Skip to Content

How Do You Field Accredited AI at the Edge?

Published on
Legion’s AI summary

Fielding accredited AI at the edge is an accreditation and procurement problem before it is a capability problem.

  • The gate: For most programs the barrier is the authority to operate (ATO), the authorizing official's decision to authorize operation, and the contract that fields the system, not model capability.
  • Single-contract path: A single-purchase, pre-hardened system with an IL2 through IL6 and FedRAMP High posture and documented HBOM and SBOM can shorten both the procurement and the authorization path. It arrives accreditation-ready, not accredited.
  • Field evidence: At Scarlet Dragon 26-01, Centurion by Legion Intelligence installed to operational capability in one day on a classified IL6 network. That one day measures the install, not the separate and longer timeline an authorizing official takes to grant an ATO.

What gates a program from fielding AI at the tactical edge?

Two gates stand between a working model and a fielded one: the authorization to operate (ATO) an authorizing official issues before a system can run on a given network, and the contract that puts the system in the field. Capability is necessary, but it is not where programs lose time.

A custom build reaches those gates by inventing its own security architecture from scratch. It spends months on identity, permissions, integrations, and auditability before the first workflow runs, and every new environment can become a separate authorization or reciprocity effort. An integrator-led program runs on a single award to the integrator, who subcontracts the hardware, software, and sustainment. Delivery moves at the integrator's pace, and changes route back through the integrator to subcontracted component providers, which adds time. Centurion by Legion Intelligence is the worked example of the other path: a pre-integrated, hardened system with a documented security posture and a known bill of materials, built so the accreditation effort starts from documented ground. Legion calls this a faster path to ATO for that reason, not because the authorization is inherited or skipped. Whether it keeps working when the network drops is a separate question: for that operational problem, see how AI operates in DDIL environments.

What do IL2 through IL6, FedRAMP High, and HBOM/SBOM actually buy a program?

Existing ATOs, an HBOM, and an SBOM give an authorizing official documented evidence to assess, which can shorten a review rather than restart it.

The Impact Levels (IL2 through IL6) categorize information and environments by sensitivity and impact; IL6 covers classified information up to SECRET, the posture required for a classified tactical network rather than an unclassified one. FedRAMP High is a separate authorization that applies only to cloud, setting the federal baseline for high-impact unclassified workloads. The two govern different environments: the Impact Levels apply to DoD networks by classification, while FedRAMP High applies to cloud platforms. They are not two halves of one deployment's coverage.

Beyond the Impact Levels and FedRAMP, three more credentials cut what the authorizing official builds from scratch. NIST 800-53 is the federal control catalog a security review grades a system against, so aligning to it gives the review a shared baseline vocabulary rather than a custom one. SOC 2 Type II adds independent evidence that those controls held over time, and a documented HBOM and SBOM make the supply chain visible and reviewable, so the review starts from a known, bounded system the authorizing official does not characterize from scratch. Air-gapped capability changes the questions further: with no external connectivity, the reach-back and external-connectivity assumptions a cloud-dependent system carries fall away.

This is what accreditation-ready means: the documentation does not bypass the authorization process; it gives the authorizing official a smaller, better-evidenced surface to assess instead of an unvetted asset stack. Centurion is also ready to manage ITAR data, which matters wherever a deployment touches export-controlled defense technical data. Full credential detail sits on the Legion security page.

Why does a single-contract, known-BOM system shorten the path to an authority to operate (ATO)?

A single-contract, known-BOM system shortens the path to an ATO by giving the authorizing process one bounded, documented system to assess instead of several separately procured layers to reconcile, and it collapses the procurement effort into a single award.

Centurion is procured as a single purchase: hardware, software, models, and support in one line item. When those layers are procured separately, each carries its own timeline and security validation, and the authorizing official is left to reconcile layers no single party documented end to end. In an integrated system, the integration-level controls (how software, models, and compute interact) arrive documented and hardened inside the system boundary. They are not written and validated net-new during the program's own assessment, so the surface stays bounded and the supply chain stays documented. Fixed pricing and a clear total cost of ownership remove the forecasting problem usage-metered models carry. For customers with existing accredited edge hardware, Centurion can also be acquired as a software system that lives on their devices.

The four paths differ most on the variables that shape procurement and accreditation effort:

Dimension Centurion Custom build Integrator-led program Cloud-only AI
Procurement Single purchase, one line item Multiple contracts Single award to the integrator, who subcontracts Subscription, usage-metered
Bill of materials Known HBOM and SBOM Assemble and validate yourself Spread across vendors Documented to the vendor's cloud boundary, not a disconnected node
Accreditation evidence Pre-hardened, documented, IL2 through IL6 deployments posture Build your own security architecture and evidence Spread across multiple parties Scoped to the vendor's cloud boundary; does not extend to a disconnected or local tactical network
Total cost of ownership Fixed pricing, clear TCO Variable, often hidden Services-driven Hard to forecast on usage
Deployment to operational capability Weeks, depending on integration Months Slow: changes route back through the integrator to subcontracted providers Fast inside its authorized cloud boundary; not for a disconnected local tactical node

Model currency is part of the same procurement question. The Department of War’s AI-first direction expects fielded systems to run current approved models rather than freezing them at deployment. The accreditation question is whether those updates reach the edge through a validated, documented pathway, including controlled updates to disconnected nodes with validation and rollback, that an authorizing official can review.

What does accreditation-ready look like in the field?

Accreditation-ready in the field does not mean authorized in a day. It means a system can be installed into the target environment with documented components, known dependencies, and controls the authorizing process can assess. Centurion's deployments provide the accreditation evidence needed to bootstrap that process.

At Scarlet Dragon 26-01, the XVIII Airborne Corps G2 field-evaluated Centurion L on the Corps' tactical SIPR network at IL6, and the system installed to operational capability in one day, fully disconnected, with no cloud reach-back. The environment was a classified IL6 network. The install reached operational capability in one day. That one day measures the install only; the authorization timeline is separate and set by the authorizing official. 

At USSOCOM TE 26-02, Centurion ran on government-provided planning data in a disconnected environment, with automatic local model failover when connectivity dropped. 

All of this runs on the same Legion platform that was proven by 20,000+ users across U.S. Special Operations Command.

How do data sovereignty and human authority hold up under accreditation?

Data sovereignty and human authority hold up under accreditation because Legion implements both in ways a review can verify. Data sovereignty is enforced as a data-flow boundary. Human authority is preserved through governed approval points whose actions are attributed and logged, so the review sees them in the audit record rather than as a separate security control. Centurion runs the same governed agent workflows, attribution, and human-authority model as Legion's cloud and on-prem deployments, so what a review covers is what operates in the field.

Customer data stays in the customer's environment and is never used to train external models, which removes the data-egress and external training questions a hosted tool has to answer. Every action is attributed, including agent actions, and audit logging is native to the platform, so a review can see what was done and on whose behalf. Role-based access governs who can do what, and human authority is preserved through policy-defined approval points, each one attributed and logged. For an accreditation package, that governance produces the control evidence a review depends on. The package draws on the role-based access model, attribution logs, the data-flow boundary, NIST 800-53 alignment, a validated model-update pathway, and the HBOM and SBOM.

When is the single-system model not the right fit?

The single-system model is not the right fit when a program already holds a covering authorization inside a stable accreditation boundary. A hosted tool inside that boundary may be sufficient, and a deployable system would add more than the situation requires. If the requirement is one analyst's productivity rather than an organizational capability, a commercial on-device assistant is the cheaper, faster call.

The deciding variable is the accreditation boundary. A program inside a stable, already-authorized boundary has different needs than one standing up AI inside a new or edge boundary, where a pre-hardened, documented system shortens the authorization effort.

Map it against your authorizing process

For a program standing up AI inside a new boundary or tactical edge environment, the next step is to request a Centurion field evaluation. An evaluation maps the system boundary, bill of materials, control evidence, and install path against your own environment and authorizing process.

Frequently asked questions

Does Centurion come with an authority to operate (ATO)?
No. As with any system entering a new accreditation boundary, Centurion is accreditation-ready, not accredited: it ships pre-hardened, with HBOM and SBOM documentation and an IL2 through IL6 and FedRAMP High posture that gives the authorizing process documented evidence to assess. The authorizing official still issues the ATO for the specific environment.
What is the difference between accreditation-ready and accredited?
Accreditation-ready means a system is pre-hardened and documented, with the components, dependencies, and control evidence an authorizing official needs to assess it. Accredited means that official has issued the ATO for a specific environment. Centurion ships accreditation-ready; the authorizing official still grants the ATO.
What is the difference between FedRAMP High and IL6 for Centurion?
FedRAMP High is the federal cloud authorization baseline for high-impact unclassified workloads, so it applies to the cloud platform. IL6 covers classified information up to SECRET, the posture for classified networks. They are complementary, not interchangeable, and they govern different environments. For an edge deployment like Centurion on a classified network, IL6 is the applicable authorization; FedRAMP High belongs to the cloud platform, not the edge.
What are HBOM and SBOM, and why do they matter for an ATO?
An HBOM and SBOM are the hardware and software bills of materials that document every component for supply-chain and security review. Centurion ships with both established, which gives the authorizing process a fixed artifact to assess instead of an unknown set of parts and helps reduce supply-chain and cyber risk by making every dependency visible and reviewable.
Are Centurion configurations TAA-compliant?
TAA-compliant configurations are available for all Centurion configurations. Centurion ships in four configurations, Centurion III, V, X, and L, spanning a single operator to a forward datacenter of up to 350 users, with TAA-compliant options on the X and L models.

Table of Contents

Accredited AI at the edge hinges on the authority to operate and the contract. An IL6, FedRAMP High, single-contract system can shorten both.