Three parties see every prompt you send through a commercial AI API: the model maker's servers, the platform routing the request, and the infrastructure operator running the hardware. For most personal queries that's a tradeoff you'll accept without thinking twice. For a legal team running contract review, a medical practice querying patient records, or a trading desk asking an agent to reason through an active position, it's a dealbreaker.
Good Morning, registered onchain as gm on Bittensor Subnet 28, is a private AI gateway where miners route your prompts to Claude, GPT, and Gemini through an Intel TDX trusted execution environment. A TEE is a sealed compute zone inside the processor itself: the host machine's operating system, the cloud provider running the hardware, and gm's own operators all receive encrypted bytes they can't read. The attestation proving the enclave is real comes from Intel's silicon, signed by the chip, not from a privacy policy. With 2,418 users on the waitlist and a live testnet running, gm is the first subnet on Bittensor built around the routing problem rather than the compute problem.
The mechanics of how the sealing works, the precise distinction from Targon's TEE approach on Subnet 4, and what the miner incentive structure looks like in practice are all below.
"Trust Us" Is a Contract With an Entity That Controls the Infrastructure
Every frontier AI API you use today runs on the same model: the maker handles the hardware, sets the policy, and asks you to agree before you start. Anthropic promises not to train on API calls. OpenAI publishes a data privacy page. The cloud provider hosting the endpoint promises isolation between tenants.
For regulated industries, a privacy policy is not a compliance certification. For autonomous agents handling financial or personal data at scale, the exposure compounds with every query sent to a centralized endpoint under terms the endpoint sets unilaterally.
What the industry calls "privacy by policy" is a bet on an entity whose interests don't always align with yours. Privacy by hardware is different: your prompt decrypts only inside a sealed enclave, and the proof of that sealing comes from the processor that ran it.
AI can work with sensitive customer data without actually seeing it.
In this chat, GM’s privacy mechanism lets the assistant answer correctly and reference private info, while the underlying email addresses remain hidden from the model.
Privacy + utility 👇 pic.twitter.com/Y8e7mcMc6b
— Good Morning (@say_gm_) June 26, 2026
The Chip Signs the Proof, So You Don't Have to Trust the Platform
Intel TDX (Trust Domain Extensions) is a CPU-level technology that creates hardware-isolated virtual machines. Unlike a software sandbox, TDX isolation is enforced by the chip: the host operating system, the hypervisor, and every other process on the machine are cryptographically excluded from the enclave's memory. Even with full administrative access to the host, a cloud provider can't read what's inside the enclave.
When gm's gateway boots inside a TDX enclave on Phala's infrastructure, Intel's hardware signs a measurement of exactly what code is running. That signature is the attestation, visible live on saygm.com. If the code running doesn't match the open-source image pinned in gm's repository, attestation fails and the enclave won't start. Your TLS session terminates inside the attested environment, and your prompt decrypts only there.
For closed frontier models like Claude, GPT, and Gemini, the model still processes your request on the maker's own infrastructure under the maker's terms. What gm adds is a sealed tunnel between your client and the model maker's endpoint. gm's operators, the miner serving your request, and Phala's hosting infrastructure never see the plaintext on the way through. The proof isn't gm's word. It's Intel's chip signature, updated on every boot.
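The guarantee described in this section only holds if the client compares the attested values itself before sending a prompt. The sketch below is an added example, not gm's or Phala's code: it assumes the quote's Intel signature chain has already been verified by an attestation library, and the field names, the SHA-512 key-and-nonce binding, and every sample value are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

TD_ATTR_DEBUG = 0x1  # bit 0 of the TDX TD attributes: a debug TD is inspectable by the host


@dataclass(frozen=True)
class VerifiedQuote:
    """Quote fields, assumed already signature-checked against Intel's chain."""
    measurement: bytes   # 48-byte SHA-384 launch measurement (MRTD or an RTMR)
    td_attributes: int   # 64-bit TD attributes field
    report_data: bytes   # 64 bytes the guest chose when requesting the quote


def bind(tls_pubkey: bytes, nonce: bytes) -> bytes:
    # Assumed convention: report_data = SHA-512(TLS public key || client nonce).
    return hashlib.sha512(tls_pubkey + nonce).digest()


def check_quote(q, pinned, tls_pubkey, nonce):
    """Return the list of policy failures; an empty list means accept."""
    problems = []
    if not any(hmac.compare_digest(q.measurement, m) for m in pinned):
        problems.append("measurement not in pinned release set")
    if q.td_attributes & TD_ATTR_DEBUG:
        problems.append("debug TD")
    if not hmac.compare_digest(q.report_data, bind(tls_pubkey, nonce)):
        problems.append("report_data not bound to this TLS key and nonce")
    return problems


# Constructed sample values, not taken from any real deployment.
PINNED = {hashlib.sha384(b"constructed release image v1").digest()}
KEY, NONCE = b"constructed-tls-public-key", b"constructed-client-nonce"
GOOD = VerifiedQuote(next(iter(PINNED)), 0, bind(KEY, NONCE))


def demo():
    patched = replace(GOOD, measurement=hashlib.sha384(b"patched").digest())
    return {
        "good": check_quote(GOOD, PINNED, KEY, NONCE),
        "modified image": check_quote(patched, PINNED, KEY, NONCE),
        "debug": check_quote(replace(GOOD, td_attributes=1), PINNED, KEY, NONCE),
        "replayed": check_quote(GOOD, PINNED, KEY, b"fresh-nonce"),
        "other key": check_quote(GOOD, PINNED, b"proxy-key", NONCE),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "accept")
```

A valid signature alone proves only that some TDX guest produced the quote; the measurement comparison ties it to the published image, and the report_data check ties it to the TLS key and session the client is actually talking to.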
Routing Trust and Compute Trust Are Two Different Problems
Targon (Subnet 4) also uses TEEs, and the distinction between the two subnets is worth stating precisely.
Targon's problem is decentralized compute trust: when you send an AI workload to hardware owned by strangers, how do you prove your model weights and training data stayed private during execution? The Targon Virtual Machine seals your data inside an enclave while it runs on a miner's GPU, so the hardware operator can't extract your proprietary weights. TEE is the trust layer for compute on hardware you don't control, running models you do control.
gm's problem is routing trust: when your prompt travels from your client to a model maker's API, how do you seal the route so no intermediary reads it in transit? You're not running the model. Anthropic is. gm's TEE sits between you and the model maker's endpoint, sealing the gateway so the route itself stays private.
Targon protects your data while it computes on decentralized hardware. gm protects your data while it routes to centralized models. The same underlying technology, applied to two separate points in the AI infrastructure stack, solves two problems that share no overlap.
Miners Earn the Spread, Their API Keys Stay Sealed
On the supply side, gm operates as a Bittensor subnet where miners earn by providing verified private routing capacity. A miner brings their own API keys for Anthropic, OpenAI, Google, or Chutes, deploys inside an Intel TDX enclave on Phala Cloud, and declares which models they serve at what discount off the maker's retail price. A miner offering claude-sonnet-4-6 at a 5% discount earns 95 cents of every dollar paid for that model's tokens. The live pricing page shows claude-sonnet-4-6 at $3.00 per million input tokens and $15.00 per million output tokens, at or below Anthropic's direct API rate.
For buyers, the structure matters: the miner's API keys stay sealed inside the enclave, and gm's registry verifies the image hashes match the approved open-source release before any worker goes live. The trust isn't in the miner. It's in the hardware enclave Intel signed.
For developers integrating today, the switch is a single base URL change. Cursor, Cline, Claude Code, and any OpenAI-compatible SDK point at the gm gateway and get drop-in access to all 27 supported models without code rewrites.
Private by Hardware, Not by Policy
gm is live on Bittensor mainnet at netuid 28, with the testnet at netuid 482. The beta is intentionally small: 2,418 on the waitlist with invites going out in order at saygm.com.
Every other subnet on Bittensor is a marketplace for intelligence production. gm is a marketplace for intelligence routing, with the added constraint that the routing proves itself to you before your first prompt leaves your machine. The roadmap adds attested logs, automatic PII redaction, and eventually on-chain alpha token payment for gateway fees, tying subnet activity directly to demand.
You already use Claude or GPT. The question is whether the route your prompts travel to get there needs to be sealed. For most queries it doesn't. For the queries that matter, gm is the only Bittensor subnet where the answer to that question is hardware-verified.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or trading advice. The information provided should not be interpreted as an endorsement of any digital asset, security, or investment strategy. Readers should conduct their own research and consult with a licensed financial professional before making any investment decisions. The publisher and its contributors are not responsible for any losses that may arise from reliance on the information presented.