When the Senate voted to approve the National Defense Authorization Act on December 17, 2025, it did more than authorize a year of defense spending. It quietly handed the Department of War a deadline that will shape how every defense prime, aerospace OEM, and cleared subcontractor talks about AI for the next four years. The cross-functional team that NDAA Section 1533 stands up has to be operational by June 1, 2026 — and the framework it produces has to cover every major DoD AI system by January 1, 2028.
The clock is running. So is the misunderstanding about what that framework can and cannot do.
What Section 1533 actually does
Section 1533 directs DoD to establish a cross-functional team, led by the Chief Digital and AI Officer (CDAO), to create a standardized, Department-wide framework for assessing, governing, and approving the development, testing, and deployment of AI models. The legal recap from Akin Gump's December 10 alert spells out the timeline:
The team must be operational by June 1, 2026; complete system assessments by January 1, 2028; brief Congress on progress and transition its duties to a successor organization before sunset in 2030.
WilmerHale's December 19 client alert further notes that the assessment framework, to be completed by June 2027, must include standards for performance of AI models, testing procedures, security requirements, and principles for the ethical use of AI.
In other words: Section 1533 governs the models the Department procures, develops, tests, and fields. It tells contractors that if they want to sell a model into a covered DoD program, the model itself has to clear an oversight framework with measurable performance, testing, security, and ethical-use standards. That's a meaningful tightening of the supplier side, and it's the most concrete piece of AI procurement architecture Congress has put on the books since the original CDAO charter.
What Section 1533 doesn't reach
Section 1533 is built around one assumption — that the AI capability in question is a system the Department is procuring or developing. The CDAO-led team's mandate is to govern those systems and the contractors building them.
That leaves an entire category of AI exposure inside the Department's own footprint that the framework, by construction, was not written to handle: the consumer-grade chatbot a cleared engineer has open in a personal browser tab while they're working on a CUI program. Claude, ChatGPT, Gemini, Copilot, Grok, Perplexity — none of these enter the procurement framework because the user never procured them. They typed claude.ai into a tab.
Three other NDAA AI sections edge into this territory, but none of them closes the gap:
- Section 1512 requires the Pentagon, in coordination with other agencies, to establish a comprehensive cybersecurity and governance policy for all AI and machine learning systems used within the Pentagon within 180 days of enactment, addressing risks such as adversarial attacks, data poisoning, and unauthorized access. That's a policy mandate, not a runtime enforcement mechanism.
- Section 1513 directs the creation of a risk-based framework detailing cybersecurity and physical security standards for AI and machine learning technologies procured by the department — again, procured, leaning on the NIST SP 800-series and the Cybersecurity Maturity Model Certification (CMMC) framework.
- Section 1532 prohibits the Pentagon and its contractors from using or acquiring AI systems domiciled in covered nations — covering DeepSeek and High Flyer by name, with waivers limited to specific national-security-research scenarios.
Notice the shape of the policy stack. Sections 1532, 1533, and 1513 govern the supply side of AI: which models are allowed, how they're assessed, how they're procured, and what cybersecurity baseline applies to them. Section 1512 tells the Department to write a department-wide policy. None of them, as drafted, governs the keystroke layer — the point in time when a cleared user makes a decision about what to paste into a model the procurement framework never touched.
The boundary the framework leaves to the deployer
If you're a defense prime, an aerospace OEM, an FFRDC, or an intel-adjacent integrator, this matters operationally. Your CMMC examiner is going to ask you, in 2027 and 2028 and beyond, to demonstrate where Controlled Unclassified Information was processed and what controls governed it. "We bought our AI from a model that cleared the Section 1533 framework" answers the procurement-pathway question. It does not answer the question that NIST SP 800-171's audit-and-accountability and system-and-information-integrity control families actually ask.
The examiner will want to know: when an engineer on a covered program had a thought about a controlled assembly and dropped a paragraph into the consumer chatbot to clean it up, what control governed that flow? At the point the data left the cleared user's machine, before any model — covered or not — saw it, who decided that movement was authorized?
The Section 1533 framework is silent on that question by design. It governs models. The browser layer is where data crosses the LLM boundary, and that boundary is built into the user's workstation, not into the contracting officer's procurement file.
Two complementary policy layers
The honest read of the NDAA's AI title is that Congress has done useful work on the supply side and left the data-boundary side to deployers. The Cloud Security Alliance's AI Agent Resource Management (AARM) workgroup has been pushing in the same direction — a two-layer model where agent-and-model governance is a different layer from data-boundary enforcement, and the two are explicitly separable concerns. Containment.AI is aligned with — and working toward Core conformance with — that AARM pattern as it stabilizes; an Agent Governance Toolkit (AGT) adapter is in design.
Where Sections 1532 / 1533 / 1513 / 1512 will tell a contractor what models they can buy and what oversight those models need, the browser-and-prompt boundary tells a contractor what content is allowed to cross from a cleared workstation into any LLM at all — covered or commercial, procured or shadow. That boundary is what Containment.AI's browser extension and policy proxy are built to enforce: inspect the prompt before it leaves the user's machine, evaluate it against the customer's policy (NIST SP 800-171 controls, CMMC L2 CUI controls, FedRAMP boundary scope, internal CDI tags), and allow, redact, or block the data movement in real time. Both layers produce audit trails that survive an examiner's question eighteen months later. Neither one alone answers every question regulators are asking.
What to do before June 1, 2026
If your organization is going to be on the supply side or the customer side of a Section 1533 assessment in the next 18 months, three concrete steps before the CDAO team becomes operational:
- Separate the procurement-side and deployment-side policy layers in your AI governance documentation. Section 1533 covers what models you can develop, test, and field for the Department. It does not cover what cleared users paste into commercial chatbots. Treat them as two distinct programs with separate audit-evidence requirements; the controls, the tooling, and the people who own each are different.
- Inventory your consumer-browser AI surface across cleared programs. For each program with CUI exposure, count how many cleared users have personal browsers logged into commercial LLM consumer surfaces. That number is your Section 1533–uncovered exposure, and in the deployments we see, it's almost always larger than the program-office estimate.
- Match the evidence you can produce to the regulatory regime that will examine you. CMMC L2, NIST SP 800-171, FedRAMP High, and the eventual Section 1533 framework will each ask different questions. The boundary the examiner cares about is where the data crossed, not which framework the model cleared on its way in.
The NDAA gave the Department a clean June 2026 deadline to govern the AI models it procures. The deadline for governing what cleared engineers type into the AI models the Department doesn't procure has been here for a while. That deadline is set by NIST SP 800-171 and CMMC, and it doesn't move when a new Pentagon framework lands.