Verillian
Book a demoStart a pilot
PlatformHow it worksSecurity & architecture
Use casesUse casesAI Audit TrailAI Data Loss PreventionShadow AI DiscoveryAI GovernanceIndustriesHealthcareLaw enforcementGovernmentDefense contractorsFinancial servicesEducation
TrustTrust centerCompliance mappings
ResourcesLibraryDocsFAQ
Partners
About
Book a demoStart a pilot
Defense contractors · CMMC 2.0, NIST 800-171, ITAR

Use AI on controlled programs without exporting CUI.

Controlled unclassified information cannot leak into a provider. Verillian enforces policy at the moment of execution and keeps the signing keys on the device, under your control.

Book a demoSee how it works
$1.27MMaximum ITAR civil penalty per violation, or twice the transaction value, and civil liability does not require intent. 22 CFR 127.10, effective 2025. Source

What’s at stake

When an employee pastes ITAR-controlled technical data or CUI into an AI tool, that export leaves your boundary with no record of what was disclosed, to which provider, or by whom. Civil ITAR liability does not require willful intent, so a single negligent disclosure is an enforceable per-violation event, and each transfer can be counted separately.

Use frontier AI. Keep the boundary.

The institutions with the most to gain from these models are the ones least able to adopt them blind. Verillian is the control layer that keeps the record.

Book a demoSee how it works

How Verillian answers

Mapped to CMMC 2.0, NIST 800-171, ITAR. Every regulatory mapping resolves to the compliance center.

Stop CUI before it leaves the device
Sensitive-data detection and redaction run on the device before any request crosses the boundary, so ITAR-controlled technical data and CUI are blocked or redacted rather than exported into a provider.
Policy enforced at execution
A sentinel governs any tool that speaks HTTPS to a provider, with no per-tool integration. Deny by default and fail closed mean that with no valid policy, AI traffic stops, matching NIST 800-171 and CMMC 2.0 access-enforcement expectations.
Tamper-evident evidence, keys on the device
Every interaction is signed on the device and hash-chained into an append-only record for non-repudiation. Signing keys never leave the device, giving defensible proof of what was and was not disclosed.
Self-hosted, key-isolated custody
Built for ITAR-regulated environments. The admin server stores only ciphertext under your own key, and Verillian retains none of your interactions, keeping CUI inside your control boundary.
Download the Defense contractors overviewCompliance mappings

Other regulated sectors

The same control, mapped to the obligations each one answers to.

HealthcareHIPAA, HITRUST, 42 CFR Part 2Law enforcementCJIS 6.0, 28 CFR Part 23GovernmentFedRAMP-aligned, FISMAFinancial servicesGLBA, SOX, SR 11-7EducationFERPA, COPPA

See it on your own traffic

Thirty minutes with your security team. We intercept a live request, decide it at execution, and show you the signed entry land in the chain.

Book a demoStart a pilot