Legal & Compliance · Aerospace & Defense

ITAR and CMMC are now two simultaneous lawsuits over AI usage.

Tokto records every model decision, every engineer prompt, every supplier-shared AI use, and every vendor AI integration that touches export-controlled data or CUI, ready for State, Commerce, DCSA, the DoD CIO, the prime, and the AG.

What keeps you up at night

State opens an ITAR enforcement. DCSA opens a parallel CMMC review. The legal team has a SIEM, a clean assessment, and a vendor risk file. None ties a model decision to a contract, a CUI category, an engineer, and the foreign-person designation in force.

  • Every model decision tied to a program, a contract, a CUI category, an engineer, a model version, and a designation.
  • A complete record for State, Commerce, DCSA, the DoD CIO, the prime, and opposing counsel on the same evidence.
  • Policy at the model: no ITAR data past export license, no CUI outside boundary, no classified-adjacent into commercial AI.
  • Defensibility under ITAR (AECA), EAR, DFARS 252.204-7012, CMMC 2.0, and AS9100 at the same time.
  • ITAR enforcement under the Arms Export Control Act. A clean CMMC assessment provides no shelter. Per-instance fines mount.
  • DCSA opens a CMMC review on AI controls. The legal team cannot produce a per-contract, per-CUI record.
  • A foreign national contractor accessed a model trained on ITAR data. License violation. State opens enforcement.
  • The prime asks for AI evidence at award. The company cannot produce. The next contract goes elsewhere.

Tokto governs the AI surface of the company. Engineering co-pilots, program-management assistants, supplier-shared models, vendor AI agents — all become records at the moment they fire. The record carries the program, the contract, the CUI category, the engineer, the designation, and the policy that applied. The GC controls one trail across CMMC and ITAR.

When State opens an ITAR investigation, when DCSA opens a CMMC review, when the prime asks for AI evidence at audit, the record is the same record. The GC answers in days rather than facing parallel enforcement actions.