Back to Blogs

India’s Next Digital Public Infrastructure Layer Is Trusted Computation

July 16, 2026 5 min. Read

By BG Mahesh, CEO at Sahamati, and Kiran Gopinath, Chief Innovation Officer at Sahamati and Head, Sahamati Labs

India’s Digital Public Infrastructure has solved the same trust problem three times already. The next challenge is different, and the most ambitious yet.

Aadhaar, UPI and the Account Aggregator framework look like three different systems, but they solve one problem. Each answers a single question- can I trust the party on the other side? Aadhaar proves who someone is. UPI ensures a stranger’s payment will arrive. Account Aggregator moves financial data on the citizen’s consent. In each case, trust is settled at the door. You confirm who you are dealing with, let them in, and rely on an accountable party to answer for what follows.

That model has carried India further than any country in the world. It now meets a problem it was built to make possible rather than to solve.

The party on the other side is increasingly an AI agent. It takes the data, reasons over it and acts, in milliseconds, across many sources at once, faster than a human can follow each step. An accountable institution still stands behind that agent, but responsibility and execution are no longer the same thing. Vouching for the institution tells you who is answerable. It no longer tells you how your data is handled once the work begins.

Each of India’s earlier layers settled trust the same way, at the point of access. Identity, payment authorisation, and in the Account Aggregator framework the consent artefact itself are all decisions made at the door, before anything proceeds. Consent is the most refined version of that idea, a precise, revocable, purpose-bound key to the gate. It governs who may receive the data, and for what.

But it stops at the threshold.

What happens after consent?

Consent settles who may receive the data. It says little about what is done with it next: who can see it as it is processed, and whether only the work you agreed to actually takes place. While a regulated bank sat on the other side, those questions could be answered after the fact, by audit. At the scale of an agent making millions of decisions an hour, across cloud infrastructure the data’s owner does not control, the answers need to come from somewhere sturdier than a review after the event.

This is the problem trusted computation solves. 

Sensitive data is already protected while it is stored and while it moves. Trusted computation extends that protection to the one place it has been missing, while the data is in use. The party doing the work can act on the data while it stays sealed from view, and can prove afterward that only the agreed work took place.

Confidential computing is today’s most mature form of this. It runs workloads inside hardware-protected environments that keep the data sealed even from the operator, the cloud provider and the engineers who built the system. Through cryptographic attestation, a participant can verify exactly which software is about to run before handing over anything sensitive. The guarantee grows from “the data stayed private” to “only the agreed processing took place, and here is the proof.” Trust moves from an institution’s word to mathematical demonstration.

That shift does real work. The institution behind an agent carries the liability for what the agent does, yet the agent runs faster than the institution can watch. Trusted computation lets it hold that responsibility honestly. It can bound what the agent is permitted to do, and prove afterward what it did. The accountability stays with the institution, and the means to honour it now exists.

This is the direction regulation is already taking. In June 2026 the Reserve Bank of India published draft guidance on model risk management that places accountability for the outcomes of every model squarely on the regulated entity and its board, whether the model is built in-house or bought in, and asks for human oversight and the ability to pause or shut a model down. The accountability is clear. The open question is how an institution discharges it when a model acts continuously, at machine speed, across infrastructure it does not control. A kill switch can stop a system. On its own, it cannot prove what the system did while it ran. Trusted computation supplies that missing piece. It lets an institution bound in advance what an agent may do, and show afterward what it did, so that the responsibility the regulator assigns has something technical to rest on.

It also lets the ecosystem grow with confidence. While every recipient was a licensed bank, accountability had somewhere firm to rest. As the ecosystem opens to platforms, specialised providers and AI-native applications, the party behind a computation may be smaller, newer, further away. Where responsibility is harder to anchor in the party, it can be anchored in the way the data is handled, in what the software is permitted to do and what it can be shown to have done. This is what allows India to widen participation without widening exposure.

And it gives India’s data-protection law something to stand on. The Digital Personal Data Protection Act asks that personal data be used only for the consented purpose, and that exposure stay to the minimum necessary. Today, those duties rest on promises and audits. 

Trusted computation gives them teeth. Data processed in a verified environment can be bound to the agreed purpose and kept invisible even to the party processing it, so that purpose limitation and minimisation hold in practice as well as on paper.

All of this stays true to the philosophy that made India’s DPI work. India never standardised applications. It standardised trust. 

Identity standards enabled countless services without dictating them. UPI enabled payment innovation without prescribing payment products. Account Aggregator enabled consented data sharing without determining how institutions use the data. 

Trusted computation follows the same pattern. It prescribes no AI model, no business logic, no application design. It is a shared guarantee, a floor that lets data be put to work while it stays sealed and lets the handling be verified, on which others build.

It is one part of trustworthy AI, and it leaves room for the rest. Whether a model is fair, unbiased or wise remains the work of governance and regulation. Trusted computation answers a narrower, load-bearing question. Were approved software and approved data brought together in an environment that protected both? As machines become economic actors in their own right, that assurance becomes foundational.

This is already moving from argument to practice. A recent Sahamati Labs paper on A Framework for AI Agents in the Account Aggregator ecosystem rests on exactly this premise. With accountable entities behind an agent, and the agent working continuously at machine speed, the surest protection lives in the way the data is handled, where what the agent did can be constrained in runtime and proven as well as reviewed.

Over the coming decade, we believe trusted computation will become as fundamental to India’s DPI as identity, payments and consent are today. Not as a fashionable technology, but because intelligent systems earn trust at national scale when we can trust both who holds the data and how it is handled while it is used.

For fifteen years, India taught the world how to build trust between parties. 

The next chapter extends that work to the data itself. As agents act on our information, the ground they stand on is the assurance that only the agreed work is done, and that this can be shown. That is the layer India can build next.

***

BG Mahesh is the Chief Executive Officer at Sahamati, the Self Regulatory Organisation (SRO) for India’s Account Aggregator ecosystem. Kiran Gopinath is Chief Innovation Officer at Sahamati and heads Sahamati Labs, where his work focuses on the intersection between Open Finance, confidential computing and agentic AI.

Share this post