An employee on your team needs to summarize a long contract document. They use the AI feature built into their PDF reader, get a clean summary back, and move on with their day.
Helpful. Efficient. The kind of small productivity gain AI is genuinely good at.
It may have also just expanded your CMMC assessment boundary.
This is the quiet version of the CMMC AI problem. AI features are showing up across the productivity tools your team already uses, often without anyone choosing to deploy them. The CMMC framework asks you to certify control over your environment. AI has quietly changed what your environment is.
AI used to mean an app someone chose to use. Today, AI features arrive bundled into tools your team already pays for.
Meeting transcription.
Document summarization.
Email assistance.
Code suggestions.
The employee never decided to use AI. The feature was just there.
This shift breaks an assumption CMMC scoping was built on. The framework asks you to map your environment, identify which systems process Controlled Unclassified Information (CUI), and document the data flows. That worked when every tool in your environment was a deliberate procurement decision. Embedded AI changes that. New processing happens inside tools that have been in your environment for years.
The real CMMC AI question isn't whether AI is being used in your organization. It is. The question is whether you can see where. An assessor asking "where is AI deployed in your environment?" is asking something most organizations don't yet have a clean answer to. Not because they're being careless. Because the question changed underneath them.
From here, organizations are choosing between two paths.
The first is to wait. The National Defense Authorization Act (NDAA) for fiscal year 2026 directs the Department of Defense (DoD) to build a specific AI security framework that will bolt onto CMMC. Section 1513 of that act lays out the categories the framework will address. An implementation plan is due to Congress next month, with the actual rules to follow. Some compliance leaders are reasonably asking why solve an unclear problem when more guidance is on the way.
It's a defensible position. The problem is that current CMMC rules already apply to AI tools that process CUI. The scoping work is required today, not just after the new framework arrives.
The future framework also won't solve your visibility problem. No regulation can tell your organization where AI features have shown up inside your specific tools. That's something only your team can map.
The second path is to start mapping your environment now. Find out where AI features already show up in your tools. Note which ones can touch CUI. Track how the data moves. This is the kind of work that matters for current CMMC AI requirements and will still matter when Section 1513's framework arrives.
The choice between paths usually comes down to what you think you're waiting for. Path 1 waits for clearer rules. Path 2 builds a clearer picture of your own environment, which no rule can give you.
The point of mapping your environment isn't to clamp down on AI. It's the opposite.
Organizations that know where AI lives in their tools can use AI on purpose. They can approve certain AI uses for certain kinds of data. They can roll out authorized AI tools inside the right environments. They can say yes to AI in places where it adds real value.
Organizations that don't have that map are stuck with two bad options. Use AI without knowing the risk. Or block AI everywhere, even where it would help.
Visibility is what lets you choose.
Prime contractors are already starting to ask their subs how they govern AI usage. As Section 1513's framework takes shape and shows up in contract language, that question will become standard. Organizations that built the map early will answer it without trouble. The ones that didn't will be playing catch-up.
This is where CMMC AI work stops being a chore and starts being a position you want to be in.
CMMC compliance has always been about knowing your environment well enough to certify it. AI hasn't changed that. It's added a new layer to your environment that doesn't show up on its own.
If mapping AI in your environment feels like the next thing to figure out, we're happy to walk through what that could look like in your specific operation.