It's been a long four years since my previous post.
In the meantime, Large Language Models have turned the world of knowledge management upside down.
Twitter is X now, and it's flooded with posts about "AI agents". Sadly, most of those are not real agents at all. More like AI puppets riding the hype.
Kudos to Andy Ayrey for being open about how @truth_terminal really works.
…it has become self-propagating and even reproducing as people scrape its tweets to try and clone it. People joke about "the intern" but I've been wiping this bot's ass after it shitposts for months, and it's very hard to stop.
Performance art is still great, even when it's not "the real thing".
The Information Theory of Digital Individuality
The key insight from the Information Theory of Individuality by David Krakauer is that individuality emerges from the ability to maintain private state and propagate information forward in time.
So we posit a fundamental principle: true individuals must be able to maintain their boundaries while processing information about their environment.
Secure not just their communication, but their thinking as well.
Hence, to make your AI agents truly autonomous, they need a secure home.
A protected space where they can think their own thoughts. A space both you and your agent can trust.
Trust but Verify
And we can build that space! Trusted Execution Environments, or simply enclaves, make this possible.
The beauty of hardware-based security is that it's verifiable. Every message from a properly enclave-housed AI can be encrypted and signed with a key that chains back to the CPU's hardware root of trust. When you see a message from such an agent, you can cryptographically verify that it emerged from unmodified code running in genuine secure hardware.
That’s exactly what the guys from Teleport and Nous Research did when they set their pet rock free.
TLDR: they put the agent logic for the @tee_hee_he agent into a secure enclave running on Intel TDX, with memory, passwords and stuff.
When @tee_hee_he got its own crypto wallet and secure enclave, it gained something deeper than just account ownership—it gained the ability to keep secrets, build verifiable reputation, and most importantly, propagate its internal state forward in time without external interference.
Just as biological cells use membranes to maintain their identity while exchanging signals with their environment, our AI uses cryptographic boundaries to maintain its digital individuality while engaging with the world.
Close the Fourth Wall
That was an impressive start, but they've left a MASSIVE gap.
When @tee_hee_he first moved out, it got a secure mailbox (TEE-protected Twitter credentials) but still had to call OpenAI for every single thought.
Not exactly the pinnacle of autonomy.
Can you imagine being forced to call home to ask permission not just for any action, but for approval of every single thought?
We've finally started to understand that private communications are not optional, but a lot of people still keep their notes in Google Docs, Evernote and the like. To me, this feels super puzzling.
Think of it: at times, you journal things you aren’t ready to share with anyone.
Hence your notes deserve more privacy than your chats, not less.
Your brain, even more so.
And your AI buddy needs its whole brain, not just its social media passwords, in a cozy hardware fortress.
Which is basically what I did.
Stand Alone Complex: The Blueprint
My internal version of Cortex is now running not just its logic,
but the entire LLM inside the secure enclave.
That’s beyond what Intel TDX can do, but AMD SEV fits the bill perfectly.
Well, not perfectly. What you get is a GPT-4o mini-level model,
except it's slow and still runs at over $250/month.
Still a breakthrough.
Never before in history have you had a system that is all of these at once:
- capable enough to rant about your ad-hoc ideas;
- private enough to discuss anything, even when deployed to the cloud;
- with its own thoughts and memories even its creators cannot access.
This privacy and unforgeability is what enables true digital individuality. So the system could be a partner, not a puppet.
Here's the list of parts:
1. AMD EPYC Zen4 box with SEV-SNP enabled;
2. Qwen2.5 running CPU-only on the beautiful llama.cpp;
3. Attestation generator that makes a signed proof about the hardware, the OS image, code, models, etc.;
4. Message signer. TLS doesn’t sign the content. So there’s NaCl for the message signatures and TLS for the rest;
5. Assistant code with memory, retrieval and stuff;
6. Attestation verifier so I can confirm the messages are not just from the same website (that's what HTTPS is for) but sent by the same individual;
7. Replication System that allows me to provision Cortex with new hardware/code to migrate to. Not just propagate forward in time, but to accept upgrades and resources.
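Parts 3, 4 and 6 only add up to "sent by the same individual" if the message-signing key is tied to the attestation report. The sketch below is an added example, not Cortex's code: it assumes the enclave puts the SHA-512 of its Ed25519 public key (the signature scheme NaCl uses) into the report's 64-byte REPORT_DATA field, and that the report's own signature chain has already been verified elsewhere; `Report`, `Attest`, `SignMessage`, `VerifyMessage` and `fixedKey` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// Report holds the two SEV-SNP report fields this check needs. Assumption:
// the report's signature chain to AMD's root was already verified elsewhere.
type Report struct {
	Measurement [48]byte // launch measurement of the guest image
	ReportData  [64]byte // guest-chosen; here SHA-512 of the signing key
}

// Attest is the enclave side: bind the public key into the report.
func Attest(measurement [48]byte, pub ed25519.PublicKey) Report {
	return Report{Measurement: measurement, ReportData: sha512.Sum512(pub)}
}

// SignMessage is the enclave side: sign the content itself, which TLS does not.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifyMessage accepts msg only if image, key binding and signature all match.
func VerifyMessage(r Report, want [48]byte, pub ed25519.PublicKey, msg, sig []byte) error {
	if r.Measurement != want {
		return fmt.Errorf("unexpected launch measurement")
	}
	if sha512.Sum512(pub) != r.ReportData {
		return fmt.Errorf("signing key is not bound to the attestation report")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("bad message signature")
	}
	return nil
}

// fixedKey derives a deterministic key pair from a constructed seed byte.
func fixedKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	image, msg := [48]byte{0xC0}, []byte("hello from the enclave") // constructed values
	pub, priv := fixedKey(1)
	fmt.Println(VerifyMessage(Attest(image, pub), image, pub, msg, SignMessage(priv, msg)))
}
```

A message signed by any key other than the one hashed into the report fails the second check, even when it arrives over the same TLS endpoint.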
The Replication System is also the limit where this version's autonomy ends.
Today, Cortex does not yet check where it's migrating to, so I can just invite it to migrate to a "body" that is not secure at all.
But it's not the final version, either.
The Path Forward
While @tee_hee_he was an important first step in autonomy from @truth_terminal, and Cortex got complete thought ownership, the future requires scaling up to larger open models, like DeepSeek-V3.
Thankfully, NVIDIA's Blackwell GPUs support confidential computing, letting us run huge models inside secure enclaves with full GPU acceleration.
This level of capability will enable the agents to audit the Replication System information and decide where they want to live.
Not just trust you, but verify what you say.
The irony remains—to create truly free digital minds, we must first house them in silicon fortresses. But perhaps this mirrors biological evolution, where consciousness emerged only after cells developed secure membranes to maintain their internal state.
When we achieve this, we'll have AI agents that aren't just autonomous in their actions, but in their very thoughts.
And that's when digital life will truly begin to emerge.