In August 2024, the Department of Defense’s Chief Digital and Artificial Intelligence Office (CDAO) published its updated data strategy, setting a target of deploying AI capabilities across all combatant commands by 2027. The same month, the Pentagon’s Inspector General released a report finding that 67% of DoD AI projects faced delays due to data classification challenges – the inability to move classified data into environments where AI models can process it. These two facts define the central paradox of defense AI: the institution that most needs AI capability is the institution least able to use it.
The constraint is not technological. The constraint is architectural. Classified information – from Confidential through Top Secret/Sensitive Compartmented Information (TS/SCI) – is governed by a regulatory framework that predates not just AI but the internet itself. Executive Order 13526, which governs national security information classification, was issued in 2009. The foundational classification management directives trace back to the Eisenhower administration. These frameworks mandate physical and logical separation of classified data from unclassified networks – air-gap requirements fundamentally incompatible with the cloud-native, API-driven, data-hungry architecture of modern AI systems.
The defense sector is not asking whether AI is useful. It is asking whether AI is possible within the constraints that classified data imposes. The answer is yes – but only with infrastructure that most AI companies have never built and cannot easily replicate.
The Classification Hierarchy and Cloud Impact Levels
The DoD classifies data across multiple levels, each with distinct handling requirements:
Controlled Unclassified Information (CUI): Sensitive but unclassified data requiring safeguarding. This includes For Official Use Only (FOUO) data, export-controlled information, and law enforcement sensitive data. CUI can be processed in commercial cloud environments that meet FedRAMP Moderate baseline controls.
Impact Level 4 (IL4): CUI and non-CUI data in DoD cloud environments. Processed in FedRAMP High authorized clouds with additional DoD-specific controls. AWS GovCloud, Azure Government, Google Cloud for Government, and Oracle Cloud for Government all hold IL4 authorization.
Impact Level 5 (IL5): CUI and mission data with higher sensitivity, including National Security Systems data. Requires dedicated infrastructure with U.S.-based data centers, U.S. person staffing requirements, and enhanced access controls. Fewer cloud providers hold IL5 authorization – AWS GovCloud, Azure Government, and Google Cloud’s IL5 environment are the primary options.
Impact Level 6 (IL6): Classified data up to Secret. This is where the architectural challenge becomes severe. IL6 requires classified cloud infrastructure physically separated from commercial environments, operated in accredited facilities, with staff holding active Secret clearances. Only AWS Secret Region, Azure Government Secret, and a limited number of specialized providers operate at IL6.
Air-Gapped/TS/SCI: Top Secret and Sensitive Compartmented Information require air-gapped environments with no connection to the internet or any unclassified network. AWS operates a Top Secret region (C2S) under a CIA contract. Microsoft Azure operates a TS-level environment. These are physically isolated data centers accessible only through classified networks (JWICS for TS/SCI; SIPRNet for Secret).
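The hierarchy reads as a policy lattice: data at a given level can only be processed in an environment authorized at that level or above, with extra conditions stacking as sensitivity rises. A minimal sketch of that logic (the level names follow the text, but the fields and thresholds are simplified illustrations, not the DISA SRG's actual control set):

```python
from dataclasses import dataclass
from enum import IntEnum

# Illustrative encoding of the impact levels described above. Rules are
# deliberately coarse; the authoritative source is the DISA Cloud
# Computing Security Requirements Guide.
class ImpactLevel(IntEnum):
    IL2 = 2     # public / non-CUI
    IL4 = 4     # CUI
    IL5 = 5     # higher-sensitivity CUI / NSS
    IL6 = 6     # classified up to Secret
    TS_SCI = 7  # air-gapped Top Secret / SCI

@dataclass(frozen=True)
class Deployment:
    """A candidate AI hosting environment (hypothetical fields)."""
    max_authorized_level: ImpactLevel
    us_persons_only: bool
    air_gapped: bool

def can_host(data_level: ImpactLevel, env: Deployment) -> bool:
    """Apply the coarse rules sketched in the text: the environment's
    authorization must meet or exceed the data level, IL5+ adds U.S.
    person staffing, and TS/SCI requires an air gap."""
    if env.max_authorized_level < data_level:
        return False
    if data_level >= ImpactLevel.IL5 and not env.us_persons_only:
        return False
    if data_level >= ImpactLevel.TS_SCI and not env.air_gapped:
        return False
    return True

# A FedRAMP High / IL5 government cloud region can host CUI but not Secret:
gov_cloud = Deployment(ImpactLevel.IL5, us_persons_only=True, air_gapped=False)
print(can_host(ImpactLevel.IL4, gov_cloud))  # True
print(can_host(ImpactLevel.IL6, gov_cloud))  # False
```

The monotonic structure is the point: every step up the lattice strictly shrinks the set of environments that qualify, which is why so few providers survive to IL6 and above.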
The implication for AI is direct: the most capable AI models – GPT-4, Claude, Gemini – are developed on commercial infrastructure, trained on internet-scale data, and served through API endpoints on the public internet. None of these models can be deployed in their standard configuration at IL6 or above. Using them requires either redeploying the models within classified infrastructure (which requires the AI company to obtain the necessary facility and personnel clearances) or training alternative models from scratch within the classified environment.
FedRAMP and the Authorization Bottleneck
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized security assessment framework for cloud services used by federal agencies. FedRAMP High – the baseline required for sensitive federal workloads – mandates 421 security controls derived from NIST SP 800-53.
For AI services, FedRAMP authorization is the entry ticket to government use. Without it, a cloud AI service cannot process federal data. The problem is that FedRAMP authorization takes an average of 12-18 months to obtain, costs between $1 million and $5 million in assessment and remediation expenses, and requires ongoing continuous monitoring and annual reassessment.
As of early 2026, the FedRAMP marketplace lists over 370 authorized cloud services. But the number of FedRAMP-authorized AI services specifically designed for generative AI workloads remains small. Microsoft’s Azure OpenAI Service (FedRAMP High, IL5) is the most widely used. Google’s Vertex AI has FedRAMP High authorization. Amazon Bedrock is FedRAMP High authorized through AWS GovCloud. Anthropic’s Claude is available through AWS Bedrock in GovCloud. Palantir’s AIP platform, which integrates LLM capabilities, holds FedRAMP High authorization.
The gap between FedRAMP High (sufficient for IL4/IL5) and classified authorization (required for IL6+) is where most defense AI projects stall. A model that works brilliantly on CUI data in an IL5 environment cannot be used with classified data unless the entire stack – model weights, inference infrastructure, API layer, monitoring systems – is replicated within a classified enclave. This replication is expensive, slow, and creates version drift between the classified and unclassified deployments.
ITAR and Export Control Constraints
The International Traffic in Arms Regulations (ITAR) add another layer of complexity. ITAR restricts the export of defense-related articles and services to foreign persons, including foreign nationals working within the United States. For AI systems processing ITAR-controlled data:
- All personnel with access to the data and systems must be U.S. persons (citizens or permanent residents)
- Data must be stored and processed within the United States
- Cloud infrastructure must be physically located within U.S. borders with no data replication to foreign regions
- The AI vendor must have a facility clearance (FCL) if the data is also classified
The intersection of ITAR and AI creates specific problems for multinational AI companies. OpenAI, Anthropic, Google, and Microsoft all employ foreign nationals in technical roles. Ensuring that ITAR-controlled data is handled exclusively by U.S. persons requires organizational and technical segmentation that most commercial AI companies have not implemented.
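That segmentation can be made concrete: an ITAR-aware system has to gate every access decision on the conditions listed above, enforced in code rather than by policy alone. A hypothetical sketch (field names are illustrative, not drawn from any real compliance product):

```python
from dataclasses import dataclass

# Hypothetical ITAR access gate enforcing the requirements listed above:
# U.S. persons only, U.S.-resident infrastructure, no foreign replication.

@dataclass(frozen=True)
class Person:
    name: str
    is_us_person: bool       # citizen or permanent resident

@dataclass(frozen=True)
class Infrastructure:
    region: str              # cloud region identifier (illustrative naming)
    replicates_abroad: bool  # any cross-border data replication configured

def itar_access_allowed(person: Person, infra: Infrastructure) -> bool:
    """Deny access unless every ITAR condition holds simultaneously."""
    return (
        person.is_us_person
        and infra.region.startswith("us-")
        and not infra.replicates_abroad
    )

print(itar_access_allowed(
    Person("analyst", is_us_person=True),
    Infrastructure("us-gov-west-1", replicates_abroad=False),
))  # True
```

The check itself is trivial; the organizational difficulty the text describes is making every system, pipeline, and on-call rotation actually route through such a gate.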
The Defense Counterintelligence and Security Agency (DCSA) reported in 2025 that facility clearance processing times averaged 145 days for Secret and 285 days for Top Secret. AI startups seeking to serve the defense market face a multi-year timeline to achieve the required clearances and authorizations, during which the commercial AI market advances through multiple model generations.
The Air-Gap AI Problem
For the most sensitive defense workloads – intelligence analysis, operational planning, weapons systems – the data exists in air-gapped environments with zero connectivity to external networks. Running AI in these environments requires:
Model deployment within the air gap: The AI model weights must be physically transported (on encrypted media, via classified courier) into the air-gapped environment and deployed on hardware within that facility. This means the model is frozen at a point in time – it cannot be updated through standard software deployment processes.
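The physical transport step implies an integrity check on arrival: the receiving side recomputes a digest of the weights and compares it against a manifest that traveled separately. A stdlib sketch (file names and sizes are stand-ins for multi-gigabyte weight files):

```python
import hashlib

# Sketch of the integrity check applied when model weights are couriered
# into an air-gapped facility on encrypted media. The manifest is prepared
# on the low side; verification happens inside the air gap after transfer.

def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Manifest prepared before transport (stand-in payload):
weights = b"\x00" * 1024
manifest = {"model-v1.bin": sha256_digest(weights)}

# Verification inside the air gap:
def verify(name: str, received: bytes) -> bool:
    """True only if the received bytes match the manifest digest exactly."""
    return sha256_digest(received) == manifest[name]

print(verify("model-v1.bin", weights))         # True
print(verify("model-v1.bin", weights + b"x"))  # False
```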
Inference-only operation: Models in air-gapped environments operate in inference-only mode. They cannot be fine-tuned, retrained, or updated with new data without a physical update process. This creates capability degradation over time as the model falls behind commercial counterparts that receive continuous updates.
Hardware constraints: Air-gapped facilities may not have the GPU infrastructure required for large model inference. The NVIDIA H100s and A100s that power commercial AI data centers are export-controlled items themselves, and procurement for classified facilities follows defense acquisition timelines (measured in years, not weeks).
No RAG over classified data: Retrieval-Augmented Generation (RAG) – the technique of enhancing model outputs by retrieving relevant documents from a knowledge base – requires the knowledge base to be co-located with the model in the air-gapped environment. Building classified RAG systems requires ingesting, indexing, and embedding classified documents – a process that intersects with existing information management and records management regulations.
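The defining property of a classified RAG system is that retrieval runs entirely inside the enclave, with no network calls. A toy sketch of that offline retrieval step, with bag-of-words cosine similarity standing in for the locally hosted embedding model a real system would require:

```python
import math
from collections import Counter

# Minimal offline retrieval: everything runs locally with no network
# access - the property an air-gapped RAG system must preserve. Document
# contents are illustrative placeholders.

documents = {
    "doc1": "logistics plan for forward operating base resupply",
    "doc2": "maintenance schedule for rotary wing aircraft",
    "doc3": "resupply convoy route and logistics timeline",
}

def vectorize(text: str) -> Counter:
    return Counter(text.lower().split())

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def retrieve(query: str, k: int = 1) -> list:
    """Rank documents by similarity to the query; return the top k ids."""
    qv = vectorize(query)
    ranked = sorted(documents,
                    key=lambda d: cosine(qv, vectorize(documents[d])),
                    reverse=True)
    return ranked[:k]

print(retrieve("resupply logistics"))  # ['doc3']
```

Every stage shown here – the corpus, the index, the scoring – would hold classified material, which is why the text notes that building it intersects with records management rules, not just engineering.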
The result is that AI capability in classified environments lags commercial capability by 12-24 months, a gap that is widening as commercial AI advances accelerate. The Pentagon’s Task Force Lima and Project Maven initiatives have attempted to close this gap, but the fundamental constraint – the air gap itself – imposes irreducible latency on capability deployment.
The Silicon Valley-Pentagon Tension
The relationship between the technology industry and the defense establishment has been strained since at least 2018, when Google employees protested Project Maven (the DoD’s drone imagery analysis AI program) and Google withdrew from the contract. The cultural tension between Silicon Valley’s privacy-first, open-source ethos and the Pentagon’s classification-first, control-everything posture creates friction at every level.
For AI companies specifically, the defense market presents a dilemma:
Revenue opportunity: The DoD’s total IT spending exceeds $45 billion annually. The CDAO’s budget for AI-specific programs has grown from $600 million in FY2023 to over $1.8 billion in FY2026. The intelligence community’s AI investment is classified but estimated at comparable or higher levels.
Operational burden: Serving the defense market requires facility clearances, personnel clearances, dedicated infrastructure, specialized compliance programs, and the organizational segmentation necessary to handle classified data. These costs are front-loaded and ongoing.
Reputational risk: Some AI companies face internal resistance to defense work. Employees at major tech companies have organized against military contracts, and the talent pool for AI researchers who both hold security clearances and are willing to work on defense applications is limited.
The companies that have navigated this tension most successfully – Palantir, Anduril, Shield AI, and increasingly Microsoft and Amazon – have done so by building dedicated defense divisions with their own clearance infrastructure, rather than trying to adapt commercial organizations to defense requirements.
The relevance to broader AI privacy architecture is this: the defense community’s requirements represent the extreme end of a spectrum that every regulated industry faces. The need for zero-knowledge processing, zero-persistence architecture, and infrastructure that is structurally incapable of leaking data is not unique to classified environments. It is a universal requirement that varies in degree but not in kind. Healthcare organizations, financial institutions, and law firms face the same fundamental challenge: how to use AI with sensitive data without that data escaping their control.
Emerging Solutions: Confidential Computing and Edge AI
Two technological developments offer potential pathways through the defense AI impasse:
Confidential Computing
Confidential computing – processing data within hardware-based trusted execution environments (TEEs) that protect data in use, not just at rest and in transit – is gaining traction in defense contexts. NVIDIA’s Confidential Computing capabilities for GPUs, Intel’s Trust Domain Extensions (TDX), and AMD’s Secure Encrypted Virtualization (SEV) enable AI inference within encrypted enclaves where even the infrastructure operator cannot access the data.
For defense applications, confidential computing could enable classified data to be processed on shared infrastructure without risk of exposure to other tenants or the cloud operator. This does not eliminate the need for facility clearances and IL6+ authorization, but it provides a technical mechanism for data isolation that complements administrative controls.
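The core of the confidential-computing trust model is remote attestation: the data owner releases data only after verifying a hardware-signed measurement of the code running inside the enclave. A simplified sketch in which an HMAC stands in for the hardware-rooted certificate chains that real TEEs (TDX, SEV, GPU confidential computing) actually use:

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical attestation handshake. VENDOR_KEY stands in for the
# hardware vendor's PKI; the "measurement" is a hash of the code the
# enclave claims to be running.

VENDOR_KEY = b"hardware-root-of-trust"
EXPECTED_MEASUREMENT = hashlib.sha256(b"approved-inference-server-v1").hexdigest()

def sign_report(measurement: str) -> dict:
    """What the (simulated) TEE hardware would produce."""
    mac = hmac.new(VENDOR_KEY, measurement.encode(), hashlib.sha256).hexdigest()
    return {"measurement": measurement, "signature": mac}

def release_data_to_enclave(report: dict, payload: bytes) -> Optional[bytes]:
    """Release the payload only if the enclave proves it runs approved code."""
    mac = hmac.new(VENDOR_KEY, report["measurement"].encode(),
                   hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, report["signature"]):
        return None  # forged report: signature does not verify
    if report["measurement"] != EXPECTED_MEASUREMENT:
        return None  # valid signature, but unapproved code inside the TEE
    return payload   # safe to send for inference

good = sign_report(EXPECTED_MEASUREMENT)
print(release_data_to_enclave(good, b"sensitive-query") is not None)  # True
```

Note what this gives and what it does not: the data owner gets a cryptographic reason to trust the enclave's code, but the administrative controls around it (clearances, accreditation) remain, as the text says, complementary rather than replaced.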
Edge AI and On-Premise Inference
The shrinking of capable AI models – through quantization, distillation, and architecture optimization – enables deployment of useful AI capabilities on hardware that can be installed in classified facilities. Models like Llama 3 70B, Mistral, and Phi-3 can run on hardware footprints that fit within existing classified server rooms. The open-weights model movement is particularly significant for defense: models whose weights are publicly available can be deployed in classified environments without requiring a commercial relationship with the model developer.
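Quantization, one of the shrinking techniques mentioned, trades precision for footprint by mapping 32-bit floats to small integers. A toy symmetric int8 sketch (real toolchains use calibrated, often per-channel schemes; this only illustrates the core idea):

```python
# Toy symmetric int8 quantization of a weight vector - the kind of 4x
# size reduction that helps large models fit edge and enclave hardware.

def quantize_int8(weights: list) -> tuple:
    """Map floats into [-127, 127] using a single shared scale factor."""
    scale = (max(abs(w) for w in weights) or 1.0) / 127.0
    q = [round(w / scale) for w in weights]
    return q, scale

def dequantize(q: list, scale: float) -> list:
    return [v * scale for v in q]

w = [0.12, -0.5, 0.33, 0.02]
q, s = quantize_int8(w)
approx = dequantize(q, s)
# 4 bytes per weight become 1, at the cost of rounding error bounded by
# half the scale factor:
print(max(abs(a - b) for a, b in zip(w, approx)) < s)  # True
```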
DARPA’s Forward Deployment of AI (FDAI) program, initiated in 2025, specifically targets the deployment of AI capabilities at the tactical edge – on ships, aircraft, and forward operating bases where connectivity to rear-echelon data centers is intermittent or nonexistent. These edge AI systems must operate autonomously, process sensitive data locally, and maintain zero-persistence guarantees to prevent data capture if the hardware is physically compromised.
The defense AI problem is, at its core, the same problem every privacy-conscious organization faces: how to extract value from AI without surrendering control of sensitive data. The defense community solves it with air gaps, facility clearances, and billion-dollar classified cloud regions. The question – the one that Stealth Cloud architecture addresses – is whether the same guarantees can be achieved through cryptographic and architectural means, without the overhead that makes defense AI so expensive and so slow to deploy.
The Stealth Cloud Perspective
The defense sector’s classification requirements reveal a truth that applies to every industry handling sensitive data: physical and administrative controls are necessary but insufficient. The future belongs to architectures where data protection is mathematically guaranteed, not just procedurally mandated – where zero persistence and zero knowledge are properties of the system, not promises of the operator.