Xanadu
working paper · revised 2026-06-01

What it takes to build an AI that cannot answer a subpoena.

A four-layer architecture: hardware confidential compute, jurisdictional friction, verifiable code provenance, and architectural data-absence. The case law that made it necessary. The threat model that bounds it. Written for technical and legal readers.

~3,000 words10 min readReviewer: counsel + external cryptographer
Contents
  1. Abstract
  2. 1. The problem became real in February.
  3. 2. The thesis.
  4. 3. The four layers.
  5. 4. What we don’t claim.
  6. 5. Why incumbents structurally cannot follow.
  7. 6. The window is now.
  8. 7. Positioning.
  9. 8. Where we are.
  10. References

Abstract

We argue that the standard privacy model for AI inference (a provider promising not to disclose) is structurally inadequate for any use case where the underlying conversation is privileged, regulated, or otherwise sensitive to compelled disclosure. Two 2026 federal rulings made this concrete: prompts to mainstream large-language-model services are discoverable records on the provider’s servers, reachable by subpoena, and the provider’s policy of reserving disclosure rights is itself the legal hook that defeats privilege claims.

We describe a four-layer architecture. Hardware confidential compute, jurisdictional friction, verifiable code provenance, and architectural data-absence. Together they produce an inference service whose operator cannot in fact comply with a request to produce customer prompts. Every claim is bounded by a published threat model that names exactly where the guarantees end.

1. The problem became real in February.

United States v. HeppnerS.D.N.Y. · Judge Rakoff · Feb 17, 2026

Bradley Heppner, the defendant in a securities-fraud prosecution, used the consumer version of Claude to generate legal-strategy documents after he had received a grand-jury subpoena and after it was clear he was the target. He did so without attorney direction. Anthropic’s privacy policy at the time reserved rights to disclose user inputs and to use them for training.

The court held that neither attorney-client privilege nor work-product doctrine protected the Claude conversations. About thirty-one Claude-generated documents went to prosecutors. The ruling’s load-bearing reasoning: a published reservation of disclosure rights defeats any reasonable expectation of confidentiality. The fact that Heppner volunteered to use the service was treated as third-party submission.

New York Times Co. v. OpenAIS.D.N.Y. · Judge Stein · Jan 5, 2026

Six weeks earlier, the same court ordered OpenAI to produce approximately twenty million ChatGPT conversation logs to civil plaintiffs, including conversations unrelated to the copyright-infringement claims at the core of the case. The “voluntary submission to a service” framing defeated the privacy objection.

The synthesis of these two rulings is unambiguous: under current US discovery doctrine, any prompt typed into a service that (a) retains a copy and (b) reserves disclosure rights is a discoverable record. Mainstream AI does both. The compliance posture mainstream AI offers is the one a federal judge said no to.

2. The thesis.

A provider’s promise not to disclose has zero load-bearing capacity once the provider is subject to compelled production. The only durable protection is architectural inability to produce: there is nothing on the operator’s servers to seize, no key the operator holds that decrypts the missing thing, and the operator’s home jurisdiction makes compliance with foreign compulsion a personal crime.

This is the model Mullvad demonstrated when Swedish police raided its office in April 2023 looking for customer data and left empty-handed. Mullvad had no such data to hand over. It is the model ProtonMail demonstrated when the Swiss court process forced narrow disclosure of metadata in 2021 while leaving message contents mathematically untouchable.

We are building this for AI inference.

3. The four layers.

Each layer addresses a distinct adversary. The architecture composes so that compulsion against any single layer leaves the others intact.

3.1. Hardware confidentiality.

Inference runs inside attested GPU trusted-execution environments (TEEs) shipped in current-generation Blackwell-class hardware. The prompt is encrypted on the client device to a public key rooted in the GPU’s silicon attestation chain. The TEE is the only holder of the matching private key. After computation, the result is re-encrypted to the client’s key on the way out, and enclave memory is zeroed. Production overhead is measured at approximately four to eight percent over comparable non-confidential inference at our target model size.

The operator’s control plane is on the outside of this boundary. The operator can route traffic, meter usage, and bill. It cannot read the cleartext that crossed the boundary, because no key it holds will decrypt it.

3.2. Jurisdictional friction.

The operating entity is being formed in a jurisdiction whose criminal code makes unauthorized compliance with foreign discovery a personal offense (Switzerland, Art. 271 of the Criminal Code), whose constitution guarantees private communications (Federal Constitution, Art. 13), and which is outside the legal reach of the United States CLOUD Act. Foreign compulsion in this jurisdiction proceeds through mutual legal assistance treaties with median timelines measured in years and a dual-criminality requirement that screens out a substantial fraction of US discovery requests on their face.

The jurisdictional choice is necessary but not sufficient. Swiss domicile slows process; it does not stop it. The shield against the process itself is the previous layer where the operator cannot comply with what it does not hold.

3.3. Verifiable code provenance.

The TEE attestation, by itself, proves that some code ran inside the hardware boundary. It does not prove the code is honest. We close that gap by publishing reproducible enclave builds with content-addressed image hashes, and by signing each attestation with both the GPU silicon root and an independent build-witness signature. Customers verify the full chain at session establishment time and refuse mismatches.

The Mullvad and ProtonMail transparency models (quarterly independent audits, public canaries, machine-readable reproducibility) are applied to the inference stack unchanged.

3.4. Architectural data-absence.

The principle binding the other three layers: prompts are not persisted, intermediate state is not journaled, and metering is computed over query counts, never query content. The operator’s logs contain billing telemetry, attestation records, and aggregated load metrics. Customer conversations stay out. There is no “just-in-case” archive, no debug capture, no telemetry beacon that could be made to carry contents.

This is the layer that makes “we cannot comply” honest. Anything the operator does retain could be compelled. We chose to retain almost nothing, and to publish the list of what we do.

4. What we don't claim.

Our published threat model enumerates five named adversaries with posture, mechanism, and customer-verification path each. A serious threat model names where the defenses end. The summary version:

  • We do not claim it is mathematically impossible for us to comply. A state adversary with physical access to operator hardware and unbounded time is, at the limit, a credible threat against any remote-attestation system. The hardware lives where the jurisdiction makes that adversary costly to mobilize.
  • We do not claim zero-knowledge proofs of frontier inference at production cost. The mathematical primitives exist; the engineering does not at the scale of contemporary frontier-model parameter counts. We are honest about which cryptographic guarantees are TEE-mediated and which would require ZK and do not.
  • We do not claim that domicile alone is a shield. Only data absence is. Domicile only buys the time for the absence to matter.

The full published threat model enumerates each adversary, posture, mechanism, and customer-verifiable proof.

5. Why incumbents structurally cannot follow.

OpenAI, Anthropic, and Google operate from jurisdictions where the CLOUD Act, the All Writs Act, and the Stored Communications Act collectively guarantee that any data the operator can read, the operator can be ordered to produce. This is not a feature of their business decisions; it is a feature of where they live. They cannot credibly promise “we cannot be compelled” without first moving the data to a place where their own ability to read it is removed.

Removing the operator’s ability to read customer prompts requires running inference inside hardware the operator does not control the keys to, in a jurisdiction whose process is friction to the operator’s home jurisdiction. Doing this would require a US-domiciled AI company to set up an offshore confidential-inference subsidiary, refuse to retain logs in its home jurisdiction, and accept that its own employees cannot inspect customer traffic. None of the current frontier vendors will do this, because their commercial model is built on observing customer behavior for improvement loops and red-team learning.

The architecture is the moat. It is not a feature any incumbent can ship without abandoning the data flywheel that produced its current model quality.

6. The window is now.

Three conditions converged in early 2026 that make this build tractable in a way it was not eighteen months earlier:

  • Confidential GPU compute is generally available. Blackwell-class hardware ships with hardware TEE support that costs approximately four to eight percent in throughput overhead at production model sizes. This is the first generation where confidential inference is operationally indistinguishable from non-confidential inference from the customer’s perspective.
  • Open-weight models reached the frontier. Independent evaluations published in early 2026 show open-weight model scores at or above the leading closed model on the SWE-Bench Pro, DeepSearchQA, and SWE-Bench Verified suites. The thesis no longer requires running a closed-weight model inside a confidential enclave, which would have been commercially infeasible. The frontier moved into the public domain at the point we needed it to.
  • Discovery precedent is tightening. Heppner is fresh and unappealed. The NYT log-production order is being cited in unrelated litigation as precedent for ordering production of AI logs over privacy objection. Demand from the buyer segment has discrete months of tailwind ahead of a counter-trend.

The window will close. Incumbents will ship a “zero-retention enterprise tier” that improves the floor and makes the fear table stakes. That tier will not provide the architectural inability to produce that the buyer wants. Only the architecture in this paper does. The new tier will be enough to slow the category. The build window is the months before that ships.

7. Positioning.

Xanadu is positioned as the AI counterpart of the privacy-tech companies that built credible trust in the consumer space: Signal for messaging, Mullvad and Proton for connectivity, 1Password for credentials. The pattern is consistent: an architecture that makes provider misbehavior impossible rather than discouraged, plus public auditability, plus jurisdictional choice, plus a published threat model that names limits.

The first customers are the segments where mainstream AI’s posture is acutely unworkable: Kovel-tier law firms, in-house counsel at regulated firms, investigative newsrooms, clinicians, and the safety operations of organizations whose employees are targets of state surveillance.

8. Where we are.

As of mid-2026 the open-source MCP dispatcher (described at xanadu.run/dispatcher) is live as the on-ramp surface: customers can route their existing provider keys through a budget-capped, ledger-audited MCP server today. The hosted confidential inference (described at xanadu.run/cloud) is in private beta with a small cohort of design partners. The architecture described in §3 is what powers the cloud surface; the dispatcher exposes the same surface against mainstream provider APIs so customers can prepare migrations before the confidential cloud opens.

References

United States v. Heppner, S.D.N.Y. (Rakoff, J.), bench ruling Feb 10, 2026; memorandum opinion Feb 17, 2026.

New York Times Co. v. OpenAI, S.D.N.Y. (Stein, J.), discovery order Jan 5, 2026.

United States v. Kovel, 296 F.2d 918 (2d Cir. 1961) . Doctrine extending attorney-client privilege to agents retained for translation or interpretation under attorney direction.

Swiss Criminal Code, Art. 271. Unlawful acts on behalf of a foreign state.

Swiss Federal Constitution, Art. 13. Right to privacy in correspondence and telecommunications.

NVIDIA Confidential Computing whitepaper, Hopper / Blackwell generations.

Mullvad transparency report and 2023 police-search disclosure.

Proton AG 2021 transparency report and Swiss data-disclosure process.

This paper is a public document. It is intentionally less detailed than the internal design dossier in matters of entity structure, hardware-supplier selection, and model-routing economics. Researchers, prospective design partners, and counterparties wanting the longer form can contact hello@xanadu.run under NDA.

Revision: 2026-06-01. Reviewed by counsel and an external cryptographer. This document is licensed CC BY 4.0; the underlying architecture and threat model live at /threat-model.