Assessment completed for: Precision Components Vermont (fictional profile — illustrative only)
320 employees · $85M revenue · precision machined components · aerospace and medical device OEM supplier

Top 3 Risks Identified:

Recommended Path:

On-premises AI deployment (mandatory given ITAR constraints) with three capabilities: production knowledge assistant, supplier document Q&A, and quality records search. Estimated project: $48K build + $4.5K/mo operations retainer.

| Field | Detail |
|---|---|
| Company | Precision Components Vermont (fictional profile — illustrative only) |
| Headcount | 320 employees: CNC machinists (140), QA technicians (28), engineers (42), programmers (18), sales & customer support (24), finance & admin (20), management (12), maintenance (16), logistics (20) |
| Revenue | $85M (FY2025); YoY growth 8% |
| Product Mix | Aerospace structural components (~45%), medical device precision parts (~30%), semiconductor equipment components (~15%), defense subcontracting (~10%) |
| Key Customers (OEMs) | Lockheed Martin, Raytheon, Medtronic, Boston Scientific, Applied Materials — all under strict NDAs and quality agreements |
| Certifications | AS9100D (aerospace), ISO 13485 (medical devices), ITAR registration, Nadcap accreditation |
| IT Infrastructure | On-premise file servers; Microsoft 365 E3; ERP (JobBOSS); CMM inspection software; SharePoint for document control; no AI tools formally deployed |
| Current AI Usage | Personal ChatGPT/Gemini accounts across engineering and programming teams; no formal AI governance; no approved AI tools |
| Key Vulnerability | 14 senior machinists/process engineers age 57+ eligible for retirement within 24 months — tribal knowledge at risk |
AI tools currently in use — all outside IT visibility, none approved through formal procurement or security review.

| Tool | Deployment Type | Users | Volume Estimate | Risk Flag |
|---|---|---|---|---|
| ChatGPT (free, personal accounts) | Consumer web — no enterprise controls | ~55 employees (engineers, programmers, QA) | 200–400 queries/day estimated; CAD spec descriptions, process parameters, inspection criteria commonly pasted | CRITICAL — ITAR-controlled data, customer specs, supplier NDA IP |
| Google Gemini (personal accounts) | Consumer web | ~25 employees (engineers, programmers) | 80–120 queries/day; CNC code review and optimization queries | CRITICAL — same ITAR exposure as ChatGPT; no visibility |
| Microsoft 365 Copilot | M365 E3 tenant — no formal rollout | ~8 engineers (informal trial) | Low — limited awareness of Copilot availability | HIGH — M365 data includes SharePoint engineering docs |
| CAD software built-in AI (Siemens NX, Mastercam) | Licensed on-premise | 42 engineers, 18 programmers | Moderate — AI features used within CAD environment | MODERATE — vendor AI; no ITAR exposure but unvetted |
| JobBOSS ERP AI features | Licensed SaaS | Production planners, sales | Low — scheduling optimization features | HIGH — production data, job routing, customer PO data in cloud system |
| Quality inspection software (PC-DMIS AI) | Licensed on-premise | 28 QA technicians | Moderate — defect classification AI in CMM software | MODERATE — vendor-controlled; part of Nadcap compliance |

Critical finding — Samsung pattern observed: Engineering team is routinely pasting CAD specifications, process parameters (speeds, feeds, tolerances), and technical drawings into ChatGPT to "explain the part" or "generate a process plan." This is the Samsung Semiconductor incident — employees trying to work faster, not malicious, but creating ITAR exposure that could result in criminal penalties. IT has no visibility and no controls.
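The "no visibility" finding above is the first thing a defender can fix: the Phase 1 AI tool inventory can be seeded from the web proxy rather than from interviews alone. The following is an added example, not part of the original assessment and not Vermont AI Systems' tooling. It parses a constructed proxy log format, maps users to departments through a constructed directory export, counts traffic to consumer AI front ends per department, and flags POST requests with large bodies, which is the pattern consistent with a spec or drawing description being pasted in. The hostnames are real consumer AI services, but the list is a starting point, not a complete catalogue.

```python
"""Shadow-AI inventory from web proxy logs (added example; constructed data)."""
from collections import defaultdict
import re

# Real consumer AI hostnames; the list is illustrative, not exhaustive.
CONSUMER_AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
}

# Constructed directory export standing in for an AD / HR lookup.
USER_DEPT = {"jsmith": "Engineering", "bcnc": "Programming", "qtech1": "QA",
             "pbuyer": "Purchasing", "hrgen": "HR"}

# Constructed log line format: ts user method host path status request_bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
                    r"(?P<path>\S+) (?P<status>\d{3}) (?P<req_bytes>\d+)$")

# Constructed sample log; paths and sizes are invented for the example.
SAMPLE_LOG = """\
2025-03-03T08:12:44Z jsmith POST chatgpt.com /conversation 200 18422
2025-03-03T08:13:02Z jsmith GET chatgpt.com /c/abc123 200 512
2025-03-03T08:20:19Z bcnc POST gemini.google.com /chat 200 9200
2025-03-03T09:01:55Z qtech1 POST chatgpt.com /conversation 200 2100
2025-03-03T09:05:10Z pbuyer GET www.bing.com /search 200 300
2025-03-03T09:07:33Z pbuyer POST chat.openai.com /conversation 200 64000
2025-03-03T09:30:00Z hrgen GET intranet.example.com / 200 800
this line is malformed and should be skipped
"""


def parse_log(text):
    """Parse log lines; malformed lines are counted rather than silently dropped."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        ev = m.groupdict()
        ev["req_bytes"] = int(ev["req_bytes"])
        events.append(ev)
    return events, bad


def inventory(events, upload_threshold=16384):
    """Aggregate consumer-AI traffic: {dept: {tool: {users, posts, large_uploads}}}.

    A POST with a large request body is the event worth following up: it is
    consistent with a document or drawing description being pasted into the tool.
    """
    inv = defaultdict(lambda: defaultdict(
        lambda: {"users": set(), "posts": 0, "large_uploads": 0}))
    for ev in events:
        tool = CONSUMER_AI_HOSTS.get(ev["host"].lower())
        if tool is None:
            continue  # not a consumer AI endpoint
        rec = inv[USER_DEPT.get(ev["user"], "Unknown")][tool]
        rec["users"].add(ev["user"])
        if ev["method"] == "POST":
            rec["posts"] += 1
            if ev["req_bytes"] >= upload_threshold:
                rec["large_uploads"] += 1
    return inv


def report(inv):
    """Flat, sorted rows (dept, tool, distinct users, posts, large uploads)."""
    rows = []
    for dept in sorted(inv):
        for tool in sorted(inv[dept]):
            r = inv[dept][tool]
            rows.append((dept, tool, len(r["users"]), r["posts"], r["large_uploads"]))
    return rows


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    for row in report(inventory(events)):
        print("%-12s %-8s users=%d posts=%d large_uploads=%d" % row)
    print("malformed lines skipped:", bad)
```

The byte threshold is a tuning knob, not a rule: a few kilobytes of request body is a normal chat turn, while tens of kilobytes in one POST is the size of a pasted process plan. Run against real proxy data, the same aggregation gives the per-department user counts that the tool table above estimates.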
Classification of data types by department, with AI tools currently touching each classification. This map forms the foundation for ITAR compliance documentation and supplier NDA governance.

| Department | Data Types | AI Tools Touching This Data | Classification | Volume/Week |
|---|---|---|---|---|
| Engineering / Programming | CAD files (.prt, .sldprt, .dxf), process plans, CNC programs (G-code), tolerance specifications, material specs, drawing revisions, ITAR-controlled program documentation | ChatGPT (personal), Gemini (personal), M365 Copilot (informal) | CRITICAL — ITAR-controlled export-controlled data / Arms Export Control Act | ~800 part programs/week; ~60 contain ITAR-controlled data |
| Quality Assurance | CMM inspection programs, first article inspection reports (FAIR), AS9102 forms, PPAP documentation, customer quality requirements, nonconformance reports, supplier corrective action requests | ChatGPT (personal), Gemini (personal) | HIGH — customer quality specs under NDA; medical device traceability requirements (ISO 13485) | ~120 FAIRs/month; 40+ SCARs/month |
| Supply Chain / Purchasing | Supplier quotes (with proprietary process data), RFQ packages, material lead times, tooling specs, supplier capacity data, NDA-covered supplier technical packages | ChatGPT (personal) | CRITICAL — supplier NDA IP; trade secret exposure; customer drawing data in supplier quotes | ~200 RFQ responses/month; 85+ supplier relationships |
| Sales & Customer Support | Customer OEM specifications, program pricing, quote history, delivery schedules, customer NDA-covered technical packages | ChatGPT (personal), JobBOSS ERP AI | HIGH — OEM customer specs; NDA-covered program data; competitive quote information | ~50 active customer programs; 15+ active NDAs |
| Production / Operations | Job routing, setup sheets, production counts, defect rates, machine utilization data, tribal knowledge (setup parameters, tooling preferences, material behaviors) | None formally; tacit knowledge in senior machinist heads | HIGH — proprietary process knowledge; competitive manufacturing intelligence; at risk of loss via retirement | Tacit knowledge of 14 senior employees; no formal documentation |
| HR & Admin | Employee records, payroll, benefits, skills matrix, training records, succession planning data | ChatGPT (personal — HR generalist) | MODERATE — PII; skills matrix is proprietary | Low volume; HR generalist only |

International Traffic in Arms Regulations (ITAR) restricts the export of defense articles, technical data, and services. Key findings:

Legal note: The Arms Export Control Act carries criminal penalties up to $1M per violation for knowing violations, and up to $500K per violation for negligent violations. "Knowing" includes deliberate ignorance — not knowing your engineers are sending ITAR data to ChatGPT does not protect you. ITAR compliance programs are not optional for companies with defense subcontracts.
How it happens: This is the Samsung Semiconductor scenario in a manufacturing context. The programmer is trying to optimize cycle time — a legitimate work goal. But the G-code and tolerance specification are ITAR-controlled technical data. OpenAI's free tier terms of service disclaim any confidentiality obligation. The technical data may have been retained in OpenAI's training pipeline. A foreign competitor or adversarial nation-state with access to OpenAI's model outputs could theoretically obtain the program.

How it happens: Supplier NDAs prohibit sharing proprietary process data with third parties. The supplier's EDM parameters are a trade secret. Pasting them into a public AI tool constitutes disclosure to a third party — a potential breach of the NDA that could trigger: (a) supplier contract termination, (b) loss of preferred supplier status, (c) indemnification claim from the supplier against the buyer.

How it happens: This is not a single incident — it's a compounding organizational risk. 14 senior employees (avg. age 57) have 280 combined years of manufacturing knowledge that exists only in their heads. The company's documented process knowledge covers perhaps 40% of what these employees know. The remaining 60% is tacit — it's in their hands and their judgment, not in any system.

On-premises deployment is mandatory — ITAR and supplier NDA requirements prohibit any cloud-based AI infrastructure that would transmit controlled data outside the company's network perimeter. Three capabilities are recommended across two phases.

| Component | Description | Implementation |
|---|---|---|
| On-Prem GPU Server | Dedicated GPU server (on-premise or in company's own data center closet) running Llama 3.1 70B. No external API calls. Air-gapped from internet. Full ITAR isolation — no data leaves the network perimeter under any circumstance. | On-premise NVIDIA GPU cluster (A100 or H100); Llama 3.1 70B fine-tuned; VPN-locked access; ITAR compliance boundary established |
| Production Knowledge Assistant | Q&A interface against all documented and captured production knowledge — setup parameters, tooling preferences, material behaviors, job-specific notes. Also used to capture tacit knowledge from senior machinists during Phase 1 onboarding. "Ask the 28-year veteran" becomes possible. | Fine-tuned on job history, setup sheets, tooling logs, process plans; RAG against tribal knowledge capture interviews conducted in Phase 1; structured prompts for machinist knowledge capture sessions |
| Supplier Document Q&A Agent | Natural language Q&A against the full supplier document library — RFQs, quotes, technical specs. NDA compliance filter active: if a query would surface data from a document with an active NDA restriction, the system flags it and blocks the response. Supplier IP never leaves the system. | RAG against supplier document store; NDA metadata tag on each document; compliance filter layer rejects queries that would disclose NDA-protected data; audit log of all supplier document queries |
| Quality Records Search | Natural language search across CMM inspection data, FAIR history, NCR log, and SCAR database. Engineer asks: "Show me all NCRs for aluminum 7075-T6 in the last 18 months" — gets structured results from the actual quality database, not from memory. | RAG against quality records database; structured data ingestion from PC-DMIS and AS9102 forms; search results include part number, material, defect type, disposition, and cost |
| Tribal Knowledge Capture Program | Structured process for capturing tacit knowledge from senior machinists — not just the AI system, but a cultural program to document what the 14 retirement-eligible employees know. Interview protocol, knowledge mapping sessions, and systematic capture into the production knowledge store. | Conducted by VAS team in Phase 1; structured interview framework; knowledge mapped to job sequences; updates to production knowledge assistant with each capture session |

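The Supplier Document Q&A Agent row describes three controls that together make the RAG layer the NDA enforcement point: an NDA metadata tag on each document, a filter that blocks any response which would surface restricted content, and an audit log of every query. The following is an added illustration of that design, not Vermont AI Systems' code or the project's implementation. The document library, supplier names, NDA reference values and the keyword-overlap retriever are constructed stand-ins for a real document store and embedding search; the filter sits between retrieval and generation and fails closed.

```python
"""NDA compliance filter for a supplier-document RAG agent (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SupplierDoc:
    doc_id: str
    supplier: str
    text: str
    nda_restricted: bool   # metadata tag applied at ingestion from the NDA audit
    nda_ref: str = ""      # constructed placeholder identifiers below


@dataclass
class Decision:
    allowed: bool
    reason: str            # "ok", "nda_restricted" or "no_match"
    doc_ids: list = field(default_factory=list)


STOPWORDS = {"the", "and", "for", "what", "with", "from", "our", "use", "per", "all"}


def tokenize(text: str) -> set:
    out = set()
    for w in text.split():
        t = w.strip(".,;:()?").lower()
        if len(t) > 2 and t not in STOPWORDS:
            out.add(t)
    return out


def retrieve(docs, query, top_k=3):
    """Toy keyword-overlap retriever standing in for embedding search."""
    q = tokenize(query)
    scored = [(len(q & tokenize(d.text)), d) for d in docs]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: sd[0], reverse=True)
    return [d for _, d in scored[:top_k]]


class NdaComplianceFilter:
    """Fail-closed gate between retrieval and generation.

    If any retrieved document carries an NDA restriction the whole response is
    blocked rather than trimmed: a partial answer can still leak restricted
    parameters through paraphrase, and the block itself is what gets logged.
    """

    def __init__(self):
        self.audit_log = []

    def check(self, user: str, query: str, retrieved: list) -> Decision:
        restricted = [d for d in retrieved if d.nda_restricted]
        if restricted:
            decision = Decision(False, "nda_restricted", [d.doc_id for d in restricted])
        elif not retrieved:
            decision = Decision(False, "no_match")
        else:
            decision = Decision(True, "ok", [d.doc_id for d in retrieved])
        # Every query is logged, allowed or not; the log stores ids, never document text.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "query": query, "allowed": decision.allowed,
                               "reason": decision.reason, "docs": decision.doc_ids})
        return decision


def answer_query(docs, flt: NdaComplianceFilter, user: str, query: str) -> str:
    """Text returned to the user; restricted document content is never rendered."""
    hits = retrieve(docs, query)
    decision = flt.check(user, query, hits)
    if decision.reason == "nda_restricted":
        return ("Blocked: this query would surface NDA-protected supplier data "
                f"({', '.join(decision.doc_ids)}). Route the request through Procurement.")
    if not decision.allowed:
        return "No matching supplier documents."
    return "\n".join(f"[{d.doc_id}] {d.supplier}: {d.text}" for d in hits)


def build_sample_docs():
    """Constructed sample library; supplier names and NDA refs are placeholders."""
    return [
        SupplierDoc("D-100", "Example EDM Shop", "Wire EDM parameters for Inconel 718 bushings: "
                    "pulse on-time 12 us, wire tension 1400 g, flushing pressure 8 bar.",
                    True, "NDA-PLACEHOLDER-01"),
        SupplierDoc("D-101", "Example Metals Distributor", "Aluminum 7075-T6 plate, 1.5 in thick: "
                    "lead time 6 weeks, minimum order 500 lb, price per quote.", False),
        SupplierDoc("D-102", "Example Titanium Mill", "Titanium Ti-6Al-4V bar stock: lead time "
                    "4 weeks, certified per AMS 4928, minimum order 200 lb.", False),
    ]


if __name__ == "__main__":
    docs, flt = build_sample_docs(), NdaComplianceFilter()
    print(answer_query(docs, flt, "pbuyer", "lead time for aluminum 7075-T6 plate"))
    print(answer_query(docs, flt, "eng7", "what wire EDM pulse on-time and wire tension "
                                          "do we use for Inconel 718?"))
    print(flt.audit_log)
```

Two design points carry over to a real deployment. The tag is set at ingestion from the supplier NDA audit (the Week 4 milestone), not inferred from content, so a missing tag is a data-governance defect rather than a filter defect. And the filter decides on the retrieved set before the model sees any text, so the generation step never has restricted parameters in its context.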
IT/Compliance note: The existing JobBOSS ERP cloud connection should be reviewed for AI training data provisions in the vendor agreement. Production routing data, job costs, and customer PO data may be subject to the same concerns as other cloud AI vendors. A vendor NDA review should be included in Phase 1.
Assessment: included ($7,500) · Internal resource: ~35 hrs IT, ~20 hrs engineering, ~15 hrs tribal knowledge interviews

| Milestone | Deliverable | Owner | Target |
|---|---|---|---|
| AI tool inventory | Complete list of all AI tools in use by department; ITAR-controlled data mapping | CIO + Engineering Director | Week 2 |
| ITAR AI compliance policy | Formal policy: no ITAR-controlled technical data in any consumer AI tool; employee acknowledgment; disciplinary protocol | CEO + Legal (external) | Week 3 |
| Supplier NDA audit | Review all 85+ active supplier NDAs for AI disclosure clauses; flag suppliers with absolute confidentiality requirements | Procurement Director + Legal | Week 4 |
| On-prem GPU server procurement | Hardware spec finalized; procurement initiated; server room/network infrastructure review | CIO + Engineering Director | Week 4 |
| Tribal knowledge interviews (first cohort) | Structured knowledge capture interviews with 7 of 14 senior employees; knowledge mapped and documented; first upload to knowledge store | Vermont AI Systems + Engineering Director | Weeks 5–8 |
| On-prem AI infrastructure setup | GPU server deployed on-premise; Llama 3.1 70B installed; network isolated; ITAR compliance boundary verified | CIO + VAS team | Weeks 8–10 |
| Production knowledge assistant — first version | Knowledge store populated with first cohort interview data; Q&A interface tested with engineering team; tribal knowledge capture workflow validated | Vermont AI Systems | Weeks 10–12 |
| Phase 1 deliverable | ITAR compliance policy, tribal knowledge baseline (50%+ coverage), on-prem AI infrastructure operational, production knowledge assistant in testing | Vermont AI Systems + CIO | Week 14 |

Build investment: $48K · Internal resource: ~90 hrs IT/engineering, ~30 hrs tribal knowledge interviews (remaining 7 employees)

| Milestone | Deliverable | Target |
|---|---|---|
| Production knowledge assistant — production | Fine-tuned model deployed; full tribal knowledge coverage (all 14 senior employees); capture workflow operational; engineering team trained | Month 4 |
| Supplier doc Q&A agent | Supplier document store ingested; NDA compliance filter calibrated; purchasing team trained; audit log operational | Month 5 |
| Quality records search | PC-DMIS and AS9102 data ingested; CMM history, FAIRs, NCRs searchable; QA team trained | Month 5–6 |
| Supplier NDA compliance — Phase 2 review | Vendor agreement review complete for all AI-adjacent tools (JobBOSS, CAD software AI features); data handling clauses documented | Month 6 |
| ITAR documentation package | AI usage documentation for ITAR compliance program; export classification review of AI outputs; compliance audit | Month 6 |
| Phase 2 deliverable | Three AI capabilities in production; ITAR compliance program documented; tribal knowledge 80%+ captured; full staff training | Month 6 |

Included in operations retainer ($4.5K/mo) · Internal resource: ~20 hrs/quarter IT, ~8 hrs/quarter engineering

| Milestone | Deliverable | Target |
|---|---|---|
| Quarterly knowledge refresh | New tribal knowledge captured each quarter; setup parameter updates from senior machinists documented and uploaded; model retrained on new data | Monthly (retainer) |
| CAD/ERP integration pilot | Integration pilot between production knowledge assistant and Siemens NX CAD environment; JobBOSS ERP data integration for job history search | Month 9 |
| New employee onboarding AI | New machinist onboarding assistant — AI-powered job-specific training based on the tribal knowledge store; accelerates time-to-proficiency from 18 months to ~12 months | Month 9 |
| Medtronic AS9100D / ISO 13485 audit prep | AI system documentation package prepared for AS9100D surveillance audit and ISO 13485 recertification; documented process for AI-assisted decision records | Month 12 |
| Phase 3 deliverable | Knowledge currency maintained; new employee onboarding accelerated; compliance documentation for Nadcap and customer audits | Month 12 |

Already completed for this fictional firm profile as part of the sample illustration.

| Item | Amount |
|---|---|
| AI Readiness Assessment — full engagement | $7,500 |
| Total Assessment | $7,500 |

The $48K fixed price covers on-premises deployment (mandatory for ITAR), three AI capabilities, tribal knowledge capture program, and ITAR compliance documentation. On-prem hardware costs are included (the GPU server is a material line item — cloud alternatives are not available given ITAR constraints).

| Component | Amount | Notes |
|---|---|---|
| On-prem GPU server (hardware procurement, setup, networking) | $12,000 | Including ITAR-compliant network isolation setup |
| Architecture design & ITAR compliance program | $7,000 | ITAR export classification, compliance documentation, vendor review |
| Tribal knowledge capture program (14 employees, structured interviews) | $6,000 | Interview protocol, knowledge mapping, documentation, Phase 1 upload |
| Production knowledge assistant — fine-tune + RAG + interface | $9,000 | Llama 3.1 fine-tune on job history; RAG against setup sheets and tribal knowledge |
| Supplier document Q&A agent — RAG + NDA compliance filter | $6,500 | NDA metadata tagging; compliance filter; audit log |
| Quality records search — data ingestion + RAG + interface | $5,500 | PC-DMIS data ingestion; FAIR/NCR/CMM history search |
| Testing, QA, ITAR compliance audit | $5,000 | Penetration testing of on-prem network; ITAR compliance validation; QA workflow testing |
| Project management & staff training | $4,000 | Engineering team, purchasing team, QA team training; policy documentation |
| Net Build Cost | $55,000 | |
| Discount (assessment credit + on-prem efficiency) | ($7,000) | |
| Final Build Cost | $48,000 | |

| Item | Monthly | Annual |
|---|---|---|
| System monitoring and GPU server maintenance | $1,500 | $18,000 |
| Quarterly model retraining (production knowledge updates) | $900 | $10,800 |
| New tribal knowledge capture sessions (ongoing) | $700 | $8,400 |
| Security patch management and vulnerability scanning | $500 | $6,000 |
| Supplier NDA compliance monitoring | $400 | $4,800 |
| Direct support for engineering/QA team questions | $500 | $6,000 |
| Operations Retainer | $4,500 | $54,000 |

Three-path analysis: On-Prem Private AI Build (mandatory for ITAR compliance) vs. cloud-based alternatives that cannot be used.

| Criteria | On-Prem Private AI Build (Recommended — Required) | Microsoft Azure OpenAI (cloud) | Standard Cloud AI Tools |
|---|---|---|---|
| ITAR compliance | ✓ Full isolation — data never leaves the facility | ✗ Azure-hosted; ITAR-controlled data cannot be transmitted | ✗ No cloud option meets ITAR requirements without specific export license |
| Supplier NDA data handling | ✓ NDA compliance filter; no third-party data disclosure | ✗ Data processed by Microsoft; NDA compliance uncertain | ✗ No cloud vendor guarantees against data disclosure to third parties |
| Tribal knowledge capture | ✓ Structured program to capture and preserve tacit knowledge | ✗ Cloud tools don't capture tribal knowledge — they just answer questions | ✗ Same — no knowledge capture program |
| CAD/process data fine-tuning | ✓ Fine-tuned on company's own job history and process data | ⚠ Could technically fine-tune on process data, but ITAR violation | ✗ Not designed for manufacturing process data |
| Quality records search | ✓ RAG against CMM data, FAIRs, NCRs — all on-prem | ⚠ Technically possible but ITAR/quality data risk | ✗ Not designed for manufacturing quality data |
| Medical device (ISO 13485) compliance | ✓ Audit trail, documented process, full traceability | ⚠ Audit trail available but supplier data in Microsoft cloud is compliance risk | ✗ No ISO 13485 compliance design for AI systems |
| Aerospace (AS9100D) compliance | ✓ Documented AI usage; ITAR compliance documentation included | ⚠ ITAR prevents use of cloud AI with controlled data | ✗ ITAR prevents use |
| Year 1 cost | $109,500 (assessment + build + retainer) | Prohibited by ITAR | Prohibited by ITAR |
| Year 2+ ongoing cost | $54,000/yr (retainer + server maintenance) | N/A | N/A |
| IP ownership | ✓ Company owns model weights and all data on-premises | ✗ Microsoft owns the model; no IP | ✗ Vendor owns model |

Recommendation: On-Prem Private AI Build — this is not a choice between options, it's a compliance requirement. ITAR prohibits transmitting ITAR-controlled technical data to any foreign person or foreign-owned entity. Cloud AI vendors (Microsoft, Google, OpenAI) are either foreign-owned or have foreign subsidiaries, making ITAR compliance in cloud deployments essentially impossible without a specific export license. On-prem is the only compliant path for companies with defense subcontracts and ITAR registration.

This is a sample. Your assessment will be different.

Start at /book-audit → · Or reach us directly: hello@vermontaisystems.com · (802) 555-0192