Secure AI for Defense and Government

Verify. Secure. Enforce. From supply chain to runtime — across connected, on-premises, and air-gapped environments.

Jozu has achieved Awardable status on both the CDAO Tradewinds Solutions Marketplace and the Platform One Solution Marketplace — ensuring our solution has met rigorous qualification measures and is ready for rapid acquisition by DoD and federal customers.

THE CHALLENGE

The Agentic AI Governance Gap

The shift from generative AI to agentic AI changes the risk calculus. Models take inputs and produce outputs. Agents take actions — they invoke tools, access data, interact with systems, make decisions, and spend money on behalf of users. Traditional security controls weren't built for autonomous, non-deterministic actors operating at machine speed.

As the ATARC DevSecOps Working Group frames it, organizations are transitioning from "Creator" to "Curator" — moving from writing every line of code to orchestrating squads of autonomous agents. This paradigm shift demands a new defensive architecture grounded in Zero-Trust for machine autonomy.

Ungoverned Agent Sprawl

Agents and MCP servers proliferating across desktops, IDEs, and production environments with no centralized visibility, inventory, or policy enforcement.

Supply Chain Blind Spots

Models, agents, and MCP servers carry threats traditional container scanners miss — serialization attacks, data poisoning, backdoored weights, adversarial susceptibility, and prompt injection.

Runtime Actions Without Guardrails

IAM verifies authorization but cannot verify the agent binary matches what was approved. DLP has no primitives for governing tool invocations, decision chains, or autonomous spending.

Air-Gapped and DDIL Requirements

Governance architectures that depend on a central control plane must choose between failing open (security gap) or failing closed (outage) when connectivity is lost.

THE JOZU SOLUTION

Supply Chain Verification Before Runtime. Policy Enforcement During Runtime.

Most governance tools start at runtime. By then, you're already trusting that the agent, model, or MCP server that is running is the one you approved. Jozu starts earlier, in the development phase, and stays in force through execution.

Verify Before Execution

Every AI artifact is packaged as an OCI-compliant ModelKit, scanned by five integrated security scanners covering 10+ vulnerability types, and protected by cryptographic signatures and signed attestations. ArtifactPolicy evaluates scan results, signatures, and provenance before any artifact is approved for deployment.

Enforce Before Execution

Agents execute inside a protected runtime (micro-VM or Kata container isolation) where every action is policy-governed. ToolPolicy enforces per-tool, per-agent, per-user access controls at every invocation. GuardrailPolicy inspects prompt content and tool arguments at the semantic level. Human-in-the-loop gates high-risk actions.

Audit Everything

Every policy decision — every admission check, every tool invocation approval or denial, every guardrail evaluation — is logged in a tamper-evident, cryptographically chained audit trail. Logs operate autonomously when disconnected and sync when connectivity is restored.
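The tamper-evident, cryptographically chained audit trail described above, as an added illustration (not Jozu's own log format): each record commits to the hash of the record before it, so editing, deleting or reordering any entry is detected on verification. The entry layout, the genesis value and the sample decisions are constructed for this example.

```python
# Hypothetical hash-chained audit log, not Jozu's format: every entry hashes
# the previous entry's hash together with its own sequence number and event.
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first entry's "prev" link


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append one policy decision, chaining it to the current log head."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "event": event,
             "hash": _entry_hash(prev, seq, event)}
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Return (ok, first_bad_seq); recompute every hash and link in order."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i          # gap, reorder or broken link
        if e["hash"] != _entry_hash(prev, i, e["event"]):
            return False, i          # content of this record was altered
        prev = e["hash"]
    return True, None


def demo() -> dict:
    # Constructed sample decisions of the kinds the text lists.
    log = []
    append(log, {"kind": "admission", "artifact": "agent:v3", "decision": "allow"})
    append(log, {"kind": "tool_call", "tool": "shell.exec", "decision": "deny"})
    append(log, {"kind": "guardrail", "finding": "pii", "decision": "block"})
    intact = verify(log)
    tampered = json.loads(json.dumps(log))      # deep copy of the log
    tampered[1]["event"]["decision"] = "allow"   # flip a denial to an allow
    deleted = log[:1] + log[2:]                  # drop the denial record
    return {"intact": intact, "tampered": verify(tampered), "deleted": verify(deleted)}
```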

AI-Specific Security Scanning

Five integrated scanners (ModelScan, LLM Guard, Garak, Promptfoo, ART) assess 10+ vulnerability types including serialization attacks, data poisoning, backdoored weights, adversarial susceptibility, and prompt injection. Scan results are attached as signed attestations on the artifact itself.

Content-Aware Enforcement

Agent Guard doesn't just see where agents connect — it sees what they say and do. Semantic-level inspection of prompt content, completion content, and tool arguments detects threats that infrastructure-level controls (network rules, filesystem access, syscalls) cannot distinguish.

Built for Defense and Government Environments

Designed to operate in the most secure and challenging environments

  • Air-Gapped and DDIL Operations

    Self-verifying artifacts. No external dependencies.

    Policies are distributed as versioned, cryptographically signed OCI artifacts. Policy integrity is verifiable locally without a network call. Agent Guard enforces policy on servers, desktops, edge devices, and air-gapped networks. Self-verifying artifacts carry everything needed to confirm provenance — no external verification service required.

  • Integrates with Your Stack

    Open standards. No proprietary formats.

    ModelKits are OCI artifacts that work with any container registry and Kubernetes cluster. No proprietary formats. No new infrastructure. Same registries, same deployment pipelines, same vulnerability management workflows your teams already operate.

  • Kubernetes-Native

    Deploy anywhere. No Docker prerequisite.

    Jozu Hub deploys on customer infrastructure via Helm. Agent Guard runs as a single binary — server, desktop, edge, IoT. Native support for Kata containers and micro-VM isolation. No Docker prerequisite for Agent Guard.

ZERO-TRUST FOR AI

Zero-Trust for Machine Autonomy

The ATARC DevSecOps Working Group and NIST's Concept Paper on AI Agent Identity both frame agents as Non-Person Entities (NPEs) — high-privilege actors that require governance controls beyond what IAM provides. Jozu operationalizes this framework.

Non-Person Entity Governance

ArtifactPolicy verifies the provenance and integrity of every agent before it loads into the runtime. ToolPolicy re-evaluates permissions at every tool invocation — not just at session start — limiting inherited privilege abuse across delegation chains.

Zones of Intent Scaffolding

Agent Guard's protected runtime physically bounds autonomous reasoning within designated boundaries using micro-VM or Kata container isolation. If an agent is compromised, blast radius is contained.

Reversible Resilience

ToolPolicy triggers human-in-the-loop elicitation for high-risk actions. Approvals are signed attestations. Every action is logged in a tamper-evident audit trail that supports forensic review and rollback traceability.

Fail Closed by Design

Agent Guard denies on missing data or evaluation errors. This is the default behavior, not a configuration option. Architectures that delegate failure behavior to the developer default to fail-open, creating silent security gaps.
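The fail-closed, per-invocation evaluation described here and under "Non-Person Entity Governance" above, as an added illustration (hypothetical rule format, not Jozu's ToolPolicy): the evaluator is called on every tool call, checks per-tool, per-agent and per-user rules plus argument validation and a human-approval gate for destructive operations, and returns deny for any missing field, unknown tool or evaluator exception. Tool names, agents, users and paths are constructed.

```python
# Hypothetical fail-closed tool policy, not Jozu's own: the only path to
# "allow" is passing every check; every error or gap in the data is a deny.
from dataclasses import dataclass

# Constructed policy table (per-tool rules with allowed agents/users and an
# argument validator); fs.delete additionally requires a human approval.
POLICY = {
    "fs.read":   {"agents": {"summarizer", "deploy-bot"}, "users": {"alice", "bob"},
                  "validate": lambda a: a.get("path", "").startswith("/data/")},
    "fs.delete": {"agents": {"deploy-bot"}, "users": {"alice"},
                  "validate": lambda a: a["path"].startswith("/data/tmp/"),
                  "requires_human": True},
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(call: dict) -> Decision:
    """Evaluate one tool invocation; called every time, never cached per session."""
    try:
        # Missing data: every required field must be present, otherwise deny.
        for field in ("tool", "agent", "user", "args"):
            if field not in call:
                return Decision(False, f"missing field: {field}")
        rule = POLICY.get(call["tool"])
        if rule is None:
            return Decision(False, "unknown tool")
        if call["agent"] not in rule["agents"]:
            return Decision(False, "agent not permitted for tool")
        if call["user"] not in rule["users"]:
            return Decision(False, "user not permitted for tool")
        if not rule["validate"](call["args"]):
            return Decision(False, "argument validation failed")
        if rule.get("requires_human") and not call.get("human_approved"):
            return Decision(False, "human approval required")
        return Decision(True, "allowed")
    except Exception as exc:
        # Evaluation error (e.g. a validator raising on malformed args): deny.
        return Decision(False, f"evaluation error: {type(exc).__name__}")
```

A validator that raises on unexpected arguments (here, fs.delete with no "path") is reported as an evaluation error and denied rather than falling through.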

How Jozu Maps to the OWASP Agentic AI Top 10

The OWASP Agentic AI Top 10 identifies the critical security risks facing autonomous AI systems. Here is how Jozu addresses each one.

OWASP Risk / Jozu Coverage

  • ASI01: Agent Goal Hijack
    ToolPolicy limits blast radius of hijacked goals. Human-in-the-loop elicitation interrupts before high-risk tool calls complete.

  • ASI02: Tool Misuse & Exploitation
    ToolPolicy enforces per-tool, per-agent, per-user access with argument validation, rate limiting, and destructive operation confirmation. Fail-closed. Cost metering caps abuse.

  • ASI03: Identity & Privilege Abuse
    ToolPolicy re-evaluates permissions at every tool invocation, limiting inherited privilege abuse across delegation chains.

  • ASI04: Supply Chain Vulnerabilities
    Primary Jozu strength. Five scanners, cryptographic signatures, signed attestations, ArtifactPolicy evaluation. MCP servers packaged as signed OCI artifacts. Self-verifying for air-gapped environments.

  • ASI05: Unexpected Code Execution
    Protected runtime isolates execution. ArtifactPolicy blocks unverified artifacts. ToolPolicy restricts tool execution conditions.

  • ASI06: Memory & Context Poisoning
    ArtifactPolicy governs which MCP servers and data sources agents access. Cryptographically chained audit logs support forensic review.

  • ASI07: Insecure Inter-Agent Communication
    GuardrailPolicy inspects agent-to-agent messages. ToolPolicy governs inter-agent tool invocations. MCP registry establishes provenance.

  • ASI08: Cascading Failures
    Fail-closed design prevents silent propagation. Human-in-the-loop gates high-risk actions. Tamper-evident audit logs enable cascade traceability.

  • ASI09: Human-Agent Trust Exploitation
    Human-in-the-loop elicitation requires explicit confirmation for high-risk invocations. Approvals are signed attestations in the audit log.

  • ASI10: Rogue Agents
    Protected runtime contains blast radius. ArtifactPolicy verifies provenance before agent loads. ToolPolicy enforces behavioral constraints. Cryptographic attestations establish identity.

What Tradewinds Evaluators Recognized

Jozu enables secure packaging, cryptographic signing, automated AI-powered security scanning, supply-chain verification, and policy-enforced deployment, helping ensure that AI agents and models are built securely, tamper-proof when deployed, and easy to audit for mission-critical environments.


The assessment highlighted:

  • Precise problem articulation
    Of defense AI challenges
  • Standardized OCI-compliant ModelKits
    With tamper-evident provenance
  • Simple subscription model
    Well-aligned to secure, multi-cluster DoD deployments
  • Air-gapped environment support
    For disconnected operations

Governance That Scales With Your AI Maturity

Maturity Stage / Your Challenge / Jozu's Role

  • Ad-Hoc (The Researcher)
    Your Challenge: Shadow AI proliferating with no visibility or controls.
    Jozu's Role: Jozu Hub provides centralized inventory. MCP Registry API gives IDE users a curated, security-scanned source for AI tools.

  • Human-Centric (The Creator)
    Your Challenge: AI-assisted coding with no artifact integrity verification.
    Jozu's Role: Jozu Hub scans model artifacts and dependencies. SPDX 3 SBOMs track provenance and training lineage.

  • AI-Assisted (The Pilot)
    Your Challenge: AI integrated into CI/CD with no policy gates on AI-generated artifacts.
    Jozu's Role: ArtifactPolicy gates promotion. ToolPolicy enforces strict API contracts that fence probabilistic AI behavior.

  • AI-Agentic (The Curator)
    Your Challenge: Autonomous agents with tool access performing multi-step workflows.
    Jozu's Role: Full platform: Agent Guard enforces ToolPolicy and GuardrailPolicy at every invocation. Human-in-the-loop for high-risk actions. Tamper-evident audit logs.

Frequently Asked Questions

How does Jozu support our compliance posture?

Jozu provides the technical controls that support your compliance posture. Jozu does not claim certification — Jozu enables compliance.

OMB M-25-21 (Accelerating Federal AI)

Centralized inventory, policy administration, and audit infrastructure for mission-aligned AI scaling.

OMB M-25-22 (AI Acquisition Standards)

Pre-award testing via five-scanner pipeline and ArtifactPolicy gates. Artifact integrity verification protects government data rights.

NIST Cyber AI Profile (IR 8596)

Addresses AI-specific threats (data poisoning, model exfiltration) through supply chain scanning, signed attestations, and runtime policy enforcement. Integrates CSF 2.0 with AI RMF.

NIST AI RMF

Govern (policy administration, registry, audit) · Map (scanning, SBOMs, ArtifactPolicy) · Measure (tamper-evident chained logs) · Manage (ToolPolicy, GuardrailPolicy, human-in-the-loop, fail-closed).

NIST SP 800-53

Supply chain (SR-3/4/9/11) · Audit (AU-2/3/9/10/12) · Access control (AC-3/4/6) · Configuration management (CM-3/7/14) · Supply chain risk (SA-12) · Cryptographic identity (IA-3).

CMMC Level 2/3 · SWFT · SPDX 3

Tamper-evident audit logs, disconnected operation, supply chain scanning, SBOM generation with training lineage and license compliance. Supports SWFT, EO 14028, and FedRAMP requirements.


How is Jozu procured by Government and Defense organizations?

Tradewinds Awardable

CDAO, awarded February 2026. Primary DoD procurement entry point.

Platform One Solution Marketplace

Awardable status achieved April 2026. Jozu provides the "AI Iron Bank" layer for AI models, agents, and MCP servers — OCI-compliant ModelKits with model-specific scanning, signed attestations, and air-gapped enforcement.

FedRAMP 20x

In progress.

Capabilities Statement:

UEI: TU95BNULRWD5 · CAGE: 11YB0 · NAICS: 513210

Contact: [email protected]


What other regulated industries does Jozu support?

Healthcare (HIPAA, FDA, 21 CFR Part 11)

ToolPolicy governs which agents access patient data. GuardrailPolicy detects PII and PHI in prompts and completions. Tamper-evident audit trails provide cryptographic record integrity for GxP compliance.

Financial Services (SOX, Basel, SR 11-7)

Tamper-evident versioning and artifact diffing support model risk management. ArtifactPolicy promotion gates enforce validation before production deployment. Audit trails provide non-repudiation for regulatory examination.

CUI-Handling Organizations

Air-gapped operation and local policy enforcement ensure Controlled Unclassified Information never leaves the designated security boundary — even when agents perform autonomous actions.


What organizations have adopted Jozu/KitOps?

Jozu and KitOps have been adopted by organizations that require the highest levels of security and compliance.

U.S. Government & Defense

Active engagements with DoD, federal civilian agencies, and national laboratories.

European Government

Adopted by government organizations requiring on-premises governance and compliance with EU frameworks.

Global Regulated Enterprise

Healthcare, financial services, and organizations handling CUI — wherever AI governance, supply chain verification, and audit trails are required.