Governments and agencies are deploying Agentic AI for defense, intelligence, and workflow automation to gain geopolitical advantage. Gartner predicts that by 2028, at least 80% of governments globally will deploy AI agents to automate routine decision-making. Sovereign AI has already reached peak priority status on the 2025 Gartner Hype Cycle for government services. Relying on foreign AI supply chains is now seen as a national security risk. To maintain sovereignty and operational independence, many agencies run AI workloads on classified, isolated, or air-gapped networks. These environments still require delivery, security, and operational services, and most tools assume cloud or internet connectivity that these environments cannot allow.
Air-gap compatibility
Most AI security and delivery tools are designed for connected environments. Cloud dependencies for license validation, policy updates, threat feeds, and telemetry are baked into their architecture. When attack databases stop updating and threat feeds go stale, defenses become progressively blind to emerging threats.
Fragmented operating models
Government agencies typically operate air-gapped infrastructure as part of a broader hybrid cloud strategy spanning connected, disconnected, and cross-domain deployments. Inconsistent vendor capabilities across deployment models force teams to maintain separate tools, policy frameworks, and operational runbooks for each context, leading to misconfiguration or inconsistent enforcement and service disruption.
Tool sprawl
Point solutions addressing diverse AI security requirements add integration complexity, skills burden, and management overhead. This is compounded in air-gapped environments where external support is unavailable. Without unified visibility, models drift, threats go undetected, and incident response is delayed. The coverage gaps between tools become the attack surface.
F5 AI Guardrails is the primary AI security enforcement layer for government agencies operating in air-gapped and sovereign environments. Deployed as a certified Red Hat OpenShift operator within the agency's own Kubernetes environment, it operates without external dependencies after initial setup with the latest policies and threat intelligence. In mission-critical environments, policy updates are delivered via air-gap transfer and applied manually, keeping defenses current without external connectivity.
During inference, Guardrails sits between users, agents, and AI models, inspecting every input and output against defined policies. It blocks prompt injection attempts and jailbreak attacks before they reach the model, prevents sensitive data from leaking through model outputs, and enforces boundaries on model and agent privileges to prevent privilege escalation. Every interaction is logged with full context, giving security and compliance teams the auditability and explainability that regulations demand.
F5 AI Red Team conducts adversarial testing against AI models, configurations, and use cases by simulating thousands of attack patterns, including techniques that rarely surface in traditional penetration testing. It draws from an attack database that grows by over 10,000 new entries monthly, delivered via an air-gap transfer package in disconnected environments to keep testing current inside the boundary.
Findings are risk-scored and explainable, showing exactly how each vulnerability was exploited and why, producing audit-ready reports that support authorization to operate processes, FISMA continuous monitoring requirements, and Risk Management Framework assessments. Those findings also inform updates to Guardrails policies, closing the loop between vulnerability discovery and runtime enforcement.
F5 AI Guardrails and F5 AI Red Team protect against the critical risks defined in the OWASP Top 10 for LLM Applications, covering both runtime enforcement and adversarial testing layers. AI models and agents interact through APIs over encrypted channels and integrate into application workflows, expanding the attack surface.
F5 Application Delivery and Security Platform (ADSP) extends security within the sovereign boundary, defending AI workloads and their APIs against layer 7 attacks and application-layer threats, while inspecting encrypted traffic to ensure SSL and TLS channels don't become blind spots. Logs and telemetry from F5 ADSP feed into on-premises SIEM platforms operating in disconnected mode, giving teams the visibility to detect anomalies, maintain compliance, and respond to incidents.
For government agencies and critical infrastructure operators deploying agentic AI, F5 ADSP delivers a unified platform operating consistently across connected, disconnected, and hybrid environments.
