← Back to Field Notes

March 29, 2026 · The Bloomfield Team

What Manufacturers Should Know About Data Security and AI

Your quoting history contains your pricing strategy. Your job records reveal your cost structure. Your customer list represents decades of relationship building. Your process knowledge is the accumulated expertise of every machinist, engineer, and estimator who has ever worked in your operation. All of it is a competitive asset, and any AI system you deploy will need access to most of it.

That reality creates a legitimate security question. Where does your data go when it enters an AI system? Who can see it? Can it be used to train models that serve your competitors? The answers depend entirely on how the system is built.

The Three Architectures

AI systems for manufacturing fall into three categories based on where the data lives and how the model processes it.

Public cloud AI (highest risk). Tools like ChatGPT, Claude, and Gemini in their default consumer configurations send your data to shared servers where it may be used for model training. If an estimator pastes quoting data into a public AI chatbot, that data enters a system the manufacturer does not control. For casual questions about general knowledge, this is fine. For proprietary manufacturing data, this is a security failure.

Private cloud deployment (moderate risk, strong controls). A custom AI system deployed on private cloud infrastructure (AWS, Azure, or GCP with proper configuration) keeps your data in an isolated environment. The AI model runs in your account. Your data does not leave your environment. No other customer's data touches your model. This is where most custom manufacturing AI tools operate today. The risk profile is equivalent to running your ERP in the cloud, which most manufacturers already do.

On-premise deployment (lowest risk, highest cost). The AI system runs entirely on hardware inside your facility. Data never leaves your building. This architecture makes sense for ITAR-restricted aerospace work, classified defense manufacturing, and operations where regulatory requirements prohibit any cloud data transfer. The cost is 2 to 4x higher than private cloud because you are buying and maintaining the compute infrastructure yourself.

Five Questions to Ask Any AI Vendor

Before connecting your manufacturing data to any AI system, get clear answers to these five questions.

1. Is my data used to train models that serve other customers? The answer should be no, unambiguously. If the vendor hedges or points to terms of service language about "improving the service," your data may be used to train models that benefit competitors. Custom-built AI tools should use your data exclusively for your model.

2. Where does my data physically reside? You should know the cloud provider, the region, and whether the data stays within the United States. For ITAR-regulated manufacturers, data must remain on U.S. soil and be accessible only by U.S. persons. Get this in writing.

3. Who has access to my data? Technical staff at the AI vendor will likely need access during development and troubleshooting. That access should be documented, logged, and revocable. The number of people with access should be small and named. Background checks should be standard for anyone touching manufacturing data that includes customer information or regulated content.

4. What happens to my data if we terminate the contract? You should retain full ownership and receive a complete data export in a standard format. The vendor should delete your data from their systems within a defined timeframe, typically 30 to 90 days, with written confirmation of deletion.

5. How is data encrypted? Data should be encrypted at rest (AES-256 is the standard) and in transit (TLS 1.2 or higher). If the vendor cannot name the specific encryption standards they use, that tells you enough about their security posture.

What ITAR and Controlled Data Mean for AI

Manufacturers working under International Traffic in Arms Regulations face additional constraints. ITAR-controlled technical data cannot be accessed by non-U.S. persons, which means the AI system, the cloud infrastructure, and every person involved in development and maintenance must be U.S.-based. Cloud providers offer ITAR-compliant environments (AWS GovCloud, Azure Government), but the AI vendor must architect the system to operate within those boundaries.

CMMC (Cybersecurity Maturity Model Certification) adds another layer for defense contractors. AI systems that process Controlled Unclassified Information must meet the access controls, audit logging, and incident response requirements specified by CMMC Level 2 at minimum. This narrows the field of qualified AI vendors considerably.

The Real Risk Most Manufacturers Miss

The security risk most manufacturers should worry about is the one they are already living with. Quoting data in email inboxes with no access controls. Customer pricing in Excel files on shared drives accessible to every employee. Process knowledge in one person's head with no backup and no documentation.

A properly built AI system with role-based access controls, encryption, and audit logging is more secure than the scattered, uncontrolled data environment most manufacturers operate in today. The AI project often becomes the forcing function that gets manufacturing data organized, secured, and governed for the first time.

The question is not whether AI introduces risk. The question is whether the current state, with critical data living in spreadsheets and inboxes, is any less risky. For most operations, it is far more exposed.

A Security Checklist for Your First AI Project

• Confirm data isolation: your data trains only your model
• Verify data residency: know the cloud region and provider
• Review access controls: named individuals with logged access
• Check encryption standards: AES-256 at rest, TLS 1.2+ in transit
• Confirm data ownership: you own it, you can export it, it gets deleted on termination
• Assess compliance requirements: ITAR, CMMC, ISO 27001 where applicable
• Request a security architecture document before signing

Manufacturers who take data security seriously will find that custom AI, built on private infrastructure with proper controls, actually improves their security posture. The data that was scattered across six systems and three people's laptops is now centralized, encrypted, and access-controlled for the first time.