First option is out. Not only do the USB ports get disabled on such machines, but you can't take a USB stick anywhere near them, any more than you could a phone.
Second option suffers the same "can't get a phone within 10 meters of the machine" that the parent mentioned.
Third, if you can pay a person with security clearance to do this then it isn't a computer problem.
Fourth, people who do this work are not as rigorously checked as their workers/software people, but you will note that all the secure places I know of run custom bios firmware that have checksums to stop this.
Yes, I know people who work at these places, both with clearance (operators and such) and techies that support them, getting to their secure networks/air-gapped networks is not trivial and certainly cannot be done with a USB stick anywhere on your person.