6 Jun 2026 · Operayde

Air-gapped AI: deploying models where the internet can't reach

Air-gapped AI deployment is essential for classified, critical-infrastructure, and high-security environments — here is how to make it work.

Some networks do not connect to the internet. Not because of a misconfiguration — because it is policy. Defence installations, intelligence agencies, critical infrastructure operators, and certain financial trading floors operate air-gapped environments where no packet crosses the boundary. These organisations want AI capabilities too. Air-gapped AI deployment is how they get them.

The challenge is not running a model without internet access. Modern open-weight models are self-contained inference engines that need a GPU and a runtime, not a cloud connection. The challenge is everything else: model delivery, updates, patch management, monitoring, and maintaining operational capability when the feedback loop runs through a physical media transfer instead of an API call.

What air-gapped actually means

An air-gapped network has no electronic connectivity to any external network. Data enters and exits through physical media — encrypted drives, optical discs, or one-way data diodes. Every transfer is logged, reviewed, and approved. There is no “just curl it” option.

This constraint eliminates the entire cloud AI model. No API calls, no streaming inference, no cloud-hosted embeddings, no phoning home for telemetry. But it also eliminates most on-premise AI solutions that assume at least intermittent connectivity for licensing, updates, or control-plane communication.

True air-gapped AI requires a system that can operate indefinitely without any network connectivity. Model weights, runtime dependencies, security patches, policy updates, and monitoring dashboards must all function within the boundary.

Model delivery and updates

The first operational challenge is getting models into the air-gapped environment. A large language model can exceed 100 GB. Transferring it across an air gap means writing it to approved media, transporting it physically, verifying its integrity on the other side, and loading it into the inference runtime.

This process must be repeatable and auditable. Every model delivery needs a manifest that specifies the model version, hash, provenance, and any associated configuration. The receiving system must verify the manifest against a known-good signature before loading the model. If the signature does not verify, the model does not load.

Updates follow the same path. Security patches for the runtime, updated model weights, new policy configurations — all of them cross the air gap as signed, verified packages. The cadence is slower than a connected environment, which means the system must be designed to operate safely on older versions. Defence-in-depth is not optional here; it is the operating model.

Inference without telemetry

Connected AI platforms rely on telemetry for monitoring, alerting, and usage analytics. In an air-gapped deployment, telemetry stays local. The appliance must run its own monitoring stack — health checks, resource utilisation, inference latency, error rates — and present it through a local dashboard accessible only within the air-gapped network.

Audit logs accumulate locally and can be exported across the air gap on a schedule for compliance review. The export process must preserve the integrity of the audit trail — which is where cryptographic audit structures like Merkle trees become valuable, because the receiving side can verify completeness without trusting the air-gapped system’s operators.
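The completeness check described above, as an added example that is not part of the original article and is not Operayde's code or export format. It assumes the appliance commits to its log with an entry count and an RFC 6962-style SHA-256 Merkle root that reaches the reviewer through a channel the operators cannot alter (for example inside a signed package; signature checking is out of scope here). The log entries, field names and function names are constructed for illustration.

```python
import hashlib

# RFC 6962-style domain separation: a leaf hash can never be replayed as an
# interior node hash. The tree shape and prefixes are this example's assumption.
LEAF, NODE = b"\x00", b"\x01"

def leaf_hash(entry):
    return hashlib.sha256(LEAF + entry).digest()

def node_hash(left, right):
    return hashlib.sha256(NODE + left + right).digest()

def merkle_root(entries):
    """Root over an ordered list of log entries (bytes)."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = 1  # largest power of two strictly below len(entries)
    while k * 2 < len(entries):
        k *= 2
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def verify_export(entries, committed_count, committed_root_hex):
    """Reviewer-side check of an exported log against the commitment."""
    if len(entries) != committed_count:
        return False, "count mismatch: entries missing or added"
    if merkle_root(entries).hex() != committed_root_hex:
        return False, "root mismatch: entries altered, reordered or replaced"
    return True, "export matches committed root"

# Constructed sample audit entries (hypothetical field names).
SAMPLE_LOG = [
    b'{"seq":1,"event":"model_load","model":"example-model"}',
    b'{"seq":2,"event":"policy_apply","policy":"example-policy"}',
    b'{"seq":3,"event":"inference","user":"analyst-01"}',
    b'{"seq":4,"event":"inference","user":"analyst-02"}',
    b'{"seq":5,"event":"audit_export","media":"drive-A"}',
]

if __name__ == "__main__":
    count, root = len(SAMPLE_LOG), merkle_root(SAMPLE_LOG).hex()
    print("intact  :", verify_export(SAMPLE_LOG, count, root))
    dropped = SAMPLE_LOG[:2] + SAMPLE_LOG[3:]
    print("dropped :", verify_export(dropped, count, root))
    edited = list(SAMPLE_LOG)
    edited[2] = edited[2].replace(b"analyst-01", b"analyst-09")
    print("edited  :", verify_export(edited, count, root))
```

The check is only as strong as the commitment's delivery path: if the count and root travel on the same unsigned media as the entries, whoever edits the log can recompute both.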

Policy and governance

Air-gapped AI deployment does not relax governance requirements — it intensifies them. Because the system operates without real-time oversight from an external control plane, the local policy engine must be authoritative. Access controls, model usage policies, content filters, and rate limits must be enforced locally with no dependency on an external policy server.

Policy updates arrive the same way model updates do: as signed packages that cross the air gap through the approved transfer process. The system must validate the policy signature, apply it atomically, and log the transition. Rollback must be possible without connectivity.

Where Operayde fits

Operayde’s appliance architecture was designed with air-gapped AI deployment as a first-class configuration. The appliance runs all inference, RAG, policy enforcement, and audit logging locally. Model and policy updates are delivered as signed packages that can cross an air gap on physical media. The local monitoring stack provides full operational visibility without external connectivity, and Merkle-signed audit trails can be exported and verified independently. The fleet management plane is optional — an air-gapped appliance operates autonomously while maintaining the same security posture as a connected one.