Whitepaper · June 2026
Air-Gapped AI.
Running code intelligence with $0 data egress: a reference architecture for banking, government, and healthcare modernization.
The most regulated enterprises need AI most — and can buy it the least.
Banks, government agencies, and large healthcare providers carry the legacy estates that AI-driven modernization could transform most dramatically. They are also the enterprises whose regulators, security teams, and risk committees have the highest standards for what data may leave the enterprise perimeter and what AI systems may operate on it. The result is a structural exclusion: the institutions that need AI modernization most cannot adopt the AI tools the market is selling.
This whitepaper describes the reference architecture Ionate has deployed across regulated enterprises that resolves the exclusion. The architecture has three defining properties: zero source-code egress, zero data retention, and zero training contribution. The same architecture is used at SOC 2 Type II-audited tier-1 banks, FedRAMP-aligned federal agencies, and HIPAA-regulated healthcare providers.
"The question is not whether your AI vendor takes security seriously. The question is whether your AI vendor's architecture makes a security failure technically impossible. Those are different claims."
Three constraints, simultaneously. One architecture, by design.
Regulated enterprises operate under three constraints when adopting any AI-adjacent technology. The constraints are well-understood individually; what is less understood is that meeting them simultaneously requires architectural choices that very few vendors are willing to make.
Constraint 1: Source code is regulated data
For banks, source code that implements business logic is implicitly regulated. For government agencies, source code is often subject to ITAR or sovereign-data rules. For healthcare, source code that touches PHI is itself a HIPAA-covered artifact. Every vendor that processes source code outside the customer's perimeter inherits these regulatory obligations. Most vendors are unprepared to carry them.
Constraint 2: Vendor data hoarding is unacceptable
Every major generative-AI vendor in 2026 retains some portion of input data for service improvement, model retraining, or compliance debugging. Customers can usually opt out of training. They can opt out of operational logging far less often. For regulated enterprises, "retained for 90 days for service improvement" is not a different posture from "retained indefinitely". Both fail audit.
Constraint 3: Model behavior must be reproducible
Regulators expect AI outputs that affect business decisions to be reproducible and auditable. A model that returns different outputs on identical inputs — because of versioned retraining, A/B routing, or stochastic sampling — is not auditable in any practical sense. The architecture must guarantee deterministic, replayable behavior.
Meeting all three constraints with a vendor whose primary infrastructure is shared, multi-tenant, and centrally hosted requires architectural compromises the vendor is unwilling to make. Ionate's reference architecture is the answer to the constraints, by construction.
2024–2026: the regulatory step change.
For most of the LLM era, financial-sector and public-sector regulators issued cautious guidance. That posture has shifted. The EU AI Act has entered force on a phased schedule with penalties of up to 7% of worldwide turnover or €35M for prohibited-AI violations under Article 5, and up to 3% or €15M for operational breaches by providers and deployers of high-risk systems. In the United States, successive Federal AI executive orders and OMB memoranda have set mandatory evaluation and procurement criteria for federal AI use, with those criteria propagating quickly to financial supervisors by reference. Major central banks are issuing AI-specific extensions to their operational-risk frameworks, now progressively entering examination cycles globally.
The combined effect is that AI adoption in regulated industries is now a documented, auditable activity. The vendor-selection question that mattered most in 2023 — does the model work? — has been joined by an equally weighty question in 2026: can the deployment architecture pass our examiners?
The question your CISO asked in 2023 was "is this safe enough?" The question your examiner is going to ask in 2026 is "can you evidence that?" Different question. Different bar. Different vendor shortlist.
Four properties that hold together as one architecture.
The Ionate reference architecture deploys the full modernization platform (SOTERIA + APPDATE + KÍRKĒ + CRYPTOID) into an isolated execution environment inside the customer's perimeter. The deployment is parameterized for the customer's network topology, key management, and identity stack.
Layer 01: In-Perimeter Compute
All inference and orchestration runs on customer-owned hardware or customer-controlled cloud accounts.
Layer 02: BYOK Encryption
Customer holds the keys for every persistent store. Vendor cannot read its own deployment.
Layer 03: No Outbound
Egress is blocked at the network layer. Telemetry to vendor — when desired — is opt-in and content-redacted.
Layer 04: Deterministic Inference
Pinned model versions, seeded sampling, reproducible outputs for audit replay.
Compute residency
The platform runs in a Kubernetes cluster the customer provisions. The cluster is in the customer's network (on-prem, private cloud account, or government-cloud enclave). Ionate provides the container images and the orchestration manifests; the customer operates the cluster. Ionate's only network access during operations is through a customer-controlled, audited channel for upgrade deliveries and authorized support sessions.
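The "no outbound" property is only as strong as the policy objects in the cluster manifests an examiner will be handed, and Kubernetes NetworkPolicies are additive, so one permissive rule anywhere in the namespace silently undoes a default deny. The following audit check is an added example written for this whitepaper, not Ionate's tooling: it takes NetworkPolicy objects as the networking.k8s.io/v1 API defines them (built here as constructed Python dicts rather than YAML so the script runs offline), confirms that a default-deny egress policy covers every pod in the deployment namespace, and flags any egress rule that reaches an IP block outside an allowlist. The namespace name `ionate` and the bastion address `10.50.0.7/32` are placeholders.

```python
"""Audit check for the egress posture of the deployment namespace.

Added example, not Ionate's code. It assumes NetworkPolicy objects shaped as
the Kubernetes networking.k8s.io/v1 API defines them. The manifests are
constructed for the demo; 10.50.0.7/32 is a placeholder for the customer's
support bastion and "ionate" a placeholder namespace.
"""
import ipaddress

NAMESPACE = "ionate"  # assumed namespace name

# Constructed: default-deny egress for every pod, plus one narrow allow policy
# for in-cluster traffic and SSH to the customer-operated bastion.
LOCKED_DOWN = [
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-egress", "namespace": NAMESPACE},
        # podSelector {} selects every pod; listing Egress with no egress rules
        # means "no egress" unless another policy adds some.
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-cluster-and-bastion", "namespace": NAMESPACE},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"namespaceSelector": {}}]},            # any in-cluster pod (DNS etc.)
                {"to": [{"ipBlock": {"cidr": "10.50.0.7/32"}}],
                 "ports": [{"protocol": "TCP", "port": 22}]},   # audited support channel
            ],
        },
    },
]

# Constructed: the same namespace after someone adds a catch-all rule.
LEAKY = LOCKED_DOWN + [{
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-internet", "namespace": NAMESPACE},
    "spec": {"podSelector": {"matchLabels": {"app": "inference"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]},
}]


def _namespace_policies(policies, namespace):
    return [p for p in policies
            if p.get("kind") == "NetworkPolicy"
            and p.get("metadata", {}).get("namespace") == namespace]


def has_default_deny_egress(policies, namespace):
    """True if some policy selects every pod and declares the Egress type."""
    return any(p["spec"].get("podSelector") == {}
               and "Egress" in p["spec"].get("policyTypes", [])
               for p in _namespace_policies(policies, namespace))


def offending_egress(policies, namespace, allowed_cidrs):
    """Egress peers that can leave the cluster and are not allow-listed.

    Policies are additive, so a permissive rule in any policy widens the
    egress of the pods it selects regardless of the default deny.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for p in _namespace_policies(policies, namespace):
        name = p["metadata"]["name"]
        for rule in p["spec"].get("egress", []):
            if not rule.get("to"):  # missing or empty 'to' permits every destination
                findings.append((name, "<all destinations>"))
                continue
            for peer in rule["to"]:
                block = peer.get("ipBlock")
                if block is None:
                    continue  # podSelector/namespaceSelector peers stay in-cluster
                net = ipaddress.ip_network(block["cidr"])
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    findings.append((name, block["cidr"]))
    return findings


def egress_audit(policies, namespace, allowed_cidrs):
    """Return (passes, findings) for one namespace."""
    findings = []
    if not has_default_deny_egress(policies, namespace):
        findings.append("no default-deny egress policy covers all pods")
    findings += [f"{name}: permits egress to {dest}"
                 for name, dest in offending_egress(policies, namespace, allowed_cidrs)]
    return not findings, findings


if __name__ == "__main__":
    for label, pols in (("locked-down", LOCKED_DOWN), ("leaky", LEAKY)):
        print(label, egress_audit(pols, NAMESPACE, ["10.50.0.7/32"]))
```

A NetworkPolicy is enforced only by a CNI that implements it, and it governs pod traffic, not the nodes or the cloud account, so the same deny-by-default rule belongs at the VPC or firewall layer as well; the check above is the evidence for one layer, not the whole control.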
Key management
Every persistent store — model weights, generated artifacts, intermediate cache, lead-capture data — is encrypted with customer-held keys. Ionate cannot decrypt its own deployment. Key rotation is operated by the customer's HSM or KMS of choice (AWS CloudHSM, AWS KMS, Azure Key Vault, Google Cloud KMS, or on-prem Thales or Entrust HSMs).
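"Ionate cannot decrypt its own deployment" is a statement about key custody: each store is sealed with its own data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves the customer's HSM or KMS. The sketch below is an added example, not Ionate's code, showing that envelope pattern end to end: `CustomerKMS` stands in for the customer's HSM/KMS and produces the audit log the control table cites, every read of a store has to go through it, and KEK rotation re-wraps DEKs without touching ciphertext. To keep it dependency-free, the cipher is a SHA-256 counter-mode keystream with an HMAC tag, a stand-in for the AES-GCM a real deployment would use; the store names and principals are constructed.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).

Added example, not Ionate's code. CustomerKMS stands in for the customer's
HSM/KMS; _stream is a SHA-256 counter-mode toy used only so the example runs
with the standard library (a real deployment would use AES-GCM through the
KMS provider or a vetted library). Store names are constructed.
"""
import hashlib
import hmac
import os


def _stream(key, nonce, data):
    """Toy keystream XOR (SHA-256 of key||nonce||counter). Not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = _stream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; a wrong key or tampered blob never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _stream(key, nonce, ct)


class CustomerKMS:
    """The KEK lives here and never leaves. Every wrap/unwrap is logged; that
    log is the 'customer KMS audit log' an examiner asks for."""

    def __init__(self):
        self._kek = os.urandom(32)
        self.audit_log = []

    def wrap(self, dek, store):
        self.audit_log.append(("wrap", store, "kms"))
        return seal(self._kek, dek)

    def unwrap(self, wrapped, store, principal):
        self.audit_log.append(("unwrap", store, principal))
        return unseal(self._kek, wrapped)

    def rotate_kek(self, stores):
        """Rotate the KEK and re-wrap each store's DEK; ciphertext is untouched."""
        deks = {s.name: unseal(self._kek, s.wrapped_dek) for s in stores}
        self._kek = os.urandom(32)
        for s in stores:
            s.wrapped_dek = self.wrap(deks[s.name], s.name)
        self.audit_log.append(("rotate", "*", "kms"))


class PersistentStore:
    """One store in the deployment (weights, artifacts, cache). It holds only
    ciphertext and the wrapped DEK, so nobody reads it without the KMS."""

    def __init__(self, kms, name):
        self.name = name
        self._kms = kms
        self.wrapped_dek = kms.wrap(os.urandom(32), name)  # plaintext DEK discarded
        self.blobs = {}

    def put(self, key, value, principal):
        dek = self._kms.unwrap(self.wrapped_dek, self.name, principal)
        self.blobs[key] = seal(dek, value)

    def get(self, key, principal):
        dek = self._kms.unwrap(self.wrapped_dek, self.name, principal)
        return unseal(dek, self.blobs[key])


if __name__ == "__main__":
    kms = CustomerKMS()
    weights = PersistentStore(kms, "model-weights")
    weights.put("layer0", b"constructed weight bytes", principal="platform")
    print(weights.get("layer0", principal="audit-replay"))
    print(kms.audit_log)
```

The property an auditor cares about is visible in the audit log: every decrypt names the store and the principal, and a vendor that holds the deployment's disks holds nothing but ciphertext and wrapped DEKs.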
Telemetry and support
By default, the deployment emits zero telemetry to Ionate. When customers opt in to remote support, telemetry is content-redacted: error codes and metrics flow; source content does not. The customer's audit team has signature-level visibility into every byte that crosses the perimeter.
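"Error codes and metrics flow; source content does not" is easiest to evidence when the outbound record is built from an allowlist rather than by masking known-bad fields, and when every allowed field has a fixed shape so free text cannot ride out inside it. The following is an added example, not Ionate's code: it assumes a JSON support event with a constructed field allowlist and error-code format, drops everything else by name, keeps only numeric metrics, and records the byte count and SHA-256 of each payload so the customer's audit team can account for every byte that crossed the perimeter. With opt-in off, nothing is emitted at all.

```python
"""Content-redacted support telemetry with a per-payload audit digest.

Added example, not Ionate's code. The field allowlist, field shapes, the
error-code format and the sample event are constructed for the demo.
"""
import hashlib
import json
import re

# Only these fields may cross the perimeter, and each must match a fixed
# shape so that free text cannot ride out inside an allowed field.
FIELD_SHAPES = {
    "ts": re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),
    "event": re.compile(r"^[a-z_]{1,32}$"),
    "component": re.compile(r"^(soteria|appdate|kirke|cryptoid)$"),
    "error_code": re.compile(r"^E\d{4}$"),   # constructed code format
}


def _numeric_metrics(metrics):
    """Keep numeric metrics only; a string-valued metric could carry content."""
    return {k: v for k, v in metrics.items()
            if isinstance(v, (int, float)) and not isinstance(v, bool)}


def redact_for_egress(event):
    """Build the outbound record: allowlisted, shape-checked fields plus the
    names (never the values) of everything that was dropped."""
    out = {}
    for field, shape in FIELD_SHAPES.items():
        value = event.get(field)
        if isinstance(value, str) and shape.match(value):
            out[field] = value
    out["metrics"] = _numeric_metrics(event.get("metrics", {}))
    out["redacted_fields"] = sorted(f for f in event if f not in out)
    return out


def prepare_egress(event, opt_in):
    """Return (payload bytes or None, audit entry).

    With opt-in off nothing leaves and the audit entry says so; with it on,
    the entry carries the size and digest of exactly the bytes that left.
    """
    if not opt_in:
        return None, {"egress": False}
    payload = json.dumps(redact_for_egress(event), sort_keys=True,
                         separators=(",", ":")).encode()
    entry = {"egress": True, "bytes": len(payload),
             "sha256": hashlib.sha256(payload).hexdigest()}
    return payload, entry


# Constructed support event of the kind an inference worker might emit; the
# path, snippet and trace are the content that must not leave.
SAMPLE_EVENT = {
    "ts": "2026-06-01T10:15:00Z",
    "event": "scan_failed",
    "component": "soteria",
    "error_code": "E0412",
    "metrics": {"duration_ms": 8423, "files": 1203, "hint": "see PAYROLL.cbl"},
    "file": "/repo/src/PAYROLL.cbl",
    "snippet": "MOVE WS-ACCT-BAL TO OUT-BAL.",
    "stack_trace": "ParseError at PAYROLL.cbl:88 near 'WS-ACCT-BAL'",
}

if __name__ == "__main__":
    payload, entry = prepare_egress(SAMPLE_EVENT, opt_in=True)
    print(payload.decode())
    print(entry)
```

The redaction runs on the customer side of the perimeter, which is what lets the customer's audit log, not the vendor's, be the record of what crossed it.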
Deterministic execution
Models are pinned to specific versions. Sampling is seeded. Identical input produces identical output. The execution is reproducible by the customer's audit replay infrastructure without vendor cooperation.
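Reproducibility without vendor cooperation means the audit record must carry everything replay needs and nothing it does not: the pinned model version and the digest of its weights, the seed, and digests of the prompt and output. The following is an added example, not Ionate's code. `toy_model` stands in for an LLM forward pass (its scores are derived deterministically from the model id and the context), the model id, weights digest and COBOL-flavoured vocabulary are constructed, and sampling is driven by a per-request `random.Random(seed)` rather than the global RNG. `replay_verify` is the customer-side check: regenerate from the record and compare digests, failing if the prompt, the seed, the output or the weights behind the pinned name have changed.

```python
"""Pinned model, seeded sampling, and an audit record the customer can replay
without the vendor.

Added example, not Ionate's code. toy_model stands in for an LLM forward pass
(deterministic scores derived from the model id and context); the model id,
weights digest and vocabulary are constructed.
"""
import hashlib
import math
import random

# Constructed registry: a pinned model version maps to the digest of its weights.
MODEL_REGISTRY = {
    "kirke-legacy@2026.05.2": "sha256:" + "0" * 64,  # placeholder digest
}
VOCAB = ["MOVE", "PERFORM", "IF", "END-IF", "DISPLAY", "STOP"]


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def toy_model(model_id, context):
    """Stand-in forward pass: scores depend only on the pinned model and context."""
    digest = hashlib.sha256(f"{model_id}|{' '.join(context)}".encode()).digest()
    return [digest[i] / 255.0 for i in range(len(VOCAB))]


def sample(scores, rng, temperature=0.8):
    """Temperature sampling driven by an explicit RNG, never the global one."""
    weights = [math.exp(s / temperature) for s in scores]
    return rng.choices(VOCAB, weights=weights, k=1)[0]


def generate(model_id, prompt, seed, max_tokens=12):
    """Generate with a pinned model and a per-request seed."""
    if model_id not in MODEL_REGISTRY:
        raise KeyError(f"{model_id} is not a pinned model version")
    rng = random.Random(seed)  # seeded per request; identical seed => identical draws
    context, out = prompt.split(), []
    for _ in range(max_tokens):
        tok = sample(toy_model(model_id, context + out), rng)
        out.append(tok)
        if tok == "STOP":
            break
    return " ".join(out)


def audit_record(model_id, prompt, seed, output):
    """Digests only: the customer's own artifact store keeps prompt and output."""
    return {"model": model_id, "weights": MODEL_REGISTRY[model_id], "seed": seed,
            "prompt_sha256": _sha256(prompt), "output_sha256": _sha256(output)}


def replay_verify(record, prompt):
    """Customer-side replay: regenerate from the record and compare digests."""
    if _sha256(prompt) != record["prompt_sha256"]:
        return False
    if MODEL_REGISTRY.get(record["model"]) != record["weights"]:
        return False  # weights changed under the pinned name
    regenerated = generate(record["model"], prompt, record["seed"])
    return _sha256(regenerated) == record["output_sha256"]


if __name__ == "__main__":
    model, prompt = "kirke-legacy@2026.05.2", "translate COBOL paragraph"
    out = generate(model, prompt, seed=42)
    rec = audit_record(model, prompt, 42, out)
    print(out)
    print(replay_verify(rec, prompt))
```

With a real model the same contract holds, but the list of pinned inputs grows: tokenizer version, decoding parameters, batch composition and the numeric behaviour of the inference kernels all have to be fixed for the digests to match on replay, which is why the record should name each of them explicitly rather than relying on "same model" alone.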
What an examiner will see.
The architecture is engineered for the examination conversation, not just the procurement conversation. Each layer maps to control families that financial-sector, federal, and healthcare examiners already understand.
| Control Family | Architectural Mapping | Evidence Artifact |
|---|---|---|
| Data residency | In-perimeter compute | Customer-owned cluster manifests |
| Encryption at rest | BYOK on all persistent stores | Customer KMS audit log |
| Encryption in transit | Mutual-TLS between all components | Cluster cert chain, network policy |
| Vendor access | Just-in-time, customer-authorized | Privileged-access management log |
| Output reproducibility | Pinned models, seeded sampling | Audit-replay test artifacts |
| Training contribution | None — architecturally precluded | Contractual + network-layer attestation |
| Right to be forgotten | Customer-owned data; vendor-blind | Customer-managed deletion |
SOC 2 Type II
Ionate maintains continuous SOC 2 Type II compliance covering the engineering practices that produce the platform images. Customers running the platform in their own perimeter inherit the upstream attestation and combine it with their own deployment controls.
FedRAMP
The reference architecture is configurable for FedRAMP Moderate and High baselines. The configurations are documented and have been validated alongside federal agency security teams.
HIPAA
For healthcare deployments, Ionate executes a Business Associate Agreement. Because the architecture is air-gapped, the BAA scope is structurally narrow: Ionate's HIPAA obligations apply only to the artifacts the customer chooses to surface in vendor-visible support channels.
The architectural delta against the market.
| Capability | SaaS LLM Vendors | Enterprise AI Suites | DIY Open Models | Ionate Reference Arch |
|---|---|---|---|---|
| Source code never leaves perimeter | No | Partial | Yes | Yes |
| No retention for service improvement | No | Opt-in | N/A | Yes |
| BYOK on persistent stores | No | Some | Yes | Yes |
| Deterministic, replayable outputs | No | No | Possible | Yes |
| Domain-tuned for legacy code | No | Variable | No | Yes |
| Operational support model | 24×7 | 24×7 | DIY | 24×7 |
The combination — domain depth plus regulatory architecture plus full operational support — is what gives the reference architecture its distinct posture. SaaS vendors deliver convenience but not residency. Open models deliver residency but not domain depth or support. Ionate delivers all three.
What this actually looks like.
Customer identities below are withheld under engagement confidentiality. Engagement profiles are accurate; specific institutional names are available under NDA on request.
On-prem deployment, central-bank-aligned
Deployed across three on-prem data centers. The customer's KMS holds all keys. Vendor support access is gated through the customer's PAM solution with full session recording. The regulator's pre-deployment review concluded that the architecture met the supervisor's operational AI guidance without exception.
Modernization of 4.7M lines of core payments code in progress; first wave in production with zero parity defects after 9 months.
FedRAMP-aligned government cloud enclave
Deployed inside the agency's government-cloud enclave with FedRAMP-High-aligned controls. All outputs are reproducible by the agency's audit replay infrastructure. Model versions are pinned and rotated only through documented change-management.
Authorization-to-Operate granted within the agency's accreditation regime; deployment is the agency's primary modernization vehicle for its legacy-systems migration program.
BAA-covered, GDPR-aligned
Deployed in the customer's private-cloud account, pinned to an EU region. All processing occurs in the customer's perimeter; cross-border data transfer rules do not apply. Patient-data-adjacent source is segregated and processed under additional BAA-equivalent controls.
Modernization of patient-administration and billing platforms underway; deployment passed the customer's annual DPO review.
From security review to first scan.
Engagements that touch regulated environments begin with a joint architecture review: Ionate's deployment engineers walk through the reference architecture with the customer's CISO, audit, and operational-risk teams. The conversation is iterated until every control owner has signed off.
Typical timeline
Weeks 1–3: Architecture Review
- CISO, audit, ops-risk alignment
- Network and identity integration design
- BYOK / KMS topology agreed
Weeks 4–8: Deployment
- Cluster provisioning in customer perimeter
- Image promotion and signature verification
- End-to-end smoke validation
Week 9+: First Scan
- SOTERIA scan against pilot scope
- Risk report delivered air-gapped
- Modernization program kickoff
Ready to bring AI inside the perimeter?
We will walk your CISO and audit team through the reference architecture and tailor it to your network, identity, and KMS topology. No source code leaves your environment at any stage of the engagement, including the conversation.