Security & Technology · Aerospace & Defense

ITAR is the AI control plane now, not the policy memo.

Tokto puts every prompt that your engineers, program managers, supplier-shared teams, and embedded vendor AI agents run, and every model output that touches export-controlled data, CUI, or classified-adjacent content, under one auditable trail that DCSA, the DoD CIO, State, and the prime contractor can read.

What keeps you up at night

An engineer pastes export-controlled technical data into a public LLM to clean up a memo. It is a per-instance ITAR violation. State has notified the program office. The prime is on a call. The clearance review has begun.

  • Every prompt and model output tied to a program, a contract, a CUI category, a model version, and a foreign-person access designation.
  • A single audit log that satisfies DCSA, the DoD CIO, State (ITAR), Commerce (EAR), and the prime on the same evidence.
  • Policy at the prompt: ITAR-controlled tech data, CUI, classified-adjacent content, and foreign-person access blocked before tokens leave the boundary.
  • Air-gapped, sovereign deployment. GCC-High ready. Raw program data never reaches commercial AI.

  • An engineer pastes ITAR-controlled tech data into ChatGPT. Per-instance State Department enforcement on top of CMMC findings.
  • A vendor AI agent in a contract data system retains CUI past the boundary. CamoLeak-class loss with classified-adjacent content.
  • A foreign national contractor is granted model access through a vendor SaaS. License violation per query.
  • An AI co-pilot in the engineering pipeline produces an output trained on rival-program data. Cross-contamination on classified-adjacent material.

Tokto sits at the AI control plane of the program. Every engineering co-pilot, every program-management assistant, every supplier-shared model, every embedded vendor AI agent becomes a record at the moment of output. The record carries the program, the contract, the CUI category, the model version, the foreign-person designation, and the policy in force.

When DCSA asks how CUI was governed across an AI integration, when State asks how ITAR-controlled data reached an external model, when the prime asks for AI evidence at award, the answer is one query against the system of record. The CISO unifies CMMC and ITAR enforcement under one trail.