Training Governance for Defense AI

Regulatory framework

The governing instruments for defense AI converge on a single structural demand: the training process must be auditable, classification-aware, and demonstrably resistant to adversarial influence. DoDD 3000.09, reissued in January 2023, requires that autonomous and semi-autonomous weapon systems undergo senior-level review before development and again before fielding, and that reviewers be able to verify the system will function as intended across realistic operational conditions. That verification is impossible if the chain from training data to model behavior is opaque. DoDI 5000.97, which establishes policy for AI capabilities in the DoD, makes the acquisition lifecycle responsible for documenting data provenance, training methodology, and validation evidence as part of the program's technical baseline.

The Chief Digital and Artificial Intelligence Office, the successor to the JAIC, operationalizes these directives through the Joint AI Concept and through the DoD profile of the NIST AI Risk Management Framework, which adapts the Govern, Map, Measure, Manage functions to mission contexts where the consequence of an unmitigated training-stage failure is not reputational but kinetic. ISO/IEC 42001, the AI management system standard, supplies the management-system scaffolding that DoD components increasingly require of vendors. CMMC 2.0 governs the cybersecurity posture of the contractors that hold the training corpora; ITAR and EAR govern what cross-border data may enter those corpora at all. DoDM 5200.45 establishes fielding controls for AI capabilities, and AUKUS Pillar II creates an allied envelope inside which jointly trained models must respect each partner's classification regime. The Replicator program's compressed acquisition timelines do not relax any of these constraints; they raise the cost of failing them, because remediation cannot keep pace with fielding cadence.

Architectural requirement

Reading these instruments together yields a precise architectural specification. A defense training pipeline must (a) accept data spanning multiple classification levels and multiple coalition partners without permitting cross-classification leakage into parameters that will be exposed in lower-classification deployment contexts; (b) attach a verifiable provenance record to every gradient update, sufficient that an acquisition reviewer can trace any model behavior back to the specific training examples and governance decisions that produced it; (c) detect and contain adversarial training inputs before their influence is integrated into model parameters; and (d) preserve evidence that the model's capabilities have not silently degraded in previously validated mission domains as new training is applied.

None of these properties can be retrofitted at deployment. A model trained on classified signals intelligence carries that influence in its weights regardless of where it is later hosted. A model trained on poisoned data carries the adversary's chosen behavior regardless of how the inference endpoint is hardened. The architectural locus for compliance is the training loop, and the artifact that satisfies acquisition review is a structural training record, not a post-hoc narrative. The implication for program managers is that the training infrastructure is itself part of the system safety case under DoDD 3000.09, and must be specified, instrumented, and accredited with the same rigor applied to the runtime stack.

The threat surface that this specification must close against is also unusually broad. Training data may originate from coalition partners with different classification regimes, from open-source ingest pipelines vulnerable to upstream poisoning, from synthetic-data generators whose own training history is opaque, and from in-theater telemetry whose authenticity cannot be assumed. Each ingest channel carries a distinct adversarial profile, and the training loop must reconcile them within a single audit substrate. This is the specification the rest of the article responds to.

Why procedural compliance fails

Defense organizations have historically addressed classification during training by maintaining separate pipelines for each classification level. This prevents cross-classification contamination at the cost of preventing the model from learning connections across levels that the analyst, the operator, and the commander all depend on. An intelligence analyst working a target benefits from a model that has learned both the open-source and the classified information landscape; fully isolated pipelines produce models that are knowledgeable inside each silo and blind across them. The procedural workaround is to train two models and let humans bridge them, which reintroduces the fragmentation the AI capability was meant to eliminate.

Documentation-based compliance fails for a different reason. Model cards, datasheets, and system safety cases describe what the training team intends to have done. They are narrative artifacts disconnected from the training loop's actual behavior. A reviewer cannot independently verify that the corpus described in the datasheet is the corpus that actually produced the weights in front of them. Adversarial-data screening performed as a pre-ingest filter cannot detect poisoning crafted to pass that specific filter, and crucially leaves no trace at the gradient level that a later auditor could examine. Red-team exercises run after training reveal failures that already exist in the parameters; they do not prevent the failures from being learned. Each of these procedural mechanisms is necessary but, taken together, insufficient against the threat model that DoDD 3000.09 review boards must actually accept.

What the AQ primitive provides

Adaptive Query training governance treats classification, provenance, and adversarial resistance as gradient-level properties rather than wrapper concerns. Classification-aware gradient routing reads the classification metadata attached to each training example and directs the resulting gradient into a layer band consistent with that classification. Unclassified data influences broadly accessible representational layers; classified data influences layers that are structurally inaccessible in deployment contexts not cleared to the corresponding level. The model learns from the full corpus, but the knowledge is depth-stratified by classification, so deploying a derivative in an unclassified environment does not silently expose classified influence.

Entropy-based adversarial profiling examines each candidate training example against the entropy distribution of its claimed source. Examples whose information content is inconsistent with their provenance assertion are flagged before their gradient is integrated, and the flag itself becomes part of the training record. This converts data poisoning from a quiet contamination into a logged event with a forensic trail. Provenance tracing maintains a structural link from every parameter update back to the example, the classification, the source, and the governance decisions that admitted it, producing the complete training audit trail that acquisition reviewers under DoDI 5000.97 require. Zero-weight prevention ensures that no example is silently discarded; every training input either contributes through governed routing or is excluded with a documented justification, eliminating the silent-drop failure mode where a filter removes inputs whose absence later proves operationally significant. Knowledge-retention monitoring detects regression in previously validated mission capabilities and gates further training when retention thresholds are at risk, supporting the continuous-fielding model that Replicator timelines require without sacrificing the validation already invested in earlier model versions.

Operationally, classification-aware routing changes the deployment calculus. The same set of weights, with classification-stratified depth bands, can support a TS/SCI-cleared analyst working the full corpus and a coalition operator working only the releasable surface, without forking model artifacts across enclaves and without the synchronization debt that fork-and-redact strategies accumulate. This is the property AUKUS Pillar II and similar joint efforts most need: a single trained capability whose visibility is cryptographically and structurally bounded by the cleared context in which it runs.

Compliance mapping

Each governance primitive maps directly onto a regulatory obligation. Classification-aware gradient routing satisfies the cross-domain control posture that DoDM 5200.45 requires for AI fielding and that AUKUS Pillar II requires for jointly trained capabilities, while honoring ITAR and EAR constraints on what training influences may reside in parameters accessible to which audiences. Provenance tracing satisfies the data-lineage and validation-evidence requirements of DoDI 5000.97 and supplies the auditable training record that DoDD 3000.09 senior review boards need to certify autonomous and semi-autonomous capabilities. Entropy-based adversarial profiling and zero-weight prevention together address the Manage and Measure functions of the NIST AI RMF DoD profile and the operational controls expected under ISO/IEC 42001 clauses on data quality and change management. The CMMC 2.0 posture of the contractor environment is reinforced because the governance layer logs every training-data interaction in a tamper-evident form, narrowing the window in which a supply-chain compromise could go unnoticed. Knowledge-retention monitoring and the governed training loop satisfy the continuous-monitoring expectations that the CDAO has built into its Joint AI Concept guidance.

Adoption pathway

The pathway to operational adoption is incremental and survives the constraints of an active program of record. Initial deployment can be scoped to a single training pipeline or even a single fine-tuning task without disturbing the rest of the program's MLOps stack. Because the governance layer operates on the gradient computation, not on the data warehouse or the inference path, it can be introduced behind the existing data-handling controls and inherits their accreditation posture.

A program office adopting AQ training governance begins by annotating its existing training corpus with classification level, source provenance, coalition release authority, and confidence assessment. The governance layer wraps the existing trainer, intercepting the gradient computation and routing each update according to the metadata. No change to the underlying model architecture is required; the routing operates over the standard backward pass. Within the first training cycle, the program produces a structural provenance record that can be exported to the acquisition technical baseline. Within the second cycle, entropy-based profiling has accumulated enough distributional evidence to flag anomalous inputs at meaningful thresholds. Within the third, knowledge-retention monitoring is calibrated against the program's validated mission capabilities, and the governed loop is gating further training against regression. The output is a model that the DoDD 3000.09 review board can certify, the DoDI 5000.97 acquisition path can document, the CDAO can host inside its NIST AI RMF DoD profile reporting, and an AUKUS partner can ingest without violating any of the classification, export-control, or fielding constraints that govern the joint capability. The same lineage substrate also supports the post-fielding monitoring obligations attached to autonomous and semi-autonomous capabilities, allowing operators to evidence continued conformance to the training-time safety case as adversarial conditions evolve.