Running AI fully air-gapped
For the most sensitive environments: AI with no internet connection at all.
There is a tier of data sensitivity where “private cloud” is not enough. Medical records from national health systems, intelligence assessments, critical-infrastructure control logic, M&A deal rooms — in these environments, the only acceptable network perimeter is no network at all. Air-gapped AI means running large language models on hardware that has never had, and will never have, a live internet connection. Privonis designs and deploys exactly this class of system.
What air-gapped actually means
An air gap is a physical and logical isolation: no Ethernet uplink, no Wi-Fi radio, no Bluetooth, no out-of-band management port reachable from outside the secure enclave. Data enters and exits only through controlled media — encrypted USB drives with hardware write-blockers, optical one-way data diodes, or physically escorted removable storage. The AI inference stack, the model weights, the vector database, and the user-facing interface all run entirely within the enclave. No query, no document fragment, no embedding ever leaves the building.
Who needs it
- Defence and intelligence agencies processing classified material
- Critical-infrastructure operators (energy grids, water treatment, transport)
- Hospitals and health insurers handling patient data under NIS2 or sectoral rules
- Investment banks and M&A advisors working on pre-announcement deal documents
- Government ministries subject to national security data-handling mandates
- Industrial manufacturers protecting proprietary process recipes or CAD designs
The common thread is not just regulatory obligation but consequence asymmetry: a breach or exfiltration in these sectors causes harm that no contract, fine, or PR campaign can repair. Air-gapping eliminates the network attack surface entirely rather than hardening it.
How model updates work without internet
The most common objection to air-gapped AI is model staleness: “what happens when a better model is released?” The answer is a controlled update workflow. New model weights are downloaded and cryptographically signed on an internet-connected preparation workstation that lives outside the secure enclave. The weights and their signature file are transferred to write-once optical media or a hardware-encrypted drive. Inside the enclave, an integrity-verification step checks the signature against the known public key before the model is loaded. The preparation workstation and the transfer media never enter the enclave; only the verified payload crosses the boundary. Privonis automates this pipeline so that updates which might otherwise take a week of manual processing complete in a controlled two-hour maintenance window.
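The enclave-side integrity check described above can be sketched as a fail-closed gate. This is an added example, not Privonis tooling: the function name, file names and directory layout are assumptions, and it uses a detached `openssl dgst` signature as one possible signing scheme.

```bash
#!/usr/bin/env bash
# Added example: enclave-side gate for a model update (hypothetical names).
# Assumed signing step on the preparation workstation, outside the enclave:
#   openssl dgst -sha256 -sign release-key.pem -out model.bin.sig model.bin

# verify_and_stage PUBKEY WEIGHTS SIGNATURE STAGE_DIR
#   0 = signature valid, weights copied into STAGE_DIR
#   1 = signature invalid, nothing staged
#   2 = missing input or I/O error, nothing staged
verify_and_stage() {
    local pubkey=$1 weights=$2 sig=$3 stage=$4 tmp f

    # PUBKEY must be the copy pinned inside the enclave at commissioning,
    # never a key file that arrived on the same medium as the payload.
    for f in "$pubkey" "$weights" "$sig"; do
        [ -f "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done

    # Copy off the transfer medium first, then verify the copy, so the
    # bytes that were checked are exactly the bytes that get loaded.
    tmp=$(mktemp "$stage/.incoming.XXXXXX") || return 2
    cp -- "$weights" "$tmp" || { rm -f -- "$tmp"; return 2; }

    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$tmp" \
            >/dev/null 2>&1; then
        # Same-directory rename: the loader never sees a partial file.
        mv -- "$tmp" "$stage/${weights##*/}"
        return 0
    fi

    # Fail closed: remove the unverified copy and report.
    rm -f -- "$tmp"
    echo "signature verification FAILED: ${weights##*/} not staged" >&2
    return 1
}
```

The model loader should read only from the staging directory, so a file that fails verification never becomes loadable.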
Trade-offs to accept
Air-gapping imposes real constraints that buyers should understand before committing. Real-time threat-intelligence feeds, automatic software patches, and cloud-hosted monitoring dashboards are all unavailable by definition. Web-retrieval augmentation — where the model fetches live URLs to answer questions — is impossible without a carefully controlled one-way data diode. Latency for model updates is higher than in connected deployments. And the initial commissioning process is more involved: Privonis engineers physically attend the installation; there is no remote bootstrap. These are not bugs; they are the deliberate cost of the security guarantee.
Eliminating the network attack surface is not a configuration option — it is an architectural commitment. Air-gapping is the only control that makes network-borne exfiltration physically impossible.
How Privonis deploys air-gapped AI
Privonis ships pre-configured server nodes with model weights already loaded and verified. The hardware arrives sealed, with tamper-evident packaging and a hardware attestation certificate. On-site commissioning takes one to two days: the Privonis engineer installs the node inside the client’s secure enclave, runs a local acceptance test suite, and hands over the system with full documentation. No model weights, configuration, or diagnostic data is transmitted during this process — the commissioning laptop operates in an isolated mode and its logs remain on-site.
Post-deployment support follows the same physical protocol. Remote access is never granted. Support sessions occur via a local terminal inside the enclave or via a secured video call where the engineer talks the client’s own operator through any procedure. This discipline is demanding, but it is the only honest way to offer a true air-gap guarantee — and it is why clients in defence and critical infrastructure trust Privonis with their most sensitive workloads.