Defense contractors face AI compliance squeeze

- Bradley Arant warned on May 4 that AI defense work now pulls contractors into overlapping cyber, data-rights, export-control, and ethics rules.
- The squeeze is getting real fast: CMMC entered contract rollout in November 2025, while DFARS 252.204-7012 still governs incident reporting and CUI handling.
- That matters because Pentagon AI demand is rising, but vendors now face slower awards, supplier audits, and reputational blowback.

Defense AI is starting to look less like a software boom and more like a compliance obstacle course. The Pentagon wants more AI in planning, logistics, intelligence, and classified networks. But every model, dataset, cloud environment, and subcontractor adds another place sensitive information can leak, drift, or get misused. That gap — between fast adoption and slow trust — is why contractors are suddenly getting squeezed from both sides.

### Why is AI different from normal defense software?

Regular defense software is already regulated hard. AI piles on extra problems — training data provenance, model behavior that can be hard to audit, and systems that keep changing after deployment. Bradley Arant’s May 4 note makes the key point: “AI contracting” is not a separate lane. It drags existing procurement rules into messier territory, especially around cybersecurity, export controls, data rights, ethics, and false-claims exposure. (mondaq.com)

### What rules are doing the squeezing?

The biggest immediate pressure is cybersecurity. DoD’s CMMC program is now live in regulation, and the department says the final DFARS rule integrating CMMC 2.0 into contracts was published on September 10, 2025, with a three-year phased rollout beginning November 10, 2025. That means more contractors — and subcontractors — have to prove they can protect Federal Contract Information and Controlled Unclassified Information before they can comfortably compete. (buildsmartbradley.com)

### Where does DFARS still matter?

Right in the middle of all this sits DFARS 252.204-7012. That clause still requires “adequate security” for covered defense information and cyber incident reporting, and it applies to information collected, developed, received, transmitted, used, or stored in support of a DoD contract. In plain English, if an AI workflow touches defense data anywhere in the stack, the compliance burden follows the data. Cloud hosts, fine-tuning vendors, and niche model suppliers do not make that problem disappear. (business.defense.gov)

### Why are subcontractors suddenly a bigger deal?

Because AI supply chains are sprawling. A prime contractor might use one company’s model, another company’s cloud, a third company’s labeling pipeline, and a fourth company’s security tooling. That is like bolting together an aircraft from parts built in different hangars, then trying to certify the whole thing as one safe machine. If one supplier mishandles CUI or cannot document controls, the prime can lose time, money, or the award itself. (acquisition.gov)

### Is Pentagon demand actually rising anyway?

Yes — which is why this squeeze matters now. The Pentagon announced agreements in early May with major tech firms including AWS, Google, Microsoft, OpenAI, NVIDIA, SpaceX, and Reflection to bring advanced AI into classified networks. At the same time, companies trying to break into defense work are complaining that Palantir has effectively become a gatekeeper in parts of the market. So demand is expanding, but access is not getting easier. (mondaq.com)

### Where do ethics and governance come in?

They are no longer side issues. DoD’s Responsible AI pathway says lawful, trustworthy, and governable use has to run through design, testing, procurement, deployment, and use. Outside government, that pressure is showing up inside companies too. Microsoft’s Israel chief Alon Haimovich is expected to leave after an internal ethics probe intensified scrutiny of Azure and AI defense ties there. Even if a contract is legal, leadership and employee blowback can still change the business case. (nextgov.com)

### So what slows down first?

Scaling. Not experimentation — scaling. A flashy demo can happen quickly. Production deployment inside defense procurement is slower because every unanswered question about data lineage, model testing, subcontractor controls, and reporting obligations can stall an award or create future liability. The more powerful the AI system, the less tolerance buyers have for hand-waving. (media.defense.gov)

### Bottom line?

Defense AI is still a growth market. But the winners are less likely to be the companies with the coolest model and more likely to be the ones that can prove where the data came from, who touched it, how incidents get reported, and which supplier is on the hook when something breaks. In this market, compliance is becoming the product. (mondaq.com)
