Enterprise AI
Air-Gapped AI Explained: How Classified & SCIF Environments Run AI Offline in 2026
Air-gapped AI runs language models on networks with no path to the internet, so classified, SCIF, and CMMC-regulated work can use AI without any data ever leaving the boundary. Here is what that actually requires in 2026.
Air-gapped AI is artificial intelligence that runs on a network with no routable path to the internet, so the model, its data, and its outputs all stay inside one isolated boundary. It is the strictest form of private AI and the standard for classified, SCIF, and CMMC-regulated work where any data egress is a security incident.
The phrase "air-gapped AI" gets used loosely, and that looseness is exactly where regulated organizations get into trouble. A tool that runs on your own servers but still checks a license server, fetches model updates, or sends usage telemetry is on-premise — it is not air-gapped. The strict definition, the one that matters in a classified enclave, is that there is no routable network path between the AI environment and any internet-connected system at any time. Data crosses the boundary only through a deliberate, audited channel such as an encrypted USB drive or a one-way data diode. As The New Stack notes, that manual friction is the point: each transfer becomes a checkpoint where a security team can verify exactly what moved.
What is air-gapped AI?
Air-gapped AI is the most isolated point on the private-AI spectrum. The entire stack — the model weights, the inference engine, the retrieval and orchestration layers, and the management tools — runs inside a physically isolated network with no connection to the outside world. Because nothing can call out, an air-gapped system cannot use a hosted cloud model; it must run open-weight models that have been carried in and stored locally. This is a hard architectural property, not a setting. The defining test is simple: if any path out exists, even an occasional one for updates, the system is private or on-premise, but it is not air-gapped.
Why must classified AI be air-gapped?
Classified information cannot touch systems that are reachable from the public internet, so any AI applied to it has to live inside the same isolated boundary as the data. Sending classified text to an external model API is a spillage event regardless of the provider's assurances. Air-gapping also removes the network path that state-sponsored adversaries traverse — a real and current threat, with the ISOO's 2026 guidance on using AI with classified national security information and CUI (ISOO Notice 2026-01) underscoring how seriously agencies now treat the question. For intelligence-community systems, the risk framework comes from ICD 503 layered on the NIST SP 800-37 Risk Management Framework, and any Secret, Top Secret, or TS/SCI AI application has to earn an Authority to Operate (ATO) inside that boundary. For this tier of work, an air gap is not a security upgrade — it is the only lawful way to use a model on the material.
The isolation spectrum: on-prem, private cloud, and true air gap
"Private" is a spectrum of increasing isolation, and air-gapped sits at the far end. Naming the steps precisely matters, because a deployment that meets one tier's requirements will fail another's audit.
| Deployment | Internet path? | What it really means | Typical fit |
|---|---|---|---|
| Sovereign / private cloud | Yes (contractually isolated) | A single-tenant or region-locked cloud the provider isolates for you | Data-residency rules, lower-sensitivity CUI |
| On-premise | Usually (for updates / telemetry) | Models run on your own hardware behind your firewall | Confidential enterprise data, FedRAMP-adjacent |
| On-prem, egress-blocked | Tightly restricted | On-prem with outbound traffic firewalled, but a path could be re-opened | Healthcare PHI, financial vault networks |
| True air gap | None, ever | Physically isolated; transfer only by USB or data diode | Classified, SCIF, CMMC L2/L3, ITAR |
The jump that trips teams up is the last one. An egress-blocked on-prem system is excellent security, but a firewall rule can be changed; a true air gap removes the physical connection, so there is no rule to misconfigure. That is why SCIFs, classified networks, and the most sensitive regulated environments insist on the genuine article.
What does an air-gapped AI deployment actually require?
Three things have to be true at once. First, the model must be an open-weight system you can run with no external dependency — in 2026 that usually means Meta's Llama, Mistral, Alibaba's Qwen, Google's Gemma, or Microsoft's Phi, frequently quantized so a capable model fits on a single GPU or even a CPU. Commercial products such as AirgapAI package this approach into a deployable application that runs entirely on the endpoint with no network connection required, illustrating what a production-ready implementation of these open models looks like inside an isolated environment. Second, every supporting component must live inside the boundary too. The most common failure in supposedly isolated deployments is a retrieval pipeline whose embedding step calls a remote API; the chat model is local, but the gap is already broken, and network monitoring later reveals outbound DNS queries from an enclave that should be silent. Third, the whole environment — weights, code, data, and telemetry — must stay inside the authorization boundary and pass its ATO. Updates arrive on physical media as discrete, auditable events rather than a constant connection, which adds operational friction by design.
Why air-gapped AI matters in 2026
Two forces converged this year. On the demand side, isolated deployment is now where the money is going: the on-premise segment led the sovereign-AI infrastructure market in 2025, and Precedence Research puts that broader market at roughly USD 19.2 billion in 2026 on the way to USD 177 billion by 2035. Gartner separately forecasts sovereign cloud IaaS spending to reach $80 billion in 2026, up about 36% year over year, as organizations pursue technological independence. On the regulatory side, the rules are catching up to the architecture. The FY2026 National Defense Authorization Act's Section 1513 directs the Department of Defense to build a cybersecurity and physical-security framework for AI/ML and fold it into the DFARS and CMMC, so that any contractor developing, deploying, storing, or hosting AI/ML for the DoD must comply; the law required a status update to Congress by June 16, 2026, per Crowell & Moring's analysis and the Congressional Research Service summary. The honest caveat for buyers: that framework's exact requirements are not final yet, so a 2026 air-gap architecture should be built to satisfy NIST SP 800-171 controls today while leaving room for the AI-specific rules to land.
The honest tradeoffs
Air-gapping is not free. You give up automatic model upgrades — when a stronger open model ships, someone has to validate it and carry it across the boundary, so an air-gapped fleet always runs slightly behind the frontier. You inherit the full operational burden of patching, scaling, and securing the stack yourself. And the hardest reasoning tasks may still favor the largest hosted models you cannot bring inside. The counterweight is that for the work most regulated teams actually do — searching and summarizing their own governed documents — a well-deployed open model over clean data is competitive, and it is the only option that keeps the data where the law requires. The teams that succeed treat the air gap as an architecture decision made before any model is chosen, not a feature bolted on afterward. If you are weighing this for healthcare, finance, or government, the deeper vertical-by-vertical view lives in our pillar guide to AI in regulated industries.
Frequently asked
What is air-gapped AI in simple terms?
Air-gapped AI is artificial intelligence that runs on a computer or network with no routable connection to the internet or any internet-connected system. The model, the data it reads, and the answers it produces all stay inside one physically isolated boundary, and the only way information crosses that boundary is through a controlled, audited channel such as an encrypted USB drive or a one-way data diode. Because nothing can call out, the system cannot use a hosted cloud model or send telemetry home. The strict test is whether any data path exists at any time; if one does, the system is on-premise or private, but not truly air-gapped. The trade-off is that updates and new models must be carried in by hand, which is slower but creates a checkpoint where security teams verify everything that moves.
Why must classified AI be air-gapped?
Classified information by definition cannot touch systems that are reachable from the open internet, so any AI used on it must run inside the same isolated boundary as the data. A cloud large language model would require sending classified text to an external provider, which is a spillage incident regardless of contractual assurances. Air-gapping removes the network path that an adversary could traverse and that an analyst could accidentally leak through. It is also the architecture that intelligence-community rules such as ICD 503 and the NIST SP 800-37 Risk Management Framework are built around, and it is what an Authority to Operate package for a Secret or Top Secret AI application has to demonstrate. For Secret, Top Secret, and TS/SCI work, an air gap is not a preference; it is the only way to apply a modern model to the material at all.
What is the difference between on-premise AI and air-gapped AI?
On-premise AI means the model runs on hardware you own or control, typically inside your own data center and behind your firewall, but that hardware can still reach the internet for updates, license checks, or telemetry. Air-gapped AI goes one step further and removes the network connection entirely, so there is no path out at all. Every on-premise system is private, but not every on-premise system is air-gapped. In practice, many tools marketed as on-premise still phone home for license validation or model updates, which quietly breaks the gap. The most common leak in supposedly isolated deployments is a retrieval pipeline that sends text to a remote embedding API; security teams catch it when network monitoring shows outbound DNS queries from an enclave that is meant to be silent.
Which models can run in an air-gapped environment?
Only open-weight models can run fully air-gapped, because the weights must be downloadable and runnable inside the boundary with no external dependency. The common choices in 2026 are Meta's Llama family, Mistral's open models, Alibaba's Qwen, Google's Gemma, and Microsoft's Phi, often quantized so they fit on a single GPU or even a capable CPU. Proprietary frontier models accessed only through a hosted API cannot be air-gapped, by definition, although several vendors now offer on-premise or sovereign packages of specific models. A critical and frequently missed requirement is that the embedding model used for retrieval must also live inside the enclave; if retrieval calls an external embedding service, the gap is broken even when the chat model itself is local.
What compliance frameworks apply to air-gapped AI?
Air-gapped AI deployments usually align with several overlapping regimes. For defense contractors, the Cybersecurity Maturity Model Certification (CMMC) Levels 2 and 3 govern Controlled Unclassified Information, with the FY2026 NDAA directing the Department of Defense to extend CMMC and the DFARS to cover AI and machine-learning systems specifically. Government agencies map to FedRAMP High and FISMA, and the intelligence community uses ICD 503 with NIST SP 800-53 controls and CNSSI 1253 overlays. Healthcare adds HIPAA, aerospace and defense manufacturing adds ITAR, and many enterprises layer on SOC 2 Type II. No single framework literally orders 'air-gap your AI,' but for classified work it is mandatory, and for everything else an air gap is often the architecturally simplest way to satisfy the controls.
Can air-gapped AI be as capable as cloud AI?
For most enterprise tasks, yes, though the gap depends on the workload. Open-weight models that can be run air-gapped have closed much of the distance to proprietary frontier systems on summarization, retrieval-augmented question answering, classification, and drafting, and modern quantization lets capable models run on standard local hardware. The very hardest reasoning benchmarks may still favor the largest hosted models, and an air-gapped system gives up the convenience of automatic upgrades the moment a new model ships. In practice the binding constraint is rarely the model itself; it is the quality and governance of the data fed into retrieval and the hardware available inside the enclave. A well-built air-gapped system over clean, governed data is competitive for the work most regulated teams actually need.