Three parties see every prompt you send through a commercial AI API: the model maker’s servers, the platform routing the request, and the infrastructure operator running the hardware. For personal queries that tradeoff is invisible.
For legal teams running contract review, medical practices querying patient records, or trading desks asking an agent to reason through an active position, it is a dealbreaker.
gm (SN28) routes Claude, GPT, and Gemini prompts through an Intel TDX (Trust Domain Extensions) trusted execution environment, where the proof of privacy comes from the chip itself rather than from a privacy policy. The subnet is live on mainnet with over 2,400 prospective users on the waitlist.
Why Privacy By Policy Falls Short
Every frontier AI API today runs on the same trust model: The maker controls the hardware, sets the policy, and asks you to agree.
But, here’s where the trust model breaks down:
1. A privacy policy is not a compliance certification. Regulated industries cannot rely on it.
2. Exposure compounds with autonomous agents. Every query sent to a centralized endpoint adds to the surface area under terms the endpoint sets unilaterally.
3. The infrastructure operator has full administrative access. Without hardware-level isolation, “trust us” is a contract with an entity that holds the keys.
Privacy by hardware is different. Your prompt decrypts only inside a sealed enclave, and the proof of that sealing comes from the processor that ran it.
How The Sealing Actually Works
Intel TDX is a CPU-level technology that creates hardware-isolated virtual machines. The isolation is enforced by the chip itself, which means the host operating system, the hypervisor, and every other process on the machine are cryptographically excluded from the enclave’s memory.
| Step | What Happens |
| Enclave boots | Runs on Phala’s infrastructure |
| Hardware signs the code | Intel signs a measurement of exactly what is running |
| Attestation is published | Visible live on GM, updated every boot |
| Code mismatch blocks startup | A failed match against the open-source image prevents the enclave from running |
| TLS (Transport Layer Security) terminates inside | Your prompt decrypts only in the sealed environment |
For closed frontier models like Claude, GPT, and Gemini, the model still processes your request on the maker’s infrastructure under the maker’s terms. What gm adds is a sealed tunnel between your client and the model maker’s endpoint, so gm’s operators, the miner serving the request, and Phala’s hosting never see the plaintext in transit.
How gm (SN28) Differs From Targon (SN4)
Targon (SN4) also uses TEEs (Trusted Execution Environments), and the distinction between the two subnets matters because they solve different problems at different points in the AI stack.
| Scale | gm (SN28) | Targon (SN4) |
| Problem solved | Routing trust | Compute trust |
| Where the TEE sits | Between client and model maker’s API | Around the GPU running the model |
| What stays private | Prompt in transit to centralized models | Model weights and data during execution |
| Hardware | Centralized models on maker’s infrastructure | Decentralized GPUs owned by miners |
Targon protects your data while it computes on decentralized hardware. gm protects your data while it routes to centralized models. The same underlying technology applied to two separate problems with no overlap.
How Miners Earn
Miners earn by providing verified private routing capacity:
1. A miner brings their own API keys for Anthropic, OpenAI, Google, or Chutes.
2. Deploys inside an Intel TDX enclave on Phala Cloud.
3. Declares which models they serve at what discount off the maker’s retail price. A 5% discount on claude-sonnet-4-6 earns the miner 95 cents of every dollar paid.
4. API keys stay sealed inside the enclave. gm’s registry verifies image hashes match the approved open-source release before any worker goes live.
Live pricing on the gateway shows claude-sonnet-4-6 at $3.00 per million input tokens and $15.00 per million output tokens, at or below Anthropic’s direct API rate. The trust is in the hardware enclave Intel signed, not in the miner.
For developers, the switch is a single base URL change. Cursor, Cline, Claude Code, and any OpenAI-compatible SDK (Software Developer Kit) can point at gm and get drop-in access to all 27 supported models without rewrites.
The Route Is The Product
gm is live on Bittensor subnet 28, and the beta is intentionally small, with over 2,400 on the waitlist and invites going out in order.
Every other subnet on Bittensor is a marketplace for intelligence production, while gm is a marketplace for intelligence routing with the added constraint that the routing proves itself to you before your first prompt leaves your machine.
The roadmap adds attested logs, automatic PII redaction, and eventually on-chain $SN28 token payment for gateway fees. Most queries do not need a sealed route, but for the ones that do, gm is the only Bittensor subnet where the answer is hardware-verified.
➛ Join GM’s Waitlist Here
Enjoyed this article? Join our newsletter
Get the latest TAO & Bittensor news straight to your inbox.
We respect your privacy. Unsubscribe anytime.
Be the first to comment