32 Design for the Classification System Gen-AI tool integration, SBU data, and classified data networks are inextricable subjects for the DOD. Efforts to integrate Gen-AI are already well underway, and chatbot tools such as NIPRGPT are currently deployed in the organization. Intelligence data takes two forms: finished intelligence which constitutes refined analysis and information, and intelligence traffic, which is the flow of information directly from raw reporting. Industry and the DOD are collaborating to embed Gen-AI tools into major networks housing finished intelligence, such as NIPR, SIPR, and JWICS, which cumulatively house Secret, Top Secret, and Compartmentalized Information, respectively. When looking at the sourcing and processing of intelligence data, the Defense Intelligence Agency is nearing the completion of a years-long development effort to bring Gen-AI into intelligence data pipelines through its Machine- Assisted Analytic Rapid Repository System (MARS). MARS entered its rollout phase this year. For any new tool, however, architecture should involve a thorough technical review of how the tool fits within the DOD’s classified data networks, and communicates with existing tools operating on those networks. While discussing specific engineering solutions for the classification system is beyond the scope of this paper, we will highlight important emerging considerations for integrating Gen-AI tools into classified networks. Compound Information and Misclassification One significant consideration for tools integrated into classified data streams is how compounded data can lead to under classification and overclassification. For example, a satellite image of a field alone may not require classification; however, affiliating the image with a date, time, and location, as well as the imaging satellite’s plane orbitology can compound disparately unclassified data into high levels of classification as a finished product. On the other hand, human errors that lead to overclassification of data can slow down key bureaucratic processes such as approving intelligence sharing with allied nations via the respective Foreign Disclosure Office. This two-sided problem of misclassification can be further complicated by models if implemented poorly, particularly when leveraging RAG tools that chunk non-classified information onto language maps, such as Sensitive But Unclassified (SBU) information. Performing accurate contextual analysis for compound intelligence data involves a complex series of decision-points that accumulate to a high-stakes outcome in which information compilations are classified either correctly or incorrectly. Therefore, while Gen-AI tools can provide significant value to intelligence classification, a human-in-the-loop will always be necessary, and significant testing and evaluation of models should occur to reach an acceptably low margin of error before any implementation. Preference Constraints as a Supporting Mechanism Today’s Gen-AI tools such as LLMs have built-in rule sets called preference constraints to impose limitations on what users can generate for output based on their prompts. Prompts that imply criminal or violent behavior, for example, with unconstrained preferences would cause the LLM to apply approximate retrieval and generate a response on its language map that would aid in potentially nefarious activity. Applying preference constraints—prompts that direct the LLM to retrieve certain word combinations—will trigger the LLM to generate an alternative response, typically stating that the model cannot support the request. Preference constraints, however, are not a perfect guard against data leaks and illicit responses because of the probabilistic nature of approximate retrieval. If a given model is trained on data that incorporated PII, classified information, or other sensitive information, it may base its responses on this data, regardless of whether it recites the information directly. In civilian uses of LLMs, nefarious actors already take advantage of this weakness through prompt manipulation, in which users deliberately adjust prompt language to avoid triggering preference constraints, while generating the desired output. Existing firewalls across NIPR, SIPR, and JWICs already compartmentalize information and restrict access to cleared personnel, so prompt manipulation is less of a concern Generative AI Adoption in the US Military