How to Run AI on Classified Networks Without Internet Access
Keep the models, inference and audit ledger inside the enclave, take updates on signed media or a data diode, and verify everything offline.
To run AI on a classified network with no internet access, you keep the whole system inside the enclave: the sovereign models, the inference engine, the identity service and the audit ledger all sit on operator-owned hardware with no route to the public internet. New models and updates arrive on signed physical media or across a one-way data diode, and every action is cryptographically sealed so the record can be verified later with no network present. The perimeter is zero-egress by design, so no weight, prompt or answer can ever leave the enclave.
This matters in 2026 because the buyers who most need modern AI cannot touch a public endpoint. Defence, intelligence, critical national infrastructure, regulated finance and health hold data that must never reach a foreign provider. Public cloud services such as ChatGPT, Claude and Gemini are ruled out, because they need outbound connectivity and operate under regimes such as the US CLOUD Act.
How does offline AI work on an air-gapped network?
The whole stack lives inside the classified boundary. Sovereign models run on local processors, whether GPU, CPU or a hybrid split. There is no API call to a remote service and no telemetry beacon. Mickai is a Sovereign Intelligence Operating System, a SIOS, built to run this way from the start, not a hosted service in disconnected mode.
The defining property is the perimeter. A zero-egress inbound design means the enclave accepts controlled input but permits no outbound connection: even a misconfigured component has no route for data to leave. This architecture is the subject of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, patent pending and never granted.
How do new models and updates get in without a connection?
Two routes are accepted, both one-directional. The first is signed physical media: a model or update is packaged, signed by the originator and carried into the enclave, where its signature is checked before anything loads. The second is a one-way data diode, hardware that permits inbound data while making an outbound flow physically impossible in the optics, not the software.
Provisioning follows a fixed order: verify the signature, confirm the hash against the manifest, load into a staging area, and promote to live only after the checks pass. Where confidentiality of the transferred package matters, key encapsulation uses the FIPS 203 ML-KEM standard, which handles key exchange and does not sign. Signing and verification are a separate step.
Why can public cloud AI services not be used inside the enclave?
Cloud AI services are built around egress. They send the prompt to a remote data centre and return an answer, so outbound connectivity is not optional for them, which is disqualifying on a classified network. Providers subject to the US CLOUD Act can also be compelled to produce data held anywhere they operate, so a hosted service creates legal exposure that no configuration inside the building can remove.
A contractual promise of data residency is not a technical guarantee. Using a cloud endpoint for classified work creates structural risk rather than a settled breach, and that risk does not disappear because a supplier signs a data-processing addendum. The only way to remove the exposure is to remove the egress.
“Sovereignty on a classified network is not a firewall rule, it is an architecture where nothing can call out and everything can be verified offline.”
What can an auditor check when there is no network?
Everything, without going online. Each action inside the SIOS is written to an append-only audit ledger, and each entry is signed with the FIPS 204 ML-DSA post-quantum signature standard. An auditor takes the ledger, the public verification keys and a verifier, then confirms the chain on an isolated machine, because verification is a mathematical check, not a lookup.
Three properties make the record trustworthy offline:
- Hardware-attested identity binds every entry to the specific device and operator that produced it, so an entry cannot be forged onto another machine.
- The post-quantum signed ledger is append-only, so a later edit breaks the chain and is detectable.
- Cross-model consensus records where several sovereign models had to agree before a high-consequence action, so the reasoning is reviewable, not a single opaque output.
The test is simple: take the sealed ledger to an air-gapped verifier and confirm every signature resolves. If one fails, the chain is compromised at that point and the failure is visible.
How is trust established without external DNS or a certificate authority?
Classified enclaves do not trust the public certificate system, because it depends on external authorities and, in most deployments, external DNS. Both are unavailable and both are attack surface, so trust is rooted internally. Identities are pinned to keys held inside the enclave, device identity is anchored in hardware attestation, and no component asks a remote authority whether a certificate is still valid. Trust becomes a property the operator controls, not a service rented from the internet.
Which regulations make an offline architecture necessary?
Several regimes push the same way. DORA has applied to EU financial entities since January 2025 and demands operational resilience and third-party control. NIS2 raises the bar for essential and important entities. GDPR governs where personal data may go, and the US CLOUD Act is why a foreign hosted service is a jurisdictional risk. ISO/IEC 42001 gives a management-system standard for AI that an offline audit chain supports rather than replaces.
On the EU AI Act, the high-risk obligations under Annex III, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve. An architecture that is offline-verifiable today supports these duties as they arrive, but no architecture satisfies a regulation on its own, and no vendor should claim it does.
Frequently asked questions
Can you run a large language model completely offline?
Yes. A sovereign model runs entirely on local hardware with no internet connection, because the weights and the inference engine live inside the enclave. The only inbound steps are provisioning and updating it, both using signed media or a data diode rather than an open connection.
What is a data diode and why does a classified AI system need one?
A data diode is hardware that allows data to travel in one direction only, enforced physically rather than by software. A classified AI system uses one so updates can enter the enclave while an outbound leak stays impossible. Because the restriction sits in hardware, a misconfiguration cannot open a return path.
Is using ChatGPT or Claude on a secure network a compliance breach?
It is more accurate to call it a risk than a settled breach. Public services require outbound connectivity and often operate under the US CLOUD Act, which creates legal and data-exposure risk on classified or regulated networks. A supplier's contractual promise is not a technical guarantee, so most secure environments keep AI fully offline.
How does an auditor verify AI activity with no internet access?
The auditor works from the sealed audit ledger. Each entry is signed with the FIPS 204 ML-DSA post-quantum standard and bound to hardware-attested identity, so a verifier confirms the whole chain on an isolated machine with no external lookup. If any signature fails, the point of tampering is visible.
Does an air-gapped AI system meet DORA and the EU AI Act?
No architecture meets a regulation by itself. An offline, verifiable design supports the operational-resilience duties in DORA, in force since January 2025, and the high-risk obligations arriving under the EU AI Act, now deferred by the Digital Omnibus to 2 December 2027. Compliance still depends on how the organisation governs and documents its use.




