Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

  / ,

  / CMMC Encryption Requirements: A Complete Guide for Defense Contractors

CMMC Encryption Requirements: A Complete Guide for Defense Contractors

The CMMC is vast in coverage and can easily become overwhelming. It includes 110 security controls for each level, excluding level 1, which has only 15, with many encryption controls required throughout.

This guide breaks down exactly what the four core encryption controls demand, how they apply across certification levels, and where assessors consistently find gaps that could have been caught months earlier.

Whilst most of these controls are straightforward, one stands out on the Defense Industrial Base Cybersecurity Assessment Center’s list of most commonly failed controls: SC.L2-3.13.11, which mandates FIPS-validated cryptography for protecting Controlled Unclassified Information (CUI).

This is not because it is technically complex. It is because most contractors misunderstand what it truly requires.

The mistake is almost always the same: assuming that using AES-256 is enough. It is not. CMMC encryption requirements are about validated modules, not algorithms, and that distinction is what fails organisations that believed they were ready.

 

What Are the CMMC Encryption Requirements?

CMMC 2.0 is the Department of Defense’s framework for verifying that contractors protect sensitive defense information. It operates on three certification levels:

  • Level 1, Basic protection of Federal Contract Information (FCI)
  • Level 2, Protection of CUI in alignment with NIST SP 800-171
  • Level 3, Protection of the most sensitive CUI against advanced persistent threats

Encryption requirements live primarily at Level 2 and above. With CMMC, the requirement for FIPS 140 validation now applies to every member of the Defense Industrial Base (DIB), an estimated 215,000 companies, that handles CUI. Every system that performs encryption and touches CUI must use FIPS-validated cryptography. That is a significant shift: previously, FIPS validation was largely reserved for vendors selling directly to federal agencies.

The timeline is active. The CMMC Acquisition Rule became effective November 10, 2025, with Phase 2, mandatory C3PAO assessments for Level 2 contracts, beginning November 10, 2026.

The 4 Core CMMC Encryption Controls Explained

Three controls form the backbone of CMMC’s encryption requirements. Understanding each one separately matters, because failing any of them has direct consequences on your assessment score.

ControlNameWhat It RequiresApplies To
SC.L2-3.13.11FIPS-Validated CryptographyCryptographic modules must hold a valid NIST CMVP certificateAny system that handles CUI
SC.L2-3.13.8CUI in TransitCryptographic mechanisms must protect CUI across all transmission channelsNetworks, email, file transfers, APIs
SC.L2-3.13.16CUI at RestCUI stored on any system must be encryptedServers, workstations, databases, backups
SC.L2-3.13.10Cryptographic Key ManagementKeys must be generated, stored, and revoked in a controlled, documented processAll systems using encryption to protect CUI
MP.L2-3.8.7.CUI on MediaEncryption must extend to physical and removable mediaUSB drives, external disks, backup tapes, laptops

 

SC.L2-3.13.11: Employ FIPS-Validated Cryptography to Protect CUI

This is the headline control and the most misunderstood. A common mistake is confusing cryptographic algorithms with cryptographic modules. The CMMC requirement is about the module, not just the algorithm.

You can run AES-256 across your entire environment. If the module implementing it has not been validated through NIST’s Cryptographic Module Validation Program (CMVP), you are not compliant. The algorithm is not the certificate.

Pro Tip

During an assessment, you will be asked to provide the FIPS certificate number for each product that handles CUI, not a vendor’s claim that they “support AES-256.” Have those certificate numbers documented before the assessment starts.

SC.L2-3.13.8 and SC.L2-3.13.16: CUI in Transit and at Rest

SC.L2-3.13.8 requires cryptographic mechanisms to protect CUI during transmission, covering all communication channels: network connections, email, file transfers, and API communications. SC.L2-3.13.16 requires protection of CUI at rest. Neither control names a specific algorithm, but the FIPS validation requirement from 3.13.11 applies across both.

SC.L2-3.13.10: Establish and Manage Cryptographic Keys

Encryption without key management is security theatre. This control requires that keys be generated, stored, and revoked in a controlled, documented way. A compromised key renders all your encryption irrelevant regardless of algorithm strength.

MP.L2-3.8.7: Control Access to CUI on Media

This control extends encryption requirements to physical and removable media. CUI stored on a USB drive, an external hard disk, or a backup tape must be protected. Contractors who focus on network-level encryption and forget about the laptop bag sitting in a car park consistently fail this one.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

CMMC Encryption Requirements by Certification Level

Level 1 covers organisations handling only FCI. The controls are foundational and do not explicitly mandate encryption, though it remains a recommended practice. This changes sharply at Level 2.

Under the CMMC scoring methodology:

  • 5 points deducted if no cryptography is employed
  • 3 points deducted if cryptography is present but not FIPS-validated
  • Maximum score: 110 | Minimum passing threshold: 88

Getting SC.L2-3.13.11 wrong costs points you cannot afford to lose.

Level 3 introduces additional requirements aligned with NIST SP 800-172, including enhanced key management controls, stricter access controls on cryptographic infrastructure, and greater scrutiny of the supply chain around cryptographic tools.

 

Pro Tip

According to research by Merrill Research and CyberSheath, only 4% of defense contractors are fully prepared for CMMC certification based on third-party assessment criteria, while 75% believe they are compliant based on self-assessment. The gap is widest in technical controls, with encryption and key management among the most common failure points.

What Is FIPS-Validated Cryptography and Why Does It Matter?

FIPS stands for Federal Information Processing Standards. FIPS 140, developed by NIST, sets the benchmark for cryptographic modules intended to protect sensitive information. It requires that cryptographic modules be tested by accredited third-party laboratories and certified by NIST, a process managed through the Cryptographic Module Validation Program (CMVP).

FIPS 140-2 vs. FIPS 140-3

FIPS 140-3 is the newer standard, published March 22, 2019, and aligns with the international ISO/IEC 19790:2012(E) standard. Both remain acceptable under current CMMC requirements. FIPS 140-3 introduces stricter requirements around physical security, key management, and testing methodologies, and will likely become the primary standard as the framework evolves.

If your vendor holds a current FIPS 140-2 certificate and that module remains on NIST’s active modules list, you are covered for now, but plan your migration path.

Acceptable Encryption Standards Under CMMC

AES-256 is the most widely deployed algorithm in CMMC-compliant environments, and it satisfies cryptographic strength requirements when implemented through a FIPS-validated module. For data in transit, TLS 1.2 and TLS 1.3 support AES-256 cipher suites that meet the requirement. TLS 1.3 is the current best practice and should be your target configuration.

Pro Tip

Before your assessment, pull the FIPS certificate numbers for every product in your environment that touches CUI, your email platform, endpoint encryption, VPN, and cloud storage. Your assessor will ask for them. Having a documented inventory with certificate numbers and their active or historical status saves hours during evidence review.

Encrypting CUI at Rest for CMMC Compliance

Endpoints, Laptops, and Local Storage

Every device that stores CUI must have full-disk or file-level encryption enabled through a FIPS-validated module. In Windows environments, BitLocker is commonly used, but BitLocker in default mode is not FIPS-compliant. You must enable FIPS mode explicitly through Group Policy, and you must verify it is active, not just configured. Assessors will check both.

Removable Media and Hardware-Encrypted Devices

Removable media is one of the most consistent failure points across the DIB. A contractor can have bulletproof endpoint encryption and still fail this control because an employee transferred a CUI document to a personal USB drive. Hardware-encrypted USB devices with FIPS 140-2 Level 3 validation exist for this purpose. Controlling their use through both policy and technical enforcement is as important as choosing the right device.

Cloud Storage and FedRAMP-Authorised Infrastructure

FedRAMP Moderate and High authorisations include FIPS-validated cryptography by design. Microsoft 365 GCC High, AWS GovCloud, and Azure Government are the most commonly used platforms that meet this bar. Standard commercial tiers of the same platforms do not.

Note: Many contractors use a FedRAMP-authorised cloud platform and assume the encryption requirement is fully satisfied. It covers the provider’s infrastructure, not how users access it, what they download from it, or how they share files outside of it. The environment is FedRAMP-covered; the behaviour around it often isn’t.

Encrypting CUI in Transit for CMMC Compliance

Email Transmission of CUI

Standard email is not encrypted end-to-end. Your email might travel over a TLS-encrypted connection between mail servers, but that protects the transport pipe, not the message content. Secure email solutions that apply encryption to message content provide the protection CMMC requires for email containing CUI. Microsoft 365 GCC High with S/MIME or Office Message Encryption configured for CUI use cases addresses this. Standard Office 365 does not.

File Transfers and Collaboration Tools

SFTP and FTPS both support encrypted transmission, but implementations must use FIPS-validated cryptographic modules. Consumer file-sharing tools, even those marketed with encryption enabled, are almost never FIPS-validated. Dropbox, standard-tier Google Drive, and similar services are not acceptable for CUI transmission regardless of their encryption claims.

Remote Access and VPN Encryption

All remote access sessions that could expose CUI must use FIPS-validated encryption. Configure your VPN to enforce TLS 1.2 at minimum, disable older protocol versions, and document the configuration explicitly. When CUI leaves your physically controlled environment, cryptography is the primary protection mechanism, and that is precisely when FIPS validation becomes non-negotiable.

Encryption Key Management Under CMMC

Key Generation and Storage Requirements

Keys must be generated using approved random number generators within FIPS-validated modules and stored in a way that prevents unauthorised access. Hardware Security Modules (HSMs) are the gold standard. Software-based key stores within FIPS-validated environments are acceptable at Level 2, but your documentation must demonstrate the approach clearly.

Key Rotation and Revocation Best Practices

Define rotation intervals in your key management policy, and actually follow them. Rotate encryption keys when staff with key access leave the organisation. Have a tested revocation process. A policy that says “we rotate annually” but has never been executed will not survive an assessor interview.

Pro Tip

Document your key management lifecycle in your System Security Plan (SSP). Assessors are not just looking for functioning encryption, they are looking for documented, repeatable processes. A gap between what your SSP says and what you actually do is a finding, even if the technical controls are otherwise correct.

Common CMMC Encryption Deficiencies Found During Assessments

The Subcontractor Flow-Down Gap

Prime contractors invest heavily in their own encrypted environments, then allow subcontractors to access CUI through portals that lack proper encryption controls. Per 32 CFR Part 170, CMMC requirements flow down to subcontractors based on the type of data they process, store, or transmit. If your subcontractor downloads CUI to an unencrypted device, that exposure is your problem as much as theirs.

The Affirmation Window Vulnerability

Certified organisations must complete annual affirmations confirming ongoing compliance. Encryption configurations drift between assessments. A patch can disable FIPS mode. A new device can be deployed without the correct policy applied. Without continuous monitoring, the gap between your affirmed posture and your actual posture grows quietly, until the next assessor walks in.

Sensitive Bid Preparation Risks

CUI often flows early in a contract cycle, during proposal preparation and technical review, before formal compliance processes kick in. Contractors receive technical documents marked CUI, open them on standard workstations, email sections to colleagues, and store drafts on unencrypted shared drives. This is one of the most common real-world exposure scenarios, and it almost never appears in System Security Plans.

What a CMMC Assessor Will Look for on Assessment Day

Assessors examine documentation, configuration evidence, and staff interviews. For encryption specifically, expect requests for:

  • FIPS certificate numbers for each product handling CUI
  • Live demonstration that FIPS mode is active
  • Data flow diagrams showing how CUI moves through your environment and what encrypts it at each step
  • Key management logs showing actual rotation history, not just policy documents

Important: If minor gaps are identified during an assessment, organisations may address deficiencies within 180 days through a Plan of Action and Milestones (POA&M). Major issues require full reassessment. Encryption deficiencies attract close scrutiny and will affect your SPRS score for the duration of any POA&M period.

How to Remediate CMMC Encryption Gaps

Conducting an Encryption Gap Analysis

Map every location where CUI is stored, processed, or transmitted. For each data flow, identify the encryption method in use and verify whether the underlying module appears on the NIST CMVP active modules list. Document what is compliant, what requires remediation, and what requires a structural decision, some legacy systems need compensating controls or architectural changes rather than a direct fix.

A structured Encryption Gap Analysis is the most reliable way to surface these issues before an assessor does.

Implementing Per-File Encryption to Close Compliance Gaps

When full-disk encryption is not feasible, legacy embedded systems, manufacturing equipment, isolated lab environments, per-file encryption applied at the point of CUI creation or receipt can serve as a compensating control. The file travels encrypted regardless of where it is stored or how it is transmitted. This approach requires clear staff training and disciplined execution to be effective.

What CMMC Encryption Does Not Require

FIPS-validated modules are required when cryptography serves as your primary method of protecting CUI confidentiality, mainly when CUI leaves your physical control. When CUI stays within a physically secured boundary and physical controls provide the confidentiality protection, FIPS validation for internal network infrastructure is not mandated.

You do not need FIPS-validated switches, routers, or internal firewalls just because they carry traffic on a network that also carries CUI. This is a common and expensive misconception that sends contractors chasing requirements that do not apply to them.

 

Final Thoughts

Ready to find out where your encryption posture stands before an assessor does? Axipro works with defense contractors across the DIB to conduct pre-assessment gap analyses, identify FIPS compliance deficiencies, and build a remediation plan that holds up on assessment day. Get in touch to start the conversation.

What encryption algorithm is required for CMMC compliance?

CMMC does not mandate a specific algorithm by name. It requires FIPS-validated cryptography, and AES-256 is the most widely implemented algorithm that satisfies this requirement. The critical point: the cryptographic module implementing the algorithm must hold a current FIPS certificate.

Yes. Controls SC.L2-3.13.16 and SC.L2-3.13.8 address at-rest and in-transit CUI respectively, and both apply at Level 2.

AES-256 through a FIPS-validated module is sufficient. AES-256 through a non-validated implementation is not. The distinction matters enormously on assessment day.

FIPS 140-3, published in 2019, introduces updated testing methodologies aligned with ISO/IEC 19790. Both are currently acceptable under CMMC. FIPS 140-3 will likely become the primary standard as the framework evolves.

Yes. CMMC requirements flow down through the supply chain. If a subcontractor processes, stores, or transmits CUI, they must meet the same encryption requirements as the prime contractor for that data.

It satisfies encryption requirements for data within that provider’s authorised boundary. It does not address how users access, download, or share that data outside the boundary.

Unmet encryption controls result in score deductions and a finding in your assessment report. Minor gaps can be addressed through a POA&M within 180 days. Significant gaps may prevent certification until remediated, blocking contract eligibility during that period.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.

Blog Highlights

Explore More Articles

One in five organizations has already suffered a breach traced back to shadow AI. Meanwhile, 63% of breached organizations either have no AI governance policy at all or are still drafting one. Below is a complete, copy-ready shadow AI policy template with twelve sections, plus guidance on adapting it for your company size, your industry, and the regulatory frameworks you answer to. The template assumes one hard truth up front: your employees are already using unapproved AI tools. A policy that pretends adoption hasn’t started yet fails on day one, so this one starts from the assumption that it has. What Is a Shadow AI Policy? A shadow AI policy is a formal document that defines how your organization discovers, evaluates, approves, and governs AI tools that employees adopt outside official IT channels. The term borrows from shadow IT, the older problem of unsanctioned software and hardware, but the AI version carries sharper risks: data pasted into a public model may be retained, used for training, or exposed in ways the organization can’t reverse. The policy does three jobs: it separates approved use from unapproved use, gives employees a fast and visible way to request new tools so the sanctioned route beats the workaround, and spells out what happens when someone crosses the line, including how the organization detects it and responds. Shadow AI Policy vs. General AI Acceptable Use Policy Many organizations already have an AI acceptable use policy (AUP) and assume it covers shadow AI. It usually doesn’t. An AUP tells employees how to behave inside approved tools. A shadow AI policy governs the tools themselves: which ones exist in your environment, which ones are allowed, and what happens with the rest. You need both. The AUP handles conduct; the shadow AI policy handles inventory and control. If you only have room for one document, fold the AUP’s data-handling rules into Section 6 of the template below. Let Axipro help you build a business continuity plan that’s practical, compliant, and audit-ready. Strengthen Your Business Continuity Strategy​ Schedule A Consultation The Shadow AI Policy Template (Download Link and Copy-Ready Sections) We’ve created a compliance safe template for Shadow AI Policy, use the link below to create a copy and customize for your company: Download The Shadow AI Policy Template → Copy the sections below into your policy management system and replace the bracketed placeholders. The language is plain on purpose. Legalese gets skimmed. Section 1: Purpose and Scope This policy governs the acquisition, approval, and use of artificial intelligence tools, features, and services at [Company]. It applies to all employees, contractors, interns, and third parties with access to [Company] systems or data. It covers standalone AI applications, AI features embedded in existing software, browser extensions, AI agents, APIs, and personal AI accounts used for work purposes, on both corporate and personal devices. The purpose of this policy is to enable productive AI use while protecting [Company] data, customers, and legal obligations. This policy does not prohibit AI. It prohibits ungoverned AI. That last sentence matters. Employees read the purpose statement first, and it decides whether they see the policy as an enabler or a blocker. Section 2: Definitions and Terminology Shadow AI: any AI tool, feature, agent, or service used for work purposes without formal approval under this policy. Approved AI Tool: an AI tool listed in the Approved AI Tools Registry (Section 4) and used under a [Company]-managed account. Personal AI Account: an account on any AI service registered to a personal email address or paid for personally. AI Feature: AI functionality embedded within otherwise approved software (e.g., an AI assistant added to a project management tool), which requires separate evaluation. Sensitive Data: data classified as [Confidential] or [Restricted] under [Company]‘s data classification policy, including the prohibited data classes in Section 6. Define “AI feature” explicitly. Vendors now ship AI additions into already-approved SaaS products every month, and without this definition, those features inherit approval they never earned. Section 3: Roles and Responsibilities The CISO (or designated security lead) owns this policy, maintains the Approved AI Tools Registry, and runs the approval workflow. Department heads ensure their teams know the policy and surface tool requests rather than suppressing them. Legal and Compliance review tools that touch regulated data or fall under the EU AI Act, GDPR, HIPAA, or client contractual restrictions. IT operates detection and monitoring controls (Section 9). Every employee is responsible for using only approved tools for work, reporting unapproved AI use they discover, and requesting new tools through the workflow in Section 7 rather than adopting them directly. Insider Note: In organizations under roughly 200 people, the “CISO” in this section is often the same overworked IT lead who manages laptops. Name a real person, not a title that doesn’t exist yet. A policy that assigns duties to a phantom role is unenforceable, and auditors notice. Section 4: Approved AI Tools Registry [Company] maintains a registry of approved AI tools at [location/URL]. For each tool, the registry records: tool name and vendor, approved use cases, prohibited use cases, permitted data classes, account type (enterprise/team/individual), data retention and training settings, risk tier (Section 5), approval date, and next review date. Only tools listed in the registry may be used for work. Tools not listed are unapproved by default. The registry is reviewed [quarterly]. Keep the registry somewhere employees actually look, such as your intranet homepage or IT help center, not buried in a GRC platform they can’t access. An invisible registry recreates the problem the policy exists to fix. Section 5: Risk Tier Classification (Low, Medium, High) Each tool in the registry is assigned a risk tier. Low: the tool processes only public or internal non-sensitive data, runs under an enterprise agreement with training opt-out, and produces output that a human reviews before use. Approval by IT Security alone. Medium: the tool processes internal business data or connects to [Company] systems via API or integration. Approval by IT Security plus the data owner. High: the

Legacy threat modeling frameworks such as STRIDE were designed for software that behaves the same way over and over again. Agentic AI does no such thing. It can rewrite its own plan mid-task, call external tools, negotiate with other agents, and produce a different output from identical input. MAESTRO exists because none of the legacy threat modeling frameworks were built to handle that. MAESTRO stands for Multi-Agent Environment, Security, Threat, Risk, and Outcome. It is a seven-layer threat modeling framework created specifically for agentic AI systems, and it has become the closest thing the industry has to a standard method for reasoning about agent security. Understanding MAESTRO in the Context of Agentic AI What MAESTRO Stands For Each word in the acronym carries meaning. Multi-Agent Environment signals that the framework models entire ecosystems of interacting agents, not a single model behind an API. Security, Threat, Risk covers the core discipline: identifying attack surfaces, cataloging threats, and assessing likelihood and impact. Outcome is the part most frameworks skip. MAESTRO asks what an attack actually produces in the real world, because an autonomous agent with tool access turns a compromised prompt into a compromised action. The Origin of MAESTRO (Cloud Security Alliance) The Cloud Security Alliance published MAESTRO in February 2025. Its creator is Ken Huang, Co-Chair of the CSA AI Safety Working Groups and CEO of DistributedApps.ai. The CSA has since applied the framework publicly to real systems, including OpenAI’s Responses API and Google’s A2A protocol, which gives practitioners worked examples rather than just theory. The framework is openly published, and the CSA maintains an official companion tool, the MAESTRO Threat Analyzer, on GitHub. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule Free Assessment Why Traditional Frameworks Fall Short for Agentic AI STRIDE, PASTA, LINDDUN, and OCTAVE all share a founding assumption: the system under analysis follows predictable logic with clearly defined boundaries. You draw the data flow diagram, mark the trust boundaries, and enumerate threats against components that behave deterministically. Agentic AI breaks every part of that assumption. Unique Security Challenges of Autonomous Agents Agents introduce three properties that legacy models cannot express. Non-determinism means the same input can produce different behavior, so you cannot enumerate execution paths in advance. Autonomy means the agent makes decisions and takes actions without a human approving each step, which collapses the usual assumption that a person sits between intent and execution. And in multi-agent systems there is often no stable trust boundary: agents delegate to other agents, consume tool outputs from external servers via protocols like the Model Context Protocol (MCP), and update their own memory and goals at runtime. The Gap Between Legacy Frameworks and Agent-Based Systems The practical consequence is coverage gaps. STRIDE has no category for goal manipulation, where an attacker gradually steers what an agent is trying to achieve. PASTA assumes attacker objectives and data flows are fixed, which fails for systems that learn and adapt during operation. LINDDUN addresses privacy but says nothing about agent collusion or memory poisoning. A threat model built purely on these frameworks will pass review and still miss the attacks that matter most in an agentic deployment. How MAESTRO Addresses Agentic-Specific Risks MAESTRO does not discard the older frameworks. It extends them with a layered reference architecture, an AI-specific threat catalog for each layer, and, critically, explicit analysis of how threats propagate between layers. That cross-layer lens is the framework’s real contribution, because most serious agentic incidents are chains: poisoned data influences a model, the model misleads an agent, and the agent takes an unauthorized action three layers away from where the attack started. The Seven Layers of the MAESTRO Framework MAESTRO decomposes any agentic system into seven layers, each with its own threat landscape. Layer 1: Foundation Models The core LLMs or other models the agents reason with. Threats here include adversarial examples, model extraction, backdoored weights, and jailbreaks that bypass safety training. If the model is a third-party API, supply chain risk lives at this layer too. Layer 2: Data Operations Everything the agent ingests, stores, and retrieves: training data, RAG pipelines, vector databases, and agent memory. Data poisoning and memory tampering are the signature threats at this layer, and they are especially dangerous because a poisoned memory persists across sessions and keeps shaping future decisions long after the initial attack. Layer 3: Agent Frameworks The orchestration software that turns a model into an agent: LangChain, CrewAI, AutoGen, custom planners, and tool-calling logic. Threats include prompt injection through tool outputs, insecure tool definitions, and manipulation of the planning loop itself. Layer 4: Deployment Infrastructure The servers, containers, and cloud services the agents run on. The CSA’s threat catalog here reads like traditional cloud security with an agentic twist: compromised container images carrying malicious agent code, Kubernetes orchestration attacks, denial of service against agent runtimes, and tampering with Infrastructure-as-Code templates that provision agent resources. Layer 5: Evaluation and Observability The systems that monitor, evaluate, and debug agent behavior. This layer is often forgotten, and attackers know it. The CSA specifically flags poisoning observability data: manipulating the telemetry fed to monitoring systems so that incidents stay hidden from security teams while malicious activity continues. Layer 6: Security and Compliance MAESTRO treats this as a vertical layer that cuts across all others: identity and access management, guardrails, policy enforcement, and compliance controls. Threats include permission escalation, guardrail bypass, and compromise of the security agents themselves in architectures where AI enforces policy on other AI. Layer 7: Agent Ecosystem The environment where agents interact with users, other agents, and marketplaces. This is where the genuinely novel threats live: agent impersonation, misleading agent capability cards, tool squatting, and collusion between agents to achieve outcomes no single agent was authorized to pursue. Insider Note: In real assessments, Layers 5 and 6 expose the maturity gap fastest. Most teams’ shipping agents can describe their model and their orchestration framework in detail, then

EU AI Act Hiring Map

AXIPRO STUDY New Study: Europe is hiring AI builders faster than AI governance professionals Axipro analyzed 3,519 AI-related job postings across eight EU countries. For every professional hired to keep AI lawful, safe and accountable, nearly seven were hired to build more of it, and the gap is widest exactly where you’d least expect. Take EU AI ACT READINESS QUIZZ 16 AI Builders : 1 AI Governors Sweden — Europe’s widest AI governance gap 3,519 Job Postings Analyzed 8 EU Countries 2 Role Categories: Builders vs Governors July 2026 Date of Job Postings Analyzed The findings Finding 1: Sweden hires 16 AI builders for every 1 person to govern them Throughout our data-set we found the same pattern across all eight countries: the more a nation hires to build AI, the less it hires to govern it. France runs eleven builders to every governor. Even Ireland, the most balanced in Europe, looks responsible mainly because the US tech giants headquartered there import global-governance discipline under overlapping DORA and AI Act pressure.  3.5→16 builders hired per governor, Europe’s most balanced country to its least. Ireland 3.5 Germany 5.7 Spain 6.0 Italy 7.1 Netherlands 7.2 Belgium 7.9 France 11.4 Sweden 16:1 0 4 8 12 16 Builders hired per AI governor Source: Axipro, 2026 Sweden has one of the strongest engineering cultures in Europe. It also carries the widest governance gap we measured: sixteen AI builders hired for every person hired to govern them. France sits close behind at eleven to one. The most balanced country, Ireland at 3.5 to one, looks responsible for a reason that has little to do with virtue. The US tech giants headquartered in Dublin import global governance discipline, and they do it under the combined weight of the AI Act and DORA, the EU financial-sector resilience regime in force since January 2025. Engineering strength does nothing to close a governance gap, and it may widen it. A country that ships AI faster produces more systems that fall under the Act’s scope and, on this evidence, fewer people positioned to document, monitor, and defend them. Being good at building AI offers no protection against governing it badly. The countries most confident in their technical talent are running the largest deficit against the law. Explore AI governance hiring by country Click any country to see how many AI builders it hires for every governance professional, and where it ranks against the rest of Europe. Germany — 5.7 builders per governorDE France — 11.4 builders per governorFR Spain — 6.0 builders per governorES Italy — 7.1 builders per governorIT Netherlands — 7.2 builders per governorNL Belgium — 7.9 builders per governorBE Ireland — 3.5 builders per governorIE Sweden — 16 builders per governorSE 3.5 — balanced 16 — widest gap Source: Axipro, 2026 Sweden 16builders for every governance professional Rank 1 of 8 · 20 governance roles vs 319 builder roles posted Only 30% of the AI governance roles name the AI Act Share this Embed this map Copy & paste — links back to Axipro Copy embed code Branded, one paste, backlink included. × Share this country insight Share this AI governance gap X / Twitter LinkedIn Facebook WhatsApp Bluesky Email Copy link Choose a platform or copy the link. A view of the same country-level dataset behind the interactive map: governance roles, builder roles, builder-to-governance ratio, and the share of governance postings that name the EU AI Act. AI governance jobs Europe statistics by country: governance roles, builder roles, builder-to-governance ratio and AI Act mention percentage. Country Governance roles Builder roles Builder-to-governance ratio AI Act mention % Sweden 20 319 16.0:1 30.0% France 39 443 11.4:1 38.5% Belgium 38 299 7.9:1 39.5% Netherlands 61 439 7.2:1 31.1% Italy 40 284 7.1:1 45.0% Spain 64 384 6.0:1 28.1% Germany 88 501 5.7:1 27.3% Ireland 96 335 3.5:1 14.6% Source: Axipro analysis of AI builder, governance and compliance job postings across eight European countries. “AI Act mention %” is the share of governance postings that explicitly name the EU AI Act. Finding 2: The law nobody names. Most AI governance jobs still do not mention the EU AI Act Europe spent years drafting the AI Act. It cleared the European Parliament, survived the Digital Omnibus revisions, and now carries penalties that reach €35 million or 7% of global turnover for the most serious breaches, a ceiling that makes GDPR fines look modest. Yet fewer than three in ten of the governance roles created to handle it actually name the law in the job description. Among builder roles, the figure collapses to one in twenty-five. More than 7 in 10 Governance job descriptions do not mention the EU AI Act. This number rises to 9 in 10 for all AI job descriptions. Despite hiring for governance, risk, privacy, and compliance roles, most employers are not yet translating the EU AI Act into explicit job requirements. That disconnect should stop you. The people being hired to make Europe compliant are, for the most part, not being hired against the Act by name. They are titled around adjacent ideas: risk, ethics, model validation, data protection. Some of that work will map onto the Act’s requirements. Much of it will not, because a role written without the regulation in view rarely produces the conformity assessments, technical documentation, and human-oversight structures the Act specifically demands. Readiness is even thinner than the headcount suggests. Simply counting governance hires overstates how many people are actually working the law. What job descriptions actually name The EU AI Act is visible in governance roles — but still absent from most job ads. Across the laws and frameworks most relevant to AI governance hiring, the EU AI Act appears in fewer than three in ten governance postings, and only 4% of builder postings. Law or framework Governance roles naming it Builder roles naming it All roles naming it Governance mentions EU AI Act 28.5% 4.0% 7.6% 127 GDPR 26.9% 5.7% 9.6% 120 ISO 27001 11.4% 1.3% 2.8% 51