Every data platform that talks to a hosted model has a door in its perimeter. It might be guarded. It might log every crossing. It might strip names and mask identifiers on the way through. But it is a door, and doors are managed by policy, and policy is exactly the thing that fails on a quiet Thursday afternoon when a connector update ships with a default nobody read. We built 0plus on a different premise: the platform has no code path to public AI at all. Not a disabled one. Not one hidden behind a feature flag. None.

That sounds like a marketing line until you try to build it, because refusing the door is not a feature you add at the end. It is a constraint that reaches backward into every layer of the architecture: how connectors are written, where the models physically run, what the audit log has to prove, and what the word sovereignty is allowed to mean.

A gateway is a promise. Absence is a property

Most of the market answers the sovereignty question with a gateway: an AI proxy at the boundary that filters, redacts, or anonymizes traffic on its way to a hosted model. The pitch is control. The reality is that a gateway is a promise, renewed on every request, that the filter is correct, the redaction is complete, and the configuration has not drifted since the last audit. Each new model version, each new prompt template, each new connector is a fresh chance to be wrong.

Removing the code path is a different kind of claim. It is not renewed per request because there is nothing to renew. There is no client library for a hosted model anywhere in the build, no API key to rotate, no endpoint to misconfigure. The property holds because the artifact that could violate it does not exist.

A gateway is a promise renewed on every request. An absent code path is a fact you can check once and keep checking. We would rather ship the fact.

What refusal does to the connector layer

The first place the constraint bites is the connector layer. Connectors are where platforms quietly grow outbound dependencies: an enrichment call here, a geocoding lookup there, a helpful sentiment endpoint someone added in a sprint. In 0plus, every connector is built against an allowlist that works in one direction. Data flows in from your databases, sheets, applications, and Arabic documents. Open data and market feeds flow in for benchmarking. Nothing in the connector SDK can open an outbound socket to an address that is not declared, reviewed, and inside the perimeter.

  • Connectors declare their destinations at build time. An undeclared host fails at connection, not just at review.
  • External sources are inbound only. Open data and market feeds enter the perimeter, and results never travel back out.
  • No connector can depend on a hosted inference API, because the SDK exposes no primitive for it.
  • Third-party connector code runs against the same allowlist as ours. There is no privileged tier.

This is stricter than a firewall rule because it happens at the layer where developers work. A firewall stops the packet. The allowlist stops the pull request.

The model runtime lives inside

If no path leads out, the intelligence has to come in. The full model runtime, language models for Arabic and English, AutoML, semantic search, embedding and retrieval, is installed inside your environment: on-premises, in a private cloud, or fully air-gapped. Model weights arrive the way any other governed artifact does, as signed packages through your change process, not as calls to someone else's endpoint.

This changes the economics honestly. You provision compute for the model instead of renting it per token. In exchange, latency becomes a local number, capacity becomes a planning decision instead of a rate limit, and the model that read your contracts yesterday is exactly the model that reads them today, because upgrades happen when you install them.

Verifiable at the network layer

Our favorite property of this design is that you do not have to take our word for any of it. A gateway vendor's claims live in their codebase. Ours live in your packet capture. Point a network monitor at the deployment and watch: there is no TLS session to any model provider, because there is no code that could open one. As an example, an egress policy for a full deployment fits on one screen:

# egress policy for the entire deployment
default_action: deny
allow:
  - to: lakehouse.internal       # governed tables
  - to: model-runtime.internal   # in-perimeter inference
  - to: catalog.internal         # lineage and audit
# note the absence: no rule for any public AI endpoint,
# because no component ever asks for one

Short allowlists are auditable allowlists. Your security team can read this in a minute and confirm it against live traffic in an afternoon.

What removing the door means, and what it costs

We should be plain about the trade. Refusing hosted AI means we cannot ride each week's newest frontier model the moment it is announced. Model packs are curated, tested against Arabic and English workloads, and shipped into the perimeter on a deliberate cadence. For a team whose data carries no sensitivity, that discipline may read as overhead. For a ministry, a bank, or a hospital group, it is the entire point: the lineage graph and the audit log can account for every answer, because every read, transform, and inference happened on infrastructure you control.

Gateway sovereignty says: your data left, but politely. Removed-door sovereignty says: your data never left, and here are the network trace, the lineage record, and the audit log that agree with each other. When a regulator, a board, or your own security team asks how you know, the answer is not a vendor attestation. It is a property of the building. We did not lock the door to public AI. We built the wall without one.