§ Security · 12 min read
How to deploy production AI agents in fully disconnected environments. Technical architecture for defense, critical infrastructure, and healthcare organizations requiring complete network isolation.

Katonic AI
Security Engineering
Network posture
Complete network isolation
Deployment model:
Air-gapped, self-contained
"For most enterprises, 'on-premise deployment' means running software in your own data center but still with internet connectivity. Air-gapped is a fundamentally different threat model - and requires a fundamentally different architecture."
§ 01
For most organizations, cloud AI or on-premise deployment with internet access is sufficient. But for a growing segment - defense contractors, critical infrastructure operators, regulated healthcare providers, and classified government agencies - air-gapped deployment is not a preference. It is a regulatory or operational requirement.
An air-gapped system is physically isolated from unsecured networks. No inbound or outbound internet connections. No telemetry. No external API calls. The AI system must function entirely within a closed network perimeter.
Military and intelligence agencies operate in environments where any network connection is a potential vulnerability. Classified systems require complete isolation from public networks.
Power grids, water treatment facilities, and transportation systems cannot risk external network access to their operational technology (OT) environments.
Medical devices, research facilities with sensitive data, and healthcare systems in remote locations require AI that operates without external connectivity.
§ 02
Modern AI systems are built with connectivity assumptions baked in at every layer. Stripping those assumptions out requires deliberate architectural choices - not just flipping a configuration flag.
"The difference between 'on-premise' and 'air-gapped' is not just network topology - it's the complete elimination of any assumption that a network exists."
§ 03
A production air-gapped AI deployment requires every component to be designed for offline operation from the start. The following architecture eliminates all external dependencies.
Network isolation model
Public Network
Secure Enclave
§ 04
Every component in an air-gapped stack must operate without any assumption of network access. Here are the six core building blocks.
Self-hosted inference engine with pre-loaded model weights. Supports models from Llama, Mistral, Qwen, and other open-weight families. No external API calls required.
Embedded vector store for RAG workloads. Stores embeddings locally with no cloud sync. Supports Chroma, Milvus, or Qdrant in embedded mode.
Self-hosted connector layer for internal systems only. Connects to local databases, file systems, and internal APIs without external network access.
Web-based interface served from local containers. No CDN dependencies, external fonts, or analytics. All assets bundled and served locally.
Pre-populated local registry with all required container images. Enables Kubernetes deployments without pulling from Docker Hub or other external registries.
Local license validation that does not require network access. Perpetual or time-limited licenses validated against local cryptographic tokens.
§ 05
Before deploying an air-gapped AI system, every item in this checklist must be verified. Missing any one of these creates a failure point that may not surface until deployment.
§ 06
Understanding where air-gapped deployment sits relative to other options helps teams make the right architectural decision for their threat model and compliance requirements.
| Dimension | Cloud | On-Premise | Air-Gapped |
|---|---|---|---|
| Network Connectivity | Required | Required | None |
| Model Updates | Automatic | Pull-based | Physical media |
| External API Access | Yes | Yes | No |
| Data Residency | Provider region | Your DC | Your DC (isolated) |
| Exfiltration Risk | High | Medium | Minimal |
| Compliance (ITAR, etc.) | No | Partial | Yes |
| Setup Complexity | Low | Medium | High |
§ 07
Katonic was designed from the ground up for sovereign deployment. Every architectural decision - from license validation to dependency bundling - was made with air-gapped environments in mind.
§ 08
Air-gapped AI deployment is genuinely hard. It requires upfront planning, careful dependency management, and operational procedures that most AI vendors never consider. The complexity is real and the setup cost is higher than cloud or standard on-premise deployments.
But for organizations that require it, there is no substitute. Regulatory compliance, security posture, and operational integrity all depend on getting this right. A breach of an air-gapped environment - or a compliance failure because your AI system was phoning home - carries consequences that no cost savings can offset.
"With the right architecture, you can have both: production-grade AI capability and the complete network isolation that your security posture requires."

Katonic AI
Security Engineering
Katonic AI builds sovereign AI infrastructure for enterprises that cannot compromise on data control, security, or compliance. Our platform supports air-gapped, on-premise, and hybrid deployment models for regulated industries.
Read our Sovereign AI Playbook →§ Related articles
Air-gapped deployment
Talk to our security engineering team about deploying Katonic in fully disconnected environments.
