Is Your Team's AI Use Putting Your Defense Contracts at Risk?

Your employees are using ChatGPT and other AI models at work. That might already be a CMMC violation.

Most defense contractors have spent the last year focused on the obvious CMMC checklist items: access controls, system security plans, multi-factor authentication, etc. And that work matters.

But a threat is quietly expanding compliance boundaries from the inside, and it’s right on your employees’ desktops.

It’s called AI.

THE PROBLEM NOBODY IS TALKING ABOUT

Here’s a scenario that is playing out across the defense supply chain right now.

An employee is working on a bid response. They’re in a hurry. They open ChatGPT, paste in a section of a contract document, ask it to clean up the language, and hit enter.

That document contains Controlled Unclassified Information (CUI).

In less than five seconds, CUI has been transmitted to a commercial cloud environment that is almost certainly not authorized under your CMMC boundary. That’s not a gray area. That’s a scope violation and potentially a compliance breach that could surface in your next assessment.

According to a piece published this week by AJ Yawn in Washington Technology, AI tools are now one of the most significant and least understood risks in the CMMC landscape. The problem is not that AI is inherently dangerous. The problem is that most organizations have no policy, no visibility, and no controls over how employees use it.

WHY THIS IS A BIGGER DEAL THAN IT LOOKS

Under CMMC Level 2, your compliance boundary covers every system, tool, and environment that touches CUI. If a commercial AI tool is being used to process, draft, summarize, or edit anything that contains controlled information, even informally, that tool now falls inside your boundary.

That means you’re responsible for showing that it meets the security requirements. And commercial AI tools like ChatGPT, Copilot, or Gemini in their standard consumer form? They don’t.

There’s another layer to this. Some organizations are using AI to write their system security plans and compliance documentation. That sounds efficient, but AI-generated content can describe controls that don’t actually exist in your environment. If an assessor finds that your documentation doesn’t match your reality, that’s a significant finding, and it can derail your certification entirely.

THE GOOD NEWS: AI CAN ALSO HELP

This isn’t a story about AI being the enemy of CMMC compliance. Used correctly, AI can actually make your compliance program stronger.

Here’s where it genuinely helps:

  • Evidence collection: AI-powered tools can automate the collection of logs, configuration data, and access records: the kind of evidence that compliance teams can take weeks to pull together manually.
  • Continuous monitoring: AI can detect anomalies in network behavior in real time, flagging issues before they become audit findings.
  • Gap identification: When reviewing draft policies, AI can identify missing implementation descriptions and inconsistencies between the documentation and the actual controls.
  • Risk prioritization: With so many controls to implement, AI can help teams figure out which gaps to close first based on real risk data, not guesswork.

The key difference is how the tool is used and where it operates. An enterprise-grade, properly scoped AI tool with documented controls is very different from an employee pasting CUI into a free browser-based AI chat.

WHAT YOU SHOULD DO RIGHT NOW

If you are a defense contractor, or a subcontractor supporting one, here are five steps to take before your next assessment:

  1. Audit every AI tool in your environment. This includes browser extensions, productivity tools with embedded AI features, and anything employees might be using informally on work devices.
  2. Classify each tool by where it lives. On-premise, private cloud, and commercial cloud all carry different risk profiles under CMMC.
  3. Ask whether CUI could reach each tool. If the answer is “maybe,” treat it as “yes.”
  4. Create a clear, written AI use policy. Employees need to know what tools are approved, for what purposes, and what they are never allowed to do with controlled information.
  5. Work with your MSP to document controls. If your IT partner isn’t already thinking about AI as part of your CMMC boundary, that’s a conversation you need to have immediately.

HOW OPEN APPROACH CAN HELP

Open Approach is a CMMC Level 2 certified MSP. That means we haven’t just studied this framework; we’ve lived it ourselves. We understand what assessors look for, what creates problems during audits, and how to build IT environments that hold up under scrutiny.

We work with defense contractors and DIB subcontractors to assess their current environments, identify hidden risks, such as the AI exposure issue described here, and build compliance programs that are defensible, documented, and sustainable.

If you’re not sure where your organization stands, or if you’ve never had a real conversation about AI and your CMMC boundary, now is the time.

LET’S TALK ABOUT YOUR CMMC PLANS

The window for getting ahead of Phase 2 is closing. C3PAO assessment slots are filling up, and organizations that start late face compressed timelines and higher costs.

We’d love to have a straightforward conversation about where you are, what you need, and what a realistic path forward looks like.

Schedule a conversation with our team.

Join Us at the End of the Month – Free Webinar for Defense Contractors and Subcontractors

On April 30, we’re hosting a free webinar featuring Eide Bailly, designed specifically for DIB contractors and subcontractors who want to understand what CMMC actually means for their business. We’ll cover what’s required, what’s changing, and how to start building a plan that protects your contracts.

Register Here.

We hope to see you there.

Open Approach is a CMMC Level 2 certified, SOC 2 Type II compliant managed IT services provider serving businesses in Vermont, Colorado, and beyond. We specialize in IT support for organizations with security and compliance requirements.
