TRU Thoughts Blog

The Pentagon’s Warning for Every Police Department Buying AI

Written by Anthony Tassone | Jul 13, 2026 8:01:59 PM

The Pentagon’s Warning for Every Police Department Buying AI

Defense Secretary Pete Hegseth publicly declared that foreign engineers from any country should never be allowed to maintain or access DoD systems, launched a review, and, within weeks, announced that the use of Chinese nationals to service Defense Department cloud environments was over.

In July 2025, ProPublica revealed something that stunned even veteran national security officials: for nearly a decade, Microsoft used engineers based in China to help maintain some of the U.S. Defense Department's most sensitive cloud systems.

The workaround was called a "digital escort" program. Because federal rules require that people handling sensitive government data be U.S. citizens or permanent residents with proper screening, Microsoft's foreign engineers couldn't touch these systems directly. 

So Microsoft hired U.S. citizens with security clearances, some paid as little as $18 an hour, many with little to no coding experience, to sit in the middle. A China-based engineer would dictate technical commands over a Teams call, and the escort would copy and paste them into the federal cloud.

The problem, as ProPublica documented, is that the escorts often had no way to know what they were actually executing. One escort admitted the team was essentially trusting that the commands weren't malicious, because they couldn't tell either way. A former Microsoft engineer who helped build the system conceded that if a script was named something innocuous but did something malicious, the escort would have no idea.

This was a system Microsoft designed deliberately because hiring an all-U.S. workforce to maintain the federal cloud was deemed too expensive. Microsoft later confirmed a similar escorting arrangement was used in its Government Community Cloud (GCC) - the same cloud environment that serves state and local government customers, including law enforcement agencies.

The fallout is still unfolding

Washington's response tells you everything about how serious this was:

In December 2025, the President signed a defense policy law that prohibits individuals based in China, Russia, Iran, and North Korea from having direct or indirect access to Defense Department cloud systems, codifying the ban and closing the escort loophole for good.

Notably, when ProPublica asked other major cloud providers whether they operated similar programs, AWS stated plainly that it does not use personnel in China to support federal contracts.

Why this matters for Law Enforcement

Police departments don't run the Pentagon's cloud, but they face the same core question: when a vendor touches your data, who is actually doing the work, and can they pass the background checks your data requires?

That question sits at the heart of the FBI's CJIS Security Policy. Criminal Justice Information -incident reports, criminal histories, BWC footage, investigative files - is subject to strict personnel screening requirements, including fingerprint-based background checks for anyone with access. Those safeguards only work if you know who's really behind the curtain.

The digital escort scandal proved that a vendor can hold every certification on paper while quietly routing hands-on keyboard work through personnel who could never pass your screening requirements. Microsoft's own security plan submitted to the Defense Department did not refer to its China-based operations at all.

The lesson for agencies evaluating AI and cloud vendors: compliance logos aren't enough. You have to ask where the infrastructure lives, who develops the software, and who provides support, where they are located, and whether they are U.S. citizens.

Where TRULEO stands

We built TRULEO to be the most secure, American-made AI platform for law enforcement from day one.

  • We don't use Microsoft Azure. Period. TRULEO's infrastructure runs entirely in AWS GovCloud - a SOC 2-compliant environment purpose-built for sensitive government workloads.
  • We are fully FBI CJIS-compliant and independently verified. We're routinely audited by state-level agencies, including the Arizona Department of Public Safety, and we're TX-RAMP certified. We don't just claim compliance; we publish the documentation on our security page.
  • 100% U.S. development, 100% U.S. citizens. We do not offshore any development of our product. There is no foreign engineering team behind a curtain, no escort workaround, no ambiguity about who can see your data. Every person who builds and supports TRULEO is a U.S. citizen working on U.S. soil.
  • Encryption that meets the federal bar. All data is encrypted in transit and at rest using FIPS 140-3 validated encryption.

The question every Chief should ask their vendors

The digital escort program survived for nearly a decade across three presidential administrations because nobody asked the right question. Don't let your agency make the same mistake. Before you sign your next technology contract, ask:

  1.  Where is your infrastructure hosted, and is it a government-authorized environment like AWS GovCloud?
  2. Are any of your developers or support personnel located outside the United States?
  3. Can every person who touches our data pass a CJIS fingerprint background check?
  4. Will you put those answers in writing?

TRULEO will answer all four in writing, with audit documentation to back them up.

See our full security posture at truleo.co/security or schedule a presentation to talk with our team.

 

Sources: ProPublica, "A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers" (July 2025); ProPublica, "Microsoft Used China-Based Support for Multiple U.S. Agencies" (July 2025); ProPublica, "Pentagon Warns Microsoft: Company's Use of China-Based Engineers Was a 'Breach of Trust'" (August 2025); ProPublica, "Trump Signs Bill Banning Use of China-Based Engineers on Pentagon Computers" (December 2025).

 Co