The Army has blocked the Air Force generative AI chatbot, NIPRGPT, from its networks, citing cybersecurity and data governance concerns and highlighting the challenges the U.S. military faces in assessing risk when adopting cutting-edge technologies like artificial intelligence.
NIPRGPT, developed as an experimental project of the Air Force Research Laboratory, aims to give military personnel a generative AI large language model (LLM) comparable to OpenAI’s ChatGPT, but free of the security, data protection and privacy concerns posed by consumer AI products.
But the Army flagged the program as risky and on April 17 pulled the plug on it for anyone using Army networks, an unusual decision that exposed a rift between the two military services.
“NIPRGPT was shot dead,” said one Army user who wasn’t authorized to speak to the media.
IT security for the U.S. military is a patchwork—each network or system commander has the power to make their own decisions about what risks to accept. So when one commander makes a risk calculation, others are under no obligation to accept it, meaning tools like NIPRGPT can be allowed in some commands but not others.
The result can impact user trust, tool consistency, and the sharing of capabilities across joint operations—and is also a major stumbling block to the swift adoption of cutting-edge technologies.
‘It Was My Call’
Chief Technology Officer Gabriel Chiulli of the Army’s Enterprise Cloud Management Agency told Air & Space Forces Magazine that the NIPRGPT block was part of a wider Army move to transition from experimenting with AI LLMs to full implementation using real Army data.
“The block was focused on getting us to a governance framework for AI used in a production state,” he said. “We were trying to make sure we had the guardrails in place for how we’re doing AI for real.”
So NIPRGPT might have been fine for experimenting, but not for mission requirements.
“It was my decision to make the call,” Chiulli said.
Air Force officials declined to comment.
Weeks after the block was implemented, the Army deployed its Army Enterprise LLM Workspace, a platform that allows users to access locally hosted secure LLMs. It’s powered by Ask Sage, which bills itself as “a LLM agnostic, secure and extensible Generative AI platform,” and was founded by Nick Chaillan, a controversial former Air Force Chief Software Officer.
“I built the entire architecture to be able to run anywhere from a backpack to a cloud, to run air-gapped, to run on classified systems,” Chaillan told Air & Space Forces Magazine. Ask Sage provides a secure interface, or virtual wrapper, around multiple commercial generative AI models, so that data can be loaded once and then used with multiple models without any additional charge, Chaillan said.
“The platform provides a layer between the user and the model which enables data to be identified, tagged and associated with its user … on a very granular basis,” he said. The system tracks access permissions, so that only those entitled to access certain data can get to it.
“We’re the only product that has that kind of zero trust, data centric security stack,” Chaillan said.
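To illustrate the pattern Chaillan describes, here is a minimal sketch in Python of a permission-aware layer that sits between users and interchangeable model backends. Every name in it (ModelWrapper, ingest, query) is invented for this example; it is not Ask Sage’s actual code or API.

```python
# Illustrative sketch only: all names are hypothetical, not Ask Sage's code.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Document:
    doc_id: str
    text: str
    tags: set = field(default_factory=set)  # access tags recorded at ingest, e.g. {"army", "cui"}

@dataclass
class User:
    name: str
    clearances: set

class ModelWrapper:
    """A layer between users and swappable model backends that tags data
    once at load time and checks permissions on every query."""

    def __init__(self) -> None:
        self.store: dict = {}

    def ingest(self, doc: Document) -> None:
        # Data is loaded and tagged once, then reused across any backend model.
        self.store[doc.doc_id] = doc

    def query(self, user: User, doc_id: str, backend: Callable[[str], str]) -> str:
        doc = self.store[doc_id]
        # Zero-trust check: the user must hold every tag attached to the document.
        if not doc.tags <= user.clearances:
            raise PermissionError(f"{user.name} lacks access to {doc_id}")
        return backend(doc.text)

# Usage: backends are interchangeable; the access check is identical for each.
wrapper = ModelWrapper()
wrapper.ingest(Document("memo-1", "Quarterly readiness summary ...", {"army", "cui"}))
analyst = User("analyst", {"army", "cui"})
fake_model = lambda prompt: f"[model response to {len(prompt)}-character prompt]"
print(wrapper.query(analyst, "memo-1", fake_model))
```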
Ask Sage has a FedRAMP High authorization and is cleared to handle Controlled Unclassified Information as well as data at the Secret and Top Secret classification levels, achievements that Chaillan called “a very heavy lift” involving penetration testing and red teaming.
The company announced a $10M deal to expand its military user base last week, extending the Army Enterprise LLM Workspace to the Joint Staff, the Office of the Secretary of Defense (OSD), and all Combatant Commands.
Risk and Reciprocity
Banning NIPRGPT on Army networks highlights a challenge long recognized by software providers: the lack of reciprocity among government users when it comes to the Authorization to Operate (ATO) in government IT systems. An ATO is a prerequisite for any software program or service to run on a government network.
Defense Department policy encourages reciprocity among its myriad agencies and commands, but it doesn’t require system owners to recognize ATOs issued elsewhere in the department, a former technical advisor to the Air Force told Air & Space Forces Magazine. The former advisor asked for anonymity because their current employer had not authorized them to speak to the media about Air Force issues.
“You can, by policy, choose to reject somebody else’s ATO and forbid stuff from your system,” the former technical advisor said.
Within the Air Force, some authorizing officials were “known to be more strict or less strict, or more forward thinking, or more traditional” than others. Still, banning something with an ATO from another service was “a big lever to pull,” the former technical advisor said: Though “not unheard of, it is a little bit out of the ordinary.”
But John Weiler, a long-time advocate for IT modernization and procurement reform in the Pentagon, found the block surprising: “I’ve been in this business 35 years and I’ve never heard of anything like this ban,” he said. “It’s unprecedented.”
Data-Driven Decision
Chiulli said a key driver behind his decision was the discovery that Soldiers were using experimental LLM chatbots in ways that put Army data at risk.
The Army surveyed personnel about their daily use of NIPRGPT, CamoGPT and other generative AI models in a research study called Project Athena.
Survey respondents “gave us use cases that made me just want to make sure that—if they’re doing those type of things with Army production data … then I want to make sure that I can give them that capability as an Army system provider,” he said.
Guidance given to NIPRGPT users was not clear, Chiulli added. “There’s a lot of different disclaimers on the homepage for NIPRGPT,” he said, “a lot of different Do’s and Don’ts,” which might leave Army personnel confused about “whether they actually are allowed to do that stuff.”
NIPRGPT’s login page is considered “Controlled Unclassified Information” and is not accessible to the public, so Air & Space Forces Magazine was unable to independently verify that description.
The Army wanted to ensure there was clarity and consistency in rules about how to use AI, Chiulli said.
“We were worried about duplicative [and divergent] guidance,” he said. “I might give guidance out from an Army perspective, about Army data, and it may be in conflict with Air Force [guidance], right?”
The Army also wanted “to ensure we have some policies out there for records management,” he said, so that generative AI chatbots could be responsive to FOIA requests and other records retention mandates. “When someone calls up and says, ‘I need to know what someone did [on this issue],’ we need to have all [those records] ready to go.”
Issuing guidance would not have been a sufficient response, Chiulli said, noting “Soldiers will soldier: They’ll go and use stuff that’s useful whether or not they’re supposed to use it, as long as they can get to the website.”
Turning Off the Spigot
Aside from security, the biggest factor in the move away from NIPRGPT was cost, Chiulli said.
NIPRGPT was free to users from every service, but there were doubts about whether that funding model was sustainable, and concerns about what would happen if and when NIPRGPT had to transition from R&D dollars to sustainment dollars.
The Army feared that the Air Force might pull the rug out from under the program.
“I don’t know when that spigot was going to turn off,” he said of the free access to NIPRGPT. “There’s always a bill. We need to be very cognizant of the cost model. Whether it’s free for one year or six months or seven years, at some point, you have to pay.”
More importantly, said Chiulli, Army users needed to understand that—even if they weren’t paying—the service did cost money. “I think there needed to be a general understanding across our users that AI is not free.”
A New Cost Model
Chiulli said that one of the cost advantages of the Army Enterprise LLM Workspace is the flexible way Ask Sage is billed.
Most Software-as-a-Service offerings are billed by the “seat”: the military service or agency buys a certain number of user licenses, each representing the right of one person to use the service.
But Ask Sage bills by the token, the units a generative AI model strings together to form the text it produces. Tokens can be assigned to anyone and reassigned if necessary, Chaillan said. They can also be used at any classification level, so a customer that has bought tokens for an unclassified system and later needs classified access can use the same tokens. Either way, costs are borne by individual users based on their volume of use.
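As a rough illustration of the difference between the two billing models, here is a minimal sketch with invented prices and usage figures; these numbers are hypothetical, not Ask Sage’s actual rates.

```python
# Invented figures, purely to contrast seat licensing with token billing.

def seat_cost(licenses: int, price_per_seat: float) -> float:
    """Seat licensing: every license costs the same whether or not it is used."""
    return licenses * price_per_seat

def token_cost(tokens_used: int, price_per_1k: float) -> float:
    """Token billing: cost tracks actual generation volume, and the token
    pool can be reassigned among users or across classification levels."""
    return tokens_used / 1000 * price_per_1k

# 500 enrolled users, of whom only a fraction generate text heavily:
print(seat_cost(500, 20.0))        # 10000.0 per billing period, regardless of use
print(token_cost(2_000_000, 0.5))  # 1000.0 for two million tokens actually consumed
```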