MICKAI®
Article · 11 July 2026

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?

Isolated AI filters egress, air-gapped AI removes the network entirely, and zero-egress keeps inbound service while closing every outbound path.

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?
Author
Micky Irons
Published
11 July 2026
Follow Micky Irons
LinkedInX
air-gapped aizero-egresssovereign aidata residencyai security

Isolated, air-gapped and zero-egress describe three different limits on where AI data can travel, and they are not interchangeable. Isolated AI runs in a private cloud segment with filtered but real outbound routes, so traffic can still leave through approved channels and the cloud operator keeps control-plane access. Air-gapped AI has no network connection at all, so nothing moves in or out except on physical media carried by hand. Zero-egress AI stays reachable for local users but removes every outbound path: no NAT, no external DNS, and updates arrive only as one-way signed media.

This matters in 2026 because buyers in finance, defence, health and government are being sold a private network segment as an air gap. Regulation is tightening at the same time: DORA has applied across the EU since January 2025, NIS2 has widened who counts as an essential entity, and the EU AI Act adds duties for high-risk systems. The gap between a marketing air gap and a provable one is now an audit finding.

What does isolated AI actually mean?

Isolated AI usually means a private virtual private cloud, a dedicated tenant, or a network segment with firewall rules that restrict outbound traffic. It is not a closed system. The data still sits on infrastructure the buyer does not own, the provider keeps a control plane, and egress is allowed through approved routes such as logging, updates and licence checks. Isolation reduces exposure, but it removes neither the outbound path nor the provider from the trust boundary.

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?, illustration 1

What makes an air gap a real air gap?

A real air gap means no network connection between the AI system and any other network, full stop. No cable, no bridged interface, no radio, no shared switch. Data crosses only on physical media a person carries. The cost is real: models drift because updates are slow, the transfer media becomes the attack surface, and operational friction tempts teams to punch a hole through it. An air gap someone has connected for convenience is no longer an air gap.

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?, illustration 2

What is a zero-egress inbound perimeter?

Zero-egress is the middle path many regulated buyers need. The system is reachable on the operator's own network so staff can use it, but it has no way to send data out. There is no default route to the internet, no Network Address Translation on any interface, and no external DNS resolver, so a public domain cannot be looked up. Updates and reference data enter through a one-way path as signed media, verified against a public key before anything is applied.

A perimeter is only sovereign when an auditor can prove, offline, that no path out exists and that every action was signed as it happened.

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?, illustration 3

How can an auditor tell the difference?

Claims are cheap, so ask for tests that produce evidence. Five checks separate a real containment posture from a slide:

  • The route test. Inspect the routing table and confirm there is no default gateway or outbound route to any external network.
  • The DNS test. Confirm no external resolver is configured and a query for any public domain fails to resolve.
  • The NAT test. Confirm no NAT or masquerade rule exists on any interface, so internal addresses cannot reach outside.
  • The packet test. Generate outbound traffic, confirm it is dropped, and read the firewall drop counter to prove it.
  • The ledger test. Verify the signed audit ledger against its public key on a disconnected machine and confirm the chain is unbroken.

An isolated deployment fails the route, DNS and NAT tests; a real air gap and a zero-egress perimeter pass them. The ledger test proves the record was sealed as the action happened, not assembled later.

Isolated vs air-gapped vs zero-egress AI: what is the actual difference?, illustration 4

Which rules make this necessary?

Several regimes now push toward provable containment rather than trust. DORA requires financial entities to control third-party ICT risk and evidence operational resilience. NIS2 extends security and reporting duties to essential and important entities. GDPR restricts moving personal data outside a controlled boundary. The US CLOUD Act lets US authorities compel a US-operated provider to disclose data wherever it is physically held, so a private segment on a US cloud is isolated but not sovereign. ISO/IEC 42001 expects this control to be documented and testable. On the EU AI Act, the high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I obligations moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve.

How does Mickai implement a zero-egress perimeter?

Mickai is a Sovereign Intelligence Operating System, a SIOS, that runs offline on operator-owned hardware. The perimeter is zero-egress by design: no NAT, no external DNS, and inbound updates only through one-way signed media. Identity is hardware-attested and bound to the audit chain, so an action traces to an attested device rather than a shared credential. The audit ledger is a post-quantum signed record using the FIPS 204 signature standard, verifiable offline, so tampering breaks the chain visibly. The underlying architecture is covered by 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, and these remain filed applications, never granted or patented.

Which one does a given buyer need?

Match the containment to the threat and the workflow. If the workload is classified at the highest levels and can tolerate slow, manual updates, a true air gap is correct. If the organisation needs current models and live use on privileged data but cannot allow data to leave, a zero-egress inbound perimeter is the right fit. Isolation alone suits lower-sensitivity workloads where controlled egress is acceptable. The mistake to avoid is buying isolation and believing it is an air gap, since the tests above expose the difference during diligence.

Frequently asked questions

Is a private VPC the same as air-gapped?

No. A private VPC is isolated, not air-gapped. It restricts outbound traffic with firewall rules but keeps real egress routes and a provider control plane, so data can still leave through approved channels. If a route table, a DNS resolver or a NAT rule exists, it is isolation, not an air gap.

Can an air-gapped AI still receive updates?

Yes, but only through physical media a person carries across the gap, never over a network. This keeps the containment intact while letting new models and data in. The trade-off is that updates are slower and the transfer media becomes something you must scan and control.

Does zero-egress mean the system is offline?

Not in the everyday sense. A zero-egress system is reachable by its own users on the operator's internal network, so it feels live and current. What it lacks is any outbound path to the internet: no default route, no external DNS and no NAT. Data can be served to staff, but it cannot be sent out of the perimeter.

How do you verify a vendor's air-gap claim?

Ask the vendor to run the tests in front of you. Inspect the routing table for a default route, check for an external DNS resolver, look for NAT rules, generate outbound traffic and read the firewall drop counter, and verify the audit ledger offline against its public key. A genuine air gap or zero-egress perimeter passes all five, and isolation fails the route, DNS and NAT checks.

Does the CLOUD Act reach data in a private cloud?

Yes, if the provider is subject to US jurisdiction. The US CLOUD Act allows US authorities to compel a US-operated provider to disclose data it controls, regardless of where the data is physically stored. A private VPC does not change that, because the provider still holds the control plane. Only a system on operator-owned hardware with no outbound path removes the provider from the disclosure chain.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/isolated-vs-air-gapped-vs-zero-egress-what-is-the-actual-difference. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles