CMMC Compliance
AI Adoption in Defense: CMMC Compliance Risks and Liabilities

Recently I was stunned to learn that an associate in a secure environment had integrated an autonomous AI coding agent. They had connected it to their local files. The first question out of my mouth was about their CMMC posture. They paused. They had not thought about it. That pause should concern everyone in the ISAM and defense community.
These tools run a background daemon on your machine, connect to large language models through cloud APIs, and execute shell commands on your behalf. They read your files. They send your emails. They browse the web. When configured in autonomous mode, they do all of this without asking permission. This is one prompt injection away from disaster. Shodan scans have found hundreds of exposed instances running on the open internet with zero authentication, with API keys, OAuth tokens, and full conversation histories sitting in plaintext for anyone who knows where to look.
Now consider who is adopting these tools. Space operations officers. Defense contractors handling CUI across GovCloud. Engineers working under ITAR restrictions. Professionals in the ISAM community whose work touches satellite servicing, orbital assembly, and technologies that sit squarely on the U.S. Munitions List. The gap between AI adoption speed and CMMC awareness in this community is becoming a liability.
CMMC Phase 1 enforcement went live on November 10, 2025. Every defense contractor handling CUI must comply with 110 NIST 800-171 controls under Level 2. Pasting controlled data into a cloud-based AI tool violates at least six of those controls on contact. Access Control 3.1.1 requires limiting system access to authorized users. Media Protection 3.8.3 requires the ability to sanitize media containing CUI. System and Communications Protection 3.13.1 requires monitoring at external boundaries. A commercial AI chatbot fails all three by design.
The DOJ collected $51.8 million in cybersecurity-related False Claims Act settlements in 2025, a 233 percent increase over 2024. MorseCorp paid $4.6 million after reporting a positive SPRS score when their actual score was negative 142. Raytheon paid $8.4 million for false compliance certifications. Under the CMMC affirmation requirement in 32 C.F.R. 170.22, signing your annual compliance statement while your team uses unauthorized AI tools creates the same FCA exposure. Only 4 percent of defense contractors reported CMMC readiness as of late 2024. Adding autonomous AI agents with shell access to that environment accelerates the risk on a timeline most compliance teams have not modeled.
The aerospace and defense industry needs AI. The productivity gains are real. But onboarding these tools without understanding the compliance boundaries turns every prompt into a potential spillage event and every annual affirmation into a liability. TacNex is working on exactly this problem, helping defense and ISAM organizations adopt AI securely within CMMC Level 1 and Level 2 compliance boundaries.
Written by
Alaan Franklin