Scale AI Donovan vs a sovereign air-gapped operating system for defence: what is the difference?
Donovan is a US government mission capability you access; a sovereign air-gapped operating system is one you own, run offline and can independently verify.
Scale AI Donovan and a sovereign air-gapped operating system answer two different questions. Donovan is a mission analytics capability built and accredited for United States government use, and it is cleanly placed there. A sovereign air-gapped operating system is different in design: it runs entirely offline on hardware the operator owns, accepts no outbound connection, and seals every action to a post-quantum signed ledger the operator holds. The difference is custody: one is a capability you reach into, the other is a system you possess and can verify without trusting the supplier.
This matters in 2026 because most defence and critical-infrastructure buyers now have to prove where their data lives and who could reach it. A capability accredited for one government's programme may be an excellent fit inside that programme and the wrong fit for a buyer in another jurisdiction. The honest comparison is not which model is cleverer. It is which architecture lets an operator run offline, retain custody, and prove both to an auditor.
How does each one actually run?
Donovan is delivered as a hosted mission capability inside accredited United States government environments. Buyers should confirm the exact deployment options and accreditation scope with the supplier directly for their own jurisdiction.
A Sovereign Intelligence Operating System runs on operator-owned hardware inside the operator's own perimeter. Mickai is built this way. It installs on premises, runs its sovereign models locally, and has no dependency on any public cloud AI service. Where a regulated buyer cannot send data to public cloud AI services, an offline system removes the question entirely because nothing leaves the box.
What can an auditor actually check?
An auditor should be able to verify custody without taking the vendor's word for it. That is the test. A sovereign system is designed to pass it in three concrete ways.
- Zero-egress inbound perimeter: the system accepts approved inbound data and makes no outbound calls, so there is no channel by which prompts, documents or results can leave.
- Post-quantum signed audit ledger: every action writes an entry to an append-only ledger, and each entry is cryptographically sealed so tampering is detectable.
- Hardware-attested identity: the operator and device are bound into that same chain, so the record shows not only what happened but on which attested machine and under which identity.
These are checkable claims. An auditor can inspect the perimeter, replay the ledger, and confirm the signatures offline.
Which rules make an operator-held air gap necessary?
Several regimes now push the same way. The US CLOUD Act means data held by a US-linked provider can face lawful access requests regardless of where the servers sit, which is the exact exposure a foreign defence buyer needs to remove. DORA has been in force since January 2025 and demands operational resilience and control over third-party dependency for financial entities. NIS2 raises security duties for essential and important entities across critical sectors. GDPR governs personal data throughout. ISO/IEC 42001 sets a management standard for AI systems that an operator-held ledger helps evidence.
On the EU AI Act, the high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk uses moved to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve.
What does hardware-attested identity add to the comparison?
Access control tells you a login succeeded. Attestation tells you which physical machine did the work and that its identity was cryptographically proven at the time. Binding that attestation into the audit chain is what turns a log into evidence. In a sovereign system every sealed action carries the attested identity of the device and operator, so custody can be reconstructed after the fact and defended in a review. That property is difficult to reproduce when the compute sits in a shared external environment you do not control.
How is the audit ledger sealed for the post-quantum era?
The ledger is signed with post-quantum digital signatures so its integrity survives the arrival of quantum computers. FIPS 204, the ML-DSA standard, is the primary signature scheme, and FIPS 205, the SLH-DSA standard, provides a hash-based alternative for defence in depth. Signing is what makes the ledger verifiable. Key encapsulation standards such as FIPS 203 protect data in transit and never sign or seal the record, so the verifiable custody claim rests on FIPS 204. Because verification is offline and mathematical, an operator can prove the chain years later without contacting the supplier.
“A defence buyer should be able to verify custody without trusting the vendor, and that is only possible when the system runs offline on owned hardware and seals every action to a ledger the operator holds.”
Where does Donovan fit, and where does a sovereign system fit?
Donovan fits a buyer operating inside the United States government mission environment it was accredited for, where that hosted context is an advantage. A sovereign air-gapped operating system fits a buyer who must keep data on ground they own, run with no external connection, and hold their own provable record. The two are not really rivals; they occupy different points on the custody spectrum. A further design property of a sovereign system is cross-model consensus, where several sovereign models must agree before a high-consequence output is accepted, which reduces reliance on any single model. Mickai is engineered for the sovereign end of that spectrum, and its underlying methods sit within 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.
Frequently asked questions
Is Scale AI Donovan available to defence buyers outside the US government?
Donovan is positioned and accredited for United States government mission use, and it is cleanly placed there. A defence buyer in another jurisdiction should confirm availability, deployment options and accreditation scope with the supplier directly. Where cross-border data exposure is a concern, an operator-held air-gapped system removes the question by keeping everything on owned hardware.
Can an AI system run fully air-gapped with no external connection?
Yes. A sovereign operating system installs on operator-owned hardware, runs its own models locally, and operates behind a zero-egress inbound perimeter. It accepts approved inbound data and makes no outbound calls, so nothing reaches any public cloud AI service. That is the practical meaning of air-gapped for defence use.
What is the difference between a private cloud deployment and an air-gapped operating system?
A private cloud deployment still runs on infrastructure a provider operates and can reach, which keeps a legal and technical path to the data. An air-gapped operating system runs on hardware the operator owns, with no outbound connection and a locally held audit ledger. The difference is custody and reachability, not branding.
Which post-quantum standard seals the audit ledger?
FIPS 204, the ML-DSA signature standard, is the primary scheme that seals and verifies the ledger, with FIPS 205, the SLH-DSA standard, available as a hash-based alternative. FIPS 203 is a key encapsulation standard for protecting data in transit and does not sign anything. Verifiable custody therefore rests on FIPS 204.
Does the EU AI Act require air-gapped AI for defence right now?
No single clause mandates an air gap, but the direction of travel favours provable control. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I uses moved to 2 August 2028. We treat that timeline as a window to build verifiable, operator-held systems rather than a reason to wait.




