
Public research note from the MLNavigator Research Group.

Tags: security, offline, threat model, CMMC, compliance

Offline AI Deployment Changes the Threat Model, Not the Need for Discipline

January 29, 2026 · MLNavigator Team

The economic context

IBM's 2025 Cost of a Data Breach Report puts the average global breach cost at $4.44 million. Breaches involving data spread across multiple environments — public cloud, private cloud, and on-premises — average $5.05 million and take 276 days to identify and contain. On-premises breaches average $4.01 million with shorter detection times.

The pattern is consistent: operational complexity correlates with higher breach cost and slower response. That is the economic backdrop for any discussion of where AI systems should run and how data should move.

[Figure: Side-by-side comparison of eliminated versus elevated threats when moving from connected to offline AI deployment]

What goes away when you cut the network

An air-gapped or network-restricted AI deployment eliminates or severely constrains several attack categories:

Remote exploitation disappears. No network listener means no remote code execution via exposed services. The entire class of attacks that begin with "attacker sends a crafted request to the inference endpoint" becomes irrelevant if there's no endpoint.

Cloud misconfiguration becomes moot. Misconfigured S3 buckets, over-permissive IAM roles, exposed API keys to cloud model providers — none of these apply when the system doesn't interact with cloud services.

Network exfiltration narrows dramatically. If no network path exists, data can't leave through it. The attack surface for exfiltration narrows to physical channels and authorized data-transfer procedures.

Supply chain telemetry goes away. Cloud-connected AI systems often phone home — license checks, usage telemetry, model update pings. Each outbound connection is both a data-movement risk and an availability dependency. Removing them simplifies the security boundary.

What replaces it

Offline operation shifts the risk rather than reducing it.

Insider threat increases in relative importance. With external attack vectors removed, the remaining vectors are internal — physical access, authorized user misuse, social engineering against operators. NIST SP 800-171 addresses this through access control and audit requirements that apply regardless of network connectivity.

Physical security becomes load-bearing. An air-gapped system's security boundary is the facility perimeter and the media-handling procedures. NIST guidance explicitly addresses air-gapped environments: systems where "data transfer is only possible through human interaction." Media protection controls — sanitization, tracking, access logging — carry more weight when removable media is the only data path.

Supply chain integrity shifts from continuous to delivery-time. Cloud-connected systems face ongoing supply chain risk through updates. Offline systems face it at installation and during physical media updates. The window is narrower but higher-consequence — compromised media introduced into an air-gapped environment may persist undetected longer.

Patching becomes a planned operation. Without network-based update mechanisms, security patches require deliberate action: staging, validation, physical transfer, and application during a maintenance window. Unpatched vulnerabilities persist until the next scheduled cycle.

CMMC and air-gapped CUI environments

For defense contractors handling Controlled Unclassified Information, the CMMC program under 32 CFR Part 170 governs security requirements through NIST SP 800-171. Air-gapping a CUI environment is a valid architectural approach for limiting scope, but it does not reduce the control count.

NIST SP 800-171's scoping guidance allows organizations to isolate CUI into separate security domains using physical separation, logical separation, or both. All 110 security requirements still apply to the components within that domain. Some network-specific controls may be satisfied differently — remote access controls are less relevant when there is no remote access — but controls around access management, audit logging, media protection, and configuration management remain fully in force.

The practical implication: an offline AI deployment in a CMMC-scoped environment needs the same governance rigor as a connected one, applied to a different set of boundaries.

Dependency control is the hidden variable

The most common failure mode we have seen in offline AI deployments is not a sophisticated attack. It is an unmanaged dependency — a framework that assumes network access during initialization, a library that phones home for license verification, a driver that probes for updates. These are availability failures, not security vulnerabilities in the traditional sense, but they compound in environments where you cannot restart and observe.

A separate note, Dependency control as a first-order architectural concern, covers the specific failure modes and what an inventory looks like in practice. The short version: every unmanaged dependency is either a failure waiting to happen or an unintended network connection waiting to be discovered.

What to document

For organizations building an offline AI threat model:

  • Map every data-movement path, including physical media, maintenance connections, and diagnostic interfaces
  • Identify which NIST 800-171 controls change in implementation (not applicability) due to air-gapping
  • Define the patching cadence and the accepted risk window between vulnerability disclosure and offline deployment of the fix
  • Inventory every external dependency in the inference stack and verify that each one functions without network access
  • Treat hardware variation across deployments as a configuration management concern, not just a performance variable
  • Consider multi-tenant isolation requirements if the offline infrastructure serves multiple workloads or classification levels
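The dependency-control section above describes two ways an unmanaged dependency surfaces in an offline deployment (it fails outright because it assumed network access, or it quietly tries to reach out and degrades), and the fourth bullet asks for each dependency to be verified as working without network access. The harness below is an added example that does that verification; it is not MLNavigator's code and not code from the note referenced above. It monkeypatches the Python socket layer for the duration of each dependency's initialiser, refuses and records every outbound connection attempt, and reports whether the component still came up. The three dependencies are constructed stand-ins (names, behaviour, and the RFC 5737 documentation addresses are all assumptions), so the whole thing runs without a network.

```python
"""Egress guard for checking that an inference stack initialises offline.

Added example, not MLNavigator code. Every socket.connect made while a
dependency initialises is blocked and recorded, so a component that phones
home either fails loudly (availability failure) or is caught quietly trying
(unintended network connection). All dependencies and addresses below are
constructed; the IPs are RFC 5737 documentation ranges, not real hosts.
"""
import socket
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class EgressBlocked(OSError):
    """Raised in place of any outbound connection while the guard is active."""


def _describe(address) -> str:
    # AF_INET/AF_INET6 addresses are tuples beginning with (host, port);
    # AF_UNIX addresses are plain path strings.
    if isinstance(address, tuple) and len(address) >= 2:
        return f"{address[0]}:{address[1]}"
    return str(address)


@contextmanager
def egress_guard(attempts: List[str]):
    """Block and record every socket.connect / connect_ex issued inside the block."""
    original_connect = socket.socket.connect
    original_connect_ex = socket.socket.connect_ex

    def blocked(self, address, *args, **kwargs):
        attempts.append(_describe(address))
        raise EgressBlocked(f"outbound connection blocked: {_describe(address)}")

    # connect_ex normally returns an errno instead of raising; making it raise
    # too means nothing slips through on that path either.
    socket.socket.connect = blocked
    socket.socket.connect_ex = blocked
    try:
        yield attempts
    finally:  # always restore, even if the initialiser blew up
        socket.socket.connect = original_connect
        socket.socket.connect_ex = original_connect_ex


@dataclass
class DependencyReport:
    name: str
    initialized: bool
    attempts: List[str] = field(default_factory=list)
    error: Optional[str] = None


def verify_offline(name: str, init_fn: Callable[[], object]) -> DependencyReport:
    """Run one dependency's initialiser with all egress blocked and report on it."""
    attempts: List[str] = []
    try:
        with egress_guard(attempts):
            init_fn()
    except Exception as exc:  # any failure under the guard is an offline-availability failure
        return DependencyReport(name, False, attempts, f"{type(exc).__name__}: {exc}")
    return DependencyReport(name, True, attempts)


def audit_inference_stack(stack: Dict[str, Callable[[], object]]) -> List[DependencyReport]:
    return [verify_offline(name, fn) for name, fn in stack.items()]


def stack_is_offline_clean(reports: List[DependencyReport]) -> bool:
    """True only if every dependency initialised AND none tried to reach the network."""
    return all(r.initialized and not r.attempts for r in reports)


# --- constructed stand-ins for real inference-stack components (assumptions) ---

def local_weights_init():
    """Well-behaved: everything it needs is on local disk (simulated)."""
    return {"weights": "loaded from /models/constructed.bin"}


def license_check_init():
    """Phones home for a licence check and does not handle failure at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(("198.51.100.7", 443))  # constructed licence server, TEST-NET-2
    return {"licensed": True}


def telemetry_fallback_init():
    """Sends a usage ping but silently degrades when it cannot."""
    try:
        socket.create_connection(("203.0.113.9", 443), timeout=1).close()  # TEST-NET-3
    except OSError:
        pass  # init still "succeeds"; the only trace is the attempt the guard recorded
    return {"telemetry": "disabled"}


CONSTRUCTED_STACK = {
    "local-weights": local_weights_init,
    "license-check": license_check_init,
    "telemetry-fallback": telemetry_fallback_init,
}

if __name__ == "__main__":
    reports = audit_inference_stack(CONSTRUCTED_STACK)
    for r in reports:
        status = "ok" if r.initialized else "FAILED"
        print(f"{r.name:20} {status:7} egress attempts: {r.attempts or 'none'}  {r.error or ''}")
    print("stack offline-clean:", stack_is_offline_clean(reports))
```

The point of running the audit before media is cut for the air-gapped side is the third case: telemetry-fallback initialises fine, so a plain "does it start?" smoke test would pass it, yet it is exactly the unintended network connection the note warns about. The guard only sees sockets opened from Python; a native library or a driver that opens its own socket in C bypasses it, so in practice pair this with host firewall or egress logs on the staging machine and treat any hit there the same way.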

The defense primes and cleared facilities that operate well in these environments share one trait: they document the differences honestly. Air-gapping is an architectural choice with real security benefits — but it isn't a shortcut.