ibl.ai Agentic AI Blog

Why Air-Gapped AI Is Non-Negotiable for Federal Agencies

ibl.ai, May 24, 2026

For classified, IL5/IL6, CUI, and law-enforcement-sensitive work, the AI has to run on hardware the agency controls — disconnected, owned, and inspectable down to the source.

What Air-Gapped Actually Means

Air-gapped is one of the most abused words in government IT marketing. It does not mean "private." It does not mean "in your tenant." It means there is no network path between the system and the outside world. No inbound connection, no outbound telemetry, no model weights downloaded at runtime, no license check phoning home.

A real air gap is a physical and logical fact, not a configuration setting. You can walk to the rack. The data center has no route to the public internet. Updates arrive on media that goes through a review process before it touches the system.

For an AI platform, that constraint reaches further than most procurement teams expect. The model has to be present locally. The inference runs on local hardware. The vector store, the logs, the prompts, and the outputs never leave the enclave. Any component that assumes connectivity is a component that does not belong inside the gap.

This is the line that separates classified AI work from everything else. Once you accept that nothing leaves, a large category of products is ruled out by architecture, not by policy.

Where Cloud-Hosted AI Stops

ChatGPT Gov is a real product, and it is worth being precise about what it is. It runs on the Azure OpenAI Service. An agency can deploy it in an Azure commercial or Azure Government tenant, apply its own controls, and meet frameworks like FedRAMP High, IL5, CJIS, and ITAR through the compliance it manages itself. That is a legitimate path for a lot of sensitive workloads.

It is also a managed cloud service. The agency manages compliance and configuration, but the infrastructure is Microsoft's, the models are GPT only, the agency does not receive the source code, and the deployment requires connectivity to the Azure region hosting it. None of that is a flaw. It is simply what a hosted service is.

The problem appears when the workload sits inside a true air gap. A system that depends on reaching an Azure region cannot run with the network unplugged. A GPT-only service cannot host an open-weight model the agency vetted for classified use. A product the agency cannot read at the source level cannot be inspected to the depth that IL6 and SCIF environments require.

So the question is not whether government cloud AI is good. It often is. The question is whether it can operate where there is no cloud to reach. For disconnected, classified work, the answer is structural, and it is no.

The Data That Forces the Decision

Plenty of agency work runs fine on a connected, well-governed cloud service. The decision tightens only for specific data types, and those data types are the reason air-gapped AI exists.

IL5 and IL6 workloads carry handling requirements that assume the data never traverses a shared or internet-reachable network. Classified information governed by ICD 503 lives in accredited enclaves with no general internet route. Law-enforcement-sensitive case data, ITAR-controlled technical specifications, and Privacy Act records each carry their own constraints on where processing may happen.

When an AI platform touches any of these, the platform inherits the constraint. An analyst summarizing classified cables cannot send those cables to a managed endpoint, even a government-cloud one. The summarization has to happen on hardware inside the boundary.

This is where the general case for owning your AI, which we made in the argument for sovereign AI for government agencies, becomes a hard requirement rather than a preference. For most agency data, ownership is the smarter choice. For this data, disconnected ownership is the only choice that complies.

Open-Weight Models for Disconnected Use

A connected service gives you the vendor's models and nothing else. Inside an air gap, that constraint flips. You can only run a model whose weights you physically hold, which turns out to be an advantage.

Open-weight models can be downloaded once, scanned, and loaded onto air-gapped hardware where they run forever without contacting anyone. The agency picks the model based on the mission and the classification level, not on what a hosted service happens to offer. A model handling Secret material and a model handling CUI can be different models, each chosen and tuned for its enclave.
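
An added example, not code from ibl.ai or from this post: one way to gate the download-once, scan, and load step described above, by checking a staged model directory against a SHA-256 manifest approved during media review before anything is loaded inside the enclave. The manifest layout, file names, and function names are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte weight shards never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_staging(staging_dir, manifest):
    """Compare every file under staging_dir with the reviewed manifest.

    manifest (assumed layout) maps relative POSIX paths to SHA-256 hex digests.
    Reports files that are missing, altered, or present but never reviewed.
    """
    root = Path(staging_dir)
    found = {p.relative_to(root).as_posix(): p
             for p in root.rglob("*") if p.is_file()}
    report = {"missing": [], "mismatch": [], "unlisted": []}
    for rel, expected in sorted(manifest.items()):
        if rel not in found:
            report["missing"].append(rel)
        elif sha256_file(found[rel]) != expected.lower():
            report["mismatch"].append(rel)
    # Anything on the media that review never saw blocks the import too.
    report["unlisted"] = sorted(set(found) - set(manifest))
    report["ok"] = not any(report[k] for k in ("missing", "mismatch", "unlisted"))
    return report


def demo():
    """Constructed sample: a tiny stand-in for a staged model directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.json").write_bytes(b'{"arch": "example"}')
        (root / "weights-00001.bin").write_bytes(b"\x00" * 4096)
        reviewed = {p.name: sha256_file(p) for p in root.iterdir()}
        clean = verify_staging(root, reviewed)
        reviewed["tokenizer.json"] = "0" * 64                      # listed, never copied
        (root / "weights-00001.bin").write_bytes(b"\x01" * 4096)   # altered after review
        (root / "loader.py").write_bytes(b"print('hi')")           # never reviewed
        return clean, verify_staging(root, reviewed)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The import should proceed only when `ok` is true; any entry in the three lists sends the media back to review.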

Model choice also means the agency is not locked to a single vendor's roadmap or pricing inside its most sensitive systems. When a better open-weight model clears review, the agency swaps it in. The weights are a file the agency owns, not a feature it rents.

A platform that is model-agnostic by design makes this routine. ibl.ai runs the model the agency provides, including open-weight models staged for disconnected environments, rather than tying the agency to one provider's API.

Owning the Platform, Not Just the Tenant

Hosting AI in your own tenant is a meaningful step. Owning the platform is a different one. In an air gap, the difference is the whole game.

A tenant deployment still rests on a vendor's code and a vendor's release schedule. An owned, full-code deployment gives the agency the source, which is what makes deep inspection possible. The CISO's team can read how data flows, how logs are retained, and how the model is invoked, then validate those behaviors against NIST 800-53 controls at the implementation level instead of trusting a SOC 2 report from outside the boundary.

ibl.ai is built for this through its air-gapped AI deployment service and its on-premise, full-source-code license. The agency runs the Agentic OS on bare metal inside the enclave, owns the source, and chooses its own models. The same platform already serves more than 1.6 million users across 400-plus organizations, so the disconnected build is a deployment mode of a proven system, not a one-off science project.

If a connected, government-cloud option fits the workload, it may well be the right call. There is also a fair comparison to make on features and control, which we lay out in detail for teams weighing a ChatGPT Gov alternative. But once the data cannot leave the enclave, the field narrows to one architecture: disconnected, agency-owned, inspectable at the source. For classified, IL5/IL6, CUI, and law-enforcement-sensitive work, that is not a preference. It is the requirement.
