LIVE · TAO
TAO$— SUBNETS72 VALIDATORS256
TheThe TAO Daily
Home / SUBNETS / How gm (SN28) Protects AI…
SUBNETS

How gm (SN28) Protects AI Prompts With Hardware-Based Privacy

How gm (SN28) Protects AI Prompts With Hardware-Based Privacy
Read Time:4 Minute, 0 Second

Three parties see every prompt you send through a commercial AI API: the model maker’s servers, the platform routing the request, and the infrastructure operator running the hardware. For personal queries that tradeoff is invisible.

For legal teams running contract review, medical practices querying patient records, or trading desks asking an agent to reason through an active position, it is a dealbreaker. 

How GM Router Works

gm (SN28) routes Claude, GPT, and Gemini prompts through an Intel TDX (Trust Domain Extensions) trusted execution environment, where the proof of privacy comes from the chip itself rather than from a privacy policy. The subnet is live on mainnet with over 2,400 prospective users on the waitlist.

Why Privacy By Policy Falls Short

Every frontier AI API today runs on the same trust model: The maker controls the hardware, sets the policy, and asks you to agree.

But, here’s where the trust model breaks down:

1. A privacy policy is not a compliance certification. Regulated industries cannot rely on it.

2. Exposure compounds with autonomous agents. Every query sent to a centralized endpoint adds to the surface area under terms the endpoint sets unilaterally.

3. The infrastructure operator has full administrative access. Without hardware-level isolation, “trust us” is a contract with an entity that holds the keys.

Privacy by hardware is different. Your prompt decrypts only inside a sealed enclave, and the proof of that sealing comes from the processor that ran it.

How The Sealing Actually Works

Intel TDX is a CPU-level technology that creates hardware-isolated virtual machines. The isolation is enforced by the chip itself, which means the host operating system, the hypervisor, and every other process on the machine are cryptographically excluded from the enclave’s memory.

StepWhat Happens
Enclave bootsRuns on Phala’s infrastructure
Hardware signs the codeIntel signs a measurement of exactly what is running
Attestation is publishedVisible live on GM, updated every boot
Code mismatch blocks startupA failed match against the open-source image prevents the enclave from running
TLS (Transport Layer Security) terminates insideYour prompt decrypts only in the sealed environment

For closed frontier models like Claude, GPT, and Gemini, the model still processes your request on the maker’s infrastructure under the maker’s terms. What gm adds is a sealed tunnel between your client and the model maker’s endpoint, so gm’s operators, the miner serving the request, and Phala’s hosting never see the plaintext in transit.

How gm (SN28) Differs From Targon (SN4)

Targon (SN4) also uses TEEs (Trusted Execution Environments), and the distinction between the two subnets matters because they solve different problems at different points in the AI stack.

Scalegm (SN28)Targon (SN4)
Problem solvedRouting trustCompute trust
Where the TEE sitsBetween client and model maker’s APIAround the GPU running the model
What stays privatePrompt in transit to centralized modelsModel weights and data during execution
HardwareCentralized models on maker’s infrastructureDecentralized GPUs owned by miners

Targon protects your data while it computes on decentralized hardware. gm protects your data while it routes to centralized models. The same underlying technology applied to two separate problems with no overlap.

How Miners Earn

Miners earn by providing verified private routing capacity:

1. A miner brings their own API keys for Anthropic, OpenAI, Google, or Chutes.

2. Deploys inside an Intel TDX enclave on Phala Cloud.

3. Declares which models they serve at what discount off the maker’s retail price. A 5% discount on claude-sonnet-4-6 earns the miner 95 cents of every dollar paid.

4. API keys stay sealed inside the enclave. gm’s registry verifies image hashes match the approved open-source release before any worker goes live.

Live pricing on the gateway shows claude-sonnet-4-6 at $3.00 per million input tokens and $15.00 per million output tokens, at or below Anthropic’s direct API rate. The trust is in the hardware enclave Intel signed, not in the miner.

For developers, the switch is a single base URL change. Cursor, Cline, Claude Code, and any OpenAI-compatible SDK (Software Developer Kit) can point at gm and get drop-in access to all 27 supported models without rewrites.

The Route Is The Product

gm is live on Bittensor subnet 28, and the beta is intentionally small, with over 2,400 on the waitlist and invites going out in order.

Every other subnet on Bittensor is a marketplace for intelligence production, while gm is a marketplace for intelligence routing with the added constraint that the routing proves itself to you before your first prompt leaves your machine.

GM’s Roadmap

The roadmap adds attested logs, automatic PII redaction, and eventually on-chain $SN28 token payment for gateway fees. Most queries do not need a sealed route, but for the ones that do, gm is the only Bittensor subnet where the answer is hardware-verified.

➛ Join GM’s Waitlist Here

Enjoyed this article? Join our newsletter

Get the latest TAO & Bittensor news straight to your inbox.

We respect your privacy. Unsubscribe anytime.

Ige A

Be the first to comment

Leave a Reply

Your email address will not be published.


*