Don't connect to the internet, but do you have USB sockets or drives for removable disks?
Your XP computer might not connect directly to the internet, but does it have a USB socket, or diskette, CD, DVD or blu-ray drive?
Currently these other paths are being used to infect non-internet-connected diplomatic and 'industrial command and control systems', and there is no reason to believe that they won't be used to infect XP systems in at least 'attractive targets'.
It is even possible to migrate data off of these non-internet connected systems. The Israelis and Americans did it to the Iranian nuclear program, so it is feasible and who knows how often it has happened elsewhere.
Also, if you have an internet connected machine on the same network as your XP machines (whether or not it is running an up-to-date operating system and antivirus) it could be used as an entry point to any connected XP machines. One trojan, one stupid mistake, on that internet connected machine and it could quietly violate however many hundred XP machines are connected to it.
Is your business and that application an attractive target?
1. Would anyone be able to profit from the disruption of that application, directly or via blackmail?
2. Would anyone be able to profit from knowledge of data in that application, directly or via blackmail?
And there are doubtless other ways to be a high value target.
So if you're going to keep XP in your production environment, I suggest you disable the drives for removable media, disable the USB sockets, and make sure that no computer on the network with the XP machine has internet access.
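
One way to check the removable-media part of that advice on an XP machine, as an added example that is not part of the original comment. It assumes the stock storage driver service names (`USBSTOR`, `Cdrom`, `Flpydisk`) and relies on a service `Start` value of 4 meaning "disabled"; the `/apply` switch is this script's own convention.

```bat
@echo off
rem Added example: audit (default) or disable (/apply) the removable-media
rem storage drivers on Windows XP. Run from an administrator account.
rem Start values: 4 = disabled, 3 = loaded on demand, 1 = loaded at system start.
rem Assumption: stock driver service names USBSTOR, Cdrom and Flpydisk.
setlocal enabledelayedexpansion
set BASE=HKLM\SYSTEM\CurrentControlSet\Services
set FAIL=0

for %%S in (USBSTOR Cdrom Flpydisk) do (
    rem "missing" means the service key does not exist on this machine.
    set CUR=missing
    for /f "tokens=3" %%V in ('reg query "%BASE%\%%S" /v Start 2^>nul ^| find "REG_DWORD"') do set CUR=%%V

    if /i "%~1"=="/apply" (
        if not "!CUR!"=="missing" (
            reg add "%BASE%\%%S" /v Start /t REG_DWORD /d 4 /f >nul
            set CUR=0x4
        )
    )

    if "!CUR!"=="0x4" (
        echo [ok]   %%S is disabled
    ) else (
        rem A missing USBSTOR key is still reported: the driver may simply not
        rem have been installed yet, which this script does not prevent.
        echo [WARN] %%S Start=!CUR!
        set FAIL=1
    )
)

rem Exit code 1 if any driver is still enabled or unaccounted for.
exit /b %FAIL%
```

Disabling `USBSTOR` blocks USB mass storage only, so USB keyboards and mice keep working. The new `Start` value applies the next time the driver would be loaded.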