CMMC 2.0 and AI Agents: What “Authorized Access” Means for CUI-Touching Workflows

Defense contractors are deploying AI agents across proposal development, program documentation, supply chain management, and technical data workflows. Many of these workflows touch controlled unclassified information. That puts them squarely inside the scope of CMMC 2.0 — not as a future consideration, but as a current compliance obligation that third-party assessors are already evaluating.

CMMC’s access control, audit, and encryption requirements do not contain an exemption for machine-operated systems. Whether a cleared employee or an autonomous AI agent accesses a CUI document, the compliance obligation is identical: access must be authorized, governed by role and context, encrypted with validated cryptography, and captured in an operation-level audit trail linked to a human authorizer. Most AI deployments in the defense industrial base have not been built to satisfy any of these requirements.

This post explains what CMMC 2.0 specifically requires for CUI-touching AI workflows, identifies the compliance gaps assessors will find, and outlines best practices for governing AI agent access to CUI in a way that produces defensible evidence — not explanations — when the C3PAO arrives.

Executive Summary

Main Idea: CMMC 2.0’s access control, audit logging, and encryption practices apply to every system touching CUI, including AI agents. Defense contractors deploying AI against CUI-bearing workflows without authenticated agent identity, ABAC policy enforcement, and operation-level audit logging are accumulating compliance exposure that cannot be retroactively remediated once an assessment begins.

Why You Should Care: CMMC certification is a contract eligibility requirement — organizations that fail assessment lose access to DoD contracts. Assessors evaluate controls at the data access layer, not the model layer. A defense contractor that cannot produce a delegation chain linking every AI agent CUI interaction to a human authorizer, demonstrate minimum necessary access enforcement at the operation level, and show FIPS 140-3 validated encryption across every CUI data path will have material findings. The time to close those gaps is before the C3PAO walks in, not during the assessment.

Key Takeaways

  1. CMMC 2.0 applies to AI agents touching CUI without exception. AC.1.001 requires authorized access to CUI regardless of whether the accessor is human or automated. CMMC does not distinguish between a cleared employee and an AI agent processing a technical data package. The controls that govern human CUI access apply directly and fully to agent access.
  2. Assessors evaluate controls at the data layer, not the model layer. A C3PAO will not ask which AI model your agents use or how your system prompts are configured. They will ask: which CUI did the agent access, under what authorization, with what encryption, and can you produce an audit trail linking the access to a human authorizer? If the answer to any of those questions is anything other than a documented evidence package, the assessment will produce findings.
  3. CUI segregation requirements extend to AI-managed folder structures. CMMC’s access control practices require that CUI be segregated and accessible only to authorized personnel. When AI agents create, move, or restructure folder hierarchies containing CUI, those structures must inherit the same RBAC/ABAC controls as manually provisioned ones. AI-generated folder structures that do not automatically inherit policy controls create segregation gaps.
  4. The delegation chain is what connects AI agent actions to human accountability. CMMC’s AC and AU practices require that access to CUI be traceable to an authorized individual. For AI agents, this means the authentication record must link the agent’s identity to the specific human who delegated the workflow — not just to a service account. Without this delegation chain, the audit trail is incomplete by definition.
  5. Runtime guardrails and system prompts are not CMMC access controls. Network sandboxing, runtime policy engines, and AI safety filters operate at the model or execution layer. They are meaningful security capabilities, but they do not satisfy CMMC’s data-layer requirements for authorized access, audit logging, or encryption validation. A C3PAO will not accept them as evidence of AC.1.001 or AU.2.042 compliance.

What CMMC 2.0 Requires for CUI-Touching AI Systems

CMMC 2.0 Level 2 maps to NIST SP 800-171’s 110 security practices across 14 domains. Four are most directly implicated when AI agents access, process, or manage CUI: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), and System and Communications Protection (SC).

Access Control: AC.1.001 and AC.2.006

AC.1.001 requires that access to CUI be limited to authorized users, processes acting on behalf of authorized users, and devices. “Processes acting on behalf of authorized users” explicitly covers AI agents — this is not a gray area. AC.2.006 requires that access be limited to the types of transactions and functions authorized users are permitted to execute. For AI agents, minimum necessary access must be enforced at the operation level: an agent authorized to read a contract folder is not automatically authorized to download all files, move records, or delete content. Each operation requires a separate policy evaluation.

Audit and Accountability: AU.2.042

AU.2.042 requires that the activities of individual users — including processes acting on their behalf — be tracked, recorded, and periodically reviewed. The audit record must capture the agent’s authenticated identity, the human who authorized the workflow, the specific CUI accessed, the operation performed, and the timestamp. A log showing that an API endpoint was called does not satisfy this practice. A log showing which CUI document was accessed, by which agent identity, under which policy, authorized by which human, does.

Identification and Authentication: IA Practices

CMMC’s IA practices require that users and processes be uniquely identified and authenticated before accessing CUI. AI agents operating through shared service accounts or API keys fail this requirement. Each agent must have a unique identity credential tied to the specific workflow and the human authorizer who delegated it. When multiple agents share an identity, or when the authentication record cannot trace access to a specific human decision-maker, the IA practices cannot be satisfied.

System and Communications Protection: SC.3.177

SC.3.177 requires that CUI be encrypted using FIPS-validated cryptography when transmitted across open networks and in storage. For AI agents, this means every data path the agent touches — API calls to CUI repositories, model inference pipelines, temporary file caches, output delivery channels — must use FIPS 140-3 validated cryptographic modules. Standard TLS and AES-256 implementations without confirmed FIPS 140-3 validation do not satisfy SC.3.177. An assessor reviewing an AI deployment will ask for cryptographic module validation certificates, not vendor configuration documentation.

Where AI Deployments Fall Short of CMMC Requirements

The standard architecture for AI agent deployments in the DIB — an agent connected to a document repository via API, governed by a service account and a system prompt — fails CMMC assessment on multiple dimensions simultaneously. These are structural mismatches between how most AI deployments are built and what assessors are required to verify.

No Delegation Chain Means No Accountable Authorizer

When a CMMC assessor reviews a CUI access event and asks who authorized it, the answer must be a specific named individual with documented authority. A service account answers with a system name. An API key answers with a token. Without a delegation chain linking the agent’s action to the human who authorized the workflow, the access event has no accountable authorizer — a direct finding against AC.1.001 and AU.2.042. Crucially, this cannot be fixed retroactively. The delegation chain must be recorded at the time of access or it does not exist in the audit record.

Operation-Level Access Scoping Is Architecturally Absent

Most AI deployments give agents broad repository credentials and rely on system prompts to limit what the agent actually does. CMMC assessors evaluate what the agent was technically permitted to do, not what it was instructed to do. If a service account grants access to 10,000 CUI documents and the agent’s task required three of them, the agent had unauthorized access to 9,997 from an AC.2.006 minimum necessary standpoint — regardless of whether it retrieved them.

AI-Created Folder Structures Carry No Inherited Controls

AI agents increasingly create folder structures for proposal documents, program deliverables, and technical data packages. CMMC requires those folders to inherit CUI access controls automatically. In most deployments, AI-created folder hierarchies have no RBAC or ABAC policy applied unless a human provisions them afterward. Every document placed in an ungoverned AI-created folder is a CUI segregation finding.

Best Practices for CMMC-Compliant AI Agent Access to CUI

1. Establish Agent-Level Identity Credentials Linked to Human Authorizers

Every AI agent accessing CUI must be provisioned with a unique identity credential at the workflow level — not a shared service account. That credential must be linked in the authentication record to the specific individual who authorized the workflow. The delegation chain — human authorizer to agent identity to CUI access event — must be captured in every audit log entry. Shared credentials do not satisfy CMMC’s IA requirements regardless of application-layer scoping.

2. Enforce Operation-Level ABAC for Every CUI Data Request

Implement attribute-based access control that evaluates each CUI request against the agent’s authenticated profile, the CUI classification of the data, the workflow context, and the specific operation. An agent authorized to read a proposal folder is not authorized to download all files, move content, or access adjacent CUI categories. This per-operation evaluation is the mechanism that satisfies AC.2.006’s minimum necessary requirement.
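One way to express the per-operation evaluation described above, as an added example (not code from this post or from any product). The `Grant` and `Request` types, the agent and authorizer names, the folder paths and the category label are all constructed for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    agent_id: str          # unique per-workflow agent identity (hypothetical)
    authorizer: str        # human who delegated the workflow
    workflow: str
    cui_category: str
    folder: str            # only resources under this folder are in scope
    operations: frozenset  # operations explicitly delegated

@dataclass(frozen=True)
class Request:
    agent_id: str
    workflow: str
    operation: str
    resource: str
    cui_category: str

def under(folder, resource):
    """True if resource is inside folder after resolving '..' segments."""
    root = posixpath.normpath(folder)
    return posixpath.normpath(resource).startswith(root + "/")

def evaluate(req, grants):
    """Evaluate one operation. Returns (decision, authorizer, reason); default deny."""
    reason = "no grant for agent identity"
    for g in grants:
        if g.agent_id != req.agent_id:
            continue
        if g.workflow != req.workflow:
            reason = "workflow context mismatch"
        elif g.cui_category != req.cui_category:
            reason = "CUI category not delegated"
        elif not under(g.folder, req.resource):
            reason = "resource outside delegated folder"
        elif req.operation not in g.operations:
            reason = "operation not delegated"
        else:
            return ("permit", g.authorizer, "all attributes matched")
    return ("deny", None, reason)

# Constructed sample grant: read-only access to one proposal folder.
GRANTS = [Grant("agent-proposal-0042", "j.rivera", "proposal-alpha", "CTI",
                "/cui/proposals/alpha", frozenset({"read"}))]

if __name__ == "__main__":
    for op, path in [("read", "/cui/proposals/alpha/vol1.docx"),
                     ("download", "/cui/proposals/alpha/vol1.docx"),
                     ("read", "/cui/proposals/alpha/../../engineering/spec.pdf")]:
        req = Request("agent-proposal-0042", "proposal-alpha", op, path, "CTI")
        print(op, path, "->", evaluate(req, GRANTS))
```

Every call returns the authorizer alongside the decision, so the same evaluation result can be written straight into the audit record for that operation.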

3. Ensure AI-Managed Folder Structures Inherit CUI Controls Automatically

Every folder hierarchy created or modified by an AI agent that contains CUI must inherit RBAC and ABAC controls at the moment of creation — not through subsequent manual provisioning. The governance layer enforcing CUI segregation must be embedded in the folder creation operation itself. Folders without inherited controls are segregation findings regardless of who or what created them.

4. Capture Operation-Level, Tamper-Evident Audit Logs for All Agent CUI Access

Every AI agent CUI interaction must be logged at the operation level: agent identity, human authorizer, specific document or folder accessed, operation type, policy evaluation outcome, and timestamp. The log must be tamper-evident and exportable for C3PAO evidence review and SIEM integration. Session-level API logs do not satisfy AU.2.042 — and this is among the first evidence requests assessors make.

5. Validate FIPS 140-3 Encryption Across Every CUI Data Path

Audit every point at which CUI is transmitted or stored across AI agent workflows — API calls, model hosting, vector databases, temporary agent memory, output files — and confirm FIPS 140-3 validated cryptographic module certification for each. SC.3.177 requires validated cryptography, not merely strong algorithms. An organization that uses AES-256 but cannot produce the FIPS 140-3 module validation certificate has a findings-level gap regardless of encryption strength.

How Kiteworks Enables CMMC-Compliant AI Agent Governance

Governing AI agent access to CUI at the level CMMC assessors require demands a different architecture than most defense contractors have deployed. Service accounts, API keys, and system prompts address the application layer. CMMC assesses the data layer. The Kiteworks Private Data Network, FedRAMP Moderate Authorized and supporting nearly 90% of CMMC 2.0 Level 2 requirements, provides defense contractors with a governance layer that intercepts every AI agent interaction with CUI before it occurs, enforcing the identity verification, access policy, encryption, and audit trail that CMMC assessors will evaluate.

Agent Identity and Delegation Chain for AC.1.001 and AU.2.042

Kiteworks authenticates every AI agent before any CUI access occurs and links that authentication to the human who delegated the workflow. The full delegation chain — authorizer identity, agent identity, operation context, and policy outcome — is preserved in every audit log entry. When a C3PAO asks who authorized this CUI access and what the agent was permitted to do, the answer is a complete, timestamped, tamper-evident record, not a reconstruction from application logs.

Operation-Level ABAC for AC.2.006 Minimum Necessary Enforcement

Kiteworks’ Data Policy Engine evaluates every AI agent CUI request against a multi-dimensional policy: the agent’s authenticated profile, the CUI classification of the requested data, the workflow context, and the specific operation. An agent authorized to read proposal documents in a specific folder cannot download all files, access adjacent CUI categories, or perform operations outside its authorized scope. Minimum necessary access is enforced at the operation level — the requirement AC.2.006 imposes and the one most AI deployments currently cannot demonstrate.

Governed Folder Operations for CUI Segregation

Kiteworks Compliant AI’s Governed Folder Operations Assist allows AI agents to create, rename, move, and organize CUI folder hierarchies using natural language instructions, with every operation enforced by the Data Policy Engine. Folder structures created by AI agents automatically inherit RBAC and ABAC controls, satisfying CMMC’s CUI segregation requirements from the moment of creation. No manual provisioning is required, and no AI-created folder exists outside the governance boundary.

FIPS 140-3 Encryption and Tamper-Evident Audit Trail for SC.3.177 and AU.2.042

All CUI accessed through Kiteworks is protected by FIPS 140-3 Level 1 validated encryption in transit and at rest, satisfying SC.3.177 with validated module certification that can be produced directly to assessors. Every agent CUI interaction is captured in a tamper-evident, operation-level log that feeds into the organization’s SIEM. When the C3PAO requests an evidence package for AU.2.042, the response is an exportable report — not a forensic reconstruction from infrastructure logs that were never designed to capture what CMMC requires.

For defense contractors who want to deploy AI at operational velocity without accumulating CMMC findings, Kiteworks provides the governance infrastructure that makes every AI agent interaction with CUI assessor-ready by design. Learn more about Kiteworks CMMC compliance capabilities or request a demo to see how Kiteworks governs AI agent access to CUI in your environment.

Frequently Asked Questions

Yes. CMMC AC.1.001 explicitly covers “processes acting on behalf of authorized users” — which includes AI agents. The access control, audit logging, identification and authentication, and encryption practices that govern human CUI access apply directly to AI agent access. An assessor evaluating a defense contractor’s AI deployment will assess compliance against the same CMMC practices as for human user access, with no AI-specific exemptions or reduced requirements.

A C3PAO assessor evaluating AI agent CUI access will ask for: a delegation chain linking each agent’s CUI access to a named human authorizer (AC.1.001, AU.2.042); evidence that minimum necessary access is enforced at the operation level, not just session level (AC.2.006); operation-level audit logs showing what CUI was accessed, by which agent, under which policy, and when (AU.2.042); and FIPS 140-3 cryptographic module validation certificates for every CUI data path the agent touches (SC.3.177). System prompts and runtime guardrails do not satisfy any of these requirements.

Yes. CMMC’s access control practices require CUI to be segregated and accessible only to authorized personnel, regardless of how the folder structure was created. Folder hierarchies created by AI agents must inherit RBAC and ABAC controls at the moment of creation. Folders that do not automatically inherit policy controls — even if created by an AI agent performing a legitimate workflow — represent CUI segregation findings. Manual post-hoc provisioning of controls does not eliminate the period during which the folder existed without governance.

CMMC SC.3.177 requires FIPS-validated cryptography for CUI — which means validated module certification, not just the use of strong encryption algorithms. An AI agent using AES-256 through an implementation that has not achieved FIPS 140-3 validation does not satisfy SC.3.177. Defense contractors should audit every component in the AI agent CUI data path — API calls, model hosting, vector databases, temporary storage, output files — and obtain FIPS 140-3 module validation certificates for each.

No. Runtime guardrails, network sandboxing, and model-layer safety filters operate at the execution layer, not the data access layer. CMMC assessors evaluate access controls at the data layer: authenticated agent identity linked to a human authorizer, operation-level access scoping, operation-level audit logging, and validated encryption. Runtime controls are meaningful security capabilities, but they do not produce the evidence packages that satisfy AC.1.001, AC.2.006, AU.2.042, or SC.3.177.

The most immediate risk is that every ungoverned AI agent CUI interaction is generating access events that cannot be retroactively audited to CMMC standards. Operation-level audit logs that capture delegation chains, policy evaluations, and specific CUI accessed must be created at the time of access — they cannot be reconstructed after the fact. Every week of ungoverned AI agent CUI access is a week of audit evidence that will never exist. When the CMMC compliance audit begins, that gap is permanent — not a remediation item, but a finding against AU.2.042 for the entire period of unlogged access.
