Strategic Briefing

AUKUS · Five Eyes · 14 Eyes

AUKUS Sovereign Digital Thread

The AUKUS agreement requires structured decision traceability across three nations, three classification levels, and a 40-year programme timeline. Clarity was designed for exactly this.

The decision that started before the programme existed

On 15 September 2021, three nations committed to a 40-year nuclear-powered submarine programme before the requirements analysis was complete, the architecture trade studies had been run, or the option space had been formally evaluated. The most consequential decision in Australian defence acquisition history was made at the strategic level — and the technical chain was constructed around it afterwards.

This is not a failure of governance. It is the normal pattern for every major alliance programme. The political commitment precedes the evidence chain. The mission of programme infrastructure is to construct that evidence chain from the point of entry forward, and backward through the inherited constraints — simultaneously, with full structural discipline.

No existing PLM, ERP, or document management system was designed for this. Clarity was.

Three structural requirements AUKUS creates

AUKUS imposes three requirements on digital engineering infrastructure that determine whether a digital thread is sovereign-capable or sovereignty-theatre.

Time — 40 years

Decisions made today must be defensible to people not yet born.

The engineers designing the first submarine will not be available to explain their decisions in 2065. The programme infrastructure must hold those decisions with their complete evidence chains — without depending on institutional memory, the original tooling, or the original team.

Sovereignty — three jurisdictions

Data sovereignty is necessary. Knowledge sovereignty is required.

AUKUS requires shared decision traceability — not just data sharing. When an Australian supplier makes a design commitment affecting a UK prime's baseline, the decision record must be accessible to both parties under their respective classification controls, in their respective jurisdictions, auditable on both sides.

Classification — entity level

Document-level classification fails at the cross-domain boundary.

A single design record may contain both SECRET and OFFICIAL content. Classification must be enforced at the entity level — every requirement, decision, and baseline entry carrying its own classification claim, independently enforced and transferable at the right granularity.

Why legacy tools cannot meet this requirement

Legacy enterprise systems were built before security was a first-class design requirement. Their security model is a policy layer on top of a single-tenant relational architecture designed for single-jurisdiction, single-classification operation.

Achieving genuine AUKUS sovereignty with legacy PLM or ERP requires separate instances per classification level, custom middleware to enforce cross-domain policies, and policy documents that assert sovereignty — which the code does not enforce.

No incumbent vendor can rebuild to genuine sovereign architecture without discarding the product kernel.

How Clarity works for AUKUS

Sovereign by design. Clarity runs in your AWS account, encrypted with your KMS keys, in your AWS region. For classified deployments: AWS Australia air-gapped regions, no outbound connectivity required. Clarity has zero access to your programme data.

Three independent enforcement layers. IAM inline deny, S3 bucket policy, and schema-level classification enforcement — each independently auditable by ASD or a DISP-qualified assessor without reading application source code. Any two could fail simultaneously and the third would still enforce the boundary.

Diode and Airlock for structured cross-boundary exchange. Diode: one-way ingest, write-back structurally impossible by IAM. Airlock: two-way, joint ownership policy — both nations must approve any exchange, either can suspend instantly, policy enforcer fails closed. CrossDomainTraceLink: bilateral audit record stamped on both sides simultaneously — neither party can forge or deny the exchange.

Entry at any lifecycle point. AUKUS entered the programme chain as a political commitment before the technical analysis existed. Clarity supports full structural discipline from any entry point — building the evidence chain forward from where the programme is and backward through inherited constraints simultaneously.

For Australia’s AUKUS industrial base

The Tier 2 and Tier 3 suppliers entering the AUKUS industrial base have never operated in a classified programme environment. They do not have PLM. They have SharePoint, Excel, and email.

Clarity gives the full industrial base — from prime contractor to Tier 4 specialist manufacturer — the same decision accountability infrastructure:

  • Same-day deployment — no systems integrator, no infrastructure to manage
  • Same data model as the primes — same evidence chain, same classification enforcement
  • Connected to the prime’s Clarity deployment via CrossDomainTraceLink with access controls set by the prime and enforced by architecture
  • Priced for SMB participation — at a fraction of enterprise PLM licensing

Designed for 14 Eyes compliance — by architecture, not by bolt-on

Clarity was not designed as a commercial platform and then hardened for defence. It was designed from first principles for the sovereignty and classification requirements of Five Eyes and 14 Eyes programmes.

Legacy PLM and document management systems were designed in the 1990s and 2000s for single-tenant, single-classification, single-jurisdiction enterprise use. Their AUKUS and sovereignty claims are policy assertions layered on top of architectures that were never built for cross-classification, cross-jurisdiction, or air-gapped operation. Every “secure” feature is a bolt-on — middleware added decades after the product kernel was built. No incumbent vendor can rebuild to genuine sovereign architecture without discarding the product kernel, which is the entire product.

“Auditors read the documentation. Adversaries read the code.”

Clarity’s enforcement is in the architecture — independently verifiable without trusting vendor documentation.

Clarity’s three enforcement layers are not features. They are the architecture itself:

ASD ISM ControlRequirementClarity
ISM-0109Separation of dutiesThree independent enforcement layers — no single administrator can bypass all three
ISM-0141Audit loggingEvery entity mutation: immutable CloudTrail record with author, timestamp, rationale
ISM-0428Cryptographic key managementCustomer-held KMS keys; Clarity holds no key material
ISM-1553Data sovereigntyCustomer AWS account, customer-specified region, customer encryption keys
ISM-1797Network separationAir-gap deployment; no outbound connectivity required

Each layer is independently auditable by ASD or a DISP-qualified assessor without reading application source code. Any two could fail simultaneously and the third would still enforce the boundary. A full ASD ISM controls mapping is available to accreditation authorities and ATO partners on request.

Continue reading

All whitepapers How it works Request a briefing

Controlled early access

Clarity is in controlled early access.

Access is by invitation for defence, sovereign, and regulated sector leaders. No sales process. Speak directly with the founders.

Request a Briefing Read the Whitepapers