PROVIDING ISOLATION IN VIRTUALIZED SYSTEMS USING TRUST DOMAINS
Abstract:
Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, an apparatus comprises: a memory to store a data structure including a key identifier corresponding to an encryption key assigned to a first tenant workload, a guest physical address corresponding to a host physical memory page assigned to the first tenant workload, and metadata attributes for the host physical memory page; and a processor. The processor includes: an instruction decoder to decode a plurality of instructions, the plurality of instructions including a first instruction to create a tenant workload control structure and a second instruction to create a tenant workload thread control structure; and one or more execution units to execute one or more of the plurality of instructions to create a first tenant workload control structure for managing metadata of the first tenant workload and a first tenant workload thread control structure for maintaining execution state of the first tenant workload. The data structure is access-controlled against software access. The first tenant workload thread control structure is access-controlled against software access. The host physical memory page is encrypted with the encryption key. The one or more execution units, when executing the first tenant workload using the guest physical address, are to reference the data structure to obtain the key identifier to allow the apparatus to access and decrypt the host physical memory page.
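As an added illustration (it is not part of the patent text and does not model any vendor's actual hardware), the following Python sketch walks through the elements the abstract names: a per-tenant key with a key identifier, a processor-owned data structure mapping a guest physical address to a host page, key identifier and attributes, the two control structures created by the two instructions, and the rule that the host only ever sees ciphertext while the executing tenant resolves the key identifier through the mapping. The class and method names (`Processor`, `create_twcs`, `create_twtcs`, `execute_load`), the 16-byte page size and the SHA-256 keystream standing in for a memory encryption engine are all assumptions of this model.

```python
import hashlib
import os
from dataclasses import dataclass, field

PAGE_SIZE = 16  # constructed toy page size; real pages are 4 KiB


class AccessDenied(Exception):
    """Raised when software, or the wrong tenant, touches protected state."""


@dataclass
class PageMapping:
    # One entry of the access-controlled data structure: host physical page,
    # key identifier and metadata attributes recorded for a guest physical address.
    hpa: int
    key_id: int
    attributes: dict


@dataclass
class TenantWorkloadControlStructure:  # metadata of one tenant workload
    tenant_id: int
    key_id: int
    mappings: dict = field(default_factory=dict)  # GPA -> PageMapping


@dataclass
class TenantThreadControlStructure:  # execution state of one tenant thread
    tenant_id: int
    registers: dict = field(default_factory=dict)


def _keystream(key: bytes, hpa: int, length: int) -> bytes:
    # Stand-in for the memory encryption engine: a SHA-256 keystream bound to
    # (key, physical page). Illustrative only, not a real cipher mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + hpa.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Processor:
    """Owns keys and control structures; software only receives opaque handles."""

    def __init__(self):
        self.physical_memory = {}  # HPA -> ciphertext, readable by the host
        self._keys = {}            # KeyID -> key bytes, hardware-internal
        self._structures = {}      # handle -> control structure, hardware-internal
        self._next_handle = 1

    def _alloc(self, obj) -> int:
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._structures[handle] = obj
        return handle

    # First instruction: create the tenant workload control structure and its key.
    def create_twcs(self, tenant_id: int) -> int:
        key_id = len(self._keys) + 1
        self._keys[key_id] = os.urandom(32)
        return self._alloc(TenantWorkloadControlStructure(tenant_id, key_id))

    # Second instruction: create a thread control structure for that tenant.
    def create_twtcs(self, twcs_handle: int) -> int:
        twcs = self._structures[twcs_handle]
        return self._alloc(TenantThreadControlStructure(twcs.tenant_id, {"rip": 0}))

    # Assign a host page to the tenant: encrypt it under the tenant key and
    # record GPA -> (HPA, KeyID, attributes) in the processor-owned structure.
    def add_tenant_page(self, twcs_handle, gpa, hpa, plaintext, attributes):
        twcs = self._structures[twcs_handle]
        assert len(plaintext) == PAGE_SIZE
        key = self._keys[twcs.key_id]
        self.physical_memory[hpa] = _xor(plaintext, _keystream(key, hpa, PAGE_SIZE))
        twcs.mappings[gpa] = PageMapping(hpa, twcs.key_id, dict(attributes))

    # The host can read physical memory but sees only ciphertext ...
    def software_read(self, hpa) -> bytes:
        return self.physical_memory[hpa]

    # ... and cannot read the mapping data structure or the control structures.
    def software_read_structure(self, handle):
        raise AccessDenied(f"structure {handle} is access-controlled against software")

    def _resolve(self, twcs_handle, gpa) -> PageMapping:
        twcs = self._structures[twcs_handle]
        mapping = twcs.mappings.get(gpa)
        if mapping is None:  # GPA not assigned to this tenant
            raise AccessDenied(f"GPA {gpa:#x} not assigned to tenant {twcs.tenant_id}")
        return mapping

    # Tenant execution: resolve the GPA through the tenant's own mapping to get
    # the key identifier, then decrypt the host page with that key.
    def execute_load(self, twcs_handle, gpa) -> bytes:
        m = self._resolve(twcs_handle, gpa)
        return _xor(self.physical_memory[m.hpa], _keystream(self._keys[m.key_id], m.hpa, PAGE_SIZE))

    def execute_store(self, twcs_handle, gpa, plaintext):
        m = self._resolve(twcs_handle, gpa)
        if not m.attributes.get("writable", False):  # metadata attribute check
            raise AccessDenied(f"GPA {gpa:#x} is not writable")
        self.physical_memory[m.hpa] = _xor(plaintext, _keystream(self._keys[m.key_id], m.hpa, PAGE_SIZE))


def demo() -> dict:
    """Constructed scenario: tenant 1 owns one read-only page; tenant 2 and the host try to reach it."""
    cpu, secret = Processor(), b"tenant-A-secret!"
    a = cpu.create_twcs(tenant_id=1)
    cpu.create_twtcs(a)
    cpu.add_tenant_page(a, gpa=0x1000, hpa=0x40000, plaintext=secret, attributes={"writable": False})
    b = cpu.create_twcs(tenant_id=2)
    r = {"tenant_reads_own_page": cpu.execute_load(a, 0x1000) == secret,
         "host_sees_ciphertext": cpu.software_read(0x40000) != secret,
         "host_blocked_from_structure": False, "other_tenant_blocked": False, "readonly_enforced": False}
    for name, call in (("host_blocked_from_structure", lambda: cpu.software_read_structure(a)),
                       ("other_tenant_blocked", lambda: cpu.execute_load(b, 0x1000)),
                       ("readonly_enforced", lambda: cpu.execute_store(a, 0x1000, b"x" * PAGE_SIZE))):
        try:
            call()
        except AccessDenied:
            r[name] = True
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the key lookup happens: software never handles a key or the mapping, it only presents a handle and a guest physical address, and the processor decides, from its own structure, which key identifier (if any) applies. Swapping in a second tenant's handle yields no mapping at all rather than a different key, which is what makes the isolation a property of the data structure rather than of the encryption alone.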