A client sent through a security questionnaire ahead of a contract renewal. One clause asked whether any third-party processor handling the firm’s data uses encryption at rest and in transit. He ticked the box, because every AI tool in the stack does. Then he read the next clause, which asked whether prompts and responses are exposed in plaintext during inference. He did not know. He went to the AI vendor’s documentation. Encryption at rest was explained in detail. Encryption in transit was explained in detail. Encryption in use was not mentioned, because in that product it does not exist.
That gap is the reason a clause that read as complete five years ago for a CRM is no longer the same promise for an AI service today. Encryption operates across three states, and AI workloads sit differently from any other software you procure on the third.
What is AI encryption?
Encryption operates across three states for any AI service. At rest is data sitting on a disk or in a backup. In transit is data moving across a network between your laptop and a vendor’s server. In use is data being actively processed, which for AI means a model running on it. The first two are mature engineering. The third is where AI workloads break the assumptions every other software contract was written under.
The mechanics are simple. When you send a prompt to a hosted AI service, the prompt travels over TLS 1.3, the standard in-transit protocol. The vendor’s edge server decrypts the prompt, logs it, and forwards it to a GPU inference server in plaintext, because the model has to read the words to generate a response. The response is logged, encrypted again, and returned to you. From the edge to the log, your data is plaintext on the vendor’s systems. That window is structural, not a configuration mistake.
Why does it matter for your business?
UK regulators treat encryption as the baseline of data protection, and the AI workload pattern leaves a hole in the middle of that baseline. Article 32 of UK GDPR requires appropriate technical measures including encryption. NHS DSPT requires customer-managed keys. The FCA expects financial services firms to control the encryption of regulated data. Cyber insurance underwriters now ask about AI tool encryption at renewal. The clauses you tick are read against this floor.
The practical consequence for an owner-managed firm is that the security questionnaires from your clients have grown a new section. A legal practice sending case material into a generative AI tool, a healthcare consultancy sending de-identified patient information, a financial firm sending portfolio data, a recruiter sending CVs, all of these are exposing that data to a vendor’s plaintext logs. This is the documented behaviour of the tool, sitting behind a clause that reads as if the data were protected throughout.
The third reason it matters is that it shapes which products you can defensibly use. For high-classification data, the answer is often a different tier of the same product. Microsoft’s standard ChatGPT API and Azure OpenAI Service can serve the same underlying model, but Azure offers confidential computing as an enterprise option that the standard API does not. The variable that matters is the encryption posture of the contract, not the model behind it.
Where will you actually meet it?
You will meet it in vendor security pages first. A page that lists “AES-256 encryption at rest” and “TLS 1.3 in transit” in detail, then says nothing about inference processing, is the standard pattern in 2026. The omission is rarely deceptive. The vendor is honestly describing what it does. Encryption in use is a separate technical capability that consumer and standard commercial AI APIs do not yet offer by default.
You will meet it in your own client questionnaires next. A growing share of mid-market and enterprise procurement forms ask explicitly whether prompts and responses are exposed in plaintext during inference, whether the customer can manage the encryption key, and whether the vendor publishes a cryptographic attestation report. If you cannot answer those questions for the AI tools you use, the box is unticked and the contract stalls.
Then you will meet it in the cloud-provider product pages, where the answer lives. AWS Nitro Enclaves, Azure Confidential Computing, and Google Cloud Confidential VMs are all production-ready in 2026. NVIDIA H100 and H200 GPUs support confidential computing, which is the layer that matters for large model inference. The cost is roughly a 20 to 30 percent compute premium. Apple’s Private Cloud Compute, announced in June 2024, is the cleanest verifiable example: Apple publishes the architecture, third-party researchers can audit it, and a cryptographic attestation lets a customer check the enclave has not been tampered with. Few commercial AI providers publish anything equivalent, which means the security claim cannot be independently checked.
When to ask about it, when to ignore it
Ask about it when the data going into the prompt would matter if it leaked. Client identifiers, health information, financial details, legal case material, employee records, internal commercial documents, anything covered by a confidentiality agreement or a regulatory regime. For these, encryption posture is part of the procurement decision, and the questions you send the vendor need to be specific enough that they cannot be answered with marketing copy.
Five questions earn their place on the form. Is data encrypted at rest with AES-256, and can we manage the keys ourselves. Is TLS 1.3 enforced on every connection. During inference, are prompts and responses exposed in plaintext or protected by confidential computing. Can you provide a cryptographic attestation report or third-party security audit. What is the retention period for prompt and response logs, and where do they sit. A vendor who can answer these directly is in a different operational class from one who replies with “enterprise-grade security”.
Hold the question lightly when the prompt content would not matter if it were public. A general writing assistant drafting a press release, a meeting summariser running over a recording you would happily publish, a code completion tool reading a non-confidential repository. The encryption-in-use gap exists in those services too, but the practical exposure is low. Spending procurement effort on closing it is a misallocation. The discriminator is the data classification of what you are about to put into the prompt.
For Article 32 risk assessments, NHS DSPT submissions, FCA outsourcing notifications, EU AI Act Article 15 compliance, or any specific legal question, route through the NCSC, the ICO, your sector regulator, and a qualified cyber consultancy. This piece is the question framing, not the legal answer.
Related concepts
Confidential computing is the production-ready technology that closes the encryption-in-use gap. Code and data run inside a hardware-isolated execution environment on the CPU or GPU, where neither the operating system, the hypervisor, nor an administrator with root access can read the contents. Intel calls its version Software Guard Extensions, AMD calls it Secure Encrypted Virtualisation, and ARM calls it Confidential Computing Architecture. For AI workloads in 2026, this is the answer.
Hardware security modules, HSMs, are tamper-resistant devices that store cryptographic keys and perform encryption operations without ever exposing the key in plaintext. When you see BYOK in a contract, the key is being held in an HSM the vendor staff cannot extract from.
Attestation is the cryptographic proof that a piece of code is running inside a confidential enclave and has not been modified. The enclave generates a signed report, and a customer or auditor can verify it independently. Apple Private Cloud Compute publishes attestation reports for its inference servers, which is why it works as the reference example.
Homomorphic encryption and secure multi-party computation are research-frontier techniques that allow computation on encrypted data without decryption at all. They appear in vendor literature and procurement documents. For mainstream AI workloads in 2026, confidential computing is the practical path; the other two are worth knowing as terms, not deploying as solutions.
The Storm-0558 incident in July 2023, when a nation-state actor obtained a Microsoft consumer signing key and used it to forge access tokens for several US government Outlook accounts, is the standing reminder that key custody is not theoretical. The cryptography held; the key did not. Every encryption claim in your AI vendor stack rests on the same assumption, that the key is held somewhere your data is not. Worth checking before you tick the box.
