Direction from the White House and the Department of Defense is clear: move faster, adopt modern technology, and get capability into the field.
That push is accelerating the adoption of commercial off-the-shelf (COTS) software and embedding AI directly into mission systems.
What remains less clear is how to do that securely, and that gap is now the risk.
The Risk Gap
Agencies are accelerating adoption with limited practical guidance on managing the risks that come with COTS software and AI at scale.
In too many cases, organizations are deploying software and AI features without full visibility into what is inside them, where they came from, or how they are maintained. Compliance processes are expected to catch up later. They won’t.
This shift has brought a new challenge into focus: governing the digital supply chain behind these technologies.
Recent mandates, including the FY26 National Defense Authorization Act’s push to streamline procurement, emphasize speed to mission. But faster procurement without guardrails doesn’t reduce risk; it redistributes it.
And that redistribution is not theoretical. It pushes uncertainty onto mission owners and operators — onto the aircraft, ships, networks, and intelligence systems that must perform reliably under adversarial pressure.

Meanwhile, compliance regimes have not kept pace. Frameworks like the Risk Management Framework and Authorities to Operate were designed for slower, more static environments.
The Pentagon’s Software Fast Track Initiative helps accelerate initial approvals, but it does not solve the deeper problem of continuous monitoring, long-term assurance, or the unique risks introduced by AI-enabled systems.
This creates a fundamental tension. Move fast without managing risk, and you invite vulnerabilities. Remain locked in legacy compliance models, and innovation slows to a crawl. The answer is not choosing between speed and security. It is governing risk differently.
If the Department of Defense cannot reliably answer what software and AI it is fielding, where it came from, and where it is deployed, then “moving faster” quickly becomes “failing faster.”
Legacy Tools Aren’t Enough
Legacy cybersecurity tools are not built for this problem. Capabilities such as Assured Compliance Assessment Solution (ACAS) remain important, but they provide point-in-time, perimeter-focused assessments.
Modern risk increasingly resides inside software composition, third-party dependencies, and AI model lineage.
Adversaries do not need to breach the perimeter if they can compromise what is installed, inherited, or updated through vendors.
That is why software bills of materials (SBOMs) and AI bills of materials (AIBOMs) are becoming foundational.
SBOMs provide structured inventories of software components and dependencies. Without them, agencies are left reacting after vulnerabilities are disclosed, unsure where exposure exists.
AIBOMs extend this principle to AI systems by documenting models, datasets, pipelines, dependencies, and licenses — the evidence base required for meaningful AI governance.
Today, the Pentagon lacks consistent visibility into the AI models being deployed across its environments. Vendors are shipping AI-enabled features without disclosing the models, datasets, or licenses behind them. If AI can be integrated into mission systems without that transparency, the Department of Defense is accepting risk it cannot bound.

Practical Steps Forward
There are three practical steps that can be taken now.
First, SBOM and AIBOM requirements must be embedded directly into procurement. Transparency should be a condition of award and acceptance, not optional documentation requested after deployment. If a vendor cannot provide component-level visibility, the capability should not be fielded.
Second, agencies need an authoritative inventory of deployed software components and AI models. There must be a reliable way to answer what is deployed, where, and under whose authority. Without that baseline, exposure cannot be managed and modernization cannot be sustained.
Third, SBOM and AIBOM data must feed continuous monitoring and change control workflows. Continuous delivery demands continuous assurance. Named owners must be accountable for risk acceptance and remediation across acquisition, security, and mission teams. When accountability is fragmented, risk decisions become accidental rather than deliberate.
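To make the three steps above concrete, and to show the kind of structured inventory an SBOM or AIBOM provides, here is an added example that is not from the author or from Manifest. It uses constructed data: two invented fielded systems, each with a small CycloneDX-style bill of materials (the `bomFormat`/`components`/`licenses` layout is an assumption of this example, and the `trainingData` field is invented to stand in for dataset disclosure), an invented advisory `ADV-EXAMPLE-0001` that is not a real vulnerability, and a hypothetical approved-license list. The functions implement, in order, an acceptance gate that rejects a delivery missing component-level disclosure, an authoritative inventory that answers "what is deployed where," an exposure query run when an advisory arrives, a license check, and a change-control delta between two deliveries.

```python
# Constructed sample data for this example. System names, component names,
# versions, dataset names and the advisory ID are invented; ADV-EXAMPLE-0001
# is not a real vulnerability. Layout is loosely CycloneDX-style (assumed);
# "trainingData" is an assumed field standing in for dataset disclosure.
SYSTEM_BOMS = {
    "ground-station-alpha": {
        "bomFormat": "CycloneDX",
        "components": [
            {"type": "library", "name": "imgcodec", "version": "2.4.1",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            {"type": "machine-learning-model", "name": "target-classifier",
             "version": "0.9.0", "trainingData": "imagery-set-2023q3",
             "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
        ],
    },
    "airborne-node-bravo": {
        "bomFormat": "CycloneDX",
        "components": [
            {"type": "library", "name": "imgcodec", "version": "2.3.0",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            # Vendor shipped the model with no license or dataset disclosed.
            {"type": "machine-learning-model", "name": "target-classifier",
             "version": "0.9.0"},
        ],
    },
}

# A later (constructed) delivery of the bravo system, used for change control.
NEXT_BRAVO_BOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "imgcodec", "version": "2.4.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "machine-learning-model", "name": "target-classifier",
         "version": "0.9.0", "trainingData": "imagery-set-2023q3",
         "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
    ],
}

ADVISORIES = [  # constructed advisory feed: component name -> affected versions
    {"id": "ADV-EXAMPLE-0001", "name": "imgcodec", "affected": {"2.3.0", "2.3.1"}},
]
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}  # hypothetical policy
REQUIRED_FIELDS = {  # disclosure a vendor must provide before acceptance
    "library": ("name", "version", "licenses"),
    "machine-learning-model": ("name", "version", "licenses", "trainingData"),
}


def acceptance_gaps(bom):
    """Step one: components missing a required disclosure field (reject if non-empty)."""
    gaps = []
    for c in bom.get("components", []):
        for f in REQUIRED_FIELDS.get(c.get("type"), ("name", "version")):
            if f not in c:
                gaps.append((c.get("name", "?"), f))
    return gaps


def component_key(c):
    # Identity used by the inventory and the delta: type, name, version only.
    return (c["type"], c["name"], c["version"])


def build_inventory(system_boms):
    """Step two: (type, name, version) -> sorted list of systems fielding it."""
    inv = {}
    for system, bom in system_boms.items():
        for c in bom.get("components", []):
            inv.setdefault(component_key(c), set()).add(system)
    return {k: sorted(v) for k, v in inv.items()}


def exposure(inventory, advisories):
    """Step three: which fielded systems run a version named in an advisory?"""
    hits = []
    for adv in advisories:
        for (_, name, version), systems in inventory.items():
            if name == adv["name"] and version in adv["affected"]:
                hits.append({"advisory": adv["id"],
                             "component": f"{name}@{version}",
                             "systems": systems})
    return hits


def license_findings(system_boms, approved=APPROVED_LICENSES):
    """Components with an undeclared or unapproved license, per system."""
    findings = []
    for system, bom in system_boms.items():
        for c in bom.get("components", []):
            ids = [l["license"]["id"] for l in c.get("licenses", [])]
            if not ids:
                findings.append((system, c["name"], "undeclared"))
            findings.extend((system, c["name"], i) for i in ids if i not in approved)
    return findings


def bom_delta(old_bom, new_bom):
    """Change control: what a new delivery adds or removes relative to the last."""
    old = {component_key(c) for c in old_bom.get("components", [])}
    new = {component_key(c) for c in new_bom.get("components", [])}
    return {"added": sorted(new - old), "removed": sorted(old - new)}
```

Run against the constructed data, `acceptance_gaps` flags the bravo delivery because its model discloses neither license nor dataset, `exposure` answers the advisory in one lookup rather than a fleet-wide rescan, and `bom_delta` is the hook a change-control workflow would call on every new delivery. The inventory keys on type, name and version only, so a delivery that merely adds missing license or dataset fields shows up in `acceptance_gaps` and `license_findings`, not in the delta.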
Innovation With Discipline
AI and COTS adoption will continue to accelerate. That momentum is unlikely to reverse, nor should it. Commercial innovation is essential to maintaining technological advantage. But advantage requires control, and point-in-time assessments and traditional vulnerability scans are insufficient.
Agencies need component-level visibility that shows what is inside systems, how those components change, and where they are deployed.
Pairing innovation with discipline — vendor transparency, continuous evidence, and explicit ownership — is how America can move fast without losing control.

Erich Huwar is Defense and Intelligence Strategist at Manifest.
The views and opinions expressed here are those of the author and do not necessarily reflect the editorial position of Military AI.