Classified Document Workflows With On-Premise LLMs
Classified estates do not buy AI to be impressed. They buy it to compress reading time on documents whose contents cannot leave the room. The hard part is not the model. The hard part is wiring the model into a document workflow that respects classification boundaries, mandatory access controls, and a chain of audit that survives an inspector general visit. This piece walks through the pattern, from the classification matrix down to the air-gapped rack, that we see working in defence ministries and internal-security bodies across the GCC.
The classification matrix and its GCC equivalents
Most modern classification regimes inherit a four-tier structure that maps cleanly across the Atlantic and into the Gulf. The labels differ; the logic does not.
- UNCLASS / Public. Material with no harm-on-disclosure. In Omani practice this is the default for press releases, published procurement, and open OSINT. Equivalent in GCC neighbours: عام / Public.
- CONFIDENTIAL / سري. Disclosure would damage operations or relationships but is recoverable. Routine staff work, internal memos, contract drafts.
- SECRET / سري للغاية. Disclosure would cause serious damage to national security. Operational plans, source identities, tender evaluation files for sovereign assets.
- TOP SECRET / سري للغاية مشدّد. Disclosure would cause exceptionally grave damage. Strategic intelligence, cabinet-level decision papers, signals collection.
Above TOP SECRET, compartmented programmes (the Western community calls them SCI, GCC ministries use programme-specific cover names) add need-to-know on top of the level. AI inside these compartments is engineered the same way as AI inside TOP SECRET, with the additional rule that compartment membership is enforced at the row level inside the index, not just at the network boundary.
Where AI helps and where it must not be allowed
The first conversation with any classified-estate buyer is not about model performance. It is about scope. AI earns its place on four tasks and is refused on a fifth.
- Drafting. Producing a first draft of a routine memo, report, or staff note from analyst-supplied bullets. The cleared author edits and signs. The model accelerates a task the author would do anyway.
- Suggesting classification. Reading a draft and proposing a classification level with citations to the matrix. A cleared reviewer accepts or overrides. The suggestion is logged, the override is logged, the decision belongs to the human.
- Redaction. Marking spans that match named-entity, source-identity, or compartment patterns for downgrade review. The redacted document is reviewed against the original by a cleared officer before any release.
- Summarisation and Q&A. Compressing long files into reading aids, with grounded citations to the source spans. The summary is a reading aid, never the record.
The fifth task is autonomous declassification, and AI must not be allowed near it. Lowering the classification of a document is a sovereign decision with downstream legal consequences. A model can stage a candidate, write a justification draft, and present the diff. A cleared, named officer signs. The audit log shows the candidate, the signature, and any subsequent appeal. No exceptions.
Clearance and access control: MLS without the mythology
Classified workflows have run on multi-level security (MLS) thinking for fifty years. The Bell-LaPadula model, codified by NIST, gives the two rules that matter for AI: no read-up (a SECRET process cannot read TOP SECRET) and no write-down (a TOP SECRET process cannot write into SECRET storage). Translated to a model-serving stack:
- Each classification level runs on its own enclave with its own model instance, its own retrieval index, and its own audit log. There is no shared GPU pool that touches more than one level.
- Mandatory access control labels propagate through every layer: OS, file system, retrieval index, prompt, and response. The model sees only what the calling user is cleared for, enforced by the platform, not by prompt-engineering.
- Cross-level transfers (a TOP SECRET analyst quoting a SECRET source upward) are explicit, logged, and reviewed. There is no implicit promotion through caching, embeddings, or shared vectors.
Practically, this is the same posture US Department of Defense systems achieve under NIST SP 800-171 Rev. 3 for Controlled Unclassified Information and the enhanced controls of SP 800-172 for high-value assets. GCC ministries achieve equivalent posture under sovereign frameworks, with the same audit obligations.
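The no-read-up and no-write-down rules, compartment need-to-know, and the rule from the Summarise stage that output inherits the highest source classification all reduce to one dominance check on labels. The following is an added Python example, not Hosn's code; the `Label` type, the function names, the sample rows and the compartment name ALPHA are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASS = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance: level at least as high AND every compartment is held.
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read-up.
    return subject.dominates(obj)


def can_write(subject: Label, target: Label) -> bool:
    # *-property: no write-down, so the target must dominate the writer.
    return target.dominates(subject)


def retrieve(user: Label, rows: list) -> list:
    # Row-level filter applied by the platform before anything reaches a prompt.
    return [r for r in rows if can_read(user, r["label"])]


def output_label(sources: list) -> Label:
    # High-water mark: highest level and union of compartments of all sources.
    level = max((r["label"].level for r in sources), default=Level.UNCLASS)
    comps = frozenset().union(*(r["label"].compartments for r in sources))
    return Label(level, comps)


# Constructed rows mixing levels to exercise the rules; "ALPHA" is hypothetical.
INDEX = [
    {"id": "memo-1", "label": Label(Level.CONFIDENTIAL)},
    {"id": "plan-7", "label": Label(Level.SECRET)},
    {"id": "src-3", "label": Label(Level.TOP_SECRET, frozenset({"ALPHA"}))},
    {"id": "brief-9", "label": Label(Level.TOP_SECRET)},
]
```

A TOP SECRET user without the ALPHA compartment never sees `src-3`, even though the level matches, because the filter runs on the full label rather than on the level alone.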
Workflow pattern: ingest, classify, route, summarise, audit
A defensible classified-AI deployment follows a single five-stage pipeline regardless of level. The stages do not change; the controls around them tighten as the level rises.
- Ingest. Documents enter the enclave through a one-way data diode or a controlled cross-domain solution. The ingest service stamps every record with origin, hash, and provisional level. Nothing reaches the index uncatalogued.
- Classify. The model proposes a classification using the matrix and named-entity patterns specific to the institution. A cleared reviewer accepts, downgrades, or upgrades. The decision is final and logged.
- Route. The classified record lands in the retrieval index for its level. Compartment tags route further into row-level enclaves where applicable. The user's access labels constrain what they can retrieve.
- Summarise. On request, the model produces grounded summaries, draft memos, or comparison tables, citing source spans the analyst can re-read. Output inherits the highest classification of any source touched.
- Audit. Every action (ingest, classification suggestion, override, retrieval, model invocation, output, downgrade) lands in an immutable log keyed by user, document hash, model version, and prompt template. This log is the inspector general's first request and the institution's strongest defence.
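One way to make the audit log tamper-evident is to chain each entry to the hash of the one before it, so that an edited, reordered or deleted record breaks verification. This is an added Python example, not Hosn's implementation; the hash-chain technique, the field layout, and the user ids, model version and template names in the constructed entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64


def digest(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(log: list, user: str, action: str, doc_hash: str,
           model_version: str, prompt_template: str, detail: str = "") -> dict:
    entry = {
        "seq": len(log),
        "user": user,
        "action": action,
        "doc_hash": doc_hash,
        "model_version": model_version,
        "prompt_template": prompt_template,
        "detail": detail,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = digest(entry)
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        linked = entry["seq"] == i and entry["prev_hash"] == prev
        if not linked or entry["entry_hash"] != digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1


def sample_log() -> list:
    # Constructed records: user ids, model version and template names are made up.
    doc = hashlib.sha256(b"constructed sample document").hexdigest()
    log = []
    append(log, "ingest-svc", "ingest", doc, "model-v1", "n/a", "provisional=SECRET")
    append(log, "model", "classification_suggestion", doc, "model-v1", "classify-v3", "SECRET")
    append(log, "reviewer-17", "override", doc, "model-v1", "classify-v3", "TOP SECRET")
    append(log, "analyst-42", "model_invocation", doc, "model-v1", "summarise-v2")
    return log
```

A chain only proves tampering if its latest hash is also recorded somewhere the log writer cannot rewrite, such as write-once media inside the same enclave.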
Air-gap deployment realities
Running this stack inside a SCIF-equivalent facility means accepting a set of operational realities that do not apply to public-cloud AI. Hosn's pattern, described in our pillar on air-gap AI for defence and internal security, treats them as design inputs.
First, no vendor heartbeat. The model weights, the retrieval index, the audit store, and the operating system live entirely on institution hardware. Updates arrive on signed media through a documented sneakernet, are scanned by the institution's own tooling, and are deployed under change control. Hosn does not phone home, does not stream telemetry, and does not require a license server.
Second, classified-aware backups. Backups inherit the classification of their source. A SECRET retrieval index backs up to SECRET storage on the same enclave. There is no cross-level backup, no cloud DR, no off-site replication except into another facility cleared at the same level under the same authority.
Third, ICD 705 or sovereign-equivalent housing. Compute lives in racks inside facilities accredited to standards comparable to Intelligence Community Directive 705 (TEMPEST shielding, perimeter control, two-person integrity rules). Hosn supplies the AI tier; the SCIF or sovereign-equivalent facility supplies the rest. The integration plan is part of every briefing, not an afterthought.
If you are scoping an AI workflow over classified material in Oman or the wider GCC, the next step is a one-hour briefing tailored to your classification matrix, compartment structure, and existing accreditation. Email [email protected] or message +968 9889 9100. We will walk through the workflow stages, the MLS controls, and a credible plan against your existing facility. Pricing is by quotation, sized to your specific requirement.
Frequently asked
Can an LLM be cleared to read TOP SECRET material?
The LLM is software; it does not hold a clearance. The estate it runs in does. A model loaded on a TOP SECRET enclave inherits that enclave's accreditation, with the same physical, personnel, and audit controls that apply to any other tool on that network. The clearance lives with the system and the people, not the weights.
What is multi-level security and why does it matter for AI?
Multi-level security (MLS) is the discipline of running multiple classification levels on shared infrastructure with mathematical guarantees that information cannot flow downward. For AI, it means a model on a SECRET enclave must not be able to write into UNCLASS storage or quote SECRET text into an UNCLASS reply. Bell-LaPadula's no-write-down rule is the simplest way to express it.
Should the model itself decide what classification a document is?
It can suggest, never decide. Automated classification is a recommendation that a cleared human reviewer accepts or overrides before the document is filed. The audit log shows the model's suggestion, the reviewer's decision, and any disagreement, which is the traceability defence the ministry needs at inspection.
Does Hosn meet ICD 705 SCIF requirements?
Hosn appliances are designed to drop into facilities accredited under standards equivalent to ICD 705 or NIST SP 800-171 / 800-172. Hosn supplies the AI compute and the audit hooks; the SCIF or sovereign-equivalent facility provides the physical, electromagnetic, and personnel controls. Briefings cover the integration plan in detail.