Insights

When AI Can't Touch the Cloud: A Practical Case for Air-Gapped Deployment

7 min read
  • secure deployment
  • air-gapped AI
  • on-premises
  • data governance

Most conversations about deploying AI in an organisation start from a cloud-first default: pick a hosted model, call an API, iterate quickly. For a large share of use cases, that default is the right one. But for a meaningful minority of organisations — and a growing one — the cloud-first default simply isn’t available to them, because the data the AI needs to see legally, contractually, or operationally cannot leave the building.

This isn’t a niche concern confined to defence and intelligence. It shows up wherever data is classified, regulated, or bound by contracts that pre-date the AI conversation entirely.

Why the data can’t leave

There are several distinct reasons an organisation ends up needing on-premises or air-gapped AI, and it’s worth separating them because they lead to different architectures.

Legal and regulatory constraints. Some data categories are subject to data residency or handling rules that make transmission to a third-party cloud service — even a reputable one with strong contractual safeguards — legally fraught. This is common in regulated financial services, healthcare, and public sector contexts, where sector-specific rules sit on top of general data protection law and can restrict where data is processed, not just where it’s stored.

Contractual and client confidentiality obligations. Even where no statute applies, many organisations hold data under contracts with their own confidentiality clauses — client records, proprietary designs, unpublished research, commercially sensitive negotiations. Sending that data to a third-party API, even briefly and even without retention, can breach the letter of the contract regardless of the provider’s own privacy practices.

Sovereign and security-sensitive use cases. For organisations handling nationally sensitive information, classified material, or critical infrastructure data, the requirement isn’t just “don’t send this to a public cloud” — it’s “this system must not have any network path to the outside world at all.” Here the concern is not only data exfiltration but also supply-chain integrity and the risk of an external dependency becoming a point of failure or compromise.

Operational continuity. Some environments — manufacturing plants, industrial control systems, remote or field-deployed sites — simply cannot guarantee reliable connectivity, or cannot tolerate a dependency on an external service that might change its terms, pricing, or availability without notice.

In each case, the underlying question is the same: who else gets to see this data, and who controls what happens to the model that’s seeing it?

What “air-gapped” actually means

“Air-gapped” is often used loosely to mean “secure” or “private,” but the term has a specific meaning worth being precise about: a system with no live network connection to any external network, including the internet. Not a firewalled connection, not a VPN, not an API call with encryption in transit — no connection at all.

In practice, a genuinely air-gapped AI deployment involves:

  • The model runs entirely on infrastructure the organisation controls — on-premises servers, or a private, physically isolated data centre — with inference happening locally rather than via a remote API.
  • Software and model updates arrive via controlled, manual transfer — typically vetted files moved across the gap on removable media through a formal process — rather than automatic downloads.
  • Monitoring, logging, and any supporting tooling are also self-hosted, since a “secure” model behind an air gap loses much of its value if a logging or telemetry component elsewhere in the stack still phones home.
  • Access control and audit trails are enforced locally, typically integrated with the organisation’s existing identity and access management rather than a third party’s authentication layer.

It’s also worth distinguishing air-gapped from the broader category of “on-premises” or “private cloud” deployment. Many organisations don’t need a full air gap — they need data processed within infrastructure they control, under contractual and technical guarantees that satisfy their regulatory position, but with some managed connectivity for updates and support. That’s a meaningfully different (and less costly) architecture, and part of the job in early scoping is establishing which one an organisation actually needs, rather than defaulting to the most extreme option.

The trade-offs, honestly

None of this is free, and it’s worth being direct about what an organisation gives up by going on-premises or air-gapped, rather than presenting it as a strictly superior option.

Cost. Running your own inference infrastructure means capital expenditure on hardware, ongoing power and cooling, and specialist staff time that a cloud subscription would otherwise absorb into a per-token price. For smaller deployments, the economics can compare poorly with cloud AI unless the compliance requirement makes cloud infeasible in the first place.

Maintenance burden. Someone has to patch, monitor, and maintain the environment. Without a managed service handling scaling, failover, and security patching, that responsibility sits with the organisation’s own IT function or a support partner — which needs to be resourced and budgeted for, not treated as an afterthought.

Model update cadence. Cloud AI providers ship model improvements continuously and near-invisibly. An air-gapped deployment update cycle is inherently slower: new model versions must be evaluated, tested against the organisation’s own use cases, and formally transferred across the gap before they’re live. That means air-gapped environments are usually running a deliberately chosen, slightly older model version rather than the newest release — a trade-off that needs to be made consciously, not discovered by accident.

Reduced flexibility. Trying a new capability, a new model provider, or a new feature is a matter of an API key in the cloud world. On-premises, it means a procurement, evaluation, and deployment cycle.

The organisations for whom air-gapped or on-premises AI makes sense are the ones where these costs are clearly outweighed by the alternative: a compliance breach, a lost contract, or a data exposure that the organisation cannot accept at any price. Getting that assessment right — rather than assuming the most locked-down option is automatically the safest or the most sensible one — is the first and most important step in the process.