Industry Perspectives | 11 min read | January 29, 2026

Air-Gapped AI for Defense: Deployment in Classified Environments

Deploying artificial intelligence in classified defense environments presents a set of challenges that have no parallel in the commercial sector. The systems must operate on networks that have no connection to the internet. Every hardware component, software library, and model weight must pass through a supply chain verification process. The deployment must comply with multiple overlapping security frameworks that govern everything from physical facility requirements to the configuration of individual operating system parameters.

For defense program managers, security engineers, and technology leaders working in classified programs, AI represents both an enormous capability advantage and a significant security challenge. This article addresses the architectural, compliance, and operational considerations for deploying AI systems in environments where data classification, operational security, and supply chain integrity are non-negotiable requirements.

Classification Levels and Their Impact on AI Deployment

The U.S. classification system defines three levels of classified information: Confidential, Secret, and Top Secret, with additional compartmented access programs (SAPs and SCIs) that impose further restrictions. Each classification level carries specific requirements for facility construction, personnel clearances, network architecture, and data handling that directly affect how AI systems can be deployed and operated.

Secret and Below Interoperability (SABI)

At the Secret level, the Defense Information Systems Agency provides the SIPRNet as the primary classified network. AI systems deployed on SIPRNet must meet the same accreditation requirements as any other system on the network. The process for obtaining an Authority to Operate involves a comprehensive security assessment that evaluates the system against NIST SP 800-53 controls, as tailored for the specific environment.

AI inference workloads at the Secret level can leverage existing data center infrastructure, provided the GPU hardware and supporting software stack have been evaluated and approved for use at that classification level. The availability of GPU hardware with the appropriate certification has improved, but it remains a procurement planning consideration that can add months to a deployment timeline.

Top Secret and Compartmented Programs

Top Secret and SCI environments impose stricter requirements on every aspect of the deployment. Facilities must meet SCIF (Sensitive Compartmented Information Facility) construction standards. Personnel require appropriate clearances and formal access approvals. Networks are isolated from all lower-classification networks. And the accreditation process is more rigorous, with additional oversight from the cognizant security authority.

For AI systems, the most significant impact of higher classification levels is the complete elimination of any external connectivity. At the Top Secret/SCI level, there is no possibility of cloud-based AI services, remote model updates, or external API calls. The AI system must be entirely self-contained, with all models, data, and supporting infrastructure physically present within the accredited facility.

FedRAMP and Impact Level Requirements

The Federal Risk and Authorization Management Program provides a standardized approach to security assessment for cloud services used by federal agencies. While classified systems do not use FedRAMP directly, the Department of Defense has established a parallel framework through the Cloud Computing Security Requirements Guide that defines Impact Levels (IL) for different data sensitivity categories.

Impact Levels Relevant to AI

IL4 covers Controlled Unclassified Information and requires FedRAMP High baseline controls. IL5 covers higher-sensitivity CUI and National Security Systems information, adding requirements for data residency and personnel access. IL6 covers classified information up to Secret and requires dedicated infrastructure within government-accredited facilities.

For AI workloads, the impact level determines whether cloud or hybrid architectures are permissible and what security controls must be applied. IL4 and IL5 workloads can potentially leverage commercial cloud providers that have achieved the corresponding authorization, though the AI services themselves must be included in the authorization scope. IL6 and above require on-premises deployment within accredited facilities, which is the focus of true air-gapped AI deployment.

CMMC Considerations for AI Contractors

The Cybersecurity Maturity Model Certification program establishes cybersecurity requirements for defense contractors handling Controlled Unclassified Information. While CMMC primarily applies to unclassified environments, contractors developing AI systems for defense applications must achieve the appropriate CMMC level before they can participate in relevant contracts.

For AI development, CMMC Level 2 requires compliance with 110 security practices derived from NIST SP 800-171. These practices cover access control, awareness training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

AI development environments present specific CMMC challenges. Model training often requires large datasets that must be protected throughout the development lifecycle. Version control systems containing model architectures and training code must be treated as controlled information. And the software supply chain for AI frameworks, libraries, and dependencies must be documented and secured in accordance with CMMC requirements.

Supply Chain Verification for AI Components

The supply chain for an AI system in a classified environment extends far beyond the final deployed model. It encompasses GPU hardware, firmware, operating systems, container runtimes, AI frameworks, model weights, and every dependency in the software stack. Each component represents a potential attack vector that adversaries could exploit to compromise the classified environment.

Hardware Verification

GPU hardware for classified environments must come from trusted supply chains. This means verified manufacturers, documented chain of custody from production to installation, and hardware inspection procedures to detect tampering. The firmware running on GPUs and associated hardware must be verified against known-good baselines, and firmware update procedures must be documented and controlled.

The dependency on specialized GPU hardware from a limited number of manufacturers creates concentration risk in the supply chain. Defense organizations are increasingly evaluating alternative compute platforms, including custom ASICs and FPGA-based inference accelerators, that may offer more supply chain diversity for classified AI workloads.

Software and Model Supply Chain

AI frameworks like PyTorch and TensorFlow have extensive dependency trees that include hundreds of open-source packages. Each package must be evaluated for known vulnerabilities, verified for integrity, and approved for use in the classified environment. This evaluation process is time-consuming and must be repeated whenever a dependency is updated.

Model weights present a unique supply chain challenge. Pre-trained models obtained from external sources could contain backdoors or trojans that activate under specific conditions. Defense organizations must either train models from scratch using verified data within the classified environment or subject externally obtained models to rigorous testing that includes adversarial evaluation, behavioral analysis, and comparison against clean reference models.

Air-Gapped Deployment Architecture

The architecture of an air-gapped AI system must account for the complete absence of external connectivity while maintaining the operational capability and performance that make AI valuable.

Data Ingestion and Transfer

Data enters and exits the air-gapped environment through controlled transfer mechanisms. Cross-domain solutions provide hardware and software-enforced transfer capabilities between networks at different classification levels. These systems perform content inspection, format verification, and malware scanning on every piece of data that crosses the boundary.

For AI systems, data transfer considerations include getting training data into the classified environment, transferring pre-trained model weights if models are not trained in-place, and extracting unclassified results or performance metrics from the classified environment for reporting purposes. Each of these transfers must go through the approved cross-domain solution and be subject to review procedures appropriate for the classification level.

Compute Architecture

The compute architecture for air-gapped AI typically consists of GPU servers for inference and potentially training, a model serving infrastructure that manages model loading and request routing, a data storage layer for training data and model artifacts, a monitoring and logging infrastructure for system health and security audit, and an application layer that exposes AI capabilities to end users through the classified network.

Container orchestration platforms like Kubernetes can be used in air-gapped environments but require significant configuration changes from their standard deployment. Container images must be pre-built and transferred through the cross-domain solution. Container registries must operate entirely within the air-gapped network. And the orchestration platform itself must be configured to operate without external API calls for image pulling, DNS resolution, or certificate validation.

Model Management Without Connectivity

In a connected environment, model updates are straightforward: pull the new model from a registry, run validation tests, and deploy. In an air-gapped environment, every model update requires a deliberate transfer process. The new model must be validated in an unclassified or lower-classification environment, packaged for transfer, moved through the cross-domain solution, validated again within the classified environment, and deployed through the internal deployment pipeline.

This process can take days to weeks depending on the classification level and the organization's transfer approval procedures. Organizations must plan model update cadences that account for this latency and ensure that deployed models remain fit for purpose during the intervals between updates.
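The "package for transfer" and "validated again within the classified environment" steps can be tied together with a hash manifest. The sketch below is an added example, not tooling from any program described here. It assumes the manifest digest travels out-of-band, separately from the transfer media; the file names and bundle contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so multi-gigabyte weights need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Low side: one SHA-256 per file, keyed by path relative to the bundle."""
    return {p.relative_to(bundle).as_posix(): file_sha256(p)
            for p in sorted(bundle.rglob("*")) if p.is_file()}


def manifest_digest(manifest: dict) -> str:
    """Assumption: this digest reaches the high side out-of-band."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_bundle(bundle: Path, manifest: dict, approved_digest: str) -> list:
    """High side: return findings; an empty list means the bundle matches."""
    if manifest_digest(manifest) != approved_digest:
        return ["manifest digest mismatch"]
    actual = build_manifest(bundle)
    findings = [f"missing: {n}" for n in manifest if n not in actual]
    findings += [f"unexpected: {n}" for n in actual if n not in manifest]
    findings += [f"modified: {n}" for n in manifest
                 if n in actual and actual[n] != manifest[n]]
    return sorted(findings)


def demo() -> list:
    """Constructed bundle, altered after the manifest digest was approved."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp)
        (bundle / "model.safetensors").write_bytes(b"constructed weights")
        (bundle / "config.json").write_text('{"layers": 2}')
        manifest = build_manifest(bundle)
        approved = manifest_digest(manifest)
        (bundle / "model.safetensors").write_bytes(b"constructed weightz")
        (bundle / "hook.py").write_text("# file added in transit")
        return verify_bundle(bundle, manifest, approved)
```

A digest comparison only shows that the bundle is the one that was approved; it says nothing about whether the approved weights are free of backdoors, which is the separate testing problem described under Software and Model Supply Chain.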

STIG Compliance for AI Infrastructure

Security Technical Implementation Guides provide detailed configuration requirements for IT systems in Department of Defense environments. STIGs exist for operating systems, databases, web servers, application servers, network devices, and other infrastructure components. AI deployments must comply with applicable STIGs across the entire stack.

Operating System and Container STIGs

The base operating system for AI servers must be hardened according to the applicable STIG. For Red Hat Enterprise Linux, which is commonly used in defense environments, this involves several hundred individual configuration checks covering authentication, access control, audit logging, file permissions, network configuration, and service management.

Container runtime STIGs add requirements for container image security, runtime configuration, network policies, and resource isolation. AI containers must be built on approved base images, must not run as root, must implement appropriate resource limits, and must have network policies that restrict communication to only necessary endpoints.
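The container requirements named above (internal registry only, no root, resource limits, restricted network communication) can be checked mechanically before a workload is admitted. The following is an added example, not a STIG scanner or code from the article's source. The registry hostname, pod specs and policy are constructed, and only `matchLabels` selectors are evaluated.

```python
INTERNAL_REGISTRY = "registry.enclave.example"  # hypothetical in-enclave registry


def selects(policy: dict, labels: dict) -> bool:
    """True if the NetworkPolicy's matchLabels selector covers these pod labels."""
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def audit_pod(pod: dict, policies: list) -> list:
    """Return findings for the four hardening points named in the text."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        name = c["name"]
        # Images must come from the registry inside the air gap.
        if c["image"].split("/", 1)[0] != INTERNAL_REGISTRY:
            findings.append(f"{name}: image not from internal registry")
        # A container-level securityContext overrides the pod-level one.
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    labels = pod["metadata"].get("labels", {})
    egress = [p for p in policies
              if "Egress" in p["spec"].get("policyTypes", []) and selects(p, labels)]
    if not egress:
        findings.append("pod: no NetworkPolicy restricts egress")
    return findings


# Constructed manifests, not taken from any real deployment.
WEAK_POD = {
    "metadata": {"name": "llm", "labels": {"app": "llm"}},
    "spec": {"containers": [
        {"name": "server", "image": "docker.io/vendor/llm:latest"}]},
}
HARDENED_POD = {
    "metadata": {"name": "llm", "labels": {"app": "llm"}},
    "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
        "name": "server", "image": INTERNAL_REGISTRY + "/ai/llm:1.4",
        "resources": {"limits": {"cpu": "8", "memory": "64Gi"}}}]},
}
EGRESS_POLICY = {"spec": {"podSelector": {"matchLabels": {"app": "llm"}},
                          "policyTypes": ["Ingress", "Egress"], "egress": []}}
```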

Application-Level Security

AI serving frameworks and APIs must implement authentication, authorization, encryption in transit, input validation, and comprehensive audit logging. The STIG requirements for web applications and application servers apply to AI inference endpoints. This includes requirements for TLS configuration, session management, error handling, and protection against common application-layer attacks.

For LLM-based applications, additional security considerations include prompt injection defense, output filtering to prevent classified information from being included in responses at inappropriate classification levels, and input validation to prevent adversarial inputs that could cause unexpected model behavior.

Operational Security for Defense AI

Operational security for AI in classified environments extends beyond traditional IT security. The AI system's behavior itself can reveal classified information. Model outputs that reflect patterns in classified training data could, in theory, be used to infer information about the data even without direct access to it.

Classification of Model Outputs

An AI model trained on classified data produces outputs that must be treated at the classification level of the training data, at minimum. The determination of output classification requires analysis by a classification authority. In some cases, model outputs may be determined to be unclassified if they do not reveal classified source material, but this determination cannot be made automatically and requires human review.

This classification requirement has practical implications for how AI systems are integrated into workflows. If an analyst uses an AI system to summarize classified intelligence, the summary is classified at the same level as the source material. The AI system cannot be used to circumvent classification by producing "unclassified summaries" of classified information without a formal declassification review.

Personnel and Training

Personnel who operate, maintain, or use AI systems in classified environments must hold appropriate clearances and must receive training on the proper use of AI within the security context. This training should cover the classification implications of AI inputs and outputs, the procedures for reporting AI system anomalies, the prohibition against using classified AI systems to process information above the system's accredited classification level, and the procedures for handling AI-generated content in accordance with classification guidance.

Air-gapped AI deployment is not simply a matter of running the same AI systems without internet access. It requires a fundamentally different approach to architecture, supply chain management, compliance, and operations that reflects the unique security requirements of classified environments.

Defense organizations that invest in building the infrastructure and processes for air-gapped AI deployment will gain significant operational advantages. Intelligence analysis, logistics optimization, sensor data processing, and decision support are all areas where AI can provide transformative capability. The key is ensuring that the deployment methodology matches the security rigor that classified environments demand.
