Sovereign AI Deployment: FIPS 140-3, Air-Gapped FHE

Q: What does FIPS 140-3 require for AI key management?

FIPS 140-3 is the US federal standard for cryptographic modules. For AI key management, FIPS 140-3 requires that all cryptographic operations including key generation, storage, and use be performed inside a FIPS-validated cryptographic module (a hardware security module or a validated software module). Keys must never exist in plaintext outside the boundary of the validated module. For VectaX deployments, this means FPE keys and RBAC keys must be generated and stored inside a FIPS 140-3 validated HSM, not in application memory or environment variables.

Q: What compliance frameworks require sovereign or air-gapped AI deployment?

Several frameworks either require or strongly imply sovereign deployment for certain data types. FedRAMP IL4 and IL5 require that controlled unclassified information and national security systems be processed in environments meeting specific isolation requirements. ITAR restricts technical data related to defence articles to US persons and approved facilities. The EU AI Act and GDPR together can require that personal data used in high-risk AI systems be processed within EU jurisdiction. UK OFFICIAL-SENSITIVE guidance restricts cloud processing of sensitive government data. NATO STANAG requirements apply to allied defence systems.

Definitions

What sovereign AI means

Sovereignty in AI is not a single thing. It is a spectrum of control requirements, and different organisations land at different points on that spectrum depending on their data classification, regulatory environment, and operational context.

At one end is cloud deployment with contractual data residency: your data stays in an EU data centre but the inference service is operated by a US company subject to US law. This satisfies some residency requirements but not sovereignty ones. At the other end is fully air-gapped on-premises deployment: the model, the compute, the key management, and the data all live inside a physical boundary that has no external network connections. Nothing crosses a wire that you do not control.

Between those extremes sit sovereign cloud deployments (government-operated cloud infrastructure with your own compute), private cloud with encryption at inference (cloud compute but FHE ensures the provider cannot read the data), and on-premises with selective cloud connectivity (inference on-premises, model updates over a verified air gap).

What FHE adds to sovereign AI

In a standard on-premises deployment, you trust the hardware and the operating system not to leak data. If either is compromised, the plaintext data is exposed. FHE removes that dependency. The data is encrypted before it enters the inference pipeline. The model computes on ciphertext. Even a fully compromised inference server cannot read the data it is processing. Sovereignty with FHE does not require trusting the hardware to be uncompromised. It requires only that the cryptographic keys are secure.

Applicability

When sovereignty is required

Four conditions independently create a requirement for sovereign or air-gapped AI deployment.

Condition	Examples	Minimum deployment tier
Data classification prohibits external transmission	Classified government documents, ITAR-controlled defence technical data, intelligence community workloads	Full air-gap required
Regulatory data residency with sovereignty requirement	EU GDPR combined with national data localisation laws, UK OFFICIAL-SENSITIVE, Canadian Protected B	Sovereign cloud or on-premises
Operational requirement: disconnected environments	Naval vessels, forward operating bases, underground facilities, remote sites with no reliable connectivity	Full air-gap required
Supply chain risk requires hardware control	Critical national infrastructure operators, payment processing, healthcare data lakes	On-premises with FHE for inference isolation

Understanding which condition applies to your organisation determines the architecture. A hospital under GDPR in Germany needs a different deployment than an army unit operating in a disconnected forward base, even though both might say they need "sovereign AI."

What you are defending against

The air-gapped threat model

Air-gapped environments eliminate most network-based attack vectors but create a distinct set of threats that standard cloud deployments do not face.

Physical media exfiltration

An insider copies model outputs or training data to a USB drive. Air-gapped environments that require media for software updates are especially vulnerable during transfer windows.

Mitigation: FHE ensures copied data is ciphertext. Encrypted data on an exfiltrated drive is useless without the keys, which stay in the HSM.

Supply chain compromise

Malicious firmware or a backdoored driver in the inference hardware. The organisation cannot fully audit every component. A compromised GPU driver could theoretically exfiltrate data processed through it.

Mitigation: FHE. The GPU never processes plaintext. A backdoored driver operating on ciphertext has nothing useful to exfiltrate.

Covert channel via RF or acoustic

TEMPEST-class attacks that exfiltrate data via electromagnetic emissions or acoustic signals from hardware. Relevant to the highest classification environments.

Mitigation: Physical TEMPEST controls (shielded rooms, distance requirements). FHE reduces the value of any emission since plaintext never exists in processing hardware.

Insider key compromise

An authorised key custodian exports or copies RBAC keys or FPE keys. In an air-gapped environment the HSM is the only protection against this.

Mitigation: FIPS 140-3 validated HSM with dual-control/split-knowledge key ceremony. Keys never leave the HSM boundary. All key operations require multi-person authorisation.

Cryptographic standards

FIPS 140-3 for AI key management

FIPS 140-3 is the successor to FIPS 140-2 as the US federal standard for cryptographic module validation. For AI deployments in US government environments, FIPS 140-3 validated modules are required for any cryptographic operation on sensitive data. This is not optional: using a non-validated module is a finding in any FedRAMP or STIG assessment.

For a VectaX sovereign deployment, FIPS 140-3 applies to three operations: FPE key generation and storage, RBAC key generation and storage, and the key wrapping operations when keys are moved between systems during provisioning.

What FIPS 140-3 requires in practice

The standard has four security levels. Level 1 is software-only implementation. Level 2 requires evidence of tampering (tamper-evident seals). Level 3 requires tamper resistance and identity-based authentication. Level 4 is required only in the most extreme environments. For most government and regulated enterprise deployments, Level 2 or Level 3 HSMs are the requirement.

Key operation	FIPS 140-3 requirement	Practical implementation
FPE key generation	Key must be generated inside a validated module using approved algorithm (AES-FF1 or AES-FF3-1)	Run sdk.metadata.generate_key() on a system configured to use HSM for cryptographic operations
FPE key storage	Key must never exist in plaintext outside the validated module boundary	Store key handle in application; key bytes remain in HSM and are used via PKCS#11 interface
RBAC key generation	Same as FPE: generated in validated module, stored as handle	sdk.rbac.generate_user_secret_key() with HSM-backed crypto provider
Key distribution to users	Keys distributed to authorised users must be wrapped (encrypted) using a key-encryption key that stays in the HSM	Key ceremony with dual-control: two custodians required to unwrap any key for distribution
Key destruction	FIPS 140-3 specifies zeroisation procedures; key must be verifiably destroyed	HSM zeroisation command with audit log entry confirming destruction

The FIPS boundary is physical, not logical

A common misconception is that using a FIPS-validated algorithm in software satisfies FIPS 140-3. It does not. FIPS 140-3 validates the cryptographic module, not just the algorithm. Python's hashlib using SHA-256 is not FIPS 140-3 compliant even though SHA-256 is a FIPS-approved algorithm. You need a validated HSM or a FIPS-validated software module (for example, BoringCrypto in FIPS mode). Check the NIST CMVP list for currently validated modules.

Reference design

Reference architecture for sovereign VectaX deployment

This architecture applies to an on-premises deployment with no external network connectivity. All components live inside the physical security boundary.

Physical security boundary (the air gap)

Everything inside this boundary must be physically secured: badge access, CCTV, tamper-evident enclosures for servers. No wireless interfaces. Network ports physically blocked except for the internal isolated network.

Key management tier (FIPS 140-3 validated HSM)

Hardware Security Module (FIPS 140-3 Level 3 minimum for government, Level 2 for regulated enterprise)
Generates and stores all VectaX FPE keys and RBAC master keys
PKCS#11 interface used by VectaX for key operations
Dual-control access: two custodians required for any key management operation
Complete audit log of all key operations, tamper-evident
Network-isolated: accessible only from the inference tier via private network segment

Inference tier (VectaX FHE engine)

On-premises GPU or CPU servers running the inference workload
VectaX SDK installed from verified offline package (no pip install from internet)
Receives encrypted inputs from the data tier; never sees plaintext
Uses HSM-stored keys via PKCS#11 for FPE operations on metadata
Returns encrypted outputs to the application tier
No egress network capability: firewalled from all external connectivity

Application tier (AgentIQ local instance)

On-premises AgentIQ instance for policy evaluation (no cloud API call required)
Receives user queries, evaluates against deployed policies before routing to inference tier
Logs all policy decisions to the on-premises audit log store
User-facing interface (web UI, API, or agent endpoint)

Data tier (encrypted vector store)

On-premises vector database (ChromaDB, pgvector, or Qdrant in local mode)
Holds only VectaX-encrypted embeddings; no plaintext vectors stored
Encrypted at rest using hardware-accelerated AES-256 (FIPS-validated)
Access controlled by the inference tier only; application tier cannot query directly

Implementation

VectaX in offline environments

The VectaX SDK cryptographic operations are local. FHE, vector encryption, and FPE do not require network calls during encryption or decryption. The one component that normally requires network access is RBAC key management, which calls the Mirror Security API to generate and scope user keys.

For air-gapped deployments, RBAC keys are pre-generated inside the secure boundary during a provisioning ceremony and stored in the HSM. The SDK then uses those stored keys without making further API calls.

pythonsovereign_config.py

from mirror_sdk.core.mirror_core import MirrorSDK, MirrorConfig
from mirror_sdk.core.models import VectorData

# In a sovereign deployment, point the SDK to your on-premises Mirror instance
# This instance runs inside your physical boundary with no cloud dependency
config = MirrorConfig(
    api_key="your-on-premises-api-key",
    server_url="https://mirror-api.internal.yourorg.gov",  # on-prem URL
    telemetry_enabled=True,
    policy_eval_enabled=True,
    # Longer polling interval is fine in air-gapped environments
    # policy updates happen via the provisioning process, not dynamically
    polling_interval=3600
)
sdk = MirrorSDK(config)

# VectaX encryption operations are local
# This call makes no network request
embedding = [0.12, 0.45, 0.78]  # your actual embedding vector
vector = VectorData(vector=embedding, id="doc_classified_001")
encrypted = sdk.vectax.encrypt(vector)  # purely local crypto operation

# Decryption is also local
decrypted = sdk.vectax.decrypt(encrypted)  # no network call

print("VectaX FHE operations complete with no external network dependency")

Package installation in air-gapped environments

In a truly air-gapped environment, pip install cannot reach PyPI. Download the mirror-sdk and mirror_enc packages in advance on a connected machine, verify their hashes against the published checksums, transfer the verified packages across the air gap using your organisation's approved media transfer process, and install from the local copy. The same process applies to all dependencies.

Key lifecycle

Key management without cloud connectivity

Key provisioning in an air-gapped environment is a procedural process as much as a technical one. It happens during a controlled key ceremony and must be documented in detail.

pythonkey_ceremony.py

from mirror_sdk.core.mirror_core import MirrorSDK, MirrorConfig

# Key ceremony: run this on the HSM-connected provisioning workstation
# inside the physical security boundary
# Two authorised custodians must be physically present

config = MirrorConfig.from_env()
sdk = MirrorSDK(config)

# Step 1: Generate FPE key inside HSM
# The key material never leaves the HSM
# The SDK returns a handle (reference), not the key bytes
fpe_key_handle = sdk.metadata.generate_key()
print(f"FPE key generated. Handle: {fpe_key_handle[:8]}... (stored in HSM)")

# Step 2: Generate RBAC master policy
sovereign_policy = {
    "roles": ["analyst", "senior_analyst", "supervisor"],
    "groups": ["intelligence", "operations"],
    "departments": ["classified_division"]
}
sdk.set_policy(sovereign_policy)

# Step 3: Pre-generate RBAC keys for all authorised users
# Keys are generated now, stored in HSM, distributed to users via secure process
# No runtime API call is needed when users access the system

analyst_key = sdk.rbac.generate_user_secret_key({
    "roles": ["analyst"],
    "groups": ["intelligence"],
    "departments": ["classified_division"]
})

supervisor_key = sdk.rbac.generate_user_secret_key({
    "roles": ["analyst", "supervisor"],
    "groups": ["intelligence", "operations"],
    "departments": ["classified_division"]
})

# Step 4: Store keys in HSM under individual user key-encryption keys
# Each user's RBAC key is wrapped under their personal KEK in the HSM
# Users authenticate to the HSM to unwrap their key at session start

print("Key ceremony complete. All keys generated and stored in HSM.")
print("Ceremony must be documented and signed by both custodians.")

After the ceremony, the HSM holds all key material. The provisioning workstation retains only key handles, not key bytes. Key handles are configuration items, not secrets. The handles are deployed to the inference tier servers as part of normal configuration management.

Local policy enforcement

AgentIQ policy enforcement without cloud connectivity

In a standard deployment, the AgentIQ policy engine calls the Mirror Security API to evaluate policies. In a sovereign deployment, you run an on-premises AgentIQ instance that handles policy evaluation entirely within the physical boundary.

The on-premises instance receives your deployed policies during the provisioning process. Policy updates in a sovereign environment go through the same controlled change management process as any other software update: verified, approved, tested in a parallel environment, then deployed via the approved media transfer process.

pythonsovereign_agent.py

from mirror_sdk.ops.mirror_decorators import policy_monitor
from mirror_sdk.core.mirror_core import MirrorConfig

# All requests go to the on-premises AgentIQ instance
# No call ever reaches the internet
config = MirrorConfig(
    api_key="on-premises-key",
    server_url="https://agentiq.internal.yourorg.gov",
    telemetry_enabled=True,
    policy_eval_enabled=True
)

@policy_monitor(name="sovereign_agent_policy", mirror_config=config)
async def classified_query_handler(user_query: str) -> str:
    """
    Handles queries against classified document corpus.
    Policy evaluation runs on the on-premises AgentIQ instance.
    Retrieval runs against the on-premises encrypted vector store.
    Inference runs on local GPU with VectaX FHE.
    No component of this function reaches an external network.
    """
    # Your sovereign inference logic here
    # All components are on-premises
    return "[sovereign inference result]"

Real-world tradeoffs

Operational considerations

Sovereign AI deployments involve tradeoffs that cloud deployments do not. Understanding them before you commit to the architecture prevents expensive surprises.

Consideration	Cloud deployment	Sovereign deployment
Model updates	Transparent; provider manages model versioning	Manual process: verify, approve, transfer across air gap, test, deploy. Add 2 to 4 weeks to any model update.
Inference latency	Low; optimised cloud hardware	Higher; depends on your on-premises GPU capacity. FHE adds latency versus plaintext inference (factor of 2 to 10 depending on operation).
Software updates	Automatic or opt-in	All updates must go through the air gap process. A critical security patch for mirror-sdk requires the same approval cycle as any other update.
Key rotation	API call; can be automated	Requires physical access to HSM and two custodians. Plan rotation events as scheduled operations with 48 hours notice minimum.
Capacity scaling	Elastic; add compute in minutes	Physical procurement; add compute in weeks to months. Plan capacity for peak load at build time.
Failure recovery	Provider manages redundancy	You manage redundancy. HSM failure without a backup HSM means key loss. Always deploy HSM pairs.

The HSM backup problem

In a sovereign deployment, losing the HSM without a backup means losing all key material. All data encrypted under those keys becomes permanently unreadable. Always deploy HSMs in pairs with synchronised key material. The backup HSM must be stored in a separate physical location under the same physical security controls as the primary, not in the same rack. Test HSM failover before you need it.

Regulatory mapping

Compliance mapping for sovereign AI

Framework	Relevant requirement	How this architecture addresses it
FedRAMP IL4 / IL5	Controlled Unclassified Information and national security systems require GovCloud or on-premises deployment with specific isolation controls	Addressed Air-gapped on-premises with FIPS 140-3 HSM meets IL4/IL5 isolation requirements. FHE provides additional assurance beyond standard IL5 controls.
ITAR	Technical data related to defence articles must remain with US persons and facilities; cannot be processed by foreign-controlled cloud infrastructure	Addressed Air-gapped on-premises in ITAR-registered facility. FHE means foreign-manufactured hardware components cannot read ITAR data.
GDPR Article 44-46 (data transfers)	Personal data cannot be transferred to third countries without adequate protection; cloud inference often constitutes a transfer	Addressed On-premises within EU jurisdiction with no data egress. Sovereignty model eliminates the transfer question entirely.
UK OFFICIAL-SENSITIVE	Sensitive government data must be processed in environments meeting specific security controls; commercial public cloud requires additional controls	Addressed On-premises deployment in UK-controlled facility satisfies the baseline. FIPS 140-3 HSM supports CESG key management requirements.
EU AI Act Article 9 (risk management)	High-risk AI systems must have risk management systems including security controls	Partial FHE and AgentIQ policies address technical controls. Risk management documentation and human oversight requirements are procedural.
NIST AI RMF (Govern, Map, Measure)	AI risk governance including security of the AI pipeline	Addressed FHE provides the Govern and Map controls for data security. AgentIQ telemetry provides Measure evidence.

Common questions

FAQ

What is sovereign AI and when does it apply?

Sovereign AI refers to AI deployments where the organisation retains full control over data, models, and compute without any dependency on external cloud providers or networks. It applies when data classification prohibits transmission to external systems, regulatory requirements mandate data residency within a specific jurisdiction or physical boundary, supply chain risk requires that inference hardware and software be within the organisation's control, or operational requirements demand functionality in disconnected environments.

What does FIPS 140-3 require for AI key management?

FIPS 140-3 requires that all cryptographic operations including key generation, storage, and use be performed inside a FIPS-validated cryptographic module. Keys must never exist in plaintext outside the boundary of the validated module. For VectaX deployments, this means FPE keys and RBAC keys must be generated and stored inside a FIPS 140-3 validated HSM, not in application memory or environment variables.

Can VectaX FHE run in a fully air-gapped environment with no internet access?

Yes. The VectaX SDK uses local cryptographic operations for FHE, vector encryption, and FPE. The encryption itself does not require network connectivity. What normally requires network access is the Mirror Security API for RBAC key generation and policy evaluation. In an air-gapped deployment, RBAC keys are pre-generated inside the secure boundary and stored in the on-premises HSM, and an on-premises AgentIQ instance handles policy evaluation.

What is the difference between data residency and data sovereignty?

Data residency is a requirement that data be stored and processed within a specific geographic location. Data sovereignty is broader: it requires that the data be subject to the laws and governance of that jurisdiction, and that foreign governments or entities cannot compel access to it. For AI systems, sovereignty additionally means that the AI model, the inference compute, and the key management are all within the sovereign boundary. Storing data in an EU data centre while using a US cloud provider's AI API does not satisfy sovereignty even if it satisfies residency.

What compliance frameworks require sovereign or air-gapped AI deployment?

FedRAMP IL4 and IL5 require that controlled unclassified information and national security systems be processed in environments meeting specific isolation requirements. ITAR restricts technical data related to defence articles to US persons and approved facilities. The EU AI Act and GDPR together can require that personal data used in high-risk AI systems be processed within EU jurisdiction. UK OFFICIAL-SENSITIVE guidance restricts cloud processing of sensitive government data. NATO STANAG requirements apply to allied defence systems.

How does FHE help with the supply chain risk in sovereign AI?

Supply chain risk in AI arises when the organisation cannot fully verify the security of every component that handles sensitive data. A compromised embedding model, GPU driver, or inference framework could exfiltrate data even if the network boundary is intact. FHE addresses this by ensuring that sensitive data never exists in plaintext inside the processing components. Even if the inference hardware is compromised, it cannot read the data it is processing. The cryptographic guarantee is not conditional on trusting the supply chain.

Enterprise Agentic AI track complete

You have built a production agent policy chain with AgentIQ and designed the architecture for sovereign AI deployment with air-gapped FHE. These are the most demanding configurations Mirror Security supports. Contact the team to discuss your specific deployment requirements.

Talk to Mirror Security → ← Back to H1