GenAI and data security: How AWS removes all operator access with Mantle

By Eric Pinet

The rapid rise of generative AI is fundamentally changing how businesses handle their most sensitive data. According to Gartner, 79% of business leaders see AI as critical to their business strategy, yet 54% say security and privacy concerns remain their biggest obstacle to adoption.

Every prompt sent to a generative AI model can contain strategic information, confidential customer data, or trade secrets. At a time when the average cost of a data breach has reached $4.45 million per incident, the question is no longer simply, “Where are we hosting our models?” but rather, “Who can access our inference data?”

AWS recently introduced a major architectural innovation with Mantle, Amazon Bedrock’s next-generation inference engine, built around a radical principle: Zero Operator Access (ZOA). This approach technically eliminates any possibility for AWS operators, or anyone else, to access customer data. Let’s take a closer look at how this architecture is redefining security standards for GenAI workloads.

The unique security challenges of GenAI in the cloud

A broader attack surface

Unlike traditional cloud workloads, GenAI inference creates entirely new data exposure risks. Every interaction with a model involves:

  • User prompts: which may contain sensitive, proprietary, or personal information
  • Generated completions: which may expose confidential information or business strategy
  • Fine-tuned model weights: which represent significant intellectual property investments
  • Usage metadata: which can reveal strategic usage patterns

An IBM study found that 65% of organizations see data leakage as the number one risk associated with GenAI adoption. For Quebec and Canadian SMBs, that risk is even more serious, since a single breach can erase years of competitive advantage.

The limits of traditional security approaches

Traditional cloud security models are based on the principle of least privilege: each operator is granted access only to the systems strictly required for their role, with full logging and regular audits. While this is a strong model, it still has one fundamental limitation: there is always a technical path to customer data, even if access is tightly controlled.

For GenAI workloads handling highly sensitive information such as medical records, financial strategies, or proprietary research data, even that residual risk may be too high.

Zero Operator Access: Understanding the Mantle architecture

The core principle

Anthony Liguori, AWS VP and Distinguished Engineer responsible for Mantle, explains it this way: “We built Mantle by intentionally removing any technical means for AWS operators to access customer data. Systems and services are managed only through automation and secure APIs that protect customer data.”

In practical terms, that means:

No interactive access: SSH, AWS Systems Manager Session Manager, and serial consoles are simply not installed in Mantle. There is no mechanism that would allow an AWS operator to connect to the underlying compute systems.

Cryptographically signed deployments: All inference software updates must be signed and verified before deployment. Only approved code can run on Mantle.

End-to-end encryption: When a customer calls a Mantle endpoint, such as bedrock-mantle.[region].api.aws, data is encrypted via TLS from the customer environment all the way to the Mantle service operating under ZOA.

The underlying technologies

AWS Nitro System: the foundation

Mantle is built on the proven AWS Nitro System model, which introduced hardware-level isolation between the hypervisor and customer instances. According to AWS documentation, Nitro uses specialized hardware and software to protect data from outside access.

This architecture is built on three pillars:

  1. Nitro Cards: offload networking, storage, and management functions to dedicated hardware
  2. Nitro Security Chip: verifies firmware integrity and blocks unauthorized modification
  3. Nitro Hypervisor: a minimal hypervisor that cannot access instance memory

EC2 Instance Attestation: cryptographic verification

Mantle uses the recently launched EC2 instance attestation capability to create a hardened, constrained, and immutable compute environment. The Mantle services responsible for:

  • Managing model weights
  • Running inference on customer prompts

are backed by attestation measurements that are cryptographically signed by the Nitro Trusted Platform Module (NitroTPM).

How does it work?

The NitroTPM generates cryptographic attestation measurements that prove:

  • Exactly what code is running
  • That no unauthorized changes have been made
  • That the configuration matches exactly what was approved

These attestations are verified before any customer data is processed, creating a cryptographic chain of trust from machine boot all the way through model execution.
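The comparison step behind such a check can be sketched as follows. This is an added example, not AWS or Mantle code: it models TPM-style register extension with SHA-384, assumes the signature over the reported values has already been verified, and uses constructed component names and register labels.

```python
import hashlib
import hmac

BANK = hashlib.sha384                 # hash bank used in this sketch
ZERO = bytes(BANK().digest_size)      # registers start as all zeroes

def extend(pcr, blob):
    """TPM-style extend: new = H(old || H(blob)). Order-sensitive, one-way."""
    return BANK(pcr + BANK(blob).digest()).digest()

def replay(chain):
    """Fold every measured component, in load order, into one register value."""
    pcr = ZERO
    for blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def verify(reported, approved):
    """Return the register names that deviate; an empty list means 'release data'."""
    bad = [name for name in approved
           if not hmac.compare_digest(reported.get(name, b""), approved[name])]
    # A register the approved build never defined is also a deviation.
    bad += [name for name in reported if name not in approved]
    return sorted(bad)

def host_report(chains):
    """What a host would report after measuring the given components."""
    return {name: replay(chain) for name, chain in chains.items()}

# Constructed sample data: the approved build and three hosts' reports.
APPROVED_CHAINS = {
    "boot": [b"firmware-v1", b"kernel-v1"],
    "app": [b"inference-server-v1", b"config: interactive-access=off"],
}
APPROVED = host_report(APPROVED_CHAINS)
GOOD = host_report(APPROVED_CHAINS)
TAMPERED = host_report({**APPROVED_CHAINS,
                        "app": [b"inference-server-v1", b"config: interactive-access=on"]})
REORDERED = host_report({**APPROVED_CHAINS,
                         "boot": [b"kernel-v1", b"firmware-v1"]})

if __name__ == "__main__":
    for label, report in (("good", GOOD), ("tampered", TAMPERED), ("reordered", REORDERED)):
        print(label, verify(report, APPROVED) or "release")
```

Because each register value depends on every earlier measurement, a single changed byte or a changed load order produces a different final value, which is why the verifier only needs to compare against the approved reference.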

The secure data flow

Here is what happens when a company uses Mantle for GenAI inference:

  1. Client request: The prompt is sent via TLS to the Bedrock endpoint
  2. Secure routing: The request travels through AWS infrastructure with end-to-end encryption
  3. Attestation: Mantle verifies its runtime environment cryptographically
  4. Isolated inference: The model processes the prompt inside a ZOA environment
  5. Encrypted return: The completion is sent back to the client over TLS

The key point is this: at no point in the process can an operator, whether from AWS, the customer side, or the model provider, access the data.

Practical implications for businesses

Stronger regulatory compliance

For organizations subject to strict regulations such as HIPAA, SOC 2, ISO 27001, or GDPR, Zero Operator Access makes compliance far easier to demonstrate. The technical impossibility of operator access:

  • Eliminates entire categories of risk from security assessments
  • Simplifies audits by reducing the attack surface
  • Strengthens legal positioning in the event of a third-party security incident

A Ponemon Institute study found that 52% of organizations cite compliance requirements as a limiting factor in moving sensitive workloads to the cloud. Mantle addresses that concern directly.

Data sovereignty: beyond location

Data sovereignty is not only about where data is stored, but also about who can access it. As we explored in our article on cloud sovereignty, the real question is not “AWS versus local providers,” but rather, “Who technically controls access to my data?”

With Mantle, even if your data passes through AWS infrastructure, the ZOA design ensures that no operator can view it, effectively creating technical sovereignty that goes beyond geography.

Performance and security: no trade-off

Unlike some confidential computing approaches that can introduce a 20% to 30% performance overhead, Mantle maintains inference performance while strengthening security. AWS reports that Mantle delivers latency comparable to traditional inference systems while removing operator access paths.

Implementation best practices

1. End-to-end architecture

To fully benefit from Mantle’s ZOA model:

Encryption at rest: Use AWS KMS with customer-managed keys (CMKs) for your source data

VPC endpoints: Route Bedrock traffic through private VPC endpoints rather than the public internet

Encryption in transit: Apply TLS 1.3 to all communications

Logging: Enable CloudTrail for full API auditability

2. Secure fine-tuning strategy

When fine-tuning models on Mantle:

  • Use S3 buckets with SSE-KMS encryption
  • Apply restrictive bucket policies
  • Limit access through tightly scoped IAM conditions
  • Version your datasets for traceability

3. Governance and ongoing compliance

Implement a governance framework that includes:

Regular assessments: Quarterly reviews of your security posture

Attestation testing: Periodic verification of cryptographic signatures

Access audits: Analysis of CloudTrail logs to detect anomalies

Team training: Ongoing education on ZOA best practices
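One way to run the access audit described above against CloudTrail log files, as an added example that is not AWS or Unicorne code: it flags Bedrock API calls that did not arrive through an approved VPC endpoint or did not negotiate TLS 1.3. The endpoint ID is a placeholder, the events are constructed, and the watched event source is an assumption to adjust to what your trail records.

```python
import json

WATCHED_SOURCES = {"bedrock.amazonaws.com"}    # assumption: sources to audit
APPROVED_ENDPOINTS = {"vpce-EXAMPLE-APPROVED"}  # placeholder endpoint ID

def audit(record):
    """Return the findings for one CloudTrail record (empty list if clean)."""
    if record.get("eventSource") not in WATCHED_SOURCES:
        return []
    findings = []
    vpce = record.get("vpcEndpointId")          # only set for VPC endpoint traffic
    if vpce is None:
        findings.append("no-vpc-endpoint")
    elif vpce not in APPROVED_ENDPOINTS:
        findings.append("unapproved-vpc-endpoint")
    tls = (record.get("tlsDetails") or {}).get("tlsVersion")
    if tls != "TLSv1.3":
        findings.append(f"tls:{tls or 'missing'}")
    if record.get("errorCode") == "AccessDenied":
        findings.append("access-denied")
    return findings

def audit_log(text):
    """Parse a CloudTrail log file body; map eventID -> findings for flagged events."""
    flagged = {}
    for record in json.loads(text).get("Records", []):
        findings = audit(record)
        if findings:
            flagged[record.get("eventID", "unknown")] = findings
    return flagged

# Constructed sample log file (not real events).
B = "bedrock.amazonaws.com"
SAMPLE = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": B, "vpcEndpointId": "vpce-EXAMPLE-APPROVED",
     "tlsDetails": {"tlsVersion": "TLSv1.3"}},
    {"eventID": "e2", "eventSource": B, "tlsDetails": {"tlsVersion": "TLSv1.3"}},
    {"eventID": "e3", "eventSource": B, "vpcEndpointId": "vpce-EXAMPLE-OTHER",
     "tlsDetails": {"tlsVersion": "TLSv1.2"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com"},
    {"eventID": "e5", "eventSource": B, "vpcEndpointId": "vpce-EXAMPLE-APPROVED",
     "tlsDetails": {"tlsVersion": "TLSv1.3"}, "errorCode": "AccessDenied"},
]})

if __name__ == "__main__":
    for event_id, findings in audit_log(SAMPLE).items():
        print(event_id, ", ".join(findings))
```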

Considerations for Quebec and Canadian SMBs

Cost versus benefit

Mantle architecture does not add any extra cost compared with standard Amazon Bedrock deployments. For SMBs, that means:

  • No hardware investment: no need for proprietary HSM infrastructure
  • No additional operational burden: AWS handles the security complexity
  • Immediate scalability: ZOA benefits apply regardless of workload size

A Montreal-based SMB handling 100,000 inference requests per month gets the same level of protection as a multinational processing millions.

Competitive differentiation

The ability to demonstrate a Zero Operator Access architecture can become a decisive advantage in RFPs or contract negotiations in sectors such as:

  • Financial services: analyzing sensitive customer data
  • Healthcare: processing medical records
  • Professional services: handling confidential client information

Beyond Mantle: the evolution of cloud security

AWS has announced that the confidential computing capabilities used in Mantle, such as NitroTPM attestation, are now available to all EC2 customers. This opens the door to:

Custom ZOA workloads: companies can design their own services with similar guarantees

Secure multi-tenancy: SaaS providers can cryptographically isolate each tenant’s data

Confidential edge computing: extending the ZOA model to edge and hybrid environments

Anthony Liguori has made it clear that AWS does not plan to stop there. The company intends to keep investing in stronger protections for customer data while offering more transparency into how those protections are delivered.

Conclusion

Mantle’s Zero Operator Access architecture marks a major step forward in securing GenAI workloads. By technically removing any possibility of operator access to customer data, AWS is addressing one of the most fundamental concerns slowing the adoption of generative AI in sensitive industries.

For Quebec and Canadian organizations looking to harness the power of GenAI while maintaining the highest standards of security and compliance, this approach offers a proven and accessible framework. Zero Operator Access is not just an incremental improvement. It is a new security model built on the idea that the best way to prevent unauthorized access is to make that access technically impossible.

That said, getting the full benefit of these capabilities still requires deep expertise in cloud architecture, security, and compliance. From configuring VPC endpoints to implementing granular IAM policies and integrating with existing governance systems, every architectural decision shapes your final security posture.

At Unicorne, we help businesses design and implement secure cloud architectures that take advantage of the latest AWS innovations. Whether you are evaluating Amazon Bedrock for your first GenAI use cases or looking to move sensitive workloads into a Zero Operator Access architecture, our expertise helps you navigate complex technical decisions while preserving the agility needed to innovate.

Need expert guidance to secure your GenAI workloads? Contact Unicorne for a consultation on your cloud architecture and learn how to implement the right security best practices for your environment.

Useful resources

Gartner, “Gartner Survey Finds 79% of Corporate Strategists See AI and Analytics as Critical to Their Success Over the Next Two Years” (2023)

IBM Security, “Cost of a Data Breach Report 2023”

IBM Institute for Business Value, “The CEO’s Guide to Generative AI: Security” (2023)

Liguori, Anthony. “Exploring the zero operator access design of Mantle”, AWS Machine Learning Blog, December 23, 2025. Available at: https://aws.amazon.com/blogs/machine-learning/exploring-the-zero-operator-access-design-of-mantle/

AWS Documentation, “Security Design of the AWS Nitro System”. Available at: https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/no-aws-operator-access.html

AWS, “AWS Announces EC2 Instance Attestation”, September 2025. Available at: https://aws.amazon.com/about-aws/whats-new/2025/09/aws-announces-ec2-instance-attestation/

Ponemon Institute, “The State of Cloud Security Report” (2023)

AWS Documentation, “Amazon Bedrock – Mantle”. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html

 
