An air gap can be considered any kind of blank space between objects. But in the context of network security, Wikipedia defines an 'air gap' as:
a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. The name arises from the technique of creating a network that does not have, and often has never had, an active unsecured connection, by having the two physically separated, with air in between.
In the purest sense, an air gap requires that the sensitive machine or network be physically isolated from the rest of the network. Data can only move in or out via a USB drive or comparable removable media. In practice this means that connecting an air-gapped computer to the rest of the network requires an overt, explicit and intentional operation by a user who has physical access to both ends of the connection (disregarding advanced hackers, of course).
These same requirements (explicit action and physical access) also apply to enabling the privacy and security of Internet of Things devices. They specifically relate to devices that operate on behalf of users (e.g., wearables, health, connected cars, etc.).
How a device is configured and authorized to function on behalf of a given user should also share the characteristics of an air gap. This may happen once, when a thermostat is first installed in the home, or repeatedly, as with a smart scale whose user changes over time.
Crossing an air gap requires a user (typically an admin) to perform an explicit and physical operation, so the initial setup procedure of a device should also include a comparable 'consent gap'. Without this intentional action, the device won't fully operate. For users to trust their devices, the act of giving their consent to the device's subsequent operations on their behalf will be critical to their sense of safety and control.
The best way to implement this security control measure is likely through existing identity standards. The consent that the user assigns to the device should already be present in the security credentials issued to the device, as made possible by the OAuth 2.0 and OpenID Connect 1.0 models.
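As an added illustration of the model described in the last two paragraphs (not code from the original post): a device-side 'consent gap' that refuses to act on a user's behalf until it holds a credential recording that consent. The token format (an HS256-signed JWT carrying sub, aud and scope claims), the scope name, the shared key and the device id are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: the key the authorization server signs with, and
# the device's own identifier, which the token must name as its audience.
ISSUER_KEY = b"placeholder-shared-secret"   # assumption: symmetric key shared with the AS
DEVICE_ID = "smart-scale-0001"              # assumption: device's client/audience id

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_consent_token(key, sub, scopes, aud, ttl=3600, now=None):
    """Stand-in for the authorization server: sign claims that record which
    user consented, for which device, to which operations, and until when."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "aud": aud, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_consent(token, key, device_id, required_scope, now=None):
    """Device-side gate: return the consenting user's id if the token authorizes
    `required_scope` for this device, else None (the device stays in the gap)."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        sig = b64url_decode(s)
    except ValueError:          # malformed base64 or JSON, wrong part count
        return None
    if header.get("alg") != "HS256":
        return None             # pin the algorithm; never trust 'none' or a swapped alg
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None             # not issued for this key: no consent on record
    now = int(time.time()) if now is None else now
    if claims.get("aud") != device_id or claims.get("exp", 0) <= now:
        return None             # issued to another device, or consent has lapsed
    if required_scope not in claims.get("scope", "").split():
        return None             # user consented, but not to this operation
    return claims.get("sub")

def record_weight(token, grams, now=None):
    """Example device operation: acts on a user's behalf only after the consent check."""
    user = verify_consent(token, ISSUER_KEY, DEVICE_ID, "health.weight:write", now=now)
    if user is None:
        return None
    return {"user": user, "grams": grams}
```

Rotating the user of the scale means issuing a fresh token for the new subject; the old one stops being honoured when it expires or is no longer presented.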