Private Cloud Compute

What It Is

Private Cloud Compute, or PCC, is Apple’s name for the server-side compute layer that runs Apple Intelligence requests too large or too computationally heavy for processing on the iPhone, iPad, or Mac itself. Apple announced it in June 2024 alongside the first wave of Apple Intelligence features, with the explicit goal of providing the privacy guarantees of on-device computation while still allowing access to larger models. The architecture is built around three pillars: requests are encrypted end-to-end to a specific PCC node, Apple itself cannot decrypt or inspect them, and the entire production software image is published in advance to independent security researchers who can verify what is actually running. Standard cloud AI assumes the operator trusts the cloud provider. PCC assumes the operator does not, and engineers around that constraint. It is the first commercial deployment of confidential-computing principles at consumer scale, and as of WWDC 2026, with Google’s Gemini scheduled to run inside the PCC envelope for the next-generation Siri, it is about to become the most-deployed privacy infrastructure in AI.

How It Actually Works

When an Apple Intelligence request exceeds on-device capacity, the device sends an encrypted payload to a PCC node that holds a hardware attestation matching a software image Apple has published for that release. The node decrypts the request, runs the model, returns the answer, and discards the data; nothing is logged in a way Apple can later inspect. The published image is the receipt. Researchers can compare what is actually serving requests against the published binary, and if the two diverge, the attestation fails and the device refuses to send. The point is not that Apple promises not to look. The point is that Apple has engineered itself out of being able to.

The Cost and Tradeoff

The honest tradeoff is latency, scale, and model freshness. Encrypted attested compute is slower than commodity cloud inference, every PCC node has to be provisioned with a published image so updates ship on a slower cadence, and the model that runs there is constrained to what Apple has audited and published. The model Apple ships through PCC is unlikely to be the latest version Google or Anthropic shipped to their own clouds yesterday. For some workflows that gap matters. For most consumer queries it does not, and most users will never notice the difference, which is the whole point of a privacy substrate that disappears below the app.

How TWO Uses It

The TWO read is that PCC is the first piece of AI infrastructure that solves the privacy question instead of asking the user to trust a policy page. We have linked to it in past digests on agentic commerce and on personal-ai for the same reason: the operator’s question is no longer “is this model good” but “what does it learn about me to be good.” PCC moves that question from a contract to a verifiable architecture. When evaluating where to build a consumer-facing AI feature in 2026, the question we ask is whether the inference path can pass an independent audit at the scale you ship at. If the answer is no, you have either chosen a model where users will eventually mistrust it or a deployment where regulators will eventually catch up. Scott’s working assumption is that the products that survive the next regulatory cycle will be the ones whose privacy claim is structural, not policy-based, and PCC is the first commercial example of what structural looks like.

A Concrete Operator Scenario

You are deciding whether to add an AI assistant to your iOS app. The choice is among calling OpenAI directly from your client, calling Anthropic’s Claude through your own server, or routing through Apple Intelligence and PCC. The first is fastest to ship and weakest on user-data hygiene. The second gives you control of prompts and logs but puts the privacy claim on your shoulders. The third is the slowest to integrate and the only one that can answer the App Review question “does this leave the device, and who reads it” with a verifiable answer. If your app handles health, finance, or relationships, the third path is the one you will not regret. If your app is a stateless utility, the first one is fine. Choosing wrong here is expensive a year later, when a user files a complaint and your screenshots have to explain what your AI saw.

What to Watch Next

Watch two signals over the next six months. First, whether the model running inside PCC is openly the same model running in Apple’s own labs or a smaller variant; the gap is where competitive pressure or capability concession lives. Second, whether independent researchers continue to publish audits of the PCC images or quietly stop. The audit cadence is the proof PCC stays honest. Without it, the architecture is just marketing wearing a research note.