How Origin Gateway Routes Workloads Between Standard and Confidential Models
May 20, 2026
Most AI coding tools give you one execution path. Code goes to a model, the model responds, and you're asked to trust that nothing sensitive leaked in transit. That trust is not verifiable. For teams operating under SOC 2, FedRAMP, HIPAA, or equivalent mandates, unverifiable trust isn't a posture — it's a procurement blocker.
Origin Gateway addresses a specific problem: how do you give engineers access to capable AI models while ensuring the most sensitive workloads never leave a hardware-isolated enclave, and that you can prove it?
This article explains how Origin Gateway works, what the routing logic actually does, and why the combination of sensitivity-based routing and cryptographic attestation matters for regulated environments.
What Origin Gateway Is and Why It Exists
Origin Gateway is Origin's Confidential AI routing layer. It sits at the center of the Origin CDE and exposes a unified API that routes AI inference requests to one of two execution environments based on the sensitivity of the work.
The design premise is straightforward: not every AI request carries the same risk. A request to generate boilerplate documentation doesn't require the same isolation as one that touches authentication logic, encryption keys, or patient data. Origin Gateway makes that distinction actionable at the infrastructure level — not the policy level.
Engineers interact with one API surface. The routing logic underneath determines where each request executes.
The Routing Problem It Solves
Before Origin Gateway, regulated teams faced a binary choice: use a general-purpose AI tool and accept the risk, or block AI tools entirely and absorb the productivity cost.
Neither option holds. Security teams that block AI tools face engineering pressure and attrition. Security teams that approve general-purpose tools face audit exposure. The gap between "we have a data processing agreement" and "we can prove this code never left a verified enclave" is exactly where procurement reviews fall apart.
Origin Gateway closes that gap by making the execution path a function of the request's sensitivity classification — not a blanket policy applied uniformly across all workloads.
How Origin Gateway Routes Requests
Standard Path: Zero Data Retention LLMs
For lower-sensitivity requests, Origin Gateway routes to standard LLMs operating under zero data retention agreements. This path is appropriate for tasks like generating documentation, writing unit tests for non-sensitive logic, or scaffolding code from public patterns.
Zero data retention means inputs and outputs are not logged, stored, or used for model training. That's enforced at the infrastructure level, not by a vendor's privacy policy.
Confidential Path: TEE-Backed Model Execution
For higher-sensitivity requests, Origin Gateway routes to models running inside Trusted Execution Environments — specifically, Intel TDX hardware-isolated sandboxes.
Inside a TEE, memory is encrypted at the hardware level. The host operating system cannot read the enclave's contents. Other tenants cannot access it. Even Origin's own infrastructure operators cannot inspect the execution context. The isolation is not a software policy that a privileged host could override; it is enforced by the processor.
This path is appropriate for requests involving proprietary algorithms, regulated data, security-critical code, or any workload where the organization needs to demonstrate that code did not leave a controlled boundary.
Sensitivity-Based Routing Logic
The routing decision isn't random or manually triggered on every request. Origin Gateway applies sensitivity classification to determine which path a request takes. Engineers and platform leads can also set defaults at the project or session level, so teams aren't making routing decisions request by request.
A team building a healthcare platform can configure their entire project to route through the confidential path. A team working on internal tooling can use the standard path for speed. The same API handles both.
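One way the precedence between classifier, project default and session default could be resolved, as an added example that is not Origin's code: the `Path` enum, the `SENSITIVE` patterns and the most-restrictive-wins rule are assumptions made here, and unknown configuration values fail closed to the confidential path.

```python
import re
from enum import IntEnum

class Path(IntEnum):
    STANDARD = 0      # zero-data-retention LLM
    CONFIDENTIAL = 1  # TEE-backed model

# Hypothetical markers for the sensitive categories the article names
# (authentication logic, encryption keys, patient data).
SENSITIVE = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\b(password|secret|api[_-]?key|token)\b\s*[:=]", re.I),
    re.compile(r"\b(patient|mrn|diagnosis|phi)\b", re.I),
    re.compile(r"(^|/)(auth|crypto|secrets?)(/|\.)", re.I),
]

def classify(prompt, paths=()):
    """Return CONFIDENTIAL if the prompt or any file path matches a marker."""
    for text in (prompt, *paths):
        if any(p.search(text) for p in SENSITIVE):
            return Path.CONFIDENTIAL
    return Path.STANDARD

def parse_default(value):
    """Map a configured default to a Path; unknown values fail closed."""
    if value is None:
        return None
    try:
        return Path[str(value).upper()]
    except KeyError:
        return Path.CONFIDENTIAL

def route(prompt, paths=(), project_default=None, session_default=None):
    """Pick the most restrictive of classifier, project and session settings.

    Taking the maximum means a default can raise a request to the
    confidential path but can never downgrade one the classifier flagged.
    """
    candidates = [classify(prompt, paths)]
    for configured in (project_default, session_default):
        parsed = parse_default(configured)
        if parsed is not None:
            candidates.append(parsed)
    return max(candidates)
```
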
What Happens Inside the TEE
When a request routes to the confidential path, execution happens inside an Intel TDX sandbox. TDX — Trust Domain Extensions — is a hardware feature in Intel processors that creates isolated memory regions where code and data are protected from the host, the hypervisor, and other virtual machines.
Inside Origin's implementation:
- The coding session runs in an ephemeral sandbox scoped to that session only
- Code, prompts, and model outputs remain inside the enclave during execution
- When the session ends, the enclave is torn down and no residual data persists
- Project secrets are encrypted at rest and only accessible within the authorized session context
The agent architecture inside the sandbox operates on zero-trust principles. Each agent authenticates with a unique identity and runs with least-privilege permissions. Tool calls and file diffs are logged in a full audit trail, so security teams can inspect exactly what the agent did, line by line.
Git integration allows commits, pushes, and pull requests to be executed from within the confidential environment. Code doesn't need to leave the sandbox to reach your repository.
Cryptographic Attestation: Proof, Not Policy
This is where Origin's architecture separates from every other AI coding tool on the market.
After a confidential session completes, Origin Gateway generates a cryptographic attestation record — a verifiable artifact proving the workload ran inside a verified TEE, under specified conditions, at a specific point in time. This isn't a log entry. It's a cryptographic proof tied to the hardware state of the enclave.
These records are exportable. You can bring them into your existing security stack, attach them to audit packages, or present them during a compliance review. When an auditor asks whether your AI coding tool can prove that sensitive code never left a controlled execution environment, the attestation record is the answer.
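The checks a reviewer might run on an exported record before accepting it as evidence, as an added example that is not Origin's code or record format: the JSON field names and the REPORTDATA binding to the session's audit log are assumptions, and the quote's signature chain is assumed to have been validated separately beforehand.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed reference value; a real MRTD comes from your own reproducible build.
TRUSTED_MRTD = {"ab" * 48}
TD_DEBUG_BIT = 0x1  # TDATTRIBUTES bit 0: a debug TD is readable by the host

def bind(session_id, audit_log):
    """Hypothetical REPORTDATA binding: SHA-512(session_id || 0x00 || audit_log)."""
    return hashlib.sha512(session_id.encode() + b"\x00" + audit_log).hexdigest()

def appraise(record, audit_log, now, max_age=timedelta(days=90)):
    """Return the names of failed checks; an empty list means the record passes."""
    failures = []
    if str(record.get("mrtd", "")).lower() not in TRUSTED_MRTD:
        failures.append("mrtd")            # unknown TD image
    attrs = record.get("td_attributes")
    if not isinstance(attrs, int) or attrs & TD_DEBUG_BIT:
        failures.append("debug")           # missing field fails closed
    if record.get("report_data") != bind(str(record.get("session_id", "")), audit_log):
        failures.append("report_data")     # record covers a different session or log
    try:
        issued = datetime.fromisoformat(record["issued_at"])
        if issued.tzinfo is None or not timedelta(0) <= now - issued <= max_age:
            failures.append("freshness")   # naive, future-dated or stale timestamp
    except (KeyError, ValueError, TypeError):
        failures.append("freshness")
    return failures

# Constructed sample: an exported record and the audit log it should cover.
AUDIT_LOG = b'{"tool":"git","action":"commit","files":["billing/claims.py"]}\n'
SAMPLE = {
    "session_id": "sess-0001",
    "mrtd": "AB" * 48,
    "td_attributes": 0,
    "report_data": bind("sess-0001", AUDIT_LOG),
    "issued_at": "2026-05-20T12:00:00+00:00",
}
```
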
No other AI coding tool currently produces this artifact. GitHub Copilot Enterprise offers governance controls and audit logs, but it cannot generate attestation records and does not run inside TEEs. Cursor has strong developer tooling but no attestable execution guarantees. Tabnine supports on-premises deployment with a credible privacy narrative, but it doesn't produce cryptographic proof of enclave execution per session.
This isn't a feature comparison. It's a category difference. Governance controls tell you what a tool's policy says. Attestation records tell you what actually happened.
How Origin Gateway Compares to What Other Tools Offer
GitHub Copilot Enterprise — Zero data retention: Policy-based. TEE-backed execution: No. Cryptographic attestation per session: No. Sensitivity-based routing: No. Unified API for standard + confidential: No. Ephemeral sandboxes per session: No.
Cursor Teams — Zero data retention: Policy-based. TEE-backed execution: No. Cryptographic attestation per session: No. Sensitivity-based routing: No. Unified API for standard + confidential: No. Ephemeral sandboxes per session: No.
Tabnine — Zero data retention: Deployment-dependent. TEE-backed execution: No. Cryptographic attestation per session: No. Sensitivity-based routing: No. Unified API for standard + confidential: No. Ephemeral sandboxes per session: No.
Origin Gateway — Zero data retention: Infrastructure-enforced. TEE-backed execution: Yes (Intel TDX). Cryptographic attestation per session: Yes. Sensitivity-based routing: Yes. Unified API for standard + confidential: Yes. Ephemeral sandboxes per session: Yes.
Reflects publicly documented capabilities as of 2026. Where competitors do not publicly anchor on a capability, it is not listed.
Who This Architecture Is Built For
Origin Gateway isn't a feature for every engineering team. It's built for organizations where the absence of verifiable isolation is an active procurement blocker.
That means financial services firms running AI-assisted development on trading infrastructure. Healthcare organizations where any code touching PHI must meet HIPAA technical safeguards. Defense contractors where proprietary algorithms cannot be exposed to third-party model providers. Federal agencies operating under FedRAMP authorization requirements.
For these teams, the question isn't whether AI coding tools are useful. It's whether any AI coding tool can pass a security review. Origin Gateway is the mechanism that makes that possible.
If your security team has already rejected Copilot or Cursor because they can't produce attestation records or demonstrate hardware-level isolation, Origin Gateway addresses that specific rejection criterion — not by adding a privacy policy, but by producing cryptographic proof.
FAQs
What is Origin Gateway? Origin Gateway is Origin's Confidential AI routing layer that exposes a unified API for AI inference. It routes requests to either standard zero data retention LLMs or to models running inside Intel TDX Trusted Execution Environments, based on the sensitivity classification of the workload.
How does sensitivity-based routing work in practice? Engineers and platform leads can configure routing defaults at the project or session level. When a request is classified as higher sensitivity, Origin Gateway routes it to the confidential path where model execution happens inside a hardware-isolated TEE. Lower-sensitivity requests route to standard ZDR LLMs for speed.
What is cryptographic attestation and why does it matter for compliance? Cryptographic attestation is a verifiable artifact generated after a confidential coding session that proves the workload ran inside a verified TEE under specified conditions. Unlike an audit log, it's a cryptographic proof tied to the hardware state of the enclave. Compliance teams can export these records and present them during audits to demonstrate that sensitive code never left a controlled execution boundary.
How is Intel TDX different from a standard cloud sandbox? Intel TDX creates hardware-isolated memory regions where code and data are protected from the host operating system, the hypervisor, and other tenants. Standard cloud sandboxes rely on software-level isolation, which remains accessible to the host. TDX isolation is enforced at the processor level — which is what makes the attestation records cryptographically verifiable.
Can Origin route some requests to standard models and others to confidential models within the same project? Yes. The unified API supports per-project and per-session defaults. A team can configure their entire project to route through the confidential path, or set different defaults for different workflows within the same environment.
Does Origin Gateway work with the models my team already uses? Origin Gateway routes requests to both standard and confidential model endpoints through a unified API. Specific model availability depends on your configuration, but the architecture is designed to support model flexibility while preserving routing and attestation logic regardless of which model is selected.
What happens to data when a confidential session ends? When a session ends, the Intel TDX enclave is torn down and no residual data persists. Inputs, prompts, and outputs are not logged or reused. Zero data retention is enforced at the infrastructure level, not by policy alone.
Conclusion
Origin Gateway is the technical mechanism that makes AI coding tools viable in regulated environments. Sensitivity-based routing means engineers don't have to choose between productivity and compliance. TEE-backed execution means the most sensitive workloads run in hardware-isolated memory that no external party can access. Cryptographic attestation means you can prove it.
If your organization has blocked AI coding tools because existing options can't pass a security review, that's the specific problem Origin Gateway is built to solve.
Learn more at orgn.com.