Agentic AI inside the air gap
For networks that can never touch the internet. We deploy capable, open-weight agents entirely on your isolated hardware — your data stays in, telemetry stays out, and the gap stays intact.
- Zero outbound network egress
- Open-weight models on your GPUs
- One-way, signed update ingest
- Full on-prem audit & lineage
What runs behind the gap
Every layer of the stack lives on hardware you control. Nothing phones home.
Local model serving
Open-weight LLMs served on your GPUs via vLLM or TGI — no hosted inference API, no license callbacks, no token egress.
On-prem retrieval
A self-hosted vector store and embedding pipeline so agents reason over your classified corpus without it ever leaving the rack.
Self-contained agents
Orchestration, tool-calling, and memory all run inside the gap. Agents act through an internal action layer, never an external one.
Egress denial
Default-deny networking, no DNS to the outside, and host-level controls that make an outbound connection physically impossible.
Local audit & lineage
Every prompt, retrieval, and action is logged to storage you own, giving you complete decision lineage for review and accreditation.
Accreditation support
Controls mapped to your framework — IL-tiers, CMMC, FedRAMP-High patterns — to make the assessor's job straightforward.
From threat model to live enclave
A measured path that respects your accreditation boundary at every step.
Scope
We map your data classification, threat model, and the exact accreditation boundary the system must live within.
Provision
We spec and stand up GPU hardware, serving stack, and default-deny networking inside your isolated network.
Tune
We select and fine-tune open-weight models and retrieval so local inference meets your accuracy bar on real tasks.
Accredit
We document controls, evidence, and the one-way update path so your assessor can sign off — then keep it current.
Staying current without breaking the gap
The hard part of air-gapped AI isn't day one — it's day ninety, when a better model ships and your enclave still can't reach the internet. Most teams either freeze on a stale model or quietly punch a hole in the perimeter.
We solve it with a one-way ingest pipeline. New weights and container images are scanned, checksummed, and signed in a staging zone outside the gap, then moved in across a data diode or controlled media. Nothing in the enclave ever opens an outbound connection, so you stay current and the air gap stays provably intact.
- Scan, checksum, and sign before ingest
- Data diode or controlled-media transfer
- No outbound connection, ever
Hosted AI vs. air-gapped AI
Why an isolated enclave is a fundamentally different deployment, not just a stricter firewall.
| | Hosted / API AI | Air-gapped enclave |
|---|---|---|
| Data path | Leaves your perimeter to a vendor | Never leaves your hardware |
| Models | Vendor-hosted frontier APIs | Open-weight, served locally |
| Network | Requires outbound internet | Zero egress, default-deny |
| Updates | Automatic, vendor-controlled | One-way, signed, you control |
| Audit | Trust the provider's logs | Full lineage on storage you own |
Frequently asked questions
What exactly is an air-gapped AI deployment?
Every component — models, weights, vector store, orchestration, and logs — runs on hardware inside your isolated network with no route to the public internet. No third-party inference APIs, no license callbacks, no telemetry. Updates arrive through a controlled one-way transfer, not an outbound connection.
Can you run capable models without calling Anthropic or OpenAI?
Yes. Air-gapped enclaves use open-weight models (Llama, Mistral, Qwen, and similar) served locally on your GPUs via vLLM or TGI. We size the model to the task and the hardware, then tune retrieval and prompting so an on-prem 70B can match a hosted frontier model on your specific workflows.
How do model and software updates get in if there's no internet?
Through a documented one-way ingest: new weights and container images are scanned, checksummed, and signed in a staging zone, then moved across a data diode or sneakernet into the enclave. Nothing ever initiates an outbound connection, so the air gap stays intact while you stay current.
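The enclave-side admission check that the one-way ingest described above (and in "Staying current without breaking the gap") relies on, as an added example rather than the vendor's own code: it verifies the manifest signature first, then each listed artifact's SHA-256, and rejects anything the signed manifest does not cover. It assumes a bundle laid out as manifest.json and manifest.sig beside the artifact files, and uses HMAC-SHA256 as a standard-library stand-in for the asymmetric signature a real staging zone would apply.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path
KEY = b"constructed-demo-key"  # stand-in for the enclave's verification key

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream: weight files are large
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_bundle(bundle: Path, verify_key: bytes) -> dict:
    """Enclave-side admission check; returns {"ok": bool, "reasons": [...]}."""
    manifest_bytes = (bundle / "manifest.json").read_bytes()
    sig = bytes.fromhex((bundle / "manifest.sig").read_text().strip())
    expected = hmac.new(verify_key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # check signature before trusting contents
        return {"ok": False, "reasons": ["manifest signature invalid"]}
    reasons, listed = [], {"manifest.json", "manifest.sig"}
    for entry in json.loads(manifest_bytes)["artifacts"]:
        rel = Path(entry["path"])
        if not rel.parts or rel.is_absolute() or ".." in rel.parts:
            reasons.append(f"unsafe path: {entry['path']}")  # must stay inside the bundle
            continue
        listed.add(rel.parts[0])
        target = bundle / rel
        if not target.is_file():
            reasons.append(f"missing: {entry['path']}")
        elif sha256_file(target) != entry["sha256"]:
            reasons.append(f"hash mismatch: {entry['path']}")
    for p in bundle.iterdir():  # unlisted files have no provenance: reject them
        if p.name not in listed:
            reasons.append(f"unlisted file: {p.name}")
    return {"ok": not reasons, "reasons": reasons}

def check_sample(tamper: str = "", verify_key: bytes = KEY) -> dict:
    """Constructed sample bundle (not real weights) signed with KEY, optionally tampered, then checked."""
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d)
        weights = bundle / "model.safetensors"
        weights.write_bytes(b"constructed weights blob")
        manifest = {"artifacts": [{"path": "model.safetensors", "sha256": sha256_file(weights)}]}
        raw = json.dumps(manifest, sort_keys=True).encode()
        (bundle / "manifest.json").write_bytes(raw)
        (bundle / "manifest.sig").write_text(hmac.new(KEY, raw, hashlib.sha256).hexdigest())
        if tamper == "weights":  # altered after signing, e.g. on the transfer media
            weights.write_bytes(b"constructed weights blob, altered in transit")
        elif tamper == "extra":  # a file the signed manifest never listed
            (bundle / "helper.sh").write_text("# constructed unlisted file")
        return verify_bundle(bundle, verify_key)
```

Run verify_bundle over the bundle on the inbound side of the diode or media, before any file is copied to the serving hosts; a non-empty reasons list means the whole bundle is rejected, not just the offending file.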
Is air-gapped overkill if a private VPC would do?
Often, yes. A VPC-isolated or on-prem deployment is enough for most regulated work. Air-gapping is for classified networks, OT/ICS environments, and data that legally cannot touch a routable network. We'll tell you honestly which tier your threat model actually requires.
Capable agents. Zero egress.
Bring your threat model and accreditation boundary. We'll map an air-gapped architecture that keeps every byte inside the gap.