Deployment Mode · 5 of 5
Air-Gapped AI.
The deployment mode for environments that have no internet connection. None. Models, data, agents, integrations, governance - everything runs inside a network that cannot reach external services. Updates happen through controlled physical mechanisms. Classified operations, critical infrastructure, defense workloads, intelligence environments. The most extreme isolation tier BrainPack supports - and the only deployment mode that satisfies certain regulatory and operational frameworks at all.
There Is No Network That Cannot Be Reached. Except This One.
Every other deployment mode has a network path to the outside world. Public cloud sends queries to a vendor. ZDR routes the same queries under a different contract. Self-hosted keeps the data inside controlled infrastructure but the GPUs still talk to package repositories, monitoring services, and update servers somewhere. On-premise stays inside a customer data center but typically maintains internet connectivity for the same operational reasons. All four can be reached - by an attacker, a regulator, a misconfigured firewall, or a third-party dependency that has its own breach. Air-gapped cannot. The network is severed at the perimeter. The AI environment runs without an internet connection. That is the point.
Air-gapped is the deployment mode for the workloads where the answer to "is there any path from this environment to the public internet?" must be no. Classified defense operations. Intelligence community workloads. Critical infrastructure operating networks. Some regulated banking core systems in jurisdictions with strict isolation rules. Every system in those environments has been air-gapped for decades; AI capability arriving inside them follows the same rule. BrainPack delivers an AI operating layer that runs entirely inside a network with no external connectivity, with all the same capabilities the cloud-connected modes provide - minus what cannot exist without internet.
This page is honest about that "minus." Air-gapped trades some operational convenience for the strongest isolation guarantee in the deployment spectrum. The trade is worth it for some workloads and pointless for others. Both are real.
A Network Isolation Decision, Not A Location Decision.
Air-gapped means the network containing the AI infrastructure has no path, physical or logical, to the public internet. The boundary is the network perimeter, not just the data center. No internet uplink. No VPN to a corporate network that has internet. No machine on the network running a browser. No package repository call to update software. Nothing leaves; nothing enters; the environment runs in isolation.
The defining characteristic is network isolation, not physical location. On-premise puts the GPU in your data center but typically keeps an internet connection for operational reasons. Air-gapped removes the connection entirely. The same data center can host both air-gapped enclaves alongside connected systems separated by physical and logical network boundaries.
Air-gapped runs without external dependencies of any kind. Every component required for inference lives inside the perimeter: model weights, tokenizer files, software packages, license servers, monitoring infrastructure, documentation. Even time synchronization, in some environments, runs from internal sources rather than public NTP. Anything that would normally "phone home" must be reconfigured to phone nowhere.
Updates happen through controlled mechanisms, not connectivity. Air-gapped systems still need new model versions, security patches, new agents, and configuration changes. Updates flow through physical media transfer with strict review, through one-way data diodes for certain government environments, or through scheduled connection windows in less restrictive variants. The mechanism is operational discipline, not network access. Air-gapped is appropriate for the strictest data classes and operationally heavy for everything else. The deployment decision is a network-isolation-and-classification decision, not a location decision.
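The isolation requirement described above is verifiable in code. The sketch below is illustrative, not part of BrainPack: it probes candidate egress paths and requires that none answer. The endpoint list and function names are assumptions for the example.

```python
import socket

def is_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify_isolation(endpoints, timeout: float = 2.0):
    """Return the subset of endpoints that are reachable.
    In a correctly air-gapped network this list must be empty."""
    return [(h, p) for h, p in endpoints if is_reachable(h, p, timeout)]

if __name__ == "__main__":
    # Hypothetical egress canary. 192.0.2.1 is a reserved TEST-NET
    # address (RFC 5737) and should never be reachable from anywhere.
    leaks = verify_isolation([("192.0.2.1", 443)], timeout=0.5)
    print("egress paths found:", leaks)
```

A preflight check like this would run on every host inside the perimeter, with the canary list pointing at real external endpoints; any non-empty result is an isolation failure.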
BrainPack treats Air-Gapped as one execution surface among five. The Connect, Orchestrate, and Govern layers do not change. What changes is where the inference actually executes and the fact that no packet, prompt, or response ever crosses the network perimeter into or out of the environment.
When Air-Gapped Is The Right Mode.
Five Workloads Where It Wins.
Five workload categories where air-gapped is the only acceptable choice — when the data classification or operating environment makes any network path a non-starter.
Classified Defense & Intelligence Workloads
Controlled Unclassified Information, Secret, Top Secret, and equivalent classifications under national security frameworks. The data cannot transit any network connected to the public internet, full stop. Air-gapped is not a preference here; it is the legal and operational baseline. No other mode satisfies the requirement.
Critical Infrastructure & Operational Technology
Power grid control systems, water treatment SCADA, nuclear plant operations, defense manufacturing lines. The networks running these systems are isolated by design; connecting them to the internet to introduce AI capability would defeat the isolation. Air-gapped AI brings the inference inside the perimeter rather than punching a hole in it.
Sovereign Government & Diplomatic Data
Cabinet-level deliberations, diplomatic cables, intelligence analysis, sovereign financial reserves data. Even ally-government cloud regions are not acceptable for the most sensitive tiers. The hardware, the network, and the operators all need to sit inside the sovereign perimeter, with no path out.
Pre-Disclosure Material At Maximum Sensitivity
The narrow band of corporate workloads where pre-announcement market-moving information sits — central bank rate decisions before release, sovereign debt restructuring, defense contractor merger documents under regulatory review. On-premise with internet connectivity is sometimes enough; for the highest tier, only air-gapped is.
Environments Where The Network Itself Is The Threat Model
Operations in adversarial network environments, deployments where supply-chain compromise of any connected component is assumed possible, scenarios where the act of phoning home is itself a security event. Air-gapped is the only mode that survives a threat model where every external connection is presumed hostile.
When Air-Gapped Is The Wrong Mode.
And Where The Workload Should Go Instead.
Five workload categories where air-gapped is the wrong answer and where BrainPack routes work to public cloud, ZDR, self-hosted, or on-premise instead.
General Productivity & Knowledge Work
Drafting emails, summarizing public documents, brainstorming, code completion on non-sensitive repos. The data class does not require network isolation, and routing this work through air-gapped infrastructure adds operational overhead with no security benefit. Public cloud handles it faster, cheaper, and on better models.
Workloads That Need Frequent Model Updates
Frontier capability moves week by week. Air-gapped updates flow through physical media transfer or scheduled connection windows measured in weeks or months, not hours. If a workload needs the newest model the day it ships, air-gapped is structurally the wrong surface. Public cloud or ZDR is where new capability lands first.
Bursty Or Unpredictable Volume
Air-gapped capacity is fixed at the hardware you installed inside the perimeter. There is no elastic spillover; every other mode is on a different network. Workloads with unpredictable demand belong on infrastructure that scales on call. Reserve air-gapped for steady, predictable, regulated throughput.
Workloads That Depend On External Data
Anything that needs to query public APIs, fetch live web content, pull from external SaaS systems, or integrate with cloud services during inference. Air-gapped means none of those are reachable. If the workload's value depends on real-time external data, the workload does not belong air-gapped; it belongs on a connected mode with the right data-class controls.
Use Cases Where Operational Burden Outweighs The Threat Model
Air-gapped carries real cost: physical media review processes, separate operations teams, slower iteration, no cloud-hosted monitoring tooling. For data classes that are sensitive but not at the classified or critical-infrastructure tier, on-premise or self-hosted delivers most of the protection at a fraction of the operational weight. Air-gapped is the right answer for the strictest classifications, not a default for caution.
How Air-Gapped Orchestrates.
With Every Other Deployment Mode.
Even organizations that need air-gapped AI rarely run only air-gapped. The classified, sovereign, or critical workloads run air-gapped; everything else runs on the appropriate non-isolated mode. The orchestration is the value - air-gapped handles what it must, while the rest of the business runs on faster, more economical modes.
A real BrainPack deployment looks like this:
Same user. Same conversational interface. Same agent library. Same governance policies. Five different inference paths — selected automatically by the Govern layer based on data classification, regulatory framework, and policy.
The user never picks the deployment mode. The mode picks itself.
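That selection logic can be sketched as a small policy table. The classification names, mode tiers, and function below are illustrative assumptions, not BrainPack's actual taxonomy or API:

```python
from enum import Enum

class Mode(Enum):
    PUBLIC_CLOUD = 1
    ZDR = 2
    SELF_HOSTED = 3
    ON_PREMISE = 4
    AIR_GAPPED = 5

# Hypothetical policy table: minimum isolation tier per data class.
POLICY = {
    "public": Mode.PUBLIC_CLOUD,
    "client-confidential": Mode.ZDR,
    "trade-secret": Mode.SELF_HOSTED,
    "pre-disclosure": Mode.ON_PREMISE,
    "classified": Mode.AIR_GAPPED,
}

def route(classification: str, needs_external_data: bool = False) -> Mode:
    """Return the least restrictive mode the data class permits.
    The user never sees this call; governance applies it per request."""
    mode = POLICY[classification]
    if needs_external_data and mode is Mode.AIR_GAPPED:
        # Air-gapped workloads cannot depend on external data fetches.
        raise ValueError("classified workloads cannot depend on external data")
    return mode

print(route("classified").name)   # AIR_GAPPED
print(route("public").name)       # PUBLIC_CLOUD
```

The useful property of the table form is that it fails closed: a workload with no classification has no entry, so it cannot be routed at all until someone classifies it.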
Air-Gapped Inside the BrainPack Layer.
What BrainPack Adds On Top Of Raw Model Hosting.
Running BrainPack inside an air-gapped environment is operationally distinct from connected deployments. Several adjustments make air-gapped deployments practical at enterprise scale.
Self-contained model deployment
Open-source models (Llama, Mistral, Qwen, DeepSeek) packaged with all dependencies, weights, tokenizer files, and runtime requirements for offline operation. Models are fully functional inside the air-gap with no external lookups during inference.
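One way to make "no external lookups" enforceable at install time is a completeness check over the shipped package. A minimal sketch, with an illustrative file list (real packages vary by model and runtime):

```python
from pathlib import Path

# Illustrative manifest of files an offline model package must ship.
REQUIRED = ["config.json", "tokenizer.json", "model.safetensors"]

def missing_files(package_dir: str) -> list[str]:
    """List required files absent from the package directory.
    An empty result means inference can start without any network fetch."""
    root = Path(package_dir)
    return [name for name in REQUIRED if not (root / name).exists()]
```

A deployment script would refuse to start serving until `missing_files()` returns an empty list, converting a runtime "phone home" into an install-time error.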
Internal connect layer
The integration engine connects to systems inside the air-gapped network - ERPs, databases, file systems, internal applications - using the same patterns as external deployments. The data sources change; the integration architecture does not.
Internal agent library
Pre-built agents shipped as part of the deployment package. Agent updates and new agents flow through the controlled update mechanism. Custom agents are developed by the BrainPack embedded team using internal tools and internal data.
Internal observability
Monitoring, logging, audit, and incident response all run inside the air-gap. The audit infrastructure that the customer's security team already operates is the audit infrastructure for BrainPack - no external logging endpoints, no external monitoring services, no external alerting.
Embedded team with appropriate clearances
BrainPack engineers operating air-gapped deployments hold the security clearances appropriate to the environment. For SCIF-level work, this means cleared US persons; for allied environments, equivalent clearances; for less restrictive air-gap deployments, standard background checks plus customer-specific vetting.
Update packaging and deployment
BrainPack maintains an air-gap update factory: a process that produces signed, verified update packages on physical media with full chain-of-custody documentation. Customer security teams review every update before application. Updates are versioned, reversible, and fully audited.
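The verification a receiving security team runs can be sketched as a hash manifest plus a signature over it. The sketch uses an HMAC as a stand-in for the real public-key signature scheme, which this page does not specify; every name here is illustrative:

```python
import hashlib
import hmac
import json

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each packaged file to its SHA-256 digest."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in files.items()}

def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_package(files: dict[str, bytes], manifest: dict[str, str],
                   signature: str, key: bytes) -> bool:
    """Reject the update if either the signature or any digest fails."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False                          # manifest was tampered with
    return build_manifest(files) == manifest  # media matches manifest
```

The update factory ships files, manifest, and signature together on the physical media; the receiving team recomputes both sides before anything is applied, so a tampered file or a tampered manifest both fail closed.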
Failover within the air-gap
Air-gapped deployments use redundant capacity inside the same isolated environment. Failover does not cross the air-gap. The redundancy is internal.
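Internal failover reduces to trying in-perimeter replicas in order; nothing in the loop can reach past the network boundary. A minimal sketch, where the replica objects and names are illustrative:

```python
def call_with_failover(replicas, request):
    """Try each in-perimeter replica in order and return the first answer.
    Every endpoint lives inside the air gap, so no retry path can cross it."""
    errors = []
    for replica in replicas:
        try:
            return replica(request)
        except Exception as exc:          # replica down or overloaded
            errors.append(exc)
    raise RuntimeError(f"all {len(replicas)} replicas failed: {errors}")

def down(request):
    # Stand-in for an unreachable inference node inside the perimeter.
    raise ConnectionError("replica A offline")

def up(request):
    # Stand-in for a healthy inference node inside the perimeter.
    return f"answer to {request!r}"

print(call_with_failover([down, up], "summarize report"))
# prints: answer to 'summarize report'
```

If every replica fails, the call fails loudly inside the perimeter; there is no silent fallback to a connected mode.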
The result: enterprise-grade AI capability operating inside environments that would normally be considered impossible for AI deployment at all. Connect, Orchestrate, Govern - all functioning, all auditable, all evolving on the controlled cadence the environment permits.
Costs And Speed.
What You Actually Get.
Air-gapped sits at the opposite end of the cost-and-speed spectrum from public cloud, which is the fastest deployment mode and, for most workloads, the cheapest unit cost. Both statements come with caveats.
Time to first capability
API integration. No GPU procurement, no infrastructure standup.
Latency per call
Frontier models on public cloud are the fastest available, optimized to the limits of physics.
Cost profile
No upfront commitment. Light workloads cost near-zero. Heavy reasoning still beats self-hosted unless utilization is extreme.
Break-even threshold
The tokens-per-day volume where self-hosted GPU becomes cheaper. BrainPack models this and routes accordingly.
The real expense of public cloud AI is not the inference bill — it is the cost of a workload going to the wrong mode and creating a compliance, IP, or audit problem. The Govern layer makes this misclassification structurally impossible.
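The break-even threshold mentioned above is simple arithmetic once the two cost models are known. The figures below are placeholders, not BrainPack or vendor pricing:

```python
def breakeven_tokens_per_day(cloud_price_per_mtok: float,
                             gpu_monthly_cost: float) -> float:
    """Daily token volume above which a self-hosted GPU node is cheaper
    than per-token cloud pricing. All inputs are illustrative."""
    daily_gpu_cost = gpu_monthly_cost / 30          # amortize per day
    return daily_gpu_cost / cloud_price_per_mtok * 1_000_000

# e.g. $3 per million tokens vs. a $9,000/month GPU node:
# 9000 / 30 = $300/day; 300 / 3 = 100 MTok, i.e. 100M tokens/day.
print(breakeven_tokens_per_day(3.0, 9000.0))        # prints: 100000000.0
```

A routing layer applying this would send a steady 100M-plus-tokens-per-day workload to owned hardware and leave bursty, lighter traffic on per-token pricing.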
Air-Gapped, Running Now.
Alongside Every Other Mode, Per Data Class.
Air-gapped is the deployment mode used for the highest-isolation workloads of enterprises and government organizations. Operating today, alongside connected modes for non-classified workloads.
A defense contractor: air-gapped BrainPack inside SCIF-rated facilities handles classified analytical workloads. On-premise BrainPack on the corporate network handles controlled-but-unclassified operations. ZDR handles client-facing engagements. Public cloud handles general productivity. Four modes, one governance layer.
A critical infrastructure operator: air-gapped BrainPack inside the operational technology network handles AI for control system operations. On-premise BrainPack on the corporate IT network handles business analytics. The two environments share governance policies but no data path.
A government intelligence organization: air-gapped BrainPack inside the classified enclave handles intelligence analysis. The same governance policies extend to less-classified environments through other modes.
Some Workloads Cannot Leave the Building.
Air-gapped AI is the deployment mode for workloads where the regulatory framework, the classification level, or the sovereignty requirement makes any external network path unacceptable. Talk to an architect about which workloads in your environment require air-gapped isolation, and how the orchestration policy should split work across all five deployment modes.