When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

📅 2026-05-04
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses emerging threats to Agentic AI systems handling sensitive data—including context leakage, credential theft, and cross-agent message poisoning—which can bypass conventional defenses when attackers possess high privileges. The paper systematically surveys confidential computing technologies and establishes a unified taxonomy encompassing six major TEE platforms: Intel SGX/TDX, AMD SEV-SNP, ARM TrustZone/CCA, and NVIDIA H100 CC. It introduces an agent-centric threat model and, for the first time, maps security objectives onto a multi-layered agent architecture comprising perception, planning, memory, action, and coordination modules. The analysis identifies six key open challenges, such as compositional remote attestation and GPU-TEE performance scalability. While existing hardware trust primitives enable partial deployment, the study concludes that an end-to-end framework remains absent for building production-grade secure agentic systems.
📝 Abstract
Agentic AI systems, specifically LLM-driven agents that plan, invoke tools, maintain persistent memory, and delegate tasks to peer agents via protocols such as MCP and A2A, introduce a threat surface that differs materially from standalone model inference. Agents accumulate sensitive context, hold credentials, and operate across pipelines no single party fully controls, enabling prompt injection, context exfiltration, credential theft, and inter-agent message poisoning. Current defenses operate entirely within the software stack and can be silently bypassed by a sufficiently privileged adversary such as a compromised cloud operator. Confidential computing (CC) offers a hardware-rooted alternative: Trusted Execution Environments (TEEs) isolate agent code and data from privileged system software, while remote attestation enables verifiable trust across distributed deployments. This survey synthesizes the design space in four parts: (i) a unified taxonomy of six TEE platforms (Intel SGX, Intel TDX, AMD SEV-SNP, ARM TrustZone, ARM CCA, and NVIDIA H100 CC) covering deployment roles and performance tradeoffs; (ii) an agent-centric threat model spanning perception, planning, memory, action, and coordination layers mapped to nine security goals; (iii) a comparative survey of CC-based defenses distinguishing findings that transfer from single-call inference versus what requires new agentic designs; and (iv) six open challenges including compound attestation for multi-hop agent chains and GPU-TEE performance at LLM scale. While several hardware trust primitives appear mature enough for targeted deployments, no broadly established end-to-end framework yet binds them into a coherent security substrate for production agentic AI.
Problem

Research questions and friction points this paper is trying to address.

Agentic AI
Confidential Computing
Trusted Execution Environments
Security Threats
LLM Agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

Confidential Computing
Agentic AI
Trusted Execution Environments
Remote Attestation
Threat Model