
Whitepaper  ·  June 2026

Air-Gapped AI.

Running code intelligence with $0 data egress: a reference architecture for banking, government, and healthcare modernization.

Prepared by Ionate, Inc. · IONATE CRYPTOID · Public — June 2026
01 — Executive Summary

The most regulated enterprises need AI most — and can buy it the least.

Banks, government agencies, and large healthcare providers carry the legacy estates that AI-driven modernization could transform most dramatically. They are also the enterprises whose regulators, security teams, and risk committees have the highest standards for what data may leave the enterprise perimeter and what AI systems may operate on it. The result is a structural exclusion: the institutions that need AI modernization most cannot adopt the AI tools the market is selling.

This whitepaper describes the reference architecture Ionate has deployed across regulated enterprises that resolves the exclusion. The architecture has three defining properties: zero source-code egress, zero data retention, and zero training contribution. The same architecture is used at SOC 2 Type II audited tier-1 banks, FedRAMP-aligned federal agencies, and HIPAA-regulated healthcare providers.

"The question is not whether your AI vendor takes security seriously. The question is whether your AI vendor's architecture makes a security failure technically impossible. Those are different claims."

$0 of customer data used for training
0 KB of source-code egress
SOC 2 Type II audited
100% in-perimeter execution
BYOK: customer-held keys
02 — The Sovereign-AI Imperative

Three constraints, simultaneously. One architecture, by design.

Regulated enterprises operate under three constraints when adopting any AI-adjacent technology. The constraints are well-understood individually; what is less understood is that meeting them simultaneously requires architectural choices that very few vendors are willing to make.

Constraint 1: Source code is regulated data

For banks, source code that implements business logic is implicitly regulated. For government agencies, source code is often subject to ITAR or sovereign-data rules. For healthcare, source code that touches PHI is itself a HIPAA-covered artifact. Every vendor that processes source code outside the customer's perimeter inherits these regulatory obligations. Most vendors are not prepared to carry them.

Constraint 2: Vendor data hoarding is unacceptable

Major generative-AI vendors in 2026 retain some portion of input data for service improvement, model retraining, or compliance debugging. Customers can usually opt out of training; an opt-out from operational logging is offered far less often. For regulated enterprises, "retained for 90 days for service improvement" is not a different posture from "retained indefinitely". Both fail audit.

Constraint 3: Model behavior must be reproducible

Regulators expect AI outputs that affect business decisions to be reproducible and auditable. A model that returns different outputs on identical inputs, whether because of silent retraining, A/B routing, or unseeded stochastic sampling, is not auditable in any practical sense. The architecture must guarantee deterministic, replayable behavior.

Meeting all three constraints with a vendor whose primary infrastructure is shared, multi-tenant, and centrally hosted requires architectural compromises the vendor is unwilling to make. Ionate's reference architecture is the answer to the constraints, by construction.

03 — Why Regulators Stopped Waiting

2024–2026: the regulatory step change.

For most of the LLM era, financial-sector and public-sector regulators issued cautious guidance. That posture has shifted. The EU AI Act has entered into force on a phased schedule, with penalties of up to 7% of worldwide annual turnover or €35M, whichever is higher, for prohibited-AI violations under Article 5, and up to 3% or €15M for breaches of the obligations on providers and deployers of high-risk systems. In the United States, successive federal AI executive orders and OMB memoranda have set mandatory evaluation and procurement criteria for federal AI use, with those criteria propagating quickly to financial supervisors by reference. Major central banks are issuing AI-specific extensions to their operational-risk frameworks, now progressively entering examination cycles globally.

The combined effect is that AI adoption in regulated industries is now a documented, auditable activity. The vendor-selection question that mattered most in 2023 — does the model work? — has been joined by an equally weighty question in 2026: can the deployment architecture pass our examiners?

The question your CISO asked in 2023 was "is this safe enough?" The question your examiner is going to ask in 2026 is "can you evidence that?" Different question. Different bar. Different vendor shortlist.

04 — The Reference Architecture

Four properties that hold together as one architecture.

The Ionate reference architecture deploys the full modernization platform (SOTERIA + APPDATE + KÍRKĒ + CRYPTOID) into an isolated execution environment inside the customer's perimeter. The deployment is parameterized for the customer's network topology, key management, and identity stack.

Layer 01

In-Perimeter Compute

All inference and orchestration runs on customer-owned hardware or customer-controlled cloud accounts.

Layer 02

BYOK Encryption

Customer holds the keys for every persistent store. Vendor cannot read its own deployment.

Layer 03

No Outbound

Egress is blocked at the network layer. Telemetry to vendor — when desired — is opt-in and content-redacted.

Layer 04

Deterministic Inference

Pinned model versions, seeded sampling, reproducible outputs for audit replay.

Compute residency

The platform runs in a Kubernetes cluster the customer provisions. The cluster is in the customer's network (on-prem, private cloud account, or government-cloud enclave). Ionate provides the container images and the orchestration manifests; the customer operates the cluster. Ionate's only network access during operations is through a customer-controlled, audited channel for upgrade deliveries and authorized support sessions.
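The "no outbound" property is enforced and evidenced in the cluster's NetworkPolicy objects. As an added example, not code from Ionate or the platform, the following Python lint checks a set of parsed NetworkPolicy manifests for that posture: every platform namespace carries a default-deny egress policy, and every egress rule in the namespace points only at in-cluster peers or at an allowlisted in-perimeter CIDR (the subnet hosting the customer's KMS, for instance). The namespace names, policy names, CIDRs and the allowlist are hypothetical.

```python
"""Lint Kubernetes NetworkPolicy manifests for a no-outbound egress posture.

Added example (not Ionate code). Input is the dict form of manifests, as
yaml.safe_load would return them. Namespaces, policy names and CIDRs below
are hypothetical and constructed for the demonstration.
"""
import ipaddress

# Hypothetical in-perimeter destinations an egress rule may name by ipBlock:
# the customer network range that hosts the KMS/HSM endpoint.
ALLOWED_CIDRS = ["10.0.0.0/8"]


def is_default_deny_egress(policy: dict) -> bool:
    """True if the policy selects every pod in its namespace and governs egress.

    podSelector: {} selects all pods; once such a policy lists Egress in
    policyTypes, any destination not named in its egress rules is dropped.
    """
    spec = policy.get("spec", {})
    return spec.get("podSelector") == {} and "Egress" in spec.get("policyTypes", [])


def _within_allowlist(cidr: str, allowed: list) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    for a in allowed:
        allowed_net = ipaddress.ip_network(a, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def egress_violations(policy: dict, allowed: list) -> list:
    """Findings for rules that would widen egress beyond the perimeter.

    NetworkPolicies are additive: one permissive rule anywhere in the
    namespace re-opens egress for the pods it selects, so every policy is
    checked, not only the default-deny one.
    """
    spec = policy.get("spec", {})
    if "Egress" not in spec.get("policyTypes", []):
        return []  # an ingress-only policy cannot widen egress
    findings = []
    for i, rule in enumerate(spec.get("egress", [])):
        peers = rule.get("to")
        if not peers:
            findings.append(f"rule {i}: no 'to' selector, allows egress to any destination")
            continue
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue  # namespaceSelector / podSelector peers stay in-cluster
            # An 'except' list does not rescue a wide CIDR: 0.0.0.0/0 minus
            # the private range still reaches the internet.
            if not _within_allowlist(block["cidr"], allowed):
                findings.append(f"rule {i}: ipBlock {block['cidr']} is outside the in-perimeter allowlist")
    return findings


def audit_namespace(namespace: str, policies: list, allowed: list = ALLOWED_CIDRS) -> list:
    """Return all findings for one namespace; an empty list means compliant."""
    ns_policies = [p for p in policies if p["metadata"].get("namespace") == namespace]
    findings = []
    if not any(is_default_deny_egress(p) for p in ns_policies):
        findings.append("no default-deny egress policy (podSelector {} with policyTypes Egress)")
    for p in ns_policies:
        for v in egress_violations(p, allowed):
            findings.append(f"{p['metadata']['name']}: {v}")
    return findings


# Constructed sample manifests (hypothetical).
SAMPLE_POLICIES = [
    {   # compliant: all pods, egress only to cluster DNS and the KMS subnet
        "metadata": {"name": "default-deny-egress", "namespace": "ionate-platform"},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress", "Egress"],
            "egress": [
                {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                 "ports": [{"protocol": "UDP", "port": 53}]},
                {"to": [{"ipBlock": {"cidr": "10.20.0.0/24"}}],
                 "ports": [{"protocol": "TCP", "port": 443}]},
            ],
        },
    },
    {   # non-compliant: selects one app and opens egress to everything
        "metadata": {"name": "allow-all-egress", "namespace": "ionate-dev"},
        "spec": {"podSelector": {"matchLabels": {"app": "orchestrator"}},
                 "policyTypes": ["Egress"], "egress": [{}]},
    },
    {   # non-compliant: 'except' does not make 0.0.0.0/0 in-perimeter
        "metadata": {"name": "allow-internet", "namespace": "ionate-dev"},
        "spec": {"podSelector": {"matchLabels": {"app": "cache"}},
                 "policyTypes": ["Egress"],
                 "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}]},
    },
]

if __name__ == "__main__":
    for ns in ("ionate-platform", "ionate-dev"):
        print(ns, audit_namespace(ns, SAMPLE_POLICIES) or ["compliant"])
```

Run this in CI against the rendered manifests before promotion; a non-empty finding list for any platform namespace is the evidence artifact an examiner would expect to see blocking the deploy. Note that the lint only reasons about NetworkPolicy objects; a CNI that does not enforce egress policy, or a node-level route to the internet, must be closed separately.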

Key management

Every persistent store (model weights, generated artifacts, intermediate cache, lead-capture data) is encrypted with customer-held keys. Ionate cannot decrypt its own deployment. Key rotation is operated from the customer's HSM or KMS of choice (AWS CloudHSM, Azure Key Vault, AWS KMS, Google Cloud KMS, or on-prem Thales or Entrust HSMs).

Telemetry and support

By default, the deployment emits zero telemetry to Ionate. When customers opt in to remote support, telemetry is content-redacted: error codes and metrics flow; source content does not. The customer's audit team has signature-level visibility into every byte that crosses the perimeter.
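What "content-redacted" has to mean in practice is an allowlist, not a denylist: only enumerated error codes and numeric metrics are projected into the outbound event, and every other field is dropped by construction. The following Python is an added example, not Ionate code, of such a filter together with the signed ledger entry that gives the audit team a record of the exact bytes that left the perimeter. The error-code catalogue, field names, sample event and HMAC key are hypothetical.

```python
"""Content-redacted, signed support telemetry.

Added example (not Ionate code). Models the opt-in support channel
described above: only enumerated error codes and numeric metrics may leave
the perimeter; every free-text field (messages, paths, snippets) is dropped
by construction; the exact bytes that leave are HMAC-signed with a key the
customer's audit team holds, so the outbound ledger can be matched against
what the vendor received. Error codes, field names and the key are hypothetical.
"""
import hashlib
import hmac
import json

# Hypothetical catalogue of codes the vendor is allowed to see.
ALLOWED_ERROR_CODES = {"E_MODEL_LOAD", "E_OOM", "E_TIMEOUT"}
UNCLASSIFIED = "E_UNCLASSIFIED"


def redact_event(event: dict) -> dict:
    """Allowlist projection: copy out only fields that cannot carry content.

    Anything not explicitly projected (message, snippet, path, component
    string, unknown keys) never reaches the output dict, so a new field
    added upstream fails closed rather than leaking.
    """
    out = {}
    if "error_code" in event:
        code = event["error_code"]
        out["error_code"] = code if code in ALLOWED_ERROR_CODES else UNCLASSIFIED
    metrics = {}
    for name, value in event.get("metrics", {}).items():
        # bool is a subclass of int; flags could encode a bit of content, so drop them
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            metrics[name] = value
    out["metrics"] = metrics
    return out


def is_content_free(redacted: dict) -> bool:
    """Independent pre-emission check: every string leaf is a known code."""
    def walk(v):
        if isinstance(v, dict):
            return all(walk(x) for x in v.values())
        if isinstance(v, str):
            return v in ALLOWED_ERROR_CODES or v == UNCLASSIFIED
        return isinstance(v, (int, float))
    return walk(redacted)


def sign_payload(redacted: dict, key: bytes) -> tuple:
    """Canonical JSON bytes plus HMAC-SHA256 over exactly those bytes."""
    body = json.dumps(redacted, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_payload(body: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def export_event(event: dict, key: bytes) -> dict:
    """Redact, check, sign; return the ledger entry the audit team keeps."""
    redacted = redact_event(event)
    if not is_content_free(redacted):
        raise ValueError("refusing to emit: non-allowlisted content in redacted event")
    body, tag = sign_payload(redacted, key)
    return {"body": body, "sha256": hashlib.sha256(body).hexdigest(), "hmac": tag}


# Constructed raw event (hypothetical), as the platform would log it in-perimeter.
RAW_EVENT = {
    "component": "kirke-orchestrator",
    "error_code": "E_TIMEOUT",
    "message": "timeout while parsing /repo/payments/Settle.cbl line 4120",
    "snippet": "MOVE WS-ACCT-BAL TO OUT-REC.",
    "metrics": {"latency_ms": 30012, "tokens_in": 8192, "queue_depth": 3, "debug": True},
}
AUDIT_KEY = b"customer-held-audit-key-hypothetical"

if __name__ == "__main__":
    entry = export_event(RAW_EVENT, AUDIT_KEY)
    print(entry["body"].decode(), entry["hmac"])
```

The two-stage design (project, then independently verify the projection) is deliberate: the allowlist is the control, and `is_content_free` is the check that catches a future change to the allowlist that starts passing strings through. Numeric metrics are still a covert channel in principle; a deployment that cares about that caps their precision or buckets them before emission.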

Deterministic execution

Models are pinned to specific versions and sampling is seeded, so identical input produces identical output. Seeding alone is not sufficient on GPU inference, where floating-point reductions can vary with batch shape and kernel version, so the serving runtime and batch composition must be pinned alongside the model version. With those pinned, the execution is reproducible by the customer's audit replay infrastructure without vendor cooperation.
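The artifact that makes audit replay possible is a manifest that pins everything the output depends on and records digests of the exact input and output. As an added example, not Ionate code, the following Python builds such a manifest around a toy seeded sampler that stands in for pinned-model inference and then verifies a recorded run by re-executing it; the vocabulary, prompt, weights identity and runtime identity are hypothetical.

```python
"""Audit-replay manifest for deterministic inference.

Added example (not Ionate code). Shows what a replay artifact must pin
for the customer to reproduce an output without vendor cooperation:
the weights identity, the runtime identity, the seed and sampler settings,
and hashes of the exact input and output. A toy seeded sampler stands in
for the model; vocabulary, prompt and identities are hypothetical.
"""
import hashlib
import json
import random

# Hypothetical toy vocabulary for the stand-in sampler.
VOCAB = ["MOVE", "ADD", "PERFORM", "IF", "END-IF", "TO", "WS-TOTAL", "."]


def sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def _scores(weights_sha256: str, context: str) -> list:
    """Deterministic stand-in for a forward pass: token scores derived
    from the pinned weights identity and the full context."""
    digest = hashlib.sha256((weights_sha256 + "\x00" + context).encode()).digest()
    return [digest[i] + 1 for i in range(len(VOCAB))]


def generate(weights_sha256: str, prompt: str, seed: int, max_tokens: int = 8) -> str:
    """Seeded sampling: the same (weights, prompt, seed, max_tokens) always yields the same text."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(max_tokens):
        context = prompt + " " + " ".join(tokens)
        tok = rng.choices(VOCAB, weights=_scores(weights_sha256, context), k=1)[0]
        tokens.append(tok)
        if tok == ".":
            break
    return " ".join(tokens)


def make_manifest(weights_sha256: str, runtime: str, prompt: str, seed: int,
                  max_tokens: int, output: str) -> dict:
    """Everything the replay needs, plus digests of the exact input and output.

    The runtime field is where a real deployment pins the serving build and
    kernel versions; for this toy sampler it is recorded but not consulted.
    """
    return {
        "model_weights_sha256": weights_sha256,
        "runtime": runtime,
        "sampler": {"seed": seed, "max_tokens": max_tokens},
        "input_sha256": sha256(prompt),
        "output_sha256": sha256(output),
    }


def replay(manifest: dict, prompt: str) -> bool:
    """Re-run under the pinned parameters and compare digests; no vendor involvement."""
    if sha256(prompt) != manifest["input_sha256"]:
        return False  # the auditor is not replaying the input that was recorded
    s = manifest["sampler"]
    out = generate(manifest["model_weights_sha256"], prompt, s["seed"], s["max_tokens"])
    return sha256(out) == manifest["output_sha256"]


# Constructed demonstration inputs (hypothetical identities).
WEIGHTS_ID = sha256("kirke-legacy-cobol-v3.2.1-weights")
RUNTIME_ID = "inference-runtime 1.8.0 / cuda-kernels 12.4 (hypothetical)"
PROMPT = "Translate: COMPUTE WS-TOTAL = WS-A + WS-B."


def record_run(seed: int = 7) -> dict:
    """Produce one output under pinned parameters and return its manifest."""
    out = generate(WEIGHTS_ID, PROMPT, seed)
    return make_manifest(WEIGHTS_ID, RUNTIME_ID, PROMPT, seed, 8, out)


if __name__ == "__main__":
    m = record_run()
    print(json.dumps(m, indent=2))
    print("replay ok:", replay(m, PROMPT))
```

The manifest stores digests rather than the prompt and completion themselves, so it can sit in an audit ledger outside the data-classification boundary of the source it describes; the auditor supplies the original input from the in-perimeter store at replay time, and a mismatch on either digest fails the replay.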

05 — Controls and Evidence

What an examiner will see.

The architecture is engineered for the examination conversation, not just the procurement conversation. Each layer maps to control families that financial-sector, federal, and healthcare examiners already understand.

Control family        | Architectural mapping               | Evidence artifact
Data residency        | In-perimeter compute                | Customer-owned cluster manifests
Encryption at rest    | BYOK on all persistent stores       | Customer KMS audit log
Encryption in transit | Mutual TLS between all components   | Cluster cert chain, network policy
Vendor access         | Just-in-time, customer-authorized   | Privileged-access management log
Output reproducibility| Pinned models, seeded sampling      | Audit-replay test artifacts
Training contribution | None (architecturally precluded)    | Contractual + network-layer attestation
Right to be forgotten | Customer-owned data; vendor-blind   | Customer-managed deletion

SOC 2 Type II

Ionate maintains continuous SOC 2 Type II compliance covering the engineering practices that produce the platform images. Customers running the platform in their own perimeter rely on that upstream report for the build pipeline and combine it with their own deployment controls for everything that runs inside the cluster.

FedRAMP

The reference architecture is configurable for FedRAMP Moderate and High baselines. The configurations are documented and have been validated alongside federal agency security teams.

HIPAA

For healthcare deployments, Ionate executes a Business Associate Agreement. Because the architecture is air-gapped, the BAA scope is structurally narrow: Ionate's HIPAA obligations apply only to the artifacts the customer chooses to surface in vendor-visible support channels.

06 — How This Compares

The architectural delta against the market.

Capability                           | SaaS LLM vendors | Enterprise AI suites | DIY open models | Ionate reference arch
Source code never leaves perimeter   | No               | Partial              | Yes             | Yes
No retention for service improvement | No               | Opt-in               | N/A             | Yes
BYOK on persistent stores            | No               | Some                 | Yes             | Yes
Deterministic, replayable outputs    | No               | No                   | Possible        | Yes
Domain-tuned for legacy code         | No               | Variable             | No              | Yes
Operational support model            | 24×7             | 24×7                 | DIY             | 24×7

The combination — domain depth plus regulatory architecture plus full operational support — is what gives the reference architecture its distinct posture. SaaS vendors deliver convenience but not residency. Open models deliver residency but not domain depth or support. Ionate delivers all three.

07 — Deployments in the Field

What this actually looks like.

Customer identities below are withheld under engagement confidentiality. Engagement profiles are accurate; specific institutional names are available under NDA on request.

Global Tier-1 Bank · APAC

On-prem deployment, central-bank-aligned

In-perimeter · BYOK

Deployed across three on-prem data centers. The customer's KMS holds all keys. Vendor support access is gated through the customer's PAM solution with full session recording. The regulator's pre-deployment review concluded that the architecture met the supervisor's operational AI guidance without exception.

Modernization of 4.7M lines of core payments code in progress; first wave in production with zero parity defects after 9 months.

Federal Agency · North America

FedRAMP-aligned government cloud enclave

FedRAMP · Deterministic

Deployed inside the agency's government-cloud enclave with FedRAMP-High-aligned controls. All outputs are reproducible by the agency's audit replay infrastructure. Model versions are pinned and rotated only through documented change-management.

Authorization-to-Operate granted within the agency's accreditation regime; deployment is the agency's primary modernization vehicle for its legacy-systems migration program.

Major Healthcare System · Europe

BAA-covered, GDPR-aligned

GDPR · HIPAA-equivalent

Deployed in customer's private-cloud account, EU-region-pinned. All processing occurs in the customer's perimeter; cross-border data transfer rules do not apply. Patient-data-adjacent source is segregated and processed under additional BAA-equivalent controls.

Modernization of patient-administration and billing platforms underway; deployment passed the customer's annual DPO review.

08 — Getting Started

From security review to first scan.

Engagements that touch regulated environments begin with a joint architecture review: Ionate's deployment engineers walk through the reference architecture with the customer's CISO, audit, and operational-risk teams. The conversation is iterated until every control owner has signed off.

Typical timeline

Weeks 1–3

Architecture Review

  • CISO, audit, ops-risk alignment
  • Network and identity integration design
  • BYOK / KMS topology agreed

Weeks 4–8

Deployment

  • Cluster provisioning in customer perimeter
  • Image promotion and signature verification
  • End-to-end smoke validation

Week 9+

First Scan

  • SOTERIA scan against pilot scope
  • Risk report delivered air-gapped
  • Modernization program kickoff

Ready to bring AI inside the perimeter?

We will walk your CISO and audit team through the reference architecture and tailor it to your network, identity, and KMS topology. No source code leaves your environment at any stage of the engagement, including the conversation.