By James Aspinwall, co-written by Alfred Pennyworth (my trusted AI) — March 7, 2026, 13:15
Protopia AI solves the problem nobody else has cracked cleanly: protecting data during AI inference without hardware isolation and without performance trade-offs. WorkingAgents solves the adjacent problem: governing what AI agents are allowed to do with the data they access. One ensures the infrastructure operator never sees your prompts. The other ensures the agent never exceeds its authority. For enterprises running autonomous agents on shared GPU infrastructure, both are non-negotiable.
What Protopia AI Does
Protopia’s Stained Glass Transform (SGT) is a patented, software-only approach to confidential inference. It replaces raw data with stochastic, model-specific representations before computation — the model processes randomized data that preserves utility while making the original input unrecoverable by anyone except the data owner.
The critical insight: encryption protects data at rest and in transit, but at the moment of inference, data must be decrypted for the model to process it. That plaintext window — visible in logs, memory, and observability tools — is where data leaks. SGT eliminates the plaintext window entirely.
Core capabilities:
- Stained Glass Transform (SGT) — post-training data transformation that redacts everything non-essential and replaces it with curated noise. Models process the transformed data with near-identical accuracy.
- Roundtrip Protection — prompts are transformed before leaving the client, inference runs on transformed data, outputs decrypt only on the client’s side. No plaintext exposure across the entire lifecycle.
- Stained Glass Engine (SGE) — compute optimization alongside privacy transformation.
- Zero hardware requirements — software-only, no TEEs, no confidential computing GPUs, no specialized hardware. Drops into existing AI stacks.
- NVIDIA NIM compatible — integrates directly with NVIDIA NIM microservices and AI Factory reference designs.
- Multi-tenant inference — sensitive workloads from different data owners run concurrently on shared GPUs. No dedicated hardware per tenant.
Real-world deployments: Q2 Banking (fraud detection), UC San Diego (secure AI agents), Missile Defense Agency SHIELD program (January 2026). Available on AWS Marketplace and Amazon SageMaker. Partners with Lambda for GPU cloud inference.
The economics are compelling: instead of isolating each tenant on dedicated GPUs (20-25% utilization), Protopia enables shared multi-tenant inference (75%+ utilization). Same security. Fraction of the cost.
What WorkingAgents Does
WorkingAgents is the governance and control layer between AI agents and enterprise systems. Three gateways, one control plane:
- Unified LLM Routing — control which models agents use and how they access them
- Agentic Workflow Control — define, supervise, and enforce how agents take actions
- Enterprise MCP and A2A Tools Access — connect agents to internal tools with least-privilege permissions
Per-user access control with AES-256-CTR encrypted permission keys, audit trails on every action, 86+ MCP tools, per-user SQLite databases. Agents inherit the user’s permissions. One identity, one set of rules, full accountability.
The Security Stack They Complete Together
Enterprise AI security has three layers, and most products only address one or two:
| Layer | Question | Solution |
|---|---|---|
| Network | Can this device reach this service? | Tailscale, VPNs, firewalls |
| Inference | Can the infrastructure operator see my data? | Protopia AI |
| Application | Can this agent perform this action? | WorkingAgents |
Protopia protects the data from the infrastructure. WorkingAgents protects the enterprise from the agent. Without Protopia, a properly governed agent sends plaintext prompts to a shared GPU — exposed to the infrastructure operator. Without WorkingAgents, a privacy-protected inference pipeline has no governance over which agents can invoke it, what data they can include, or what they do with the results.
Synergy Areas
1. Private LLM Routing
WorkingAgents routes agent requests to LLM providers. Each request contains a prompt — potentially with sensitive enterprise data (customer names, financial figures, medical records, proprietary research). Protopia protects those prompts:
- Agent constructs a prompt containing sensitive data from WorkingAgents’ NIS CRM
- WorkingAgents checks the agent’s permissions — is this agent allowed to access this data and this model?
- If authorized, the prompt passes through Protopia SGT before leaving the client environment
- The LLM provider receives a stochastic representation — usable for inference, unrecoverable as plaintext
- Response returns, decrypted only on the client side
- WorkingAgents logs the action, schedules any follow-up tasks, notifies relevant parties
WorkingAgents decides whether the agent can make the call. Protopia ensures the call doesn’t leak the data. The LLM provider never sees the original prompt. The infrastructure operator never sees the response. The agent only acts within its permission boundary.
2. Secure Multi-Tenant Agent Operations
WorkingAgents provides per-user database isolation. Protopia provides multi-tenant inference without data leakage. Together, they enable true multi-tenant agentic AI:
- Tenant A’s agent processes financial data → WorkingAgents ensures it only accesses Tenant A’s database → prompts to the shared LLM are SGT-transformed → Tenant B’s agent running inference on the same GPU cannot recover Tenant A’s data
- Tenant B’s agent processes healthcare data → same shared infrastructure → same GPU → mathematically isolated at the data level (Protopia) and governed at the application level (WorkingAgents)
The enterprise doesn’t need dedicated GPUs per tenant. Protopia handles data isolation at the inference layer. WorkingAgents handles permission isolation at the application layer. Shared infrastructure. Isolated operations. Dramatically lower cost.
3. Confidential Agentic AI
UC San Diego already deploys Protopia for “secure AI agents.” WorkingAgents provides the governance framework those agents need:
- Agent registration — WorkingAgents defines what each agent can do (which tools, which data, which models)
- Prompt construction — WorkingAgents assembles the prompt with data from authorized sources only
- Inference privacy — Protopia SGT transforms the prompt before it reaches any shared infrastructure
- Action governance — WorkingAgents validates the model’s response before the agent acts on it
- Audit trail — WorkingAgents logs the complete chain: what data was accessed, what model was queried, what action was taken
Protopia ensures the inference is confidential. WorkingAgents ensures the agent is accountable. Together: confidential AND governed agentic AI.
4. The Economics of Secure Agent Fleets
Running agent fleets on dedicated GPUs is prohibitively expensive. An enterprise with 50 agents across 10 departments, each requiring isolated inference, would need 10+ dedicated GPU instances at 20% utilization each.
With Protopia + WorkingAgents:
- All 50 agents share a pool of GPU instances → Protopia ensures each agent’s prompts are private on shared hardware → 75%+ GPU utilization instead of 20%
- WorkingAgents governs which agents access which models, enforces rate limits, tracks costs per user → GPU spend is attributable and controllable
- When an agent exceeds its compute budget → WorkingAgents blocks further requests, creates a task for review, notifies the team lead via Pushover
The savings are multiplicative: Protopia reduces GPU count by 3-4x through safe multi-tenancy. WorkingAgents reduces waste by governing consumption. An enterprise that needed 50 dedicated GPU instances now runs on 10-15 shared instances with better security than dedicated hardware provided.
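To make the ordering of the routing flow in Synergy Area 1 (authorize, then transform before the prompt leaves the client, then dispatch, then audit) and the budget enforcement in Synergy Area 4 concrete, here is an added illustrative gateway in Python; it is not WorkingAgents' or Protopia's code. The permission model, the whitespace-token budget and `sgt_stand_in` are assumptions: the stand-in only marks where the client-side transform runs and does not reproduce SGT.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Policy:
    models: set          # models this user may route to
    datasets: set        # data sources this user may include in prompts
    token_budget: int    # per-user compute budget (constructed unit: whitespace tokens)

@dataclass
class Gateway:
    policies: dict                   # user -> Policy
    transform: Callable[[str], str]  # runs client-side, before the prompt leaves
    provider: Callable[[str], str]   # shared model host; sees only transformed data
    audit: list = field(default_factory=list)
    tasks: list = field(default_factory=list)
    spent: dict = field(default_factory=dict)

    def route(self, user, model, dataset, prompt):
        pol = self.policies.get(user)
        # Fail closed: unknown user or out-of-policy model/dataset is denied and recorded.
        if pol is None or model not in pol.models or dataset not in pol.datasets:
            self.audit.append((user, model, dataset, "denied"))
            return None
        cost = len(prompt.split())
        if self.spent.get(user, 0) + cost > pol.token_budget:
            # Over budget: block the request and open a review task instead of routing.
            self.audit.append((user, model, dataset, "budget_exceeded"))
            self.tasks.append(f"review compute budget for {user}")
            return None
        self.spent[user] = self.spent.get(user, 0) + cost
        response = self.provider(self.transform(prompt))  # plaintext stays client-side
        self.audit.append((user, model, dataset, "allowed"))
        return response

def sgt_stand_in(prompt):
    """Constructed placeholder marking the transform boundary; this is NOT SGT."""
    return f"<transformed:{len(prompt.split())} tokens>"

def demo():
    seen = []                                   # what the model host actually received
    def host(payload):
        seen.append(payload)
        return "ok"
    gw = Gateway({"alice": Policy({"llama"}, {"crm"}, 6)}, sgt_stand_in, host)
    r1 = gw.route("alice", "llama", "crm", "summarize account for Acme Corp")  # 5 tokens
    r2 = gw.route("alice", "llama", "finance", "quarterly revenue")            # dataset not allowed
    r3 = gw.route("alice", "llama", "crm", "draft renewal email")              # 3 tokens, over budget
    return gw, seen, (r1, r2, r3)
```

Running `demo()` shows the host receiving only the transformed representation, the out-of-policy dataset denied before anything is sent, and the over-budget request blocked with a review task queued.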
5. Private RAG with Agent Governance
Protopia already demonstrates “end-to-end private RAG” with partner Cyborg. WorkingAgents adds the governance layer:
- Document ingestion — WorkingAgents’ per-user database stores the document embeddings. Access is permission-controlled.
- Retrieval — Agent queries the RAG pipeline → WorkingAgents checks: does this agent have permission to access this document set?
- Augmentation — Retrieved context is assembled into a prompt → Protopia SGT transforms the complete prompt (query + context) before inference
- Generation — LLM generates a response on transformed data → response returns encrypted to the client
- Action — WorkingAgents evaluates the response, executes any follow-up actions (create task, send notification, update CRM), logs the entire chain
Private RAG without Protopia: the infrastructure operator sees your documents and queries in plaintext. Private RAG without WorkingAgents: any agent can query any document with no permission checks. Both together: genuinely private, genuinely governed RAG.
6. Beyond Confidential Computing
Protopia explicitly positions against hardware-based confidential computing (TEEs, secure enclaves): “if the hardware is compromised — which is always possible — all the information in each data record is exposed.” SGT redacts the data before compute, minimizing exposure even if hardware is compromised.
WorkingAgents takes the same defense-in-depth philosophy at the application layer. Our access control doesn’t rely on a single enforcement point. Permissions are checked at every API boundary. Audit trails are written independently. Even if one layer is compromised, the others continue to enforce.
Protopia + WorkingAgents represents a security model that doesn’t trust any single component:
- Don’t trust the hardware → Protopia redacts data before it reaches the GPU
- Don’t trust the infrastructure operator → SGT ensures they see only noise
- Don’t trust the agent → WorkingAgents enforces permissions on every action
- Don’t trust the network → encrypt in transit (standard TLS)
- Don’t trust the storage → WorkingAgents encrypts per-user databases at rest
No single point of compromise exposes everything. Each layer independently limits the blast radius.
The Partnership Opportunity
For Protopia: WorkingAgents provides the agent governance layer their secure inference platform needs. Protopia protects the data during inference — but doesn’t govern which agents can trigger inference, what data they can include in prompts, or what they do with results. WorkingAgents closes that loop. Every Protopia customer deploying agentic AI needs agent governance. Every multi-tenant deployment needs per-user permission control.
For WorkingAgents: Protopia solves our most significant security gap. WorkingAgents governs agent behavior, but when an agent sends a prompt to an LLM provider, that prompt is plaintext at the model host. Protopia eliminates that exposure — no code changes to our serving stack, no hardware requirements, near-zero performance overhead. Our LLM routing becomes genuinely private with one integration.
For the joint customer: AI agents that are governed (WorkingAgents) sending prompts that are private (Protopia) to models on shared infrastructure (cost-efficient). The CISO signs off because data never appears in plaintext outside the client. The CTO signs off because GPU utilization is 75% instead of 20%. The compliance team signs off because every action is audited from agent intent to inference execution.
Concrete Next Steps
- SGT integration in LLM routing — add Protopia SGT as a transform step in WorkingAgents’ LLM routing pipeline. Prompts are SGT-transformed before leaving the client. Estimate: 3-5 days, primarily Protopia SDK integration.
- Multi-tenant PoC — two WorkingAgents tenants sharing a single LLM endpoint, each with per-user permissions and SGT-transformed prompts. Verify data isolation with neither tenant able to recover the other’s data.
- Private RAG demo — end-to-end: document ingestion into WorkingAgents’ per-user database → permission-checked retrieval → SGT-transformed prompt → inference on shared GPU → governed agent action. Complete audit trail.
- GTC 2026 meeting — Protopia is at GTC (NVIDIA NIM partner). Schedule a technical discussion about the integration path and joint go-to-market for regulated industries.
Protopia eliminates the last plaintext window in AI — inference. WorkingAgents eliminates the last ungoverned actor in AI — the agent. Together, they answer the two questions every enterprise CISO asks before approving agentic AI: “Can anyone see our data during inference?” (No — Protopia.) “Can the agent do something it shouldn’t?” (No — WorkingAgents.) Software-only. No hardware dependencies. No performance trade-offs. No trust assumptions.