Not without structural changes. A scenario-based analysis published June 5 traces a notional AI-enabled program through the DoD’s Software Acquisition Pathway and finds the governance foundation viable for iterative delivery, but AI-specific controls for data provenance, lifecycle management, and human oversight remain scattered across supplemental documents rather than embedded in program-facing mechanisms. Defense Secretary Hegseth has directed SWP as the default acquisition method. The pathway was built for software whose behavior is fixed at delivery. AI systems are not.
What the Software Acquisition Pathway Was Built to Do
The SWP exists to let the Pentagon buy software the way software gets built: iteratively, with frequent releases, rather than through the waterfall-style requirements documents that produced years-late, over-budget systems. George Lamb, director of cloud and software modernization at the Office of the DOD CIO, told SIGNAL Media that Hegseth’s memo, titled “Directing Modern Software Acquisition to Maximize Lethality,” positions DevSecOps and SWP as the default for all future acquisition.
The design assumptions are conventional: requirements are specified, code is built and tested, releases ship on a cadence, and behavior at delivery matches behavior in the field. For deterministic software, that loop holds. The problem arrives when the deployed system includes a model whose outputs shift as inputs, context, or underlying data drift.
The arXiv Scenario Test: Tracing an AI Program Through SWP
Daniel Lugo’s paper, submitted to arXiv on June 5, 2026, takes a notional AI-enabled program through SWP’s planning activities step by step. The finding is not that the pathway rejects AI programs. The governance stack provides what the abstract describes as a “viable foundation” for iterative delivery and AI testing. The issue is that AI-specific governance requirements have no natural home within the pathway’s milestone structure. Controls for data provenance, model lifecycle management, and human oversight are addressed in supplementary documents that sit outside the pathway’s program-facing artifacts. Program offices are left to discover, interpret, and apply those controls independently, with no standardized enforcement mechanism.
Three Gaps: Data Provenance, Lifecycle, Human Oversight
The paper identifies three recurring areas where AI-specific controls lack integration into SWP artifacts.
Data provenance. AI systems depend on training and operational data whose lineage, quality, and handling requirements differ from conventional software inputs. The pathway’s current artifact structure does not embed data-provenance checkpoints at defined milestones.
Lifecycle management. Unlike conventional software where a release is functionally frozen, model behavior shifts post-deployment through data drift, retraining, and context changes. The authors argue the SWP lacks milestone structures for re-validation and re-test of models after initial fielding.
Human oversight. AI-enabled capabilities require ongoing human-in-the-loop or human-on-the-loop governance. The pathway’s current planning activities do not specify when or how oversight mechanisms should be documented and verified as part of acceptance.
The Policy-to-Artifact Disconnect
The structural problem the paper documents is a gap between policy intent and program-facing artifacts. DoD has published AI governance guidance, including responsible AI principles and ethical frameworks. But these exist primarily as supplemental policy documents. A program officer executing SWP milestones works with a specific set of artifacts: requirements documents, test plans, acceptance criteria. AI-specific controls are not embedded in those artifacts. They live elsewhere.
The result, the authors argue, is inconsistency across programs. Different acquisition teams apply different interpretations of AI governance requirements, producing different acceptance criteria and different levels of oversight for functionally similar systems. The paper recommends an AI-supporting sub-path and targeted artifact refinements to bridge the gap, preserving the existing governance foundation rather than building a separate AI acquisition pathway from scratch.
Scale Pressure: AI Ambitions Against One Pathway
The timing sharpens the problem. A January 9, 2026 AI Strategy memorandum sets out measurable pace-setting projects, barrier-removal authorities, and mandated data access. Secretary Hegseth’s January 12 speech described an “AI acceleration strategy” built around execution-speed benchmarks and a dedicated team empowered to waive non-statutory requirements blocking rapid AI deployment. These ambitions presume a pathway that can absorb rapid model iteration without re-running the full validation cycle each time. The current SWP structure has no milestone for that.
Meanwhile, the White House AI Action Plan directs NIST to remove references to misinformation, DEI, and climate change from its AI Risk Management Framework, the same RMF defense deployers rely on for AI governance. The practical effect may narrow the governance tooling available to program officers, increasing the burden on SWP to fill gaps the RMF previously addressed.
Even conventional software adoption has been uneven. Lamb acknowledged that “there haven’t been huge successes in the legacy space,” citing National Background Investigation Services as an early adopter that “deviated, went down some troubling spaces” before being retooled back onto the pathway. If conventional programs struggle with the pathway, AI programs face a harder version of the same problem.
What an AI-Supporting Sub-Path Might Look Like
The paper’s recommendation is a sub-path within SWP rather than a standalone AI acquisition track. This preserves the existing governance infrastructure while adding AI-specific checkpoints at milestones where model validation, data provenance review, and oversight verification would fit. Based on the three gaps the paper identifies, such a sub-path would likely require:
- Embedding data-provenance documentation requirements into existing SWP planning artifacts, rather than requiring separate compliance tracking.
- Adding re-validation milestones triggered by model updates or data drift, distinct from conventional software regression testing.
- Specifying human oversight mechanisms as acceptance criteria in test plans, rather than relying on supplemental responsible-AI policy documents.
A sub-path approach lowers the adoption barrier compared to a new acquisition pathway, since program offices already have SWP infrastructure and training in place. Whether the proposed refinements are specific enough to produce consistent outcomes across programs remains an open question the paper’s abstract does not resolve.
What This Means for Contractors and Acquisition Officers
For defense contractors building AI-enabled systems, the gap documented in the paper translates to execution risk. A program office that interprets AI governance requirements one way may deliver different acceptance criteria than one that interprets them another way, within the same SWP framework. Contractors should expect variability in how data-provenance, model-lifecycle, and oversight requirements are specified during source selection and throughout execution.
For acquisition officers, the paper documents a governance burden the SWP was not designed to carry. As of June 2026, there is no standardized model-evaluation tooling mandated across SWP programs, no milestone trigger for re-testing fielded models, and no single authoritative source for AI-specific compliance requirements within the pathway. The pace-setting projects established under the AI Strategy memo will be among the first AI systems to encounter these gaps as full programs of record.
The Pentagon’s bet on SWP as default is rational for conventional software. The question Lugo’s paper raises is whether that default can stretch to cover AI without a structural upgrade, or whether the pace of the AI Strategy’s flagship projects will expose the gap before the pathway can absorb it.
Frequently Asked Questions
Which specific AI programs will encounter these SWP gaps first?
The January 2026 AI Strategy memo names seven Pace-Setting Projects: Swarm Forge, Agent Network, Ender’s Foundry, Open Arsenal, Project Grant, GenGen.mil, and Enterprise Agents. These are the programs most likely to hit the pathway’s missing AI checkpoints, because they require rapid model iteration under a milestone structure that has no trigger for re-validating a fielded model after a weight update.
How does the 30-day model access mandate clash with current ATO timelines?
The AI Strategy memo requires DoD to secure access to new AI model versions within 30 days of public release, alongside a call to compress Authorization to Operate processing. Traditional ATO cycles run months. If that pace holds, a model could be two or three versions stale by the time it clears authorization, leaving SWP acceptance criteria referencing a system configuration the vendor has already superseded.
What battlefield pressure is driving SWP adoption before these gaps close?
Lamb cited the Russia-Ukraine conflict, where drone warfare moved from experimental to the primary strike vector in under two years, and noted the capability is “mostly done with software.” That combat-cycle compression, not acquisition reform, is the driver behind Hegseth’s memo making SWP the default method. The pathway’s AI governance gaps are being carried into production under operational urgency.
Does the Hegseth memo change what responsible AI means for defense programs?
The memo redefines responsible AI as systems free of “ideological tuning,” a departure from prior DoD frameworks that emphasized fairness auditing and bias testing. For acquisition officers navigating SWP, the supplemental responsible-AI documents Lugo’s paper identifies as disconnected from program artifacts are themselves in policy flux. Governance guidance written under the old framework may no longer reflect current directive language, stacking a second interpretation problem on top of the artifact gap.