Securing the next Moon Age: Automated compliance powers the next giant leap
Artemis 2 has a simple question at its core.
Is it safe to fly?
Behind that question sits one of the most complex safety and mission assurance challenges NASA has ever faced. Thousands of data sources. Hazards. Nonconformances. Probabilistic risk models. Supplier inputs. Structured spreadsheets and unstructured documents. All feeding into a flight readiness decision that carries the weight of human life.
NASA does not ask that question lightly. Apollo 1. Challenger. Columbia. Each mission reminds us that safety reviews are written in history, not abstraction.
At Chainguard Assemble 2026, I shared how MRI Technologies partnered with Chainguard to deliver a secure, continuously compliant software foundation for NASA’s Artemis and Habitable Worlds Observatory missions.
The Artemis 2 moment
In September 2025, the Moon to Mars Safety and Mission Assurance team assembled something that had never existed in one place before: a unified view across the entire Artemis supplier ecosystem. It was multi-format by necessity: XLS files, CSV exports, PDFs, slide decks, and Markdown.
The ask was straightforward: Can AI help interrogate this data?
The stakes were not abstract compliance metrics. They were crew survival. NASA operates as an integrator across a complex partner landscape. Every signal matters. Every discrepancy must be reconciled.
We had to move from raw data to actionable insight under flight deadlines.
The technical journey
Our first instinct was to use retrieval-augmented generation within Luna, NASA JSC’s GCP-centric AI, identity, and data platform. The massive XLS files did not process into embeddings well: they lost what made them so valuable, their structure. The embedding pipelines required for deeply structured safety data would have needed to be purpose-built and added to the data orchestration infrastructure.
We experimented with an MCP-to-XLS approach. The outputs were compelling, but the user experience and scalability were limiting factors.
Meanwhile, ChatGSFC, a thriving AI project out of NASA's Goddard Space Center, had already solved the adoption problem. Its LibreChat interface had strong uptake. Mission teams were starting to trust it and use it daily. However, both solutions were yet to solve the challenge of data fidelity and traceability. In a safety context, an answer that appears correct but can't be traced to authoritative data isn't just wrong; it's dangerous.
The path forward was a combination of Luna's data access rigor and identity infrastructure, paired with ChatGSFC's conversational front end. Connect structured data to a trusted interface. Deliver Luna AI agents as an MCP server.
The result was the Artemis SMA AI Agent. It enabled natural-language exploration of complex datasets, generated traceable briefing documents, reconciled discrepancies in BigQuery, and materialized new insights into structured tables with Google Gemini. Outputs were grounded and auditable.
Safety Board meetings that once required days or weeks of analysis began seeing results in minutes.
That capability did not emerge in isolation. It was built on platform engineering work that preceded the AI layer.
Two dimensions of platform value
When we talk about platform in high-compliance environments, we are not talking about clusters and pipelines only. We are talking about a compliance force multiplier.
Platform is not infrastructure for its own sake. In federal environments, platform is the mechanism that reduces activation energy for mission teams while absorbing regulatory burden on their behalf.
Dimension 1: Operational enablement
Time to deployment must be measured in hours, even in regulated environments. For Artemis, that meant brokered cloud services, standardized interconnection patterns, identity federation with highly compliant providers, and container supply chain management embedded into GitOps workflows. Luna had Gemini ITAR authorized through Vertex AI, and Luna’s Identity Platform and the OAuth patterns between systems were pre-established. The first authenticated ITAR-rated MCP server deployment happened quickly because the groundwork had already been laid.
For the team, that meant GCP BigQuery & Kubernetes environments provisioned in hours, not weeks, and a secure MCP server stood up without reopening ITAR and access control debates. Platform constraints became accelerators.
Dimension 2: Authorization inheritance
FISMA Moderate plus NASA overlays represent more than 400 controls. The platform absorbs the bulk of those controls on behalf of tenant workloads. Artemis teams did not have to individually account for network security, multi-tenant isolation, authentication infrastructure, or container hardening. Operational enablement generates control inheritance.
That is how we moved from whiteboard to agency-level flight readiness review in four months.
This is what return on platform investment looks like. When the mission arrives, you are not negotiating controls. You are executing.
Continuous ATO and the container supply chain
Continuous authorization to operate requires securing the software supply chain from source to runtime. Zero CVE at pull time does not mean zero CVE tomorrow. Images age. Vulnerabilities emerge.
We operate fleets of clusters full of containers. Early attempts to automate CVE remediation burned significant engineering time with little measurable progress. Tens of thousands of vulnerabilities remained.
Two tools emerged from operational necessity. The first keeps Chainguard’s continuously updated container images current across environments; it is embedded in GitLab pipelines and runs as a Kubernetes operator, with all the human-in-the-loop controls required for high-compliance environments. The second integrates security scan findings directly into issue tracking with severity-based due dates. Issues auto-close on remediation and reopen if a vulnerability reappears. Every system owner has clear accountability.
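The open, close and reopen lifecycle of the second tool can be sketched as a reconciliation step run after every scan. This is an added example, not MRI Technologies' or Chainguard's code: the `reconcile` function, the `Issue` fields, the remediation windows in `SLA_DAYS`, the image names and the vulnerability ids are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows (days) per severity; the article gives no values.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

@dataclass
class Issue:
    severity: str
    due: date
    state: str = "open"   # "open" or "closed"
    reopened: int = 0

def reconcile(issues, findings, scanned_images, today):
    """Sync tracker state with one scan run.

    issues:   {(image, vuln_id): Issue}, mutated in place
    findings: {(image, vuln_id): severity} reported by this run
    scanned_images: images the scanner actually completed
    Returns a list of (action, key) so every change is auditable.
    """
    actions = []
    for key, severity in sorted(findings.items()):
        due = today + timedelta(days=SLA_DAYS[severity])
        issue = issues.get(key)
        if issue is None:
            issues[key] = Issue(severity, due)
            actions.append(("open", key))
        elif issue.state == "closed":
            # Finding reappeared: reopen the same issue with a fresh due date.
            issue.state, issue.severity, issue.due = "open", severity, due
            issue.reopened += 1
            actions.append(("reopen", key))
        elif issue.severity != severity:
            # Re-scored while open: never let a re-score push the deadline out.
            issue.severity, issue.due = severity, min(issue.due, due)
            actions.append(("rescore", key))
    for key, issue in sorted(issues.items()):
        # Close only when the image was scanned and the finding is gone; a failed
        # or skipped scan must not look like remediation.
        if issue.state == "open" and key not in findings and key[0] in scanned_images:
            issue.state = "closed"
            actions.append(("close", key))
    return actions

# Constructed sample data: image names and vulnerability ids are placeholders.
APP, DB = "registry.example/app", "registry.example/db"
tracker = {}
day1 = reconcile(tracker, {(APP, "VULN-0001"): "high", (DB, "VULN-0002"): "low"},
                 {APP, DB}, date(2026, 1, 5))
```

Keying issues on the image and vulnerability pair is what lets a reappearing finding reopen its original issue, so the remediation history stays with one record.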
These tools were not built as abstract research projects. They were responses to real operational pressure. Platform investment turned toil into reusable capability.
Partnering with Chainguard strengthened that foundation. Zero CVE base images, continuous patch delivery, and trusted source-to-runtime supply chain practices reduced the attack surface and simplified compliance reporting.
Zero CVE everywhere is an aspiration. Zero CVE continuously, with accountability, is a discipline.
So is it safe to fly?
On April 10, 2026, Artemis II answered the question. Wiseman, Glover, Koch, and Hansen splashed down safely in the Pacific after a nearly 10-day journey that took them farther from Earth than any humans have ever traveled. They came home. That outcome belongs to the thousands of people across NASA, its contractors, and its mission partners who designed it, analyzed it, and stood behind every decision that brought the mission to completion.
The platform did not fly the mission. It made one of many efforts more effective at enabling those who do fly the mission.
The work we did for Artemis now extends beyond a single program. The patterns are replicable. Continuous ATO is achievable.
For platform builders, the lesson is to invest in the unglamorous layers: identity, interconnection, control mapping, and supply chain integrity. Design for missions you cannot yet predict.
For mission teams, platform constraints are not a source of friction. They are guardrails that allow you to move faster when it matters most.
For leadership, platform value becomes invisible until you need it. Artemis is what platform ROI looks like under real-world deadlines.
AI made the analysis conversational. The platform made it compliant. Continuous delivery made it sustainable. Together, they turned months into minutes.