Every defense shop I walk into now has the same problem. The team is using AI all day. Nobody has documented it. Nobody knows what tier they are paying for. Nobody can name where the data went after it left the browser.

That is a NIST 800-171 §3.1.3 finding waiting to happen. In 2026 it is the fastest-moving compliance gap in the defense industrial base.

What the control says

NIST SP 800-171 §3.1.3: "Control the flow of CUI in accordance with approved authorizations."

One sentence. The determination statements unpack it:

  • Information flow control policies and enforcement mechanisms are defined.
  • Designated sources and destinations for CUI flow are identified.
  • Authorizations for controlling CUI flow are defined.
  • Approved authorizations for controlling CUI flow are enforced.

Companion controls: §3.1.4 (separation of duties), §3.13.1 (boundary protection), §3.13.5 (control of communications). 3.1.3 is the upstream rule. It says where your CUI is allowed to go and that something must enforce it.

Why it catches everyone with AI

3.1.3 is commonly read as a data-classification rule. This is wrong. It is a transit rule. It does not care what your team intended to share. It cares where your CUI actually went.

Here is what that looks like on a Tuesday morning in a 30-person defense shop:

  • A PM pastes a contract paragraph into ChatGPT to "just clean up the language."
  • An engineer drops a drawing PDF into Claude to ask about a tolerance.
  • A proposal writer feeds last year's redacted CDRL into Gemini to mimic the style.
  • A finance lead uses Microsoft 365 Copilot in commercial Office to summarize a CUI-marked email.
  • An owner asks a free AI tool to "explain this DD-254."

In each case, the data left the authorization boundary. The question for the assessor is not "did we mean to send it." The question is "where did it go, and what did the receiving system do with it."

The vendor-tier trap

Most defense shops do not realize that the same AI brand has multiple products with very different data-handling guarantees. They pay for "Copilot" and assume that means one thing. It does not.

Here is the landscape that actually matters at audit:

  • Tier 1 - Consumer / Free / Plus. ChatGPT Free, ChatGPT Plus, Claude Free, Claude Pro, Gemini consumer. Inputs may be retained, may be reviewed by humans for safety, and on some tiers may be used for training. No DPA covering CUI. This is the default destination if the user did nothing else. Almost every AI use in a small contractor starts here.
  • Tier 2 - Team / Business. ChatGPT Team, Claude Team, Microsoft 365 Copilot in a commercial tenant. Better retention defaults, no training. Still commercial cloud. Not equivalent to FedRAMP Moderate or High for CUI handling.
  • Tier 3 - Enterprise / API with controls. ChatGPT Enterprise, Claude Enterprise, configured API integrations. Configurable retention, no training, audit logs, SOC 2. Still commercial cloud. Approaches FedRAMP Moderate equivalence on paper in some configurations. Not authorized for CUI without a documented DFARS 252.204-7012 equivalency review.
  • Tier 4 - GovCloud-resident model APIs. AWS Bedrock running in AWS GovCloud, Azure OpenAI in Azure Government, M365 Copilot in GCC High. The substrate is FedRAMP High authorized. CUI-eligible if the architecture, retention, and access controls around it are documented correctly. This is where most CUI-bound AI work needs to live.
  • Tier 5 - On-prem or sovereign. Self-hosted open-weight models (Llama, Mistral, Qwen) running on hardened infrastructure inside your CUI enclave. Data does not leave your boundary by definition. You own the FIPS-validated cryptography and the SSP narrative.

The trap: most shops are using Tier 1 or Tier 2 tools, paying for the brand, and assuming compliance is bundled. Microsoft 365 Copilot in your commercial tenant has nothing to do with Microsoft 365 Copilot in GCC High. The branding is identical. The compliance posture is not.

The abuse-monitoring retention question almost no one asks

Even on Tier 3 and Tier 4, there is a question that almost no one in defense is asking. How long does the platform retain inputs and outputs for trust-and-safety review?

For AWS Bedrock, the default is up to 30 days of input and output retention for abuse monitoring, unless you specifically opt out via an AWS Support case. This is separate from training. It is a holdover from the early-LLM era when cloud providers wanted forensic logs to detect policy violations. OpenAI Enterprise and Anthropic's API have similar 30-day defaults, with zero-data-retention agreements available on Enterprise contracts.

If you are claiming to your assessor that "AWS does not retain my prompts," and you have not actually opted out, that claim is wrong.

The fix is small. A documented opt-out request with the cloud provider, a screenshot of the response, and a paragraph in your SSP describing the configuration. Most contractors have not done it. Most have not even thought to ask.

What "control the flow" actually means

To pass an assessment on AI use, you need to be able to show four things:

  1. An approved-AI-tools list. Tier (1-5 above), data-handling settings, and what the tool is allowed to be used for.
  2. A prohibited-AI-tools list, with the technical control that enforces it. Browser policy. Conditional access. DLP rules that flag classified-marking patterns. Block-by-default categories.
  3. An AUP and training that explicitly cover AI input rules. Not "use good judgment." Specific named tools and specific named data types.
  4. For any AI tool used with CUI: documented architecture, retention configuration, training opt-out evidence, and where the tool sits in your authorization boundary. Including the cloud provider's abuse-monitoring posture.

If your answer to "show me your AI inventory and how you control flow" is a shrug, you do not have 3.1.3.

The 2026 policy trajectory

The direction is set, even if your specific assessor has not asked yet.

  • NDAA FY2026 §1513 directs DoD to fold AI cybersecurity requirements into DFARS and CMMC, with a status report due to Congress on June 16, 2026.
  • Multiple service CIOs (Army, Navy) have issued memos restricting commercial LLM use for CUI.
  • The Navy launched GenAI.mil as the IL5-cleared alternative.
  • Space Force and DHS have publicly paused commercial LLM access on government networks.

The next assessor your prime sends will know all of this. Build the inventory now.

How Tentacle Ops is built around this control

Tentacle Ops is exactly the kind of AI tool §3.1.3 is asking you to scrutinize. We built it knowing that.

  • Per-customer isolated stack. Each customer gets a dedicated instance. No shared multi-tenant control plane reaching across customers.
  • Inside your boundary. The agent operates within your existing CUI enclave. The model layer is matched to your compliance posture: Tier 4 (GovCloud-resident APIs) for FedRAMP High pilots, Tier 5 (on-prem open-weight) for fully air-gapped CUI workloads.
  • Documented interfaces. Every connection the agent makes is named, scoped, and logged so it can be added to your external systems inventory cleanly.
  • Retention and training opt-out documented as a deliverable. When the model layer is a commercial-substrate API, the abuse-monitoring opt-out is part of the onboarding artifact set, not a question the customer has to chase.

The point is not that Tentacle Ops gets you to 3.1.3 by itself. The point is that we are designed to be the easiest AI tool on your inventory to document, not the hardest.

What to do this week

  1. Ask your team what AI tools they used in the last 30 days and what data went in. Do not punish, just inventory.
  2. Match each tool to its tier (1-5 above). Note the data-handling settings.
  3. For each tool: approved, prohibited, or conditional. Write it down.
  4. Update your AUP. Have everyone re-sign. Add AI tools by name.
  5. Where you can, enforce technically: conditional access, browser policy, DLP rules.
  6. For any AI tool you use with CUI: confirm retention is opted out, training is opted out, and the configuration is documented in your SSP.
  7. Put the inventory in your SSP. Review monthly.

3.1.3 is not a network control. It is a control over where your CUI is allowed to go.

Most contractors fail it because they have never written that down. In 2026, the most expensive way to find that out is from a C3PAO.

Tentacle Ops is an autonomous operations agent built for CMMC-bound manufacturers. Learn more at tentacleops.ai.