The firm
Precision Components Inc. is a 120-employee precision machining company with $18 million in annual revenue, based in an industrial corridor of the upper Midwest. The firm specializes in complex components for aerospace and defense contractors — close-tolerance machining, finishing, and assembly of parts that go into airframes, propulsion systems, and ground-vehicle subsystems.
Their work is subject to ITAR (International Traffic in Arms Regulations) for export-controlled items and CUI (Controlled Unclassified Information) handling requirements for the prime contracts they serve. The firm was operating under a CMMC Level 1 self-assessment as of the start of 2024, with a CMMC Level 2 certification assessment by a C3PAO scheduled for Q4 2024 as a condition of continued participation in two major prime-contractor supply chains.
The situation
A senior process engineer was working on optimizing a proprietary manufacturing process for a defense subcontract. The process involved high-precision turning of a titanium alloy component with critical tolerance requirements. He was looking for ways to improve cycle time while maintaining surface finish requirements.
He discovered that consumer AI tools could analyze technical specifications and suggest optimization approaches. So he uploaded the technical documentation — including tolerances, process parameters, material specifications, and the part drawings themselves — to ChatGPT. The drawings were marked "ITAR-CONTROLLED — Export Restricted."
The AI provided suggestions. The engineer was impressed with the productivity gain.
He believed he was solving an internal engineering problem. He had not registered that uploading export-controlled technical data to a consumer AI service is a potential unauthorized export under ITAR § 120.50: the data left the firm's control for a third party's systems, with no way to know where it was stored or processed or which persons, including foreign persons, could access it. The cloud carve-out in § 120.54 covers only technical data that stays end-to-end encrypted so the provider never holds plaintext, and a service that must read the text in order to answer cannot satisfy that condition.
How it was discovered
Three months later, a prime contractor's customer audit team arrived for their annual review ahead of contract renewal. The audit had a new section in 2024:
"Describe your organization's use of AI tools, including any generative AI services, and the controls protecting CUI and ITAR-controlled technical data from AI service exposure."
Precision Components had no AI policy. They had no inventory of AI tools in use. They could not answer the question.
The customer's compliance team opened an investigation. Document review surfaced the engineer's AI usage, the scope of the data uploaded, and the timeline. The prime contractor's response was swift and final.
The immediate fallout
| Impact | Value |
|---|---|
| Contract terminated | $2.4M annual contract |
| Notice period | 90 days, with all in-flight work to complete to documented quality standards |
| Reason cited | "Data handling controls insufficient for ITAR-classified work" |
The customer couldn't risk their own compliance position by continuing with a supplier whose controls didn't satisfy their flow-down requirements. Two pending opportunities at other defense primes — totaling $4.2M in potential revenue — were paused indefinitely pending visible remediation.
Federal export-control matters carry potential criminal liability under ITAR. The firm immediately engaged ITAR counsel for voluntary disclosure and remediation guidance:
- ITAR voluntary disclosure prepared and filed
- Documentation of all potential exposures gathered
- Defense preparation began
Legal fees over 18 months: $180,000. No formal enforcement action followed — the voluntary disclosure, immediate corrective action, and remediation evidence weighed in the firm's favor — but the legal process consumed significant resources during the recovery period.
The firm's cyber insurance policy contained an exclusion clause they hadn't previously examined:
"Exclusions: Claims arising from intentional disclosure of confidential data to third parties."
The engineer's act had not been intended as a violation, but he had intentionally shared the data with an external AI service. The carrier denied coverage for the legal defense costs.
The decision
The CEO, the VP of Operations, and the firm's outside ITAR counsel met two weeks after the contract termination. The CMMC Level 2 assessment was still scheduled for Q4 — eight months out — and remained a hard requirement for the firm's remaining defense work. The customer audit response, on top of CMMC, defined the documentation the firm needed to produce.
Two paths:
Path 1: Treat CMMC and AI governance as separate workstreams. Hire a CMMC consultant for the assessment scope; handle AI governance separately, after.
Path 2: Integrate AI governance into the CMMC remediation timeline. Recognize that the customer audit response and CMMC Level 2 requirements were converging on the same documentation set, and run a single coordinated program.
The CEO picked Path 2. Two reasons:
- The customer relationship rebuild required visible, documented action now, not after CMMC concluded. The firm needed an AI governance program with carrier-acceptable evidence ready to share with the prime contractor's compliance team within 90 days.
- CMMC Level 2 (the 110 NIST SP 800-171 controls) has no AI-specific requirements, but its access control, configuration management, media protection, awareness and training, and system and communications protection controls govern where CUI may flow, and those overlapped substantially with the customer audit gaps. Running them as parallel workstreams would mean building the same evidence twice.
The firm engaged Shadow AI Labs for the AI Risk Sprint as the discovery phase, with the understanding that a substantial Implementation engagement would follow to integrate with the CMMC Level 2 remediation plan.
Inside the Sprint
Deliverable 01 — AI Tool Discovery (Days 1–4)
Browser telemetry across 120 employees with focus on the engineering and quality groups, anonymous survey, procurement audit, and a manual review of the past six months of file-sharing activity from the engineering workstations. Findings:
- 18 AI tools in active use across the firm — including the consumer ChatGPT account at the center of the incident
- Four Chrome extensions with AI capabilities installed on engineering workstations, including one that submitted document text to external servers for summarization
- Two SaaS tools the firm subscribed to had silently activated AI features in 2024 — one of them ingesting engineering drawings as part of an "AI-assisted versioning" workflow
- Two additional engineers who admitted in the survey to using consumer AI for technical work, though at substantially lower volume and with data that was less directly subject to ITAR/CUI controls than in the original incident
Critically, none of the AI tools in use had been procured through the firm's controlled-data review process, because no such process existed at the time.
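One part of the discovery step above, the review of browser extensions on engineering workstations, can be automated from the extension manifests alone. The script below is an added example, not Shadow AI Labs tooling: it reads a Chrome extension's manifest.json and asks the two questions a reviewer asks of any extension, whether it can read page or document content, and where it can send that content. The sample manifests, the extension IDs and the AI_SERVICE_HOSTS list are constructed for illustration; the scan_profile helper shows how the same check is run against a real Chrome profile directory.

```python
"""Triage Chrome extension manifests for document-exfiltration capability.

Added example (not Shadow AI Labs tooling). Scores a manifest.json on two
questions: can the extension read page content, and where can it send it?
Sample manifests and the AI_SERVICE_HOSTS list are constructed, not real.
"""
import json
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: illustrative hostnames; maintain the real list from the tool inventory.
AI_SERVICE_HOSTS = {"api.openai.com", "chatgpt.com", "chat.openai.com",
                    "claude.ai", "gemini.google.com"}
# Match patterns that grant access to every page (and every origin for fetch()).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# Permissions that let an extension read page text or the clipboard.
CONTENT_READ_PERMISSIONS = {"activeTab", "tabs", "scripting", "clipboardRead"}


@dataclass
class ExtensionFinding:
    ext_id: str
    name: str
    severity: str                      # "critical", "high" or "info"
    reasons: list = field(default_factory=list)


def _host_of(pattern: str):
    """Host part of a match pattern such as 'https://*.openai.com/*', or None."""
    if "://" not in pattern:
        return None
    return pattern.split("://", 1)[1].split("/", 1)[0].lower()


def _is_ai_host(host) -> bool:
    """True if a declared host (possibly a '*.' wildcard) covers a known AI service."""
    if host is None:
        return False
    if host.startswith("*."):          # e.g. *.openai.com also covers api.openai.com
        return any(h == host[2:] or h.endswith(host[1:]) for h in AI_SERVICE_HOSTS)
    return host in AI_SERVICE_HOSTS


def assess_manifest(ext_id: str, manifest: dict) -> ExtensionFinding:
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
    host_perms = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    cs_matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

    broad_hosts = bool((host_perms | cs_matches) & BROAD_HOST_PATTERNS)
    ai_hosts = sorted(h for h in map(_host_of, host_perms) if _is_ai_host(h))
    reads_content = broad_hosts or bool(cs_matches) or bool(perms & CONTENT_READ_PERMISSIONS)

    reasons = []
    if cs_matches:
        reasons.append(f"content scripts injected into {sorted(cs_matches)}")
    if perms & CONTENT_READ_PERMISSIONS:
        reasons.append(f"content-reading permissions {sorted(perms & CONTENT_READ_PERMISSIONS)}")
    if broad_hosts:
        reasons.append("broad host permissions: can read every page and POST to any origin")
    if ai_hosts:
        reasons.append(f"declared access to AI service hosts {ai_hosts}")

    if reads_content and (ai_hosts or broad_hosts):
        severity = "critical"
    elif reads_content:
        # No AI host declared, but a background script can still fetch() to any
        # CORS-permissive API, so every content-reading extension needs manual review.
        severity = "high"
    else:
        severity = "info"
    return ExtensionFinding(ext_id, manifest.get("name", ext_id), severity, reasons)


def scan_profile(profile_dir) -> list:
    """Assess every Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    findings = []
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            findings.append(assess_manifest(manifest_path.parents[1].name, json.load(fh)))
    return findings


def triage(manifests: dict) -> dict:
    """Return {ext_id: severity} for a mapping of extension ID to manifest."""
    return {ext_id: assess_manifest(ext_id, m).severity for ext_id, m in manifests.items()}


# Constructed sample manifests (hypothetical IDs and names, not real extensions).
SAMPLE_MANIFESTS = {
    "ext-summarizer": {"name": "Doc Summarizer", "manifest_version": 3,
                       "permissions": ["storage"],
                       "host_permissions": ["https://api.openai.com/*"],
                       "content_scripts": [{"matches": ["<all_urls>"], "js": ["grab.js"]}]},
    "ext-grammar": {"name": "AI Grammar Helper", "manifest_version": 3,
                    "permissions": ["scripting", "storage"],
                    "host_permissions": ["<all_urls>"]},
    "ext-sidebar": {"name": "Chat Sidebar", "manifest_version": 3,
                    "permissions": ["activeTab", "storage"]},
    "ext-theme": {"name": "Dark Theme", "manifest_version": 2,
                  "permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, m in SAMPLE_MANIFESTS.items():
        f = assess_manifest(ext_id, m)
        print(f"{f.severity:8} {f.name}: {'; '.join(f.reasons) or 'no content access declared'}")
```

The manifest is a necessary indicator, not a sufficient one: an extension with only activeTab can still post whatever it reads to any endpoint that accepts cross-origin requests, which is why the script rates such extensions "high" rather than clearing them. Pair the manifest review with the proxy or DNS logs from the same workstations before deciding which extensions go on the blocklist.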
Deliverable 02 — Risk Classification Matrix (Days 3–6)
Severity assessed following the NIST AI RMF (Map and Measure functions) and mapped against a manufacturing-specific criticality scale (which weights ITAR/CUI exposure as a separate dimension):
| Severity | Count | Pattern |
|---|---|---|
| Critical | 6 | AI tools with documented or possible ITAR/CUI exposure |
| High | 4 | Tools handling proprietary process or customer specifications |
| Medium | 5 | Productivity tools with limited controlled-data exposure |
| Low | 3 | Sanctioned-eligible tools (already mostly controlled) |
The Critical-severity classification included the consumer ChatGPT use at the heart of the incident, and five other tools that posed equivalent risk patterns the firm had not yet recognized.
Deliverable 03 — Customer Audit & CMMC Rider Gap Analysis (Days 5–9)
Side-by-side comparison of customer flow-down requirements + CMMC Level 2 AI-relevant controls + ITAR § 120.50 export definitions (including deemed exports) against the firm's current documented state. The deliverable mapped 14 controls across the three regimes:
- 11 of 14 controls had no documented evidence
- 2 of 14 had partial documentation (legacy IT security controls that incidentally covered some AI scope)
- 1 of 14 had complete documentation (physical access controls for the engineering area)
All 14 were addressable before the CMMC assessment if remediation started immediately. The deliverable structured them in dependency order: which controls had to land first to enable others, which could run in parallel.
Deliverable 04 — AUP & Engineering-Specific Controls (Days 6–10)
The AUP was drafted with provisions specifically for a controlled-data manufacturing environment:
- Data classification. Four tiers (Restricted ITAR, Restricted CUI, Confidential, Internal) with AI-tool eligibility rules for each. ITAR data: no AI tool processing of any kind. CUI: only AI tools under documented procurement review and operating on segregated infrastructure.
- Engineering workstation restrictions. A specific provision that engineering workstations would have AI tool access restricted by network controls; any exception required CEO + outside ITAR counsel approval in writing.
- Vendor procurement review. All new tools — including new AI features in existing tools — required review through a documented process that checked ITAR/CUI exposure as part of the standard intake.
- Customer flow-down compatibility. Each provision included an annotation showing which customer flow-down requirements it satisfied. This let the firm share specific sections of the AUP with customer audit teams as evidence.
Training was outlined as four modules totaling 90 minutes, with engineering staff receiving an additional 30-minute module specifically on ITAR/CUI handling in the AI context.
Deliverable 05 — 12-Month CMMC-Integrated Roadmap (Days 9–13)
Sequenced action plan tied to the CMMC Level 2 assessment date and the customer-relationship rebuild milestones. Highlights:
- Week 1: Network-level blocks for the 6 Critical-severity tools. AUP distributed firm-wide with required acknowledgment. Customer notified of remediation in flight.
- Month 1: Engineering workstation hardening complete. Microsoft GCC High deployment for sanctioned AI productivity (separate environment from the firm's commercial Microsoft 365 tenant). Modules 1 and 2 training delivered.
- Month 3: First evidence package shared with the customer's compliance team. ITAR voluntary disclosure responses prepared.
- Month 6: CMMC Level 2 self-assessment complete. Pre-assessment with C3PAO scheduled. Module 3 training delivered.
- Month 9: CMMC Level 2 third-party assessment conducted. Customer relationship rebuild conversations initiated.
- Month 12: CMMC Level 2 certification received. Customer audit response package finalized.
Deliverable 06 — Executive Readout (Day 14)
A 75-minute readout (extended from the standard 60 minutes given the regulatory complexity) with the CEO, VP of Operations, the firm's outside ITAR counsel, the firm's CMMC consultant, and the engineering manager whose workstation had been at the center of the incident. The 28-page PDF report — including the 18-tool inventory, line-by-line control mapping across customer audit + CMMC + ITAR, and acceptance criteria for each remediation step — was delivered same-day.
Four decisions were made during the meeting:
- Establish a formal Compliance Officer role at the operations-leadership level, with documented responsibility for the integrated CMMC + AI governance program.
- Commit to a 90-day evidence-package cadence with the prime contractor's compliance team through the customer-relationship rebuild period.
- Authorize the AI Governance Implementation engagement to execute the 12-month roadmap, integrated with the CMMC remediation plan.
- Initiate conversations with the firm's cyber insurance carrier about the AI exclusion language in the policy and what coverage would look like going forward.
The follow-on
Precision Components engaged Shadow AI Labs for the AI Governance Implementation — $34,000 over twelve weeks, integrated with the CMMC remediation work. The engagement covered:
- Microsoft GCC High deployment and migration
- Vendor procurement review process documented and operationalized
- AUP, training modules, and acknowledgment infrastructure rolled out firm-wide
- Customer audit response package assembled and delivered
A separate Fractional retainer ($7,500/month) was authorized for ongoing CMMC and AI governance support — quarterly governance committee, customer-facing evidence package cadence, and on-call advisory for any new defense-customer flow-down requirements.
The 14-month outcome
Month 9 — CMMC Level 2 third-party assessment passed on the first attempt, with certification issued on the roadmap schedule. The C3PAO assessor noted in the report that the firm's documentation of AI-tool governance "exceeded the baseline expectation for the engagement."
Month 11 — The original prime contractor reopened discussions for a smaller follow-on contract worth approximately $400K annually, with the explicit acknowledgment that the firm's remediation evidence had been "the strongest we've seen from any subcontractor recovery." Two of the previously-paused opportunities at other primes resumed conversations.
Month 14 — Aggregated re-won business reached approximately $1.8M annually, below the original $2.4M baseline but representing a meaningful rebuild. The customer relationship that had originally been terminated remained in active dialogue, with full-volume return contingent on the firm's first annual CMMC affirmation of continued compliance and the evidence cadence behind it.
The numbers
| Category | Cost (cumulative) |
|---|---|
| Lost contract (Year 1 revenue impact) | $2,400,000 |
| ITAR legal counsel | $180,000 |
| Legal defense costs left uninsured by the cyber insurance denial | $42,000 |
| AI Risk Sprint | $5,500 |
| AI Governance Implementation | $34,000 |
| CMMC Level 2 consultant + C3PAO assessment | $145,000 |
| Microsoft GCC High deployment + first-year licensing | $96,000 |
| Engineering workstation hardening | $38,000 |
| Compliance Officer time (0.5 FTE, ops leadership level) | ~$110,000 |
| Training time (120 × 90 min + engineering supplement) | ~$32,000 |
| Fractional retainer (12 months) | $90,000 |
| 18-month cumulative cost | ~$3,172,500 |
Re-won business at 14 months: approximately $1.8M annual run rate, with documented path to baseline restoration contingent on continued evidence cadence.
The counterfactual, no remediation or remediation without the integrated CMMC and AI governance approach, would have meant permanent loss of the defense subcontract base. Industry estimates put recovery from a comparable ITAR exposure at 24 to 36 months when handled reactively; Precision Components compressed the timeline to 14 months by treating AI governance and CMMC as one coordinated program.
The CEO's reflection
"One employee's well-intentioned mistake cost us a contract, almost cost us a partner relationship of fifteen years, and exposed us to a federal export-control matter. The Sprint didn't just give us a plan — it gave us a document we could put in front of our customer's compliance team and say here is what we are doing about this, with names and dates. The Implementation got us through CMMC Level 2 in time to make the customer conversation possible. We treat AI governance now with the same operational seriousness as our quality management system. It is part of how the firm operates, not a side process."
What we'd tell another defense subcontractor
1. The customer audit is the forcing function
Federal regulators are not the most active enforcement risk on AI in controlled-data environments; prime contractors are. Their flow-down requirements are increasingly explicit about AI controls, and their audit teams are asking specific questions. Evidence that satisfies a prime contractor's audit team goes most of the way toward what a C3PAO assessor will ask for, and it is the same record you will need if a voluntary disclosure ever becomes necessary.
2. Integrate AI governance with CMMC, don't run them as separate programs
The controls overlap substantially. The evidence package the assessor wants is similar to the evidence package the customer wants. Running them as parallel programs means twice the documentation effort with worse outcomes.
3. ITAR exposure from AI tools is a known pattern now
There is no AI-specific carve-out in the ITAR. § 120.50 defines export to include releasing technical data to a foreign person and sending it outside the United States; § 120.54 excludes cloud transfer and storage only when the data stays end-to-end encrypted so that the provider never holds plaintext, and a generative AI service that has to read the text to respond cannot meet that condition. If your engineering or quality teams handle export-controlled data, your AI tool inventory and procurement review process need to reflect that. Defaulting to "no AI on engineering workstations" is a reasonable starting position until you have the controls to allow specific exceptions.
4. Cyber insurance gaps for AI are common
Many cyber insurance policies carry exclusion language that sweeps in AI-related incidents, sometimes intentionally, sometimes as a side effect of broader exclusions (such as "intentional disclosure to third parties") written before the AI tooling landscape existed. Review your policy with your broker before you need to file a claim.
Defense subcontractor facing CMMC, customer audit pressure, or both?
If your AI tool inventory hasn't been documented in a way your prime contractors' audit teams will accept — or if CMMC Level 2 is on your horizon — the Sprint is the fastest path to the evidence package both stakeholders are asking for.
Take our free AI Risk Assessment to see where your firm sits relative to current customer flow-down requirements and CMMC Level 2 controls — or book a Discovery call to talk through your specific assessment timeline.
This case study is a composite based on real-world incidents in the defense supply chain. Firm name, customer names, and specific component details have been modified to protect confidentiality while preserving the educational value of the scenario.
