Manufacturing · Defense / CMMC

AI that respects your boundary.

For defense manufacturers handling Controlled Unclassified Information, cloud AI is a non-starter. Sovereign agents run inside your assessment boundary — where CUI is supposed to stay.

The Tension

Your supply chain wants AI. Your obligations say be careful.

CMMC and the NIST SP 800-171 controls underneath it assume CUI stays within a defined boundary, with access controlled and actions logged. Most AI tools move data in the opposite direction — out, to a cloud you don't control.

Cloud AI with CUI

  • CUI leaves your assessment boundary
  • Data lands with a provider you can't fully audit
  • Prompts may enter a training pipeline
  • Access and logging outside your control
  • A finding waiting to happen at assessment

Sovereign agents

  • Models run on hardware inside your boundary
  • CUI never traverses an external network
  • You hold the access controls and the keys
  • Every action logged within your environment
  • Designed to support your existing controls

How It Lines Up

Built the way the controls assume.

Access Control

Who can use it?

The agent honors your existing identity and access model. Only authorized users and systems can reach it, and what each can do is defined and enforced.

Supports the access-control family the controls describe.

Audit & Accountability

What happened?

Every request, action, and escalation is logged inside your environment, so you can reconstruct what the agent did and when.

The audit trail your assessor will ask to see.

Boundary Protection

Where does data go?

Open-weight models run on hardware you own inside your boundary. CUI doesn't transit an external network to be processed.

Keeps protected data where it's supposed to live.

We design around your controls. We don't grade your compliance.

StarGentic is not your C3PAO, your assessor, or your compliance counsel, and we never claim a deployment makes you compliant. We build sovereign systems that support the controls that apply to you, and we route case-specific questions to your assessor, your counsel, and our Compliance and Security Advisor.

Plain Answers

Questions defense suppliers ask

Does using your agent make us CMMC compliant?

No. Compliance is determined by your assessment against the applicable level, not by any single tool. A sovereign deployment is designed to support the relevant controls — access control, audit logging, boundary protection — but it is one piece of a broader program your assessor evaluates.

Where exactly does the AI run?

On hardware you own, inside your assessment boundary, using open-weight models. CUI is processed locally and does not transit to an external cloud. The architecture document spells out the data flows for your IT and security teams before deployment.

Can you work with our assessor and IT?

Yes. We expect to. We provide the architecture and logging documentation your team and assessor need, and we route interpretation of specific requirements to your counsel and assessor rather than guessing.

We're earlier in our CMMC journey — is this premature?

Maybe, and we'll tell you if so. The Readiness Assessment includes a go / no-go that accounts for where you are. If the honest answer is 'get your boundary and controls settled first,' that's the recommendation you'll get.

Next Step

Talk through your boundary and your use cases.

A Discovery Session covers where AI could help and how it stays inside your CUI boundary — with your assessor and IT in the room if you like.
