u/Distinct-Ebb-9763

▲ 0 r/docker

How do I protect Docker container contents (AI models + backend logic) from a customer with root access on an air-gapped machine?

I'm building a product that runs entirely inside Docker containers, including trained AI models and proprietary backend logic. The target customers are labs that run air-gapped (no internet) and have full root access to the host machine where the containers will be deployed.

The customer (legitimate buyer) wants to use the software, but my client is terrified that the lab's IT admins will reverse engineer the containers and steal the IP, especially the models and business logic.

I've explained that if someone has root on the host, they can `docker exec`, dump memory, copy files from overlay layers, etc. True isolation is impossible. But the client wants to make it "very hard to steal", essentially a strong speed bump.

Some ideas we've considered:

- Wrapping containers with a master key (only client knows it).

- Self-destruct on 3 failed key attempts, deleting container images but preserving customer data.

- Compiling Python backend to native binaries and obfuscating model files.

The twist: the machines are air-gapped, so no phone-home licensing or cloud attestation.

What practical techniques have you seen work to raise the bar against root-level extraction in on-premises Docker deployments? I know perfect security is impossible here. I just need to make extraction expensive and annoying enough to deter all but the most determined attackers.

Thanks.

u/Distinct-Ebb-9763 — 7 hours ago
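The master-key idea from the post's list, as an added example that is not the poster's code and is written in Go with only the standard library rather than the poster's Python backend: the model blob is sealed with AES-256-GCM at image build time and decrypted only into process memory at start, and the "3 failed key attempts" rule is modelled as a lockout at the point where a deployment would delete the sealed images. The names (`SealModel`, `ModelVault`, `gcm`) and the 32-byte master key are assumptions; as the post itself says, root can still dump the process memory, so this only raises the cost of extraction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrLockedOut = errors.New("vault locked: too many failed key attempts") // the "self destruct" trigger
func gcm(masterKey []byte) (cipher.AEAD, error) { // AES-256-GCM under the vendor's 32-byte master key
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealModel encrypts a model blob at image build time as nonce || ciphertext || tag.
func SealModel(masterKey, model []byte) ([]byte, error) {
	aead, err := gcm(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, model, nil), nil
}
// ModelVault is the sealed blob shipped in the image plus its failure counter.
type ModelVault struct {
	Sealed []byte
	Failed int
}
// Unlock decrypts into memory only (plaintext never lands in an overlay layer); root can still
// dump process memory, so this is the speed bump. After three failures it refuses further tries.
func (v *ModelVault) Unlock(masterKey []byte) ([]byte, error) {
	if v.Failed >= 3 { // a deployment would delete the sealed images here, not customer data
		return nil, ErrLockedOut
	}
	if aead, err := gcm(masterKey); err == nil && len(v.Sealed) >= aead.NonceSize() {
		if plain, err := aead.Open(nil, v.Sealed[:aead.NonceSize()], v.Sealed[aead.NonceSize():], nil); err == nil {
			v.Failed = 0
			return plain, nil
		}
	}
	v.Failed++ // GCM tag mismatch: wrong key (or key length) or a tampered blob
	return nil, errors.New("unlock failed: wrong key or tampered blob")
}
```

The key itself still has to reach the container at start (operator prompt, hardware token, or similar), and whoever holds it can decrypt, so the scheme only moves the secret out of the image layers.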

Hi everyone, it's my first year in the industry. Recently I have been working on a project based on information extraction from complex-layout forms, and there are portions in them that are rotated 90 degrees anticlockwise as well.

As a base, I have implemented a VLM. It works great but tends to hallucinate, which makes it less reliable. But if coupled with detection models, accuracy goes beyond 90%.

At first only 3 detection models were being used, for region cropping, rotating that region, etc., and semantic sign detection for better interpretation.

Now there are some more edge cases that have been described by the owner, and honestly the VLM is not able to interpret them. So I can foresee that all those edge cases can be covered by training 3 more models.

So the production pipeline will have a VLM, 6 small fine-tuned object detection models in ONNX format running on CPU, plus a lightweight OCR. And a bit of OpenCV.

No constraints on resources at all, nor on speed, as some processes run in parallel.

This could have been resolved by one single model like GPT or Gemini. But the owner wants everything to be processed locally. Nor does the owner have the computing resources or data to fine-tune the VLM.

So, is the way I am having things done normal in production? Or is it too much, or over-engineered?

u/Distinct-Ebb-9763 — 17 days ago