Threat Intelligence | 2026-04-05 | 8 min read

Zero-Trust for Developer Environments: What Air-Gapped AI Actually Means

Zero-trust architecture applied to developer environments means more than network segmentation. It means the AI tools developers use can't exfiltrate code they weren't meant to see.

The Developer Environment Trust Problem

Zero-trust network architecture has matured significantly over the past five years. Most enterprises have implemented network-level zero trust: assume breach, verify continuously, least-privilege access.

Developer environments have been left out of this model. A developer with legitimate access to a sensitive codebase typically has broad, persistent access to the code, and the tools they use (AI coding assistants, cloud-based IDEs, CI/CD platforms) inherit that access.

The Cloud AI Assistant Trust Boundary

When a developer uses a cloud-based AI coding assistant:

  1. Source code is sent to the provider's API
  2. Context (file content, open tabs, recent edits) is included in the API call
  3. The provider's logging, retention, and training policies determine what happens next

For most organizations, this is acceptable for non-sensitive code. For organizations handling CUI, classified information, ePHI, PCI cardholder data, or proprietary algorithms, sending code across this trust boundary is unacceptable.

The question is not "do we trust the AI provider". It's "does our security policy allow source code containing CUI to traverse a third-party API?" In most regulated environments, the answer is no.

NSA/CISA Guidance on AI Tool Risk

The NSA Cybersecurity Information Sheet "Deploying AI Systems Securely" (November 2023) explicitly addresses the risk of AI tools that send development context to external endpoints. The guidance recommends:

  • Inventorying all AI tools with network egress capabilities
  • Evaluating whether tool data transmission is consistent with data classification requirements
  • Considering on-premises alternatives for sensitive development contexts

The Supply Chain Angle: IDE Plugin Trust

IDE plugins are frequently granted filesystem access (to read code) and network access (to communicate with the plugin backend). A malicious or compromised plugin is a data exfiltration vector disguised as a productivity tool. The XZ Utils attack demonstrated that sophisticated attackers will invest in supply chain positioning. An IDE plugin used by 100,000 developers is a high-value target.

What Air-Gapped Actually Means

"Air-gapped AI" in a development context means:

  1. No model API calls: inference runs locally, no outbound connections to provider endpoints
  2. No telemetry: no crash reports, no usage analytics, no feature flags that phone home
  3. No implicit context sharing: auto-complete, code suggestions, and security scans don't send code snippets anywhere

A "locally hosted" model that still sends telemetry is not air-gapped. A model that runs locally but includes a licensing component that calls home is not air-gapped.
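One way to check the three criteria above against a running workstation, as an added example (not code from Deva or from the original article): audit the sockets held by AI tooling processes and flag any peer outside the explicitly authorized boundary. The watched process names, the 10.20.30.0/24 inference subnet, and the sample socket table (laid out like `ss -tnpH` output) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks this site has explicitly authorized for AI tooling.
# 10.20.30.0/24 stands in for an internal inference-server subnet.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in
                   ("127.0.0.0/8", "::1/128", "10.20.30.0/24")]
# Assumption: process names of the AI tooling under audit.
WATCHED = {"ollama", "code"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed sample in the column layout of `ss -tnpH` (connected TCP sockets).
SAMPLE = """\
ESTAB 0 0 127.0.0.1:52344 127.0.0.1:11434 users:(("code",pid=4121,fd=45))
ESTAB 0 0 [::1]:40112 [::1]:11434 users:(("code",pid=4121,fd=46))
ESTAB 0 0 10.20.30.17:51022 10.20.30.5:11434 users:(("code",pid=4121,fd=47))
ESTAB 0 0 192.168.1.23:49812 203.0.113.10:443 users:(("code",pid=4121,fd=51))
ESTAB 0 0 192.168.1.23:49900 [::ffff:198.51.100.7]:443 users:(("ollama",pid=988,fd=12))
ESTAB 0 0 192.168.1.23:50010 203.0.113.99:443 users:(("firefox",pid=2200,fd=90))
"""

def peer_ip(endpoint):
    """Split 'addr:port' or '[v6addr]:port' and return the address object."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    ip = ipaddress.ip_address(host)
    # Unwrap IPv4-mapped IPv6 so it is matched against the IPv4 allowlist.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip

def unauthorized_egress(ss_output):
    """Return (process, pid, peer) for watched processes talking off-allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        m = PROC_RE.search(line)
        # Skip malformed rows, listeners (peer '*'), and unwatched processes.
        if (len(fields) < 6 or fields[4].endswith(":*")
                or not m or m.group(1) not in WATCHED):
            continue
        ip = peer_ip(fields[4])
        if not any(ip.version == n.version and ip in n for n in AUTHORIZED_NETS):
            findings.append((m.group(1), int(m.group(2)), str(ip)))
    return findings

if __name__ == "__main__":
    for proc, pid, peer in unauthorized_egress(SAMPLE):
        print(f"egress outside authorized boundary: {proc}[{pid}] -> {peer}")
```

A socket snapshot only sees connections open at sampling time, so intermittent telemetry or licensing calls require repeated sampling or egress firewall logs to catch.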

The Performance Argument Against Local AI

The counterargument to local AI is performance: GPT-4 or Claude running in a data center is more capable than a 14B parameter model running on a developer's machine.

This is true and will remain true for general tasks. For security-specific tasks (vulnerability detection, compliant fix generation, compliance mapping), a model fine-tuned on security data and evaluated on security benchmarks outperforms a general model given the same task. Domain specificity closes the capability gap.

How Deva Addresses the Zero-Trust Requirement

Deva Coder, the local model, runs on Ollama with no outbound calls. The scanner runs entirely on-device. No source code, no findings, no prompts, no completions, no telemetry leave the machine.

For organizations that can't run on-device inference (insufficient GPU memory, managed device policies), Deva can provision a dedicated inference server inside the organization's network boundary. The source code path is the same: local scanner, local or network-local model, no external egress.

This satisfies the zero-trust requirement for AI tooling: the tool's network blast radius is limited to what's explicitly authorized. For background terms (air-gapped, classified, CUI, SBOM, OIDC), see the glossary; for the CMMC-specific air-gap requirements that drive much of this, see the CMMC compliance page.

FAQ

What does 'air-gapped AI' actually mean?

Air-gapped AI in development means no model API calls (inference runs locally), no telemetry (no crash reports, analytics, or phone-home licensing), and no implicit context sharing (auto-complete, suggestions, and scans do not send code snippets anywhere). A locally hosted model that still sends telemetry is not air-gapped.

Can I use ChatGPT or Claude with classified code?

No. Cloud-based AI assistants send source code, file context, and recent edits to provider APIs. For organizations handling CUI, classified information, ePHI, PCI cardholder data, or proprietary algorithms, this crosses a trust boundary that policy will not allow. Local models are the only compliant path.

Why are cloud AI assistants a zero-trust violation?

Zero-trust assumes breach and limits blast radius. A cloud AI assistant with broad filesystem access and outbound network connectivity inherits the developer's full access to sensitive code, then exfiltrates context to a third-party trust boundary. That is the inverse of zero-trust.

What is NSA guidance on AI tools for development?

The NSA Cybersecurity Information Sheet 'Deploying AI Systems Securely' (November 2023) recommends inventorying all AI tools with network egress, evaluating whether tool data transmission is consistent with data classification requirements, and considering on-premises alternatives for sensitive development contexts.

Matthew Conrad

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
