The dependency you did not inventory is the one that breaks you
Most AI frameworks were designed with the assumption of network access. Not as a feature, but as ambient infrastructure — so deeply embedded that the dependencies are invisible until the network is gone.
Common failure modes we've observed in practitioner environments (or documented in ecosystem issue trackers) include:
- License validation. Some commercial inference libraries or enterprise endpoints phone home to verify license status at startup (similar to legacy node-locked enterprise software requiring external license servers). Without network access, the library refuses to initialize. The failure message may not mention licensing.
- DNS resolution during model loading. Framework components that resolve hostnames as part of initialization, even when no data is transferred. On an air-gapped network, the DNS timeout adds minutes to startup or causes silent fallback behavior.
- Telemetry and analytics. Usage reporting baked into default configurations (such as default telemetry flags in widely used model hubs or SDKs). These calls fail silently on a disconnected network — until they don't, and instead block a thread or fill a log with connection timeouts.
- Model format dependencies. Serialized models that reference external tokenizer files (e.g., library defaults fetching vocab.json from a public hub), configuration endpoints, or version-check URLs. The model file is local, but its loading path assumes the internet exists.
- Driver update checks. System utilities or package managers that probe for updates before loading. On most systems this fails quietly. On some configurations it introduces a startup delay or a warning that confuses monitoring.
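One practical way to surface these hidden calls during testing is to block socket connections at the interpreter level and see what breaks. A minimal Python sketch of the idea; the `NetworkGuard` name and the commented loader call are illustrative, not from any particular framework:

```python
import socket

class NetworkGuard:
    """Context manager that makes any socket connection attempt raise,
    so hidden network dependencies surface immediately during testing
    instead of timing out or failing silently."""

    def __enter__(self):
        self._orig_connect = socket.socket.connect
        def blocked_connect(sock, address, *args, **kwargs):
            raise RuntimeError(f"blocked network call to {address}")
        socket.socket.connect = blocked_connect
        return self

    def __exit__(self, *exc):
        # Restore the original connect so the rest of the test suite
        # behaves normally.
        socket.socket.connect = self._orig_connect
        return False

# Usage: wrap the suspect initialization path. Any phone-home attempt
# (license check, telemetry, tokenizer fetch) raises with the target
# address in the message.
#
# with NetworkGuard():
#     model = load_model("weights.bin")   # hypothetical loader
```

This only catches Python-level socket use; native libraries that open sockets directly need OS-level monitoring (e.g., running the stack on a network-isolated host and watching for connection attempts, as described below).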
None of these are security vulnerabilities in isolation. They're availability risks that compound in environments where you can't "just restart it and see."
Why dependency control is a first-order concern
In a cloud-connected deployment, an unmanaged dependency is an inconvenience — the system retries, falls back, or an operator restarts the service. In an offline deployment, it's a deployment failure.
That distinction is why dependency analysis for offline AI goes deeper than standard packaging. It isn't enough to ship the model weights and the inference code. Every transitive dependency in the runtime stack needs to be verified for offline operation, across four layers:
- System-level. Kernel modules, GPU drivers, firmware versions. These aren't application dependencies in the traditional sense, but they participate in the inference path and some have network-touching behavior.
- Framework initialization. Deep learning frameworks have complex startup sequences. PyTorch, for example, probes hardware capabilities, initializes CUDA contexts, and loads shared libraries in an order that can vary by platform. Each step is a potential point of failure if an assumption about the environment is violated.
- Transitive libraries. A framework depends on cuDNN, which depends on cuBLAS, which depends on specific CUDA runtime versions. Each layer may have its own initialization behavior, default configurations, and failure modes.
- Configuration defaults. Many libraries ship with defaults that assume connectivity — cache directories pointing to network paths, logging that attempts HTTP transport, health-check endpoints that probe external services. These defaults must be identified and overridden before deployment.
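For the configuration-defaults layer, the usual mitigation is to pin offline-safe settings in the environment before any framework import. A sketch of the pattern: `HF_HUB_OFFLINE` and `TRANSFORMERS_OFFLINE` are real Hugging Face switches, while the cache path and the rest of the map are assumptions to be adapted per deployment, not an exhaustive list.

```python
import os

# Offline-mode environment settings. Must be applied before the
# frameworks that read them are imported.
OFFLINE_ENV = {
    "HF_HUB_OFFLINE": "1",         # Hugging Face Hub: never attempt downloads
    "TRANSFORMERS_OFFLINE": "1",   # transformers: resolve only from local cache
    "HF_HOME": "/opt/models/hf-cache",  # assumed local cache location
    "DO_NOT_TRACK": "1",           # convention honored by some telemetry
}

def apply_offline_env(env=OFFLINE_ENV):
    """Apply offline defaults without clobbering deliberate overrides."""
    for key, value in env.items():
        os.environ.setdefault(key, value)

apply_offline_env()
# import torch, transformers, ... only after this point
```

The essential design choice is ordering: these variables are read at import or first use, so setting them inside application code after the framework has initialized is too late.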
The update problem
A connected system receives updates continuously — security patches, model improvements, framework fixes. An offline system receives updates when someone physically delivers them.
This creates two distinct challenges:
Staleness risk. The gap between a vulnerability disclosure and its deployment on an offline system is measured in planned maintenance windows, not hours. This is the same patching challenge described in the offline threat model — organizations need to define what staleness they accept and document it as a policy decision.
Update integrity. When updates arrive via physical media rather than authenticated TLS connections, the integrity verification shifts to the media-handling process. Who prepared the update package? How was it validated? What is the rollback procedure if the update causes a regression? These questions have answers in connected environments (signed packages, canary deployments, automatic rollback). In offline environments, the answers must be designed deliberately.
What a dependency inventory looks like
For an offline AI deployment, the dependency inventory should cover:
- Every shared library loaded during inference, with version and provenance
- Every file accessed during model loading, including tokenizer configs and auxiliary data
- Every network call attempted during initialization, startup, and steady-state operation — tested by running the full stack on a network-isolated host and monitoring for connection attempts
- Every environment variable or configuration file that references external paths, URLs, or services
- The specific GPU driver, CUDA, and cuDNN versions required, verified against the hardware determinism constraints that apply to the deployment
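The first inventory item, every shared library loaded during inference, can be captured empirically rather than inferred from package metadata. A Linux-only sketch that reads `/proc/self/maps` after the model has loaded, so it reports what is actually mapped into the process:

```python
from pathlib import Path

def loaded_shared_libraries():
    """List every shared object currently mapped into this process.
    Linux-only: parses /proc/self/maps. Run after model loading to
    capture the real runtime library set, then diff against the
    approved inventory."""
    libs = set()
    for line in Path("/proc/self/maps").read_text().splitlines():
        # Format: address perms offset dev inode [pathname]
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and ".so" in parts[5]:
            libs.add(parts[5].strip())
    return sorted(libs)
```

This reports versioned paths (e.g., anything matching `*.so.*`), which is what the inventory needs; mapping each path back to a package and provenance is a separate step handled by the platform's package manager.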
This inventory is not a one-time exercise. Framework updates, driver updates, and model changes can introduce new dependencies. The inventory needs to be re-verified against each change.
Connection to the broader threat model
Dependency control feeds directly into the offline threat model. Every unmanaged dependency is either:
- An availability failure waiting for the wrong moment
- An unintended network connection that violates the air-gap assumption
- A configuration assumption that will break when the system moves from the development environment to the deployment environment
Teams that treat dependency control as a packaging problem — "put everything in a container and ship it" — reliably discover edge cases in production. The ones that treat it as an architectural concern find them during testing, when there's still time to fix them.