Air-gap AI: why regulated industries need it
· Avery NXR
Half the world's most interesting AI workloads cannot touch the cloud.
Defense contractors processing classified documents. Hospitals running PHI analysis. Law firms doing privileged document review. Banks handling material non-public information. Finance teams analyzing insider data. Government agencies with FedRAMP High requirements.
These teams cannot use ChatGPT, Claude, Cursor, or any cloud-based AI tooling. Not because they don't want to. Because the compliance teams say no and the lawyers back the compliance teams.
The cloud AI industry mostly ignores this segment. The default business model is cloud-first, and serving the air-gap segment requires a different architecture. But the segment is huge, underserved, and willing to pay enterprise prices for tools that actually meet their requirements.
This post is the case for air-gap AI. What it actually means, who needs it, what it requires technically, and how Avery NXR's architecture meets those requirements out of the box.
What air-gap AI actually means
"Air-gap" gets used loosely. The strict definition: the AI system runs on hardware that has no network connectivity. No internet. No corporate intranet bridge. Nothing.
The weaker definition: the AI system runs on hardware with network access strictly controlled. Outbound calls only to specifically allowlisted endpoints. No telemetry. No model weights downloaded after initial deployment. No phone-home behavior.
Both versions are different from "private cloud AI" or "VPC-deployed AI." Those are still cloud architectures with network paths to external services, even if those services are the same provider's other instances. The cloud architecture has assumptions baked in that air-gap breaks.
True air-gap requires:
Signed binaries. Every executable on the machine has a verified signature chain. No unauthorized code can run.
Local model files. The AI models live on disk. No API calls, even encrypted ones, even to "trusted" providers.
Full audit logs. Every model call, every input, every output, logged locally with tamper-evident storage.
No telemetry. The system does not phone home. No metrics, no error reports, no usage analytics. None.
Air-gap deployment patterns. Either complete network isolation, or strictly controlled outbound paths with auditable rules.
This is genuinely different from cloud architectures. It requires building from the ground up with the constraint in mind, not retrofitting.
Who actually needs this
Defense. Anything classified at SECRET or higher. Anything subject to ITAR. Anything covered by CMMC Level 3 or above. Government contractors handling FOUO or CUI. Direct US government agencies and their international peers.
Healthcare with sensitive PHI. Hospital systems processing patient records. Insurance companies analyzing claims with PHI. Research institutions doing genomic analysis. Mental health providers handling especially sensitive records.
Legal. Law firms processing privileged documents. In-house legal teams analyzing material non-public information. Forensic investigators handling evidence. Anyone subject to attorney-client privilege or work product doctrine.
Finance. Trading desks handling material non-public information. Investment banks processing deals before announcement. Hedge funds with proprietary research. Compliance teams analyzing insider trading patterns.
Critical infrastructure. Energy operators with NERC CIP requirements. Water treatment systems. Telecom infrastructure. Anything covered by national security regulations.
Government services. Tax agencies processing returns. Social security systems handling benefits data. State and local agencies handling sensitive citizen data.
The list keeps growing. Privacy regulations tighten. Industry-specific rules emerge. The set of workloads that genuinely cannot use cloud AI expands every year.
Why cloud AI fails these use cases
The structural mismatch goes deeper than "they need to control the data."
Cloud AI providers offer Business Associate Agreements (HIPAA), SOC 2 reports, FedRAMP Moderate certifications. These are useful but insufficient.
A BAA covers the vendor relationship. The compliance burden for your specific workflow is still yours. If a healthcare worker pastes PHI into a prompt that gets logged on the vendor's side, the BAA does not automatically make that compliant.
FedRAMP Moderate is not FedRAMP High. Many federal workloads require High, which most cloud AI providers do not have.
ABA Opinion 512 explicitly says attorney-client privilege does not automatically survive a third-party AI vendor. Even with a strong vendor contract, lawyers face real exposure.
CMMC Level 3 requires the entire processing chain to be assessed. Routing CUI through a cloud AI provider creates an out-of-scope component that breaks the assessment.
Material non-public information has its own dynamics. Sharing MNPI with a cloud AI provider, even with a contract, creates regulatory exposure that compliance teams cannot accept.
The pattern: cloud AI providers can serve workloads where their standard compliance posture is enough. They cannot serve workloads where the compliance requirement extends to the architecture itself.
What air-gap AI requires technically
Building a system that survives a compliance audit for these use cases requires specific technical properties.
Local model execution. The model weights live on the local machine. No remote inference. No "private endpoint" that is really a tunnel to a vendor's GPU cluster.
Signed software chain. Every executable, every library, every plugin has a verifiable signature. No surprises about what the system is running.
Comprehensive audit logging. Every prompt and every response logged locally. Timestamp, user, input, output, model version. Tamper-evident storage. Retention policies aligned with industry requirements (HIPAA wants six years, some defense requirements are longer).
Network isolation by default. The system does not call out unless explicitly configured. No telemetry endpoints. No "improvement" data collection. No update checks against vendor servers.
Optional and controlled cloud escalation. For tasks that genuinely require frontier capability, an explicit per-task escalation pattern. The user sees what would be sent. The user can decline. Anonymization is applied. The escalation is logged.
Air-gap deployment topology. Either complete network isolation, or strictly controlled networks with allowlists and outbound monitoring.
Hardened hardware support. Optional but valuable: TPM-bound encryption, secure enclave for sensitive operations, integration with existing access control infrastructure (Active Directory, SAML, hardware security keys).
Avery NXR's air-gap architecture
Avery NXR was built with these constraints from the start, not retrofitted.
The default product is local-first. Models run on the user's hardware. Inputs and outputs stay local. No telemetry collection by default.
For air-gap deployments specifically, the system runs in a stricter mode. All network calls disabled. Signed plugin chain verified at startup. Audit logging required, not optional. The Central Server (used in some deployments) can be deployed on-premise so the desktop agents never connect to anything outside the customer's network.
The audit log format is designed for compliance reviews. Tamper-evident. Includes everything needed to demonstrate that PHI/CUI/MNPI never left the appropriate boundary.
The deployment patterns we've worked through with customers include:
Standalone laptops with no network access. Used by lawyers and consultants doing client work in sensitive matters.
On-premise servers in air-gapped data centers. Used by defense contractors and government agencies for classified workloads.
Hybrid networks where the AI processing nodes are on a strictly controlled segment with audited outbound paths. Used by hospitals and financial services firms that need broader functionality.
Each pattern has its own deployment guide, audit log template, and compliance documentation we provide to customers.
Real use cases by industry
Defense. A contractor processing classified intelligence reports. The reports are pulled from a secure storage system, the AI runs on hardware in a secured room, the analysis output goes back to the storage system, and a complete audit trail is generated for the program office.
Healthcare. A hospital running PHI summarization for case prep. A clinician on rounds wants quick summaries of complex patient histories. The local AI on the hospital workstation reads the EMR data, generates structured summaries, never sends anything to a vendor.
Legal. A law firm doing discovery on a major case. Tens of thousands of documents to review for relevance and privilege. The local AI tags each document, applies privilege filters, generates a privilege log. Nothing leaves the firm's infrastructure.
Finance. A trading desk analyzing the documents from a not-yet-announced acquisition target. The AI runs on isolated hardware in the deal team's secure workspace. Pattern detection, summarization, gap analysis. No risk of insider information leaking to a vendor.
Government. A state agency processing benefits applications. PII and SSNs in every record. Local AI extracts structured data, flags anomalies, drafts case worker notes. Compliance with state-specific privacy laws verified through the audit log.
The compliance documentation pattern
Technology alone doesn't satisfy a compliance audit. Documentation matters as much.
The documentation pattern for air-gap AI deployments typically includes:
Architecture diagrams showing data flow and trust boundaries.
Configuration management documentation showing how the system is deployed, who has access, how updates are managed.
Audit log retention policies aligned with industry requirements.
Access control documentation showing who can use the system and how their access is managed.
Incident response procedures for the air-gap configuration (since you can't just call the vendor when something breaks).
Periodic review schedules for the configuration and access.
Avery NXR ships templates for all of these aligned to specific compliance frameworks. HIPAA, FedRAMP, CMMC, GDPR Article 28. The templates aren't a substitute for your compliance team's review, but they cut the documentation effort from weeks to days.
The TAM and the strategic call
The total addressable market for air-gap AI is large and growing.
Defense and government: hundreds of billions of dollars in IT spending, increasingly with AI components, almost all requiring some form of air-gap or strictly controlled deployment.
Healthcare: hundreds of billions in IT spending, where the AI component is in the early innings but where every workflow involving PHI is a candidate for local-first or air-gap deployment.
Legal: the legal tech market is in the tens of billions, with privilege concerns making cloud AI structurally difficult.
Finance: trading, banking, insurance. The AI use cases are growing rapidly and most of the high-value ones involve MNPI or PII.
Regulated industries broadly: pharma, telecom, energy, utilities, transportation. Each has compliance frameworks that make cloud AI tricky.
Cloud AI providers will continue to win the workloads where their compliance posture is enough. They will not win the workloads where the compliance requirement is at the architecture layer.
Products built for air-gap from the start have a structural advantage in this segment. Avery NXR is one of those products. The architecture matches the requirement. The documentation supports the audit. The deployment patterns fit the use cases.
If you are in a regulated industry and your team has been told "no cloud AI" by compliance, the air-gap path is real. The tooling exists. The deployment patterns are documented. The audit trail is generated by design.
The work that has been waiting on compliance approval can move forward now.
avery.software