The isolation primitive for multi-tenant AI

Isolation you can prove.

Each tenant runs in its own rotated coordinate frame — without the key, everyone else's data is noise. Software-only, commodity hardware, continuously provable.

1000 tenants · one model · one MacBook — peer-reviewed.

Peer-reviewed pre-publication · Machine-checked proofs (Lean + Verus) · Attacker-tested to 1000 tenants

The problem

Multi-tenant AI leaks. And strong per-tenant isolation has meant one enclave per tenant — a cost wall.

Shared models and shared machines blur the boundary between tenants. The usual fix is hardware isolation per tenant, which doesn't scale and locks you into a foreign root of trust. There has been no substrate that keeps tenants separated while they share one model and one machine.

How it works

Rotation, not policy

01

Each tenant gets a rotation key

A per-tenant orthonormal rotation defines a private coordinate frame. The key lives at the session layer, never in the data path.

02

Data is rotated into the private frame

Vectors and KV-cache are rotated into the tenant frame. Search and compute happen there — in-frame, exact, unchanged.

03

Wrong key → noise. Drop key → key-drop delete

Without a tenant’s key, their space is indistinguishable from noise. Discard the key and the data becomes unrecoverable.

Rotation is an isometry, so retrieval and inference are exact — isolation is a mathematical property, not a policy check. The rotation is structural, key-gated, attacker-tested, and continuously provable.
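The isometry property described above, as an added sketch that is not isovert code: an orthonormal frame derived from a key leaves similarity scores unchanged when query and data share the key, and gives different scores under another key. The helpers `frame`, `rotate` and `scores`, the seeded Gram-Schmidt key derivation, the key strings and the sample vectors are all assumptions constructed for this example.

```python
import math
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def frame(key: bytes, dim: int):
    """Orthonormal rows derived from `key` by seeded Gram-Schmidt.
    Assumption: random.Random(key) stands in for a real key-derivation step."""
    rng = random.Random(key)
    rows = []
    while len(rows) < dim:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for r in rows:                      # remove components along earlier rows
            p = dot(v, r)
            v = [a - p * b for a, b in zip(v, r)]
        n = math.sqrt(dot(v, v))
        if n > 1e-9:                        # skip degenerate draws
            rows.append([a / n for a in v])
    return rows

def rotate(q, v):
    """Map v into the frame whose basis rows are q."""
    return [dot(row, v) for row in q]

def scores(query, stored):
    return [dot(query, s) for s in stored]

# Constructed sample data: four stored vectors and one query.
DOCS = [[1, 0, 0, 0], [0, 1, 0, 0], [0.6, 0.8, 0, 0], [0, 0, 1, 0]]
QUERY = [0.5, 0.9, 0.1, 0.0]

def demo():
    qa = frame(b"tenant-a-key", 4)          # hypothetical key values
    qb = frame(b"tenant-b-key", 4)
    stored_a = [rotate(qa, d) for d in DOCS]
    plain = scores(QUERY, DOCS)
    in_frame = scores(rotate(qa, QUERY), stored_a)   # same key: exact
    wrong_key = scores(rotate(qb, QUERY), stored_a)  # other tenant's key
    return plain, in_frame, wrong_key

if __name__ == "__main__":
    for name, s in zip(("plain", "in-frame", "wrong key"), demo()):
        print(f"{name:>9}: {[round(x, 3) for x in s]}")
```

The same isometry preserves every pairwise distance among one tenant's stored vectors, so this sketch shows exact in-frame scoring and the mismatch under a different key, not the indistinguishability claim itself.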

Properties

Structural per-tenant isolation

Software-only

No foreign hardware root of trust required. Isolation is defined in math, enforced in software.

Commodity hardware

Runs on the machines you already have. No specialized enclaves, no bespoke silicon.

Continuously provable

Isolation you can audit at any moment — not a one-time attestation that drifts out of date.

Key-drop delete

Drop a tenant’s key and their data becomes unrecoverable. Deletion you can demonstrate.

Composes with your stack

Sits inside the TEEs you run and composes with AES-at-rest and a post-quantum (ML-KEM) key layer. It complements those boundaries, it doesn’t replace them.

Attacker-tested

Evaluated under adversarial conditions across 1000 tenants sharing one model.

The surface

Five calls

Key binding lives at the session layer — never an argument a model can supply. The isolation boundary sits below the application, where it can't be reasoned around.

isolation.py
import isovert

ctx = isovert.TrustContext(key=tenant_key)
ctx.bind(data)
ctx.run(query)   # operates inside the isolated frame
ctx.delete()     # key-drop delete: drop the key

The stack

One substrate. Products on top.

NablaDB

Confidential multi-tenant retrieval

Llamesh

Isolated multi-agent platform

isovert

The isolation primitive — foundation for everything above.

From Cittela, a deep-tech research entity.

Proofs & verification

Don't trust. Verify.

Peer-reviewed pre-publication. Reproducible. Open.

Who it's for

01

Regulated multi-tenant AI platforms

Demonstrate tenant segregation to auditors and customers without one enclave per tenant.

02

Sovereign / national cloud

Provable isolation without depending on a foreign hardware root of trust.

03

Confidential-computing teams

Isolate tenants inside the trusted boundary — composes with the TEEs you already run and your cryptographic key management.

Provable isolation, in software.
