Guide · Architecture choice
EnclavAI vs Claude on AWS Gov / Claude for Government
Both are legitimate paths for defense contractors working under CMMC and DFARS 252.204-7012. They are complementary, not interchangeable — the question is where your CUI is allowed to run, not which model is “smarter.”
Can I use ChatGPT or Claude with CUI?
Commercial ChatGPT / Claude: No for CUI — data leaves your assessment boundary onto commercial infrastructure not authorized for that processing.
Claude on Amazon Bedrock (GovCloud) / Claude for Government: Yes when configured inside an authorized enclave — Anthropic and AWS publish FedRAMP High and DoD IL4/5 paths for government workloads. You inherit cloud provider controls; your team still must scope CUI correctly, document the system in your SSP, and operate it within your CMMC boundary.
EnclavAI: Yes for teams that need the model inside their own boundary — local open-weight inference (Ollama), zero egress by design, human approve/reject on every artifact, deterministic destructive-command gating, and tamper-evident signed evidence export. Nothing is sent to Anthropic, OpenAI, or any cloud LLM API.
Side-by-side (STIG / POA&M / DevSecOps focus)
| Dimension | Claude Gov / Bedrock (authorized cloud) | EnclavAI (in-boundary local) |
|---|---|---|
| Where inference runs | AWS / Anthropic operated Gov cloud (in your configured enclave) | Your VM, GovCloud EC2, Azure Gov VM, or air-gapped host — Docker Compose |
| Model | Claude (frontier, managed) | Open-weight local model (e.g. Qwen2.5-Coder 7B) — you control the artifact |
| Data egress | Prompts/responses traverse authorized cloud paths (must be in scope) | App + optional network-layer egress lock; no cloud LLM calls |
| Architecture pattern | Often single-agent or sequential workflows on Claude (Anthropic’s recommended pattern for high-control domains) | Sequential governed loop: ingest → draft → Evidence & Risk Scan → human approve → audit export |
| STIG remediation | Custom build on Claude API / Bedrock + your tools & guardrails | Built-in STIG agent, destructive scanner, .ckl round-trip, batch remediation UI |
| Evidence for assessors | You design logging, retention, and export (CloudTrail, your app) | HMAC-signed evidence packages, per-artifact audit, offline verify script |
| Best when | You already standardized on AWS Gov + Bedrock; want frontier model; cloud enclave is approved | Air-gap, strict zero-egress policy, on-prem metal, or “no vendor LLM API” requirement |
| Partnership | Anthropic + AWS ecosystem (Partner Network, SI implementers) | Self-hosted product — no Anthropic dependency |
Which should we choose?
Use this decision tree — many organizations use both in different enclaves:
- Choose Claude Gov / Bedrock if your security team has already approved AWS Gov Bedrock or Claude for Government for CUI in a documented enclave, you want frontier-model quality, and your SI/cloud team can implement MCP tools and logging to your SSP.
- Choose EnclavAI if policy or contract language requires no external LLM API, you need air-gap or hard zero-egress, you want STIG/POA&M/SSP agents and C3PAO-style evidence out of the box, or you’re a sub without a Bedrock landing zone yet.
- Start with neither’s production path — score your checklist first with the free in-browser STIG scorer (nothing uploads): enclavai.io/tools/stig-scorer.
How this relates to Anthropic’s agent architecture guide
Anthropic’s Building Effective AI Agents framework recommends single-agent or sequential workflows for high-control domains (compliance, financial, safety-critical) — not autonomous multi-agent swarms. EnclavAI implements that discipline with a local model: sequential draft → scan → human gate → signed export. Different runtime than Claude; same architectural instinct.
See also
Evaluating OpenAI instead? EnclavAI vs ChatGPT FedRAMP / ChatGPT Gov / Azure OpenAI — same complementary framing for the Microsoft/OpenAI path.
Try before you commit
We’re onboarding our first 1–2 design partners free (white-glove install in your sub, testimonial + short case study). Paid pilots resume after the first reference.