Security
Air-Gapped AI, Explained: What It Is and Who Needs It
Air-gapped AI is an artificial intelligence system — typically a large language model — running on hardware that is physically isolated from all networks: no internet, no LAN uplink, no Wi-Fi, no Bluetooth. The term comes from the literal gap of air between the machine and any network medium. Data cannot leak from an air-gapped system for the simplest possible reason: no path out exists.
The concept long predates AI — air gaps have protected industrial control systems, classified networks and certificate authorities for decades. What's new is that open-weight models like NVIDIA Nemotron and Google Gemma now make it practical to put serious language-model capability behind the gap, instead of choosing between intelligence and isolation.
Air-gapped vs on-premise vs self-hosted
These three terms get used interchangeably in marketing. They describe very different security postures:
| Posture | Where it runs | Network exposure | Data leaves the building? |
|---|---|---|---|
| Self-hosted | Your cloud account or servers | Internet-connected | Often — telemetry, updates, APIs |
| On-premise | Hardware in your building | LAN, usually internet too | Can, via any connected path |
| Air-gapped | Hardware in your building | None — physical isolation | Cannot — no path exists |
The distinction matters because policy and physics fail differently. A firewall rule is a promise; an absent network interface is a fact. On-premise systems are compromised through their connections every week. An air-gapped system's attack surface is, almost literally, the door to the room.
Every air-gapped system is on-premise. Almost no on-premise system is air-gapped. The gap — not the postcode of the server — is what changes the threat model.
Who genuinely needs the gap
- Regulated confidentiality — law firms protecting privilege, healthcare bodies handling patient records, financial firms with insider information. For these, "we don't send data out" is a compliance statement that's much easier to defend when it's physically true. See legal and healthcare deployments.
- Classified and defence environments — where connected systems are prohibited outright, and any AI capability must live inside the accreditation boundary.
- Trade-secret R&D — pharma, deep tech, M&A. When the prompt itself reveals strategy, even an encrypted API call is a disclosure.
- Connectivity-denied operations — ships, mines, expeditions, disaster zones. Here the gap isn't chosen; it's the operating environment. Offline capability is the only capability. See offline AI for emergency response.
And one quieter group: organisations and individuals who simply want AI they own — no subscription, no terms-of-service drift, no vendor able to read, rate-limit or retire the thing they depend on.
How an air-gapped AI stays useful
The standard objection: "won't it go stale?" The answer is the same one secure facilities have used for decades — updates by physical media. Model weights, software patches and refreshed reference corpora arrive on signed, encrypted drives; the appliance verifies the cryptographic signature and applies the update locally. AIOD ships this quarterly as Knowledge Packs. The machine improves on schedule; the isolation is never broken.
The second objection — "won't it be dumber than the cloud?" — deserves an honest answer: frontier cloud models are stronger in the absolute. But an appliance is not trying to be everything; it's scoped to a mission, grounded by retrieval over an authoritative corpus, and present when the cloud isn't. For the jobs the gap exists to protect, that trade is not close.
Verifying a gap is real
"Air-gapped" should be an auditable claim, not an adjective. At minimum, demand:
- Hardware inspection — radios absent or disabled at firmware level; interfaces enumerated and locked.
- Signed-media-only updates — the system refuses anything it cannot cryptographically verify.
- Zero telemetry — if the vendor can see your usage, you are not air-gapped.
- The cable test — full functionality demonstrated with no network present at all. Our demos end this way on purpose.
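One way to automate the interface-enumeration part of the hardware inspection on a Linux host, as an added example that is not the vendor's own tooling: it walks the kernel's sysfs view (`/sys/class/net` and `/sys/class/rfkill`) and reports every non-loopback interface and every enumerated radio. The names `audit_gap` and `make_sample_sysfs` are hypothetical, and the fixture data is constructed.

```python
import os
import tempfile

ARPHRD_LOOPBACK = "772"  # /sys/class/net/<if>/type value for the loopback device


def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def _entries(path):
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def audit_gap(sysfs="/sys"):
    """List every network path the kernel enumerates; [] means none was found."""
    findings = []
    net = os.path.join(sysfs, "class", "net")
    for name in _entries(net):
        base = os.path.join(net, name)
        if _read(os.path.join(base, "type")) == ARPHRD_LOOPBACK:
            continue  # loopback traffic never leaves the machine
        kind = "wireless" if os.path.isdir(os.path.join(base, "wireless")) else "wired/other"
        state = _read(os.path.join(base, "operstate")) or "unknown"
        findings.append(f"interface {name}: {kind}, operstate={state}")
    rfkill = os.path.join(sysfs, "class", "rfkill")
    for name in _entries(rfkill):
        # Assumption: a radio that is only blocked (not absent) is still a finding.
        findings.append(f"radio {name}: type={_read(os.path.join(rfkill, name, 'type'))}")
    return findings


def make_sample_sysfs(root, nics):
    """Constructed fixture: minimal sysfs-like tree. nics maps name -> (type, state, wireless)."""
    for name, (arphrd, state, wireless) in nics.items():
        base = os.path.join(root, "class", "net", name)
        os.makedirs(os.path.join(base, "wireless") if wireless else base)
        for fname, value in (("type", arphrd), ("operstate", state)):
            with open(os.path.join(base, fname), "w") as fh:
                fh.write(value + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_sysfs(tmp, {"lo": ("772", "unknown", False), "wlan0": ("1", "down", True)})
        print(audit_gap(tmp))  # constructed sample, not a real host
```

An empty result only shows that the running kernel enumerates no network device; a radio with no loaded driver stays invisible to this check, so physical inspection is still required.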
For the full engineering picture — hardware sizing, model choice, retrieval and sustainment — continue with The Complete Guide to Offline LLM Deployment.