MICKAI®
Article · 11 July 2026

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely

Data crosses into an air-gapped AI system through a one-way path: a data diode or signed media, quarantine on ingest, then a signed log.

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely
Author
Micky Irons
Published
11 July 2026
Follow Micky Irons
LinkedInX
air-gapped aidata diodesone-way transfersovereign aiaudit ledger

Data enters an air-gapped AI system through a single controlled inbound path that only moves in one direction. A hardware data diode or signed physical media carries the file across the boundary, the file is scanned and held in quarantine before it reaches the model, and the import is written to a cryptographically signed audit ledger. This works because the inbound route is one directional by physics and by policy, so bytes can arrive while neither the data nor the model has any way to leave.

The question matters more in 2026 than it did five years ago. Regulated buyers in finance, defence, healthcare and critical infrastructure are being told to keep sensitive workloads off public cloud AI services, because those services carry data outside the buyer's control and, under the US CLOUD Act, within reach of foreign legal process. Air-gapping removes the outbound risk. The engineering problem that remains is narrow and practical: if nothing leaves, how does anything get in without quietly opening the same hole that was just closed.

An air-gapped system is safe not because it is hard to reach, but because the inbound path is one directional and every byte that crosses it is inspected, quarantined and permanently recorded.

What does one-way transfer actually mean?

An air gap means there is no network route between the AI system and any outside network. One-way transfer is the disciplined exception to that rule. Inbound movement is permitted through a single inspected channel. Outbound movement is not permitted at all. The distinction is enforced, not merely configured. A conventional firewall can allow traffic in both directions and can be weakened by a bad rule or a stolen credential. A one-way transfer boundary is built so that return traffic is physically or cryptographically impossible, which means a compromised inside system still has no channel to send data back out.

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely, illustration 1

How does a hardware data diode work?

A data diode is a physical device that carries data in one direction only. The common design uses an optical link with a transmitter on one side and a receiver on the other and no return fibre, so there is no medium for a reply signal to travel along. Because the restriction is a property of the hardware, it cannot be switched off by software, a misconfiguration or an attacker with administrative access. A diode is the cleanest way to let telemetry, updates or reference data flow into a sealed enclave while guaranteeing that nothing flows back. Where a full diode is not practical, signed physical media performs the same one-way role under manual chain of custody.

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely, illustration 2

What checks run before a file reaches the model?

Arrival is not acceptance. Every inbound file lands first in a quarantine enclave that the model cannot read from directly. In that enclave the file is scanned for malware, its format is validated against an expected schema, and its size and structure are checked for anomalies. Only after it passes is it promoted into the working corpus. This staging step is where poisoned training data, malformed documents and hidden executables are caught. Classification decisions at this stage can be checked by more than one model, so a single misjudgement does not wave a bad file through. Nothing reaches the model on trust alone.

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely, illustration 3

How is signed physical media handled safely?

When data is carried on physical media, the safeguard is the signature, not the disk. Before ingest, the system verifies a cryptographic signature over the payload against a known, pre-loaded public key. If the signature does not match, the import stops. A valid signature proves two things at once: the data came from an authorised source and it has not been altered in transit. The media is then treated as untrusted hardware and its contents pass through the same quarantine as any other inbound file. Chain of custody is recorded from the moment the media is issued to the moment its contents are released.

Data Diodes and One-Way Transfer: How Data Enters an Air-Gapped AI Safely, illustration 4

What can an auditor check after an import?

Every import is written to an append-only audit ledger before the data is used. Each entry records a cryptographic hash of the imported file, the authorising identity, the time, and the media or channel it arrived on. That identity is hardware attested and bound to the ledger, so an entry cannot be forged or repudiated after the fact. The ledger itself is sealed with post-quantum digital signatures under FIPS 204 (ML-DSA), the primary signature standard, alongside FIPS 205 (SLH-DSA). An auditor can verify the whole record offline: recompute the hash of any imported file, match it against the ledger, and check the signature with no network and no vendor in the loop. This inbound perimeter, the sealed ledger and the hardware-bound identity model sit within a body of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, all filed and patent pending, none yet granted.

Which rules make this necessary?

Several 2026 regimes push regulated buyers toward exactly this architecture. The EU AI Act's high-risk obligations under Annex III, once expected on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve. DORA has been in force since January 2025 and demands operational resilience and traceability for financial entities. NIS2 extends similar duties to essential and important entities across critical sectors. GDPR restricts where personal data may travel, and the US CLOUD Act is why many buyers cannot accept a foreign-controlled cloud at all. ISO/IEC 42001 sets the management-system expectation that every one of these controls is documented and evidenced. A logged, one-way ingest path answers all of them with the same mechanism.

Frequently asked questions

Can data leave an air-gapped AI system at all?

No outbound route exists by design. The perimeter is zero-egress, so the model and its data have no network path out. Results are reviewed and exported only through the same controlled, logged boundary, under human authorisation, never automatically.

Is a data diode the same as a firewall?

No. A firewall is software policy on a two-way link and can be misconfigured or bypassed with the right credentials. A data diode enforces one direction in hardware, so return traffic is physically impossible regardless of software state. That is the difference between a rule and a law of physics.

How do you stop poisoned or malicious data getting in?

Every inbound file is quarantined before the model can read it, scanned for malware, validated against an expected schema, and checked by more than one model where classification is uncertain. Only files that pass are promoted into use, and each import is hashed and written to the audit ledger.

How can an auditor trust the import log if it is offline?

The ledger is append-only and sealed with post-quantum signatures under FIPS 204 and FIPS 205. An auditor recomputes each file's hash, matches it to the ledger entry, and verifies the signature locally, with no network connection and no reliance on the vendor. Offline verifiability is the whole point.

Why not just use a private cloud instead of an air gap?

A private cloud still sits on someone else's infrastructure and, for a US-linked provider, within reach of the CLOUD Act. An air-gapped SIOS runs on operator-owned hardware with no egress, which is why regulated buyers who need full custody of sensitive data choose it.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/data-diodes-and-one-way-transfer-how-data-enters-an-air-gapped-ai-safely. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles