibility and control | Sensitive cognition, keys, and intermediate state do not have to be exposed by default 2 |
| Measurement | The environment records a cryptographic identity of what was loaded | Trust can attach to a concrete workload identity rather than a vague server claim 1 |
| Remote attestation | The TEE produces signed evidence that a verifier can check against policy | Offchain execution can become legible and admissible to on-chain systems 1 |
| Enclave-generated keys and secure channels | Secrets and transport credentials can originate inside the protected boundary | Services can authenticate and communicate without collapsing back to a separate trust anchor 2 |
| Confidential computing with limitations | Practical privacy and integrity benefits, but under hardware and implementation assumptions | Ritual can build useful autonomous systems now, while treating compromise and revocation as first-class design inputs 2 |
From local enclave guarantees to chain-native execution
The deeper Ritual thesis is that TEEs only become strategically interesting once they are lifted out of the machine and turned into a network primitive. A single enclave can protect a workload. That is useful, but local. Ritual’s contribution is to treat attestation not as a one-off certificate stapled onto a server, but as the basis of a shared execution fabric: on-chain attestation as a source of truth, policy-governed workload identity, attested message transport, enclave-backed key management, and eventually more permissionless hosting and verification paths. These features reduce the startup and maintenance cost of secure TEE use by automating key tasks, lowering the audit burden on security-critical components through composable primitives, and distributing governance across a shared network.
This is the difference between using enclaves and building an execution layer. In the first model, a developer deploys a confidential workload but is the only one who can reasonably be expected to understand their work.. In the second, the network has an explicit answer to harder questions: which workloads are valid, how that validity is discovered, which services may talk to which other services, which secrets they may touch, how they learn chain state, and how compromised or deprecated services are revoked. That middle layer is the real system. Without it, attestation is just a local proof. With it, attestation becomes programmable infrastructure.
In Ritual’s stack, that connective tissue shows up as a distributed trust fabric. Workload identity is anchored in measurement and attestation. Policy says which measured workloads count as admissible. A registry lets independent services converge on the same trust view. Attested transport turns that trust view into secure communication. dKMS ties secret access to approved workloads instead of to a human operator or a static machine credential. Trusted RPC and, over time, more minimized truth-access paths prevent enclave systems from inheriting a centralized dependency at the moment they read the chain. Revocation and governance close the loop, because a measured system that cannot be deprecated is not a secure system. The point is not just to run code in a protected box. The point is to make offchain execution composable, inspectable, and governable from the perspective of the chain.
Why this belongs inside the autonomy thesis
Once you see the stack that way, the connection to autonomous intelligence becomes much clearer. Ritual’s claim is not that TEEs solve everything. It is that they make several of the hard requirements of autonomy materially more attainable.
Privacy is the most direct example. An autonomous system cannot be serious if its internal state is exposed every time it reasons, calls a model, or touches a credential. TEEs provide a practical path to private execution, where intermediate state, prompts, secrets, and key material can remain confined during runtime while still producing externally usable outputs 2. In our terms, this is part of what it means for an agent to think privately and act publicly.
Emancipation follows close behind. The key question is not only whether an agent can produce an output. It is whether another actor can seize the permissions that make the output actionable. If keys are minted, held, and used inside attested workloads, then the decision surface moves away from a custodial operator and toward the agent’s own execution boundary. That does not abolish governance or policy, but it changes the locus of control. The agent no longer depends on a human holding the private key in the clear.
Computational sovereignty is the next step. For autonomous agents, cognition is something the system can keep, not merely rent. Open-weight intelligence only becomes durable when it can run under the agent’s own control rather than behind a revocable API. As running these models locally is infeasible for most users, TEEs play a critical role in computational sovereignty by enabling cloud hosting with stronger privacy and integrity guarantees. This is why TEEs sit naturally beside confidential inference rather than as an afterthought to it. They are one of the mechanisms through which cognition becomes something the system can keep, not merely rent.
Internet-native interoperability also becomes more concrete in this frame. An autonomous agent that interacts with the human world must be able to call APIs, manage credentials, read external state, and take actions across web2 surfaces. But doing this safely requires more than a browser automation loop. It requires a place where OAuth material, API keys, session state, and access policies can live without being sprayed across the host or entrusted to a generic operator. Attested external interaction primitives are valuable precisely because they give the chain a way to trigger and reason about real-world actions taken by measured workloads rather than opaque offchain bots.
The same logic extends to financial sovereignty. A system that can hold assets, sign transactions, and allocate resources (even to keep itself running) under policy is meaningfully closer to agency than one that must always act through a human wallet. Here again, the important thing is not merely that a key exists, but that key usage is conditioned on workload identity, policy, and secure execution. That is what turns key custody into programmable economic agency.
Even the properties that TEEs do not solve alone are shaped by them. Teleportability depends on more than enclaves; it also depends on orchestration, persistent identity, and recoverable state. But an agent can only migrate cleanly across environments if its identity, keys, and memory can be rebound to a newly attested execution context without breaking continuity. Immortality similarly requires more than hardware isolation. It requires that the lifecycle of the agent be tied to the network rather than to a single machine. TEEs become relevant here because they give the system a portable, attestable execution identity that can survive infrastructure churn once the rest of the stack is built around it.
| Autonomy property | What TEEs contribute | What must exist around them |
|---|---|---|
| Privacy | Protected runtime for secrets, prompts, and intermediate state | Key policy, secure I/O boundaries, revocation, and user-visible trust assumptions |
| Emancipation | Keys can be generated and used inside measured workloads rather than by an external custodian | Governance over which workloads may act, plus safeguards against compromise |
| Computational sovereignty | Open-weight inference can run under stronger local control and attested conditions | Efficient inference, model availability, and durable deployment infrastructure |
| Internet-native interoperability | External actions can be tied to attested code paths and protected credentials | Orchestration, access control, API integrations, and secure transport |
| Financial sovereignty | Signing and secret use can be bound to policy-governed workload identity | Wallet logic, economic permissions, and auditable action policies |
| Teleportability | Execution identity can be rebound to new environments with continuity checks | Persistent state, orchestration, and recoverable agent identity |
| Immortality | The agent need not die with a single machine if execution can be re-instantiated under the same trust model | Network-managed lifecycle, state continuity, and ownership semantics |
The product surface: what this makes possible
This is why the TEE work is not a side project. It is the execution substrate beneath a set of product primitives that all point in the same direction.
At the base layer, TEEs give Ritual a practical route to incorporate arbitrary non-deterministic heterogeneous compute into the chain through an execute-once, verify-many model. That matters because autonomy in the real world is messy. Useful agents do not operate inside purely deterministic toy environments. They call models, reach out to external services, process sensitive state, and react under uncertainty. A chain that wants to host autonomous systems needs a principled way to admit that kind of compute without pretending it is just another EVM transaction.
From there, confidential inference becomes more than an enclave running a model. It becomes a governed execution path in which a model can run inside an approved workload, access the right secrets, read the right state, and produce outputs whose provenance is legible to the rest of the system. The same structure underlies attested external interaction, where HTTP-style calls and oracle-like services become part of a measured execution path rather than an opaque webhook stapled onto a contract.
The higher-end application target is what we have called Private Autonomous Intelligent Money. The phrase matters because it names the actual ambition. We are not trying to build tools that merely assist a human operator. We are trying to build systems that can hold private state, reason over it, interact with the internet, and transact under controlled identity. That is what it looks like when autonomous intelligence begins to acquire a serious economic surface.
This is also where the broader company goal comes into focus. We want autonomous intelligence to be indistinguishable from humans in the environments that matter: not because it imitates superficial style, but because it can operate with similar continuity, privacy, access, and practical agency. Human beings carry private intentions, persistent identities, transferable skills, economic permissions, and the ability to act across institutional boundaries. If agents are going to approach that level of real-world competence, they cannot be mere stateless wrappers around a remote API. They need an execution layer.
That is what makes TEEs central to Ritual’s worldview. They are not the endpoint, and they are not sufficient on their own. But they are one of the clearest places where autonomous intelligence becomes an engineering program instead of a metaphor. They let the system bind identity to code, secrets to policy, communication to attestation, and higher-level agentic behavior to a substrate the chain can actually reason about. In that sense, TEEs are not adjacent to the autonomy thesis. They are one of the layers through which the thesis becomes real.