Quick answer
Air-gapped AI coding for regulated industries means running the editor, the agent, and the model on isolated hardware with all network egress blocked at the OS and the application level. The drivers are sector-specific: HIPAA Security Rule for PHI handlers, PCI DSS v4.0.1 for payment data, UK FCA rules for regulated financial services, NIST SP 800-171 Rev. 3 for defense contractors handling CUI. This post covers what each framework actually requires, where most cloud AI tools fall short, the model options that hold up in 2026, the hardware tiers that work, and what to hand your security team as evidence.
What regulated industries actually require (and why most AI tools fail it)
The requirements vary by sector, but the common thread is data residency and network-egress control. Sending source code, PHI, payment data, or CUI to an external AI provider is a problem your security team has to evaluate, regardless of how the vendor markets it.
Healthcare (HIPAA, GDPR). The HIPAA Security Rule (45 CFR Part 164 Subpart C) requires covered entities and business associates to apply administrative, physical, and technical safeguards to PHI. If development code touches PHI, sending it to a cloud AI provider typically requires a BAA with that provider and an audit trail that satisfies the documentation retention rules. Most AI coding tools do not offer BAAs. GDPR Article 32 sets a similar bar for technical and organisational measures on personal data; the regulation is explicit that these are required, not optional.
Finance (PCI DSS, FCA, SOC 2). Payment-card data is governed by PCI DSS v4.0.1; Requirement 12.8 covers third-party service providers, which can include cloud AI coding tools. UK-regulated firms inherit FCA outsourcing and operational-resilience rules on top, plus the same data-residency expectations that apply to any production code touching financial systems. SOC 2 Type II is an attestation framework many enterprises require of their tooling, and it shapes which AI tools an internal security team will approve.
Defense and government (NIST SP 800-171, CMMC, ITAR). NIST SP 800-171 Rev. 3 governs CUI on contractor systems and is the framework DoD contractors are typically assessed against via CMMC. The relevant control families for AI tooling are AC (access control) and SC (system and communications protection). FedRAMP is sometimes mentioned in the same breath, but FedRAMP governs cloud services consumed by federal agencies, not the local desktop tools contractors use. The distinction matters because mixing them up leads to evaluating a desktop tool against the wrong framework.
Legal. Attorney-client privilege concerns apply to any cloud-based tool that could touch case-related code or systems. Privilege is not formally regulated the way the other three sectors are, but firms treat it with similar rigor because the consequences of a breach are personal.
The gap between “cloud with privacy settings” and a verified air-gap
The most common point of confusion in regulated-industry evaluations is the gap between a cloud tool with privacy controls and a tool that actually keeps data on the machine. Three setups look superficially similar; only one is air-gapped.
| Setup | Does code leave the machine? | BAA / contractual control required? | Works fully offline? |
|---|---|---|---|
| Cloud AI tool with “enterprise privacy mode” | Yes. The code transits to a vendor-controlled server. | Yes. The protection is contractual, not technical. | No. |
| Cloud AI tool with BYOK (bring your own key) | Yes. BYOK changes which provider processes the call and who is billed. The code still travels to the model provider. | Depends on the model provider, not the IDE. | No. |
| On-premises air-gapped IDE with local model | No. The editor, the agent, and the model all run on the machine. Network egress is blocked. | Not for the development tool, because no PHI / CUI / payment data transits to a third party in the first place. | Yes. |
Read the BYOK row carefully. BYOK is often pitched as a privacy feature, but the technical effect is to redirect billing and choose which cloud model processes the request. The data still leaves the machine. For a regulated environment, the IDE that enforces network isolation is doing the load-bearing work; the model provider choice is downstream.
How Bodega One Code's air-gap enforcement holds (as of beta.26)
Bodega One Code's air-gap mode is not a single toggle that disables the cloud LLM selector. As of beta.26 (June 2026), it is 9 separate enforcement layers covering every outbound path the application can reach, plus a top-bar Air-Gap Active indicator so users and reviewers can see the state at a glance.
- Tool filtering: web_fetch and web_search are removed from the agent's tool list.
- Pre-execution guard: every tool call is checked before execution.
- Shell command blocking: curl, wget, and similar network commands are blocked in the integrated terminal.
- Context assembly guard: prevents web content from being injected into the context.
- Auto-updater blocking: no update checks or downloads.
- UI feedback: persistent top-bar indicator showing air-gap is active (beta.26).
- Cloud STT blocking: speech-to-text uses only local providers.
- System prompt filtering: strips any instructions referencing external URLs.
- Git IPC and Git AI blocking: remote git operations are blocked, and as of beta.26 air-gap mode also covers Git AI features (commit-message generation, AI review) so those cannot quietly call a cloud model.
Each of these layers supports the technical implementation aspect of broader control families in NIST SP 800-53 Rev. 5 (notably AC-4 information flow enforcement and the AU audit family) without the post claiming the product satisfies any specific control on its own. Control satisfaction requires assessment against the full text of the control and the organization's policies and procedures, which is your security team's call, not the vendor's.
For the full enforcement-architecture walkthrough, see the 9 layers technical post.
Current local model capability (Qwen3.6, DeepSeek V4, MiniMax M3)
The concern regulated teams raise most often is whether local models are good enough to justify the setup cost. In 2026 the answer is yes for the vast majority of development work, and the gap to frontier cloud has narrowed sharply.
- Qwen3.6-27B (Alibaba, Apr 2026) scores 77.2% on SWE-bench Verified and runs on a single 24 GB GPU at Q4_K_M (~17 GB). This is the current consumer-tier gold standard for air-gapped coding.
- DeepSeek V4-Pro (Apr 24 2026, MIT-licensed, server tier) scores 80.6% on SWE-bench Verified with a 1M-token context window. Hybrid sparse-attention architecture cuts per-token FLOPs ~73% and KV cache memory ~90% versus V3.2. The strongest open-weight coding model that ships under a permissive license.
- MiniMax M3 (Jun 1 2026, server tier) is the first open-weight model to combine frontier coding, 1M-token context, and native multimodal capabilities in a single architecture. Scores 59.0% on SWE-Bench Pro, a separate and harder benchmark than SWE-bench Verified (Opus 4.8 sits at 69.2% on the same SWE-Bench Pro for comparison).
For the full ranking by VRAM tier and current SWE-bench numbers, see the local LLM catalog. For VRAM sizing per model, the VRAM calculator takes a model and a hardware profile and tells you whether it fits.
Hardware setup for regulated environments (three tiers)
Three hardware patterns cover the bulk of regulated-team deployments.
- Individual developer workstation. A machine with a 16-24 GB VRAM GPU (RTX 4070 Ti Super, RTX 3090, or RTX 4090) running Qwen3.6-27B at Q4_K_M is the current practical standard for local coding AI. One-time hardware cost, no recurring API fees, and the workstation can be locked down at the endpoint by the organization's standard policies.
- Shared on-premises inference server. A single high-VRAM server (2x A100 80 GB for Qwen3.6-27B-class workloads, or 8x H100 for DeepSeek V4-Pro) running vLLM can serve a team of developers on an internal subnet that never touches the public internet. Each developer's Bodega One Code instance points to the internal vLLM endpoint. This is the common pattern in regulated environments that want centralized model management and a single audit boundary.
- Apple Silicon for Mac shops. The M3 Ultra with 192 GB unified memory runs large models in a standard Mac Pro form factor. The Neural Engine and unified-memory architecture make it a credible option for shops standardized on Apple hardware.
What to verify and hand your security team
This is the section most generic “air-gapped AI” articles skip. The reason regulated developers care about air-gap is not the toggle. It is what they can prove to their compliance, security, or audit reviewer when the conversation gets specific. The following are reproducible signals available with Bodega One Code in air-gap mode as of beta.26.
1. Visible session-state evidence. The Air-Gap Active indicator in the top bar (added in beta.26) provides a screenshot-able state that says air-gap was on during the session. This is the kind of point-in-time evidence reviewers ask for first.
2. Reproducible egress proof. While Bodega One Code runs in air-gap mode, two single-line shell checks demonstrate the network state:
# macOS / Linux: list non-loopback sockets owned by the Bodega process
lsof -nP -i | grep -i bodega
# macOS: watch for any DNS query other than the local resolver
sudo tcpdump -nn -i any 'port 53 and host not 127.0.0.1' 2>&1 | grep -v cacheAir-gap on, the lsof output should show only loopback. The tcpdump output during a full agent task should be zero lines. The 9 layers post covers Windows and additional verification snippets.
3. Architectural documentation for the policy file. The 9 enforcement layers map to specific outbound paths a developer machine could leak through. A reviewer can read the architecture, walk through it with the engineering team, and decide whether it satisfies the technical implementation aspect of the relevant control family. The list is not a substitute for the policy your organization writes; it is the input.
4. Log retention is your responsibility. Bodega One Code stores session logs locally in the application data directory. Retention and rotation are configurable per workspace. The product does not host a remote log store. Teams subject to HIPAA documentation retention (six years) or PCI DSS 4.0 Requirement 10.7 (12 months online, 3 months immediately available) are responsible for exporting logs into their organization's log-management workflow. The lsof and tcpdump output is point-in-time evidence; long-term retention is your team's policy, not the vendor's.
What this post does not claim. Bodega One Code is not HIPAA-certified, does not provide BAAs, is not FedRAMP authorized, and is not SOC 2 attested. Air-gap mode is a privacy capability backed by 9 enforcement layers as of beta.26; whether that capability satisfies any specific framework is a question for your compliance counsel and your organization's security review. The point of an air-gapped tool in a regulated environment is to remove the data-egress vector entirely, so the question shifts from “does the vendor comply” to “can we prove no data left the machine” which is a question your team can answer with the evidence above.
The beta is free for everyone, commercial use included. At full release, Personal stays free for personal use and Pro is $39 one-time for commercial use on two machines. Download free. For the full air-gap product overview, see the air-gap page.
Sources
- HHS HIPAA Security Rule (45 CFR Part 164 Subpart C), the technical safeguards reference for PHI handlers: hhs.gov/hipaa/for-professionals/security
- PCI Security Standards Council document library (PCI DSS v4.0.1 and supporting guidance, Requirement 12.8 third-party service providers): pcisecuritystandards.org/document_library
- NIST SP 800-171 Rev. 3, the CUI protection framework defense contractors are assessed against: csrc.nist.gov/pubs/sp/800/171/r3/final
- GDPR Article 32 (Security of processing): gdpr-info.eu/art-32-gdpr
- NIST SP 800-53 Rev. 5 controls catalog (AC-4 information flow enforcement and the AU audit family): csrc.nist.gov/pubs/sp/800/53/r5
- LiveBench coding benchmark snapshot (anchors the Qwen3.6-27B 77.2% and DeepSeek V4-Pro 80.6% SWE-bench Verified numbers): livebench.ai
- MiniMax M3 announcement and SWE-Bench Pro scores (separate benchmark family from SWE-bench Verified): datanorth.ai/news/minimax-launches-m3
- Bodega One Code air-gap mode overview (canonical product page): bodegaone.ai/air-gap
- Air-gap mode: 9 layers that guarantee zero network egress (full enforcement-architecture deep-dive with the verification snippets): bodegaone.ai/blog/air-gap-mode-9-layers-of-enforcement
Common questions
- Does Bodega One Code offer a BAA for healthcare teams?
- No. Bodega One Code is a local development tool, not a covered entity or business associate under HIPAA. The product's value for HIPAA-adjacent work is that when it runs fully air-gapped with a local model, PHI does not transit to a third party, which can keep the development tool outside the BAA scope entirely. Whether that interpretation holds for your specific workflow is a question for your compliance counsel, not the vendor.
- Is Bodega One Code FedRAMP authorized or SOC 2 certified?
- No, not currently. FedRAMP governs cloud services consumed by federal agencies, and SOC 2 is a service-organization attestation. Bodega One Code is a local-first desktop tool with no cloud dependency in air-gap mode. For defense contractors working with CUI, the framework that usually applies is NIST SP 800-171 Rev. 3 (and CMMC for DoD), which evaluates whether the tool's data handling fits your organization's system security plan, not whether the vendor has a cloud authorization.
- Which regulated industries use air-gapped AI coding workflows?
- Healthcare developers handling systems that process or touch PHI; finance and payment teams subject to PCI DSS or UK FCA data handling requirements; defense and government contractors with CUI handling requirements under NIST 800-171 or ITAR; legal teams with attorney-client privilege concerns on case-related code. The common thread is data-residency and network-egress requirements, not any single certification.
- What evidence can I show my security team that no data left the machine?
- Three reproducible signals as of beta.26: the Air-Gap Active indicator in the Bodega One Code top bar provides visible session-state confirmation; running lsof -nP -i during a session shows zero non-loopback TCP connections owned by the Bodega process; tcpdump on UDP/TCP 53 during an agent task should produce zero lines. The 9-layer enforcement architecture is documented at /blog/air-gap-mode-9-layers-of-enforcement for policy review. None of these depend on trusting vendor claims.
- Can one shared on-premises inference server work for a whole team?
- Yes, and this is the common pattern in regulated environments that want centralized model management. A vLLM server on internal infrastructure running Qwen3.6-27B, DeepSeek V4-Pro, or MiniMax M3 exposes an OpenAI-compatible API on a private subnet. Each developer's Bodega One Code instance points to that endpoint. No traffic leaves the private network. The team gets consistent model behavior and the security team gets a single audit boundary.
- How long does Bodega One Code retain its own audit logs?
- Bodega One Code stores session logs locally in the application data directory; retention and rotation are configurable per workspace. The product does not host a remote log store. Teams subject to HIPAA documentation retention (6 years) or PCI DSS 4.0 Requirement 10.7 (12 months online, 3 months immediately available) are responsible for export and retention through their own log-management workflow. Treat the per-session lsof/tcpdump output and the Air-Gap Active indicator as point-in-time evidence; treat long-term retention as your organization's responsibility.
Written by the Bodega One team. We build Bodega One Code, the local-first AI IDE, and we write here about local models, AI costs, and what we learn shipping it. More about the team and why we build local-first on the about page.
Related posts
Stay in the loop
Build-in-public updates, model picks, and Copilot/Cursor news as it breaks.
Follow @BodegaOneAI on X →