Call Dynamics & What Dan Expects
Dan Caulfield is the executive sponsor running this call. He's not the technical lead — he's the translator between IT and the AI vendor (you). Here's the structure he's set up and what he wants out of this call.
Dan Caulfield — Executive Sponsor
Dan is driving this initiative. He'll open the call and frame the three objectives. He's a momentum protector — his priority is making sure nothing blocks progress. He will push until he gets clear answers on what can start immediately.
Carlos — IT / Microsoft Architecture
Carlos is responsible for the Microsoft environment that will house Regal's AI platform. He'll describe the Azure architecture he's planning and his timeline. You need to understand what he's building and when it'll be ready.
Danny (You) — AI Implementation
You're the AI vendor. Dan expects you to bring implementation experience, explain how you start projects in regulated environments before final infrastructure exists, and define what data you need first.
Florian — Will Review Combined Proposal
Florian and Dan will review the combined proposal after this call. Whatever you learn from Carlos and the project discussions gets incorporated into the architecture proposal you deliver.
The Three Things Dan Wants Aligned
Dan will open the call with these three objectives. Be ready to speak to all of them:
- What environment will realistically be available — and when? (Directed at Carlos)
- What work can start immediately without waiting for that environment? (Directed at you)
- How do the projects we run now help define Regal's long-term AI architecture? (Collaborative)
The Key Principle Dan Will Push
"Infrastructure and AI projects should move in parallel, not sequentially." Dan is explicitly trying to prevent a scenario where everyone waits months for infrastructure before any AI work begins. He wants you to show that real project work can start now — using sandboxes, synthetic data, masked data, or non-CUI datasets — while Carlos builds the final Microsoft environment.
The Two Projects: Scott & Stella
There are two named projects on the table. Understanding which touches controlled data — and which doesn't — is the key to unlocking immediate work.
Scott Project — Engineering / Manufacturing
This is the engineering and manufacturing-related project. It may involve CUI (Controlled Unclassified Information) and potentially ITAR data depending on the programs involved.
- Likely touches engineering specs, manufacturing processes, test data
- May require the full Azure Government environment before production
- Can still begin with masked/synthetic data or non-CUI subsets
- Ask Carlos: which components of the Scott project require CUI access?
Stella Project — Accounting
This is an accounting problem. It likely does not involve CUI or ITAR-controlled data, which means it can begin immediately without waiting for the Microsoft Government environment.
- Finance and accounting data is typically not CUI or ITAR
- Can begin in a sandbox or development Azure environment now
- Real work produces real learnings that inform the architecture
- This is your strongest argument for starting immediately
"Which of the projects we're discussing actually touch controlled data? If the Stella project doesn't involve CUI or ITAR data, we can begin work on it immediately — in a sandbox environment — while Carlos finalizes the Microsoft architecture. The learnings from Stella directly inform how we build the production platform."
Talking point — use this to unlock the parallel work strategyThe Parallel Strategy You Must Advocate
Dan is counting on you to make the case for parallel work. Here's the contrast:
- Sequential (bad): Build infrastructure → wait months → then start projects
- Parallel (good): Start projects → learn from real data → build infrastructure informed by real use cases
The projects you run now should become the blueprint for Regal's AI architecture. Architecture does not delay projects — projects inform architecture.
Questions Dan Will Ask You Directly
Dan has these questions scripted for you specifically. Have clear, confident answers ready.
Questions Directed at Danny (You)
"In regulated environments like defense manufacturing, how do you typically start projects before the final infrastructure exists?"
Dan wants to hear that you've done this before and have a proven approach.
"What type of sandbox or development environment do you usually work in early?"
Be specific about what you need to get started.
"What data would you want access to first in order to understand Regal's operations?"
This is your chance to define the first concrete step.
"What work can begin immediately without waiting for the Microsoft environment?"
Dan will push hard on this. Have a clear, itemized answer.
Regal's Data Sources You Need to Understand
Dan wants to make sure you hear about Regal's data systems on this call. These are the systems that will eventually feed the AI platform — ask about each one.
ERP — Enterprise Resource Planning
The backbone of their operations. Tracks orders, inventory, procurement, financials. The Stella accounting project likely pulls from here. Ask which ERP system they use (SAP, Oracle, Epicor, etc.).
PLM — Product Lifecycle Management
Manages engineering data: CAD files, BOMs (bills of materials), engineering change orders, revision history. The Scott engineering project likely lives here. This is where CUI data is most likely to reside.
MES — Manufacturing Execution System
Tracks real-time manufacturing operations: work orders, process steps, quality checks, production data. AI can optimize workflows, predict defects, and analyze yield data from here.
Test Equipment Data & Finance Systems
Test results, inspection data, measurement logs from manufacturing. Plus accounting and finance systems for the Stella project. These may or may not involve CUI — confirm on the call.
"What systems would eventually feed Regal's AI platform? I want to understand the full data landscape — ERP, PLM, MES, test equipment, finance — so we can design the ingestion architecture now, even before we connect to the production systems."
Ask this on the call — Dan specifically wants you to hear thisWho Is Regal Technology Partners?
Before you get on the call, here's what you need to know about Regal, their industry, and why their requirements are uniquely strict.
Defense Electronics Manufacturer
Regal designs and manufactures electronic systems — cables, circuit card assemblies (CCAs), and box builds — for military applications. They operate across Space, Air, Land, and Sea defense segments with 30+ years of experience.
Prime Contractor Partnerships
They work directly with defense primes like Raytheon (RTX). The Raytheon NDA references the F-35 DMS-R program (Diminishing Manufacturing Sources and Redesign) — one of the most sensitive programs in defense.
CUI & ITAR-Controlled Data
Their work involves Controlled Unclassified Information (CUI) and likely ITAR-controlled technical data. This means strict rules on who can access data, where it's stored, and how it's processed — including by AI systems.
Why They Need Their Own Platform
They can't use commercial AI tools (ChatGPT, Copilot, etc.) with their data. They need an AI platform they own and control, running in an environment that meets federal cybersecurity mandates — and that's exactly what we build.
Key Context for the Call
Regal is a Tier 2/3 defense supplier — they make components and sub-assemblies for the primes (Raytheon, Lockheed, Northrop, etc.). These suppliers are under enormous pressure to adopt CMMC (Cybersecurity Maturity Model Certification), protect CUI, and now increasingly need AI capabilities — but they're terrified of violating their NDAs or losing their prime contracts. Your pitch is: we build the platform inside their security perimeter so they get AI without risk.
The Government Rules You Need to Know
Defense suppliers like Regal operate under a web of cybersecurity and data handling regulations. Here's the cheat sheet on what matters and what to reference on the call.
CMMC Level 2
Cybersecurity Maturity Model Certification — Required for any contractor handling CUI. Mandates 110 security controls from NIST SP 800-171. Regal almost certainly needs CMMC Level 2 to keep their prime contracts. Azure Government Cloud meets these requirements natively.
NIST SP 800-171
The actual technical control framework behind CMMC Level 2. Covers access control, audit logging, encryption, incident response, and system integrity. Our Azure architecture maps directly to these 110 controls.
DFARS 252.204-7012
Defense Federal Acquisition Regulation Supplement — The contractual clause that requires defense contractors to protect CUI and report cyber incidents within 72 hours. Mandates "adequate security" per NIST 800-171.
ITAR / EAR
International Traffic in Arms Regulations — Controls export of defense articles and technical data. If Regal handles ITAR data, it cannot be processed on servers outside the US or accessed by non-US persons. Azure Government Cloud provides ITAR-compliant regions.
AS9100 — Aerospace Quality
Aerospace Quality Management System — The quality standard for aviation, space, and defense manufacturing. Regal holds this certification for their manufacturing operations. Our AI platform must respect their AS9100 quality processes and documentation requirements.
FedRAMP High
Federal Risk and Authorization Management Program — Azure Government is FedRAMP High authorized, meaning it's cleared for the most sensitive unclassified federal data. This is the foundation for DoD Impact Level 4/5 compliance.
Critical Distinction: Not All Regal Data Is Controlled
This is important for the parallel work strategy. Not all of Regal's data is CUI or ITAR-controlled. Some projects — like the Stella accounting project — can run immediately using:
- Non-CUI datasets — financial data, accounting records, general business documents
- Masked data — real data structure with sensitive fields anonymized
- Synthetic data — artificially generated data that mirrors real patterns
- Isolated development systems — sandbox environments with no CUI
"We're building this on Azure Government Cloud — FedRAMP High authorized, DoD IL4/IL5 compliant. It meets all 110 NIST 800-171 controls out of the box. Your platform lives in a US-only sovereign environment with no data egress."
Talking point for the callThe Raytheon NDA & AI Usage Rules
This is the most nuanced part of the conversation. The NDA doesn't ban AI — it bans AI usage that violates confidentiality rules. Here's exactly how to frame it.
Section 3.1.6 — The Key Clause
The recipient must "not use or incorporate the disclosing party's proprietary information with any artificial intelligence or machine learning system in a manner that does not comply with the use and disclosure restrictions of this Agreement."
- This does NOT outright prohibit AI use
- It prohibits AI use that violates the NDA's confidentiality rules
- CMMC compliance alone doesn't authorize AI usage — it addresses security, not usage rights
AI Use Case Risk Matrix
Use this on the call to explain what's in bounds and what's out of bounds:
| AI Use Case | Risk Level | Notes |
|---|---|---|
| AI summarizing internal documents | Low Risk | Read-only, no data retention, internal only |
| AI-powered document search (RAG) | Low Risk | Retrieval only, no model training, vector embeddings stay in enclave |
| AI assisting engineering review | Low Risk | Tool-based usage within controlled environment |
| AI coding assistant on proprietary data | Medium Risk | Acceptable if model is internal and code doesn't leave enclave |
| Training an ML model using proprietary data | High Risk | Creates derivative work — likely violates NDA purpose restriction |
| Uploading data to external AI service | Prohibited | Data leaves enclave, third party receives proprietary info |
| Building reusable ML model from their data | Prohibited | Incorporates proprietary info into system beyond permitted purpose |
The Key Distinction: AI as a Tool vs. AI as Training Data
Defense primes (Raytheon, Lockheed, etc.) generally interpret these clauses as:
- AI as a Tool = Allowed — Using AI to search, summarize, analyze, or assist with documents inside a controlled environment
- AI as Training Data = Prohibited — Using proprietary data to train, fine-tune, or improve an AI model that could be used elsewhere
"Our architecture uses Azure OpenAI Service with data processing guarantees — Microsoft contractually commits that your data is not used to train their models. Combined with Azure Government's isolated infrastructure, your proprietary information never leaves your security boundary and is never incorporated into any reusable model."
Talking point for the callRecommended Clarification Language for Primes
Many defense suppliers send a proactive clarification to their primes. Here's the standard language Regal could use:
This removes ambiguity and gives Regal a paper trail. Suggest they send this to Raytheon's contracts team.
The Microsoft Azure Stack We'll Build
Here's the complete architecture for Regal's secure AI platform on Azure. Every component runs inside Azure Government Cloud — FedRAMP High, DoD IL4/IL5 compliant, US-only data residency.
Azure Government Cloud + Network Isolation
All services run in Azure Government regions (US Gov Virginia / US Gov Arizona). Data never leaves US sovereign boundaries. Private endpoints, VNet isolation, and zero internet-facing surfaces for the AI pipeline.
Azure OpenAI Service (Government)
GPT-5 and other models deployed in Azure Government. Microsoft's data processing addendum guarantees: your prompts and data are not used to train models, not shared with OpenAI, and not accessible to other customers. Models run on isolated infrastructure.
Azure AI Search + Azure Cosmos DB (Vector)
This is the RAG (Retrieval-Augmented Generation) layer. Documents are chunked, embedded into vectors, and stored in a vector database. When a user asks a question, the system searches the vector DB for relevant context and feeds it to the LLM — the model never "learns" the data, it just reads it at query time.
Azure App Service + Azure Functions
The web application and API layer. Users interact through a secure web portal. Backend services orchestrate document ingestion, search queries, and AI responses. All hosted on Azure App Service with managed identity — no API keys stored in code.
Microsoft Entra ID (Azure AD) + RBAC
Role-based access control with MFA enforcement. Every user action is logged. Document-level permissions ensure engineers only see data they're cleared for. Conditional Access policies restrict access by device, location, and compliance status.
Azure Monitor + Microsoft Sentinel + Defender for Cloud
Full audit logging, SIEM integration, and compliance dashboards. Every AI query, document access, and user action is logged with tamper-proof audit trails. Continuous compliance monitoring against NIST 800-171 controls.
"The platform runs entirely on Azure Government Cloud. Regal owns the subscription, controls all access, and we build it inside their security perimeter. When we're done, they own every line of code and every configuration. No vendor lock-in, no data leaving their environment, no model training on their data."
Talking point for the callHow the Vector Database & RAG Architecture Works
They'll likely ask about the vector database. Here's how to explain it in plain language — and why it's NDA-compliant.
Document Ingestion
Regal uploads their internal documents — engineering specs, datasheets, procedures, standards. These stay in Azure Blob Storage inside the Government Cloud.
Azure Blob StorageChunking & Embedding
Documents are split into meaningful chunks and converted into vector embeddings — mathematical representations that capture semantic meaning. This is not model training. It's like creating a smart index of their documents.
Embedding Model (text-embedding-3-large)Vector Storage
These embeddings are stored in a vector database inside the enclave. The database enables semantic search — finding documents by meaning, not just keywords. All vectors stay within the Azure Government boundary.
Azure AI Search / Cosmos DBUser Asks a Question (RAG)
When an engineer asks "What are the thermal requirements for the DMS-R connector?" — the system searches the vector database for relevant document chunks, retrieves them, and passes them as context to the AI model.
Retrieval-Augmented GenerationAI Generates Answer (No Learning)
The AI reads the retrieved context and generates a response. Critically: the model doesn't retain or learn from this interaction. Each query is stateless. The model doesn't get "smarter" from their data — it just reads and responds.
NDA-Compliant: No TrainingThe Key Point for the NDA
RAG architecture is fundamentally different from model training. The AI model never changes, never learns from their data, and never retains information between queries. It's like having an extremely fast reader who looks at a document, answers your question, then forgets everything. The documents stay in their controlled environment, and the model stays generic.
Questions to Ask on the Call
Organized by topic. You don't need to ask all of them — pick the ones that feel most relevant as the conversation flows.
For Carlos — Microsoft Architecture & Timeline
- Carlos, can you describe the Microsoft architecture you're planning and what timeline you expect before it's operational? This is Dan's first scripted question. Get a clear picture of what Carlos is building.
- Which components must exist before AI development can begin, and which are only required before production deployment? This is critical — separate what you need for dev/sandbox vs. what's needed for production CUI processing.
- Are there development environments we can use before the final infrastructure is complete?
- Are you planning Azure Government Cloud, or starting with commercial Azure and migrating later?
- What Microsoft 365 / Entra ID setup is already in place? Do you have Azure Active Directory configured?
- Do you have a SIEM/SOC in place today, or is that part of what you're building?
Data Sources & Systems
- What ERP system does Regal use? SAP, Oracle, Epicor, or something else? This feeds the Stella accounting project and eventually the broader platform.
- What PLM system manages your engineering data — Windchill, Teamcenter, Arena, or another? This is where engineering specs, BOMs, and change orders live — likely CUI territory.
- Do you have a Manufacturing Execution System (MES)? If so, which one?
- What does your test equipment data pipeline look like? Are test results digitized and stored in a central system?
- For the Stella accounting project specifically — what financial systems and data formats are involved?
- What tools or systems are you currently using for document management? SharePoint? Network drives? A dedicated DMS?
The Critical Question — What Starts Now?
- Which of the projects we're discussing actually touch controlled data? Dan will push this. The answer determines what starts immediately vs. what waits for infrastructure.
- Can we get masked or de-identified ERP exports for the Stella accounting project to begin working immediately?
- For the Scott project, are there non-CUI subsets of engineering data we could start with?
- Is there a sandbox or isolated development environment available today that we could use?
- Can we access sample documents — even redacted ones — to design the AI ingestion pipeline while infrastructure is built?
AI Use Cases & Requirements
- What are the top 3 things you'd want an AI platform to help your team do? Document search? Summarization? Quality analysis? Let them prioritize — we'll build the MVP around their highest-value use case.
- Who are the primary users? Engineers? Quality team? Program managers? All of the above?
- How many users would need access in the first phase? Are we talking 10 people or 200? This affects Azure SKU sizing and cost estimates.
- Are there specific programs or contracts where this would be used first? Or is it company-wide?
- Do you need the platform to handle drawings, schematics, or CAD files? Or primarily text-based documents like specs and procedures? Image/CAD handling requires Azure AI Document Intelligence and multimodal models.
- Would you need AI assistance with any manufacturing processes? Quality inspection data? Test results analysis?
NDA & Legal Boundaries
- Beyond Raytheon, do you have similar NDA restrictions with other primes? Lockheed Martin, Northrop Grumman, L3Harris? If all primes have similar clauses, you need one architecture that satisfies all of them.
- Has your legal team reviewed the AI clause (Section 3.1.6) and formed a position on what "compliant use" means?
- Have you considered sending a clarification letter to Raytheon's contracts team to formalize the approved AI use cases? This is the best practice — proactively define what's allowed rather than guess.
- Do you need to segregate data by program? For example, F-35 data accessible only to F-35-cleared personnel?
- Are there specific data types that are absolutely off-limits for any AI processing, even internally?
Ownership, Control & Deployment
- When you say you want to "own and control" the platform — does that mean you want it in your Azure subscription, managed by your IT team? Clarify if they want full ownership or a managed service model where we operate it in their subscription.
- Do you have internal development or IT staff who would maintain the platform after we build it? Or would you need ongoing support?
- What's your budget range for the Azure infrastructure? Azure Government is roughly 20-40% more expensive than commercial Azure. A typical setup with Azure OpenAI, AI Search, App Service, and monitoring runs $3K-8K/month depending on usage.
- Do you have a timeline in mind? Is there a compliance deadline or a program milestone driving urgency?
- Would you want us to provide the source code, or would you prefer a turnkey platform with a support agreement?
Key Messages to Deliver on the Call
These are the critical points you want to land. Each one addresses a concern or fear that defense suppliers typically have about AI.
Your Core Talking Points
"Your Data Never Leaves Your Environment"
Everything runs inside Azure Government Cloud in US sovereign regions. Private endpoints, VNet isolation, and no internet egress for the AI pipeline. Their data stays in their subscription, under their control, period.
"The AI Doesn't Learn From Your Data"
RAG architecture means the model reads documents at query time but never retains or learns from them. This is the critical NDA distinction — AI as a tool, not AI as training data.
"This Satisfies CMMC and DFARS — By Design"
Azure Government Cloud provides the infrastructure compliance. We build the application layer to complete the control implementation — access control, audit logging, encryption, incident response workflows.
"You Own Everything"
The platform lives in their subscription, the code is theirs, and they can bring their own team to manage it. No vendor lock-in.
"Every Action Is Auditable"
Full audit trails on every AI query, every document access, every user login. SIEM integration for real-time monitoring. This is what defense compliance auditors want to see.
"We Don't Wait — We Start Now and Build in Parallel"
This is the message Dan wants to hear. Show that you understand the parallel work principle and have a plan to deliver value immediately.
If They Push Back — How to Respond
Defense companies are cautious by nature. Here are the objections you're likely to hear and how to address them.
"How do we know Microsoft doesn't see our data?"
Azure OpenAI Service in Government Cloud comes with a Data Processing Addendum (DPA) that contractually guarantees:
- Your data is NOT used to train or improve Microsoft/OpenAI models
- Your data is NOT accessible to other customers
- Your data is processed only in the regions you select
- Microsoft personnel access requires explicit customer consent
"What about the vector embeddings — don't those contain our data?"
Vector embeddings are mathematical representations, not human-readable content. However, they stay in your enclave regardless:
- Embeddings are stored in your Azure AI Search or Cosmos DB instance
- They never leave your VNet or Azure Government boundary
- Even if extracted, embeddings cannot be reverse-engineered into the original text
- All vector data is encrypted at rest (AES-256) and in transit (TLS 1.3)
"Our legal team says we can't use AI at all."
The NDA clause restricts AI use that violates confidentiality — not all AI use. Suggest this approach:
- Point to Section 3.1.6's actual language: "in a manner that does not comply"
- Offer to present the architecture to their legal team
- Propose sending the clarification language to Raytheon contracts
- Reference that other Tier 2/3 suppliers are already using this approach
"Azure Government is expensive. What will this cost?"
Rough monthly estimates for a mid-sized deployment:
- Azure OpenAI Service: $1,500–3,000/mo (depends on query volume)
- Azure AI Search: $500–1,500/mo (depends on index size)
- App Service + Functions: $300–800/mo
- Storage + Networking + Monitoring: $200–500/mo
- Total: Roughly $3,000–6,000/mo for 25–50 users
How Dan Will Close — And Your Next Steps
Dan will close with a summary. Here's his planned closing and the concrete next steps that follow.
"The goal today was making sure infrastructure planning and project work move in parallel. Danny will incorporate what he learned from Carlos into the architecture proposal. We'll do the same with Scott and Stella, then Florian and I will review the combined proposal."
Dan's planned closing statementArchitecture Proposal (Incorporating Carlos's Input)
Take everything you learn from Carlos about the Microsoft environment — timeline, existing infrastructure, constraints — and produce a detailed architecture proposal that maps AI capabilities to their real infrastructure timeline.
Danny Delivers — 48-72 HoursBegin Stella Project Immediately
If confirmed as non-CUI, start the Stella accounting project in a sandbox environment. Request masked ERP exports or sample financial data. Show progress within the first week.
Parallel Track — Start This WeekScott Project Scoping & Data Assessment
Determine which parts of the Scott engineering project can begin with non-CUI or masked data, and which require the full Government Cloud environment. Scope the phased approach.
Parallel Track — Week 1-2Combined Proposal Review with Dan & Florian
Dan and Florian will review the combined proposal covering both projects, the architecture, and the infrastructure timeline. This is the decision gate for the full engagement.
Milestone — Week 2-3Production Environment Migration
When Carlos's Microsoft Government infrastructure is ready, migrate proven sandbox work into the secure enclave. The architecture is already validated — this is deployment, not development.
When Infrastructure ReadyAcronyms & Terms You Might Need
| Term | What It Means |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification — DoD's required cyber framework for all defense contractors |
| CUI | Controlled Unclassified Information — Sensitive government data that isn't classified but still requires protection |
| ITAR | International Traffic in Arms Regulations — Controls export of defense articles; US persons only for access |
| DFARS 7012 | The contract clause requiring defense contractors to protect CUI and report cyber incidents |
| NIST 800-171 | The 110 security controls that CMMC Level 2 is based on |
| FedRAMP | Federal Risk and Authorization Management Program — Cloud security authorization program |
| IL4 / IL5 | DoD Impact Levels — Classification of cloud environments by data sensitivity |
| RAG | Retrieval-Augmented Generation — AI architecture that searches documents to generate answers without model training |
| Vector DB | Database that stores mathematical representations of text for semantic (meaning-based) search |
| DMS-R | Diminishing Manufacturing Sources and Redesign — F-35 program to address obsolete component replacement |
| SCIF | Sensitive Compartmented Information Facility — Physically secure room for handling classified data |
| DPA | Data Processing Addendum — Microsoft's contractual commitment on how they handle your data |
| VNet | Azure Virtual Network — Isolated network environment with no public internet exposure |
| Enclave | A secure, isolated computing environment where sensitive data is processed |
| CCA | Circuit Card Assembly — Regal's core product: manufactured electronic circuit boards for defense systems |
| AS9100 | Aerospace Quality Management System — Quality standard for aviation, space, and defense manufacturing |
| ERP | Enterprise Resource Planning — Core business system for orders, inventory, procurement, and financials |
| PLM | Product Lifecycle Management — Manages engineering data: CAD files, BOMs, change orders, revision history |
| MES | Manufacturing Execution System — Tracks real-time manufacturing: work orders, quality checks, production data |
| BOM | Bill of Materials — Complete list of parts, components, and quantities needed to manufacture a product |
You're Ready for This Call
You know their industry, their constraints, the technology stack, and the compliance landscape. Lead with confidence — you're building exactly what they need.