Sovereign AI at the Front Door of Care: A Physically Unidirectional Architecture for Secure Clinical Intelligence

TL;DR

This paper introduces a secure, on-device clinical AI system using physically unidirectional data channels to eliminate network attack surfaces, enabling high-assurance medical triage in sensitive environments.

Contribution

It proposes a novel architecture leveraging physical unidirectionality for secure clinical AI, formalizes its security properties, and demonstrates its applicability across various deployment scenarios.

Findings

Eliminates network attack surface through unidirectional data flow.

Formal security analysis of receiver-side unidirectionality.

Demonstrates deployment feasibility in resource-constrained and high-risk settings.

Abstract

We present a Sovereign AI architecture for clinical triage in which all inference is performed on-device and inbound data is delivered via a physically unidirectional channel, implemented using receive-only broadcast infrastructure or certified hardware data diodes, with no return path to any external network. This design removes the network-mediated attack surface by construction, rather than attempting to secure it through software controls. The system performs conversational symptom intake, integrates device-captured vitals, and produces structured, triage-aligned clinical records at the point of care. We formalize the security properties of receiver-side unidirectionality and show that the architecture is transport-agnostic across broadcast and diode-enforced deployments. We further analyze threat models, enforcement mechanisms, and deployment configurations, demonstrating how physical one-way data flow enables high-assurance operation in both resource-constrained and high-risk environments. This work positions physically unidirectional channels as a foundational primitive for sovereign, on-device clinical intelligence at the front door of care.