Standard Operating Procedure:
Expert-Driven AI-Assisted Development

1. Purpose and Scope

Purpose

This Standard Operating Procedure establishes the framework, governance, and workflow for AI-assisted tool development by subject-matter experts within Department of War organizations. Expert-Driven Development enables domain experts to build, document, and sustain institutional tools using AI as a development accelerator -- without requiring a background in software engineering, contracting, or formal IT acquisition.

EDD IS / EDD ISN'T

Scope

This SOP covers the complete lifecycle of AI-assisted tool development: from problem identification and compliance review through prototyping, testing, documentation, deployment, and sustainment. It applies to tools built on approved platforms using approved AI assistants that handle unclassified data only.

Applicability

This SOP applies to all personnel who develop, review, supervise, or maintain tools built using the Expert-Driven Development framework. It is designed for adoption at the unit level and can be tailored to organization-specific requirements while maintaining compliance with DoW-wide cybersecurity and privacy directives.

2. The Four-Layer Framework

Expert-Driven Development operates through four interdependent layers. Each layer builds on the previous one, and all four must be present for the framework to produce sustainable results.

Layer 1: Direct Tool Development

Subject-matter experts use AI to build tools that solve real problems in their organizations. The expert provides domain knowledge -- the understanding of the problem, the workflow, the users, and the requirements. AI provides the development capability -- translating that domain knowledge into working code, interfaces, and automation.

Layer 2: Process Liberation

By removing the dependency on contractors, acquisition timelines, and IT development queues, EDD liberates the development process. Personnel can identify a problem and begin building a solution within the same week -- not the same fiscal year. This layer addresses the structural bottleneck that prevents organizations from responding to their own needs.

Layer 3: Capability Cultivation

Each build develops the builder. The five-course training curriculum and the 201-level skills framework cultivate six core competencies: Context Assembly, Quality Judgment, Task Decomposition, Iterative Refinement, Workflow Integration, and Frontier Recognition. Personnel who complete EDD projects gain transferable skills in AI-assisted development, systems thinking, user-centered design, and technical documentation. These capabilities persist after the specific tool is deployed and compound across subsequent projects.

Layer 4: Documentation and Replication

Every tool built under EDD is documented to a standard that enables another person to understand, maintain, modify, and replicate the tool without the original builder present. This layer ensures that institutional knowledge does not walk out the door when personnel transfer. Documentation is not an afterthought -- it is a core deliverable of every project.

3. The Creator Mindset

EDD requires a fundamental shift in how personnel interact with AI tools. Most users operate as consumers -- they use AI to get answers, summarize text, or draft emails. EDD trains personnel to operate as creators -- using AI to build things that other people use.

Consumer vs Creator

The Artifact Test

The simplest way to determine whether someone is operating as a consumer or a creator:

Does your AI interaction produce an artifact that someone else can use?

If the answer is yes -- a tool, an application, a system, a workflow -- you are creating. If the answer is no -- a summary, an email draft, a personal answer -- you are consuming. Both are valid. EDD focuses on creating.

4. Compliance and Security

All development under this SOP must comply with existing DoW cybersecurity, privacy, OPSEC, and records management requirements. AI-assisted development does not create new exceptions to these requirements -- it operates within them.

Data Classification

EDD tools handle unclassified data only. The following data types are prohibited from use in AI-assisted development:

Privacy Requirements

Tools that collect, store, process, or display information about individuals must comply with DoW privacy directives. The following apply:

Privacy Impact Assessment (PIA)

Required for any tool that collects or maintains PII. A PIA threshold analysis must be completed during the Compliance Review phase (Phase 2) to determine whether a full PIA is required.

System of Records Notice (SORN)

If the tool creates a new system of records retrievable by a personal identifier, a SORN must be published in the Federal Register before the tool goes into production use.

Appeals and Redress

Any tool that makes decisions affecting individuals must include a mechanism for individuals to review, contest, and correct information about themselves.

Cybersecurity

Approved AI Tools

The following AI tools are approved for use in EDD development. Authorization levels indicate the scope of approved use:

Approved Platforms

Tools built under EDD must be deployed on approved platforms:

When an ATO Is Required

An Authority to Operate (ATO) is required when a tool:

• Connects to or operates on the DoW Information Network (DoWIN)
• Processes, stores, or transmits CUI
• Integrates with other authorized information systems
• Operates outside the inherited authorization boundary of its host platform

Tools built entirely within the inherited authorization boundary of an approved platform (e.g., a Power App within DoW M365) typically do not require a separate ATO but must still comply with the platform's security controls.

Security Controls

All tools must implement security controls appropriate to their data sensitivity and deployment environment, including:

• Authentication via CAC or enterprise identity provider
• Role-based access control (RBAC) where applicable
• Audit logging of user actions and data access
• Input validation and output encoding
• Encryption of data in transit (TLS 1.2+) and at rest

OPSEC

Developers must apply OPSEC principles throughout the development lifecycle. Do not include operational details, unit-specific procedures, force structure information, or vulnerability assessments in AI prompts, tool documentation, or publicly accessible code repositories. When in doubt, consult your organization's OPSEC officer before proceeding.

Records Management

Development artifacts (documentation packages, source code, deployment records) are official records and must be managed in accordance with DoW records management directives. Retain all project documentation for the duration specified by the applicable records schedule. The documentation package produced in Phase 5 serves as the primary record of each development effort.

Incident Response

If a security incident occurs involving an EDD tool (data breach, unauthorized access, malware, or compromise of an AI tool), personnel must:

1. Immediately cease use of the affected tool
2. Report the incident to the organization's Cybersecurity Office within 1 hour
3. Preserve all logs, artifacts, and evidence related to the incident
4. Notify the chain of command and the EDD Program Coordinator
5. Cooperate with the incident response investigation
6. Do not attempt to remediate the vulnerability without authorization

5. Development Prerequisites

Required

• Completed EDD training (minimum: AI Fluency Fundamentals)
• Supervisor approval for the specific development project
• Access to at least one approved AI tool
• Access to at least one approved deployment platform
• A defined problem that meets the criteria in Phase 1
• Completed Problem Definition Template

Not Required

• A background in software engineering or computer science
• Prior programming experience
• A contract, funding, or acquisition document
• An IT service request or development ticket
• Permission from a centralized IT authority (unless ATO is required)

Obtaining Access

Microsoft 365

Most DoW personnel already have M365 accounts. Power Platform access may require a license assignment through your organization's M365 administrator. Contact your local IT support to verify your license includes Power Apps, Power Automate, and Copilot Studio.

AI Tools

The following table provides recommendations for obtaining access to approved AI tools:

6. Development Workflow

The EDD development workflow consists of eight phases. Each phase has defined inputs, outputs, and time estimates. Phases are sequential, but iteration between adjacent phases is expected and encouraged.

7. Roles and Responsibilities

Developer

The individual who builds the tool. Responsible for completing all eight phases of the development workflow, maintaining compliance with this SOP, producing the documentation package, and sustaining the tool through its operational lifecycle. Any personnel member who has completed the required training and received supervisor approval may serve as a developer.

QA Reviewer

The individual who reviews the tool and documentation in Phase 6. The QA Reviewer must be a different person from the developer. Designation criteria:

• Has completed EDD training (minimum: AI Fluency Fundamentals)
• Has built at least one tool under EDD, or has been designated by the Program Coordinator
• Is familiar with the compliance requirements in Section 4
• Has no conflict of interest with the tool being reviewed

Supervisor

The developer's direct supervisor. Responsible for approving the development project, allocating duty time for development, and ensuring the tool meets organizational needs. Supervisors are required to complete the Supervisor Orientation before approving their first EDD project. This orientation ensures supervisors understand the framework, can evaluate proposals, and know what good AI-assisted output looks like.

Program Coordinator

The individual responsible for managing the EDD program at the organizational level. Maintains the Tool Registry, designates QA Reviewers, coordinates training, tracks program metrics, and reports program status to leadership. The Program Coordinator may also serve as a developer or QA Reviewer.

Cybersecurity Office

The organization's cybersecurity team. Provides guidance on security controls, reviews ATO requirements, responds to security incidents involving EDD tools, and validates that tools comply with cybersecurity directives. Consulted during Phase 2 (Compliance Review) for any tool that connects to the network or processes sensitive data.

Privacy Officer

The organization's designated privacy official. Reviews PIA threshold analyses, advises on SORN requirements, and ensures tools that handle PII comply with DoW privacy directives. Consulted during Phase 2 for any tool that collects, stores, or displays information about individuals.

8. Training Requirements

The v5 curriculum comprises five courses organized by audience and prerequisite chain.

Required

The following course is the universal prerequisite and must be completed before beginning any EDD activity:

Recommended for Builders

The following courses are recommended/elective for personnel who will build tools:

Recommended for Leadership

The following course is recommended for supervisors and leadership personnel:

Six 201-Level Skills

The training curriculum develops six core competencies defined in the 201-level skills framework. These skills represent the capabilities that separate effective AI-assisted builders from casual AI users:

1. Context Assembly -- The ability to gather and structure the right information so AI can produce useful output.
2. Quality Judgment -- The ability to evaluate AI-generated output for correctness, completeness, and fitness for purpose.
3. Task Decomposition -- The ability to break complex problems into discrete, AI-addressable tasks.
4. Iterative Refinement -- The ability to systematically improve AI output through structured feedback cycles.
5. Workflow Integration -- The ability to embed AI-assisted processes into existing organizational workflows.
6. Frontier Recognition -- The ability to identify where AI capability boundaries lie and adjust approach accordingly.

Instructor Certification

Instructors for each course must meet the following certification requirements:

Certification process: Complete course as student → Build/deploy tool → Shadow instructor → Co-teach → Certification from Program Coordinator.

9. Metrics and Assessment

Metrics serve two purposes: demonstrating the value of individual tools and assessing the health of the overall EDD program. All metrics should be collected consistently and reported to leadership quarterly.

Tool-Level Metrics

Collected for each deployed tool:

Program-Level Metrics

Collected across all EDD activity within the organization:

10. Scaling and Adoption

90-Day Pilot Model

Organizations adopting EDD should begin with a 90-day pilot. The pilot provides a controlled environment to validate the framework, train initial personnel, produce the first tools, and establish organizational processes before expanding.

Assessment guidance: The Assessment phase should include a review of individual tool and program metrics with a candid recommendation to leadership. Full compliance across all criteria on day one is rare; the recommendation should identify what is working, what needs remediation, and what adjustments are required before expansion. Leadership decisions should be based on trajectory and demonstrated value, not perfection.

Success / Failure Criteria

Tool Registry

The Tool Registry is a centralized record of all tools built under EDD within the organization. Every deployed tool must have an entry. The registry tracks:

• Tool name and description
• Developer and current maintainer
• Deployment platform and URL
• Data classification
• User count and status (active, deprecated, retired)
• Documentation package location
• Date deployed and last updated

The Program Coordinator maintains the Tool Registry and reviews it monthly to identify tools that need updates, lack a maintainer, or should be retired.

Expansion Model

After a successful pilot, expansion follows a train-the-trainer model:

1. Pilot developers become QA Reviewers and mentors for the next cohort
2. Each cohort is 2-4 new developers with defined projects
3. New cohorts begin every 60-90 days
4. The Program Coordinator scales training, QA capacity, and registry management as the program grows
5. Cross-organizational sharing is encouraged through the Tool Registry and documentation standards

11. References

Policy and Regulatory References

• DoW Directive 8140.01 -- Cyberspace Workforce Management
• DoW Instruction 5000.87 -- Operation of the Software Acquisition Pathway
• DoW Instruction 5200.48 -- Controlled Unclassified Information (CUI)
• DoW Instruction 5400.11 -- DoW Privacy and Civil Liberties Programs
• DoW Instruction 8500.01 -- Cybersecurity
• DoW Instruction 8510.01 -- Risk Management Framework (RMF) for DoW Systems
• DoW Instruction 8582.01 -- Security of Non-DoW Information Systems
• DoW Directive 3020.26 -- Department of War Continuity Policy
• DoWM 5200.01 -- DoW Information Security Program
• SECNAV M-5210.1 -- Department of the Navy Records Management Program
• NIST SP 800-53 Rev. 5 -- Security and Privacy Controls for Information Systems and Organizations
• OMB Circular A-130 -- Managing Information as a Strategic Resource
• Executive Order 14179 -- Removing Barriers to American Leadership in Artificial Intelligence (January 2025)
• DoW AI Strategy, January 2026

Research Foundation

• Dell'Acqua, F., et al. (2023). "Navigating the Jagged Technological Frontier." Harvard Business School / BCG. Study of 758 consultants demonstrating the jagged frontier of AI capability.
• Brynjolfsson, E., Li, D., & Raymond, L. (2025). "Generative AI at Work." Stanford / MIT. Study of 5,172 customer-support agents demonstrating skill-leveling effects of AI assistance.
• Mollick, E. (2026). "Management as AI Superpower." Wharton School. Research on the delegation equation and management capabilities in AI-assisted work.
• OpenAI (2025). "GDPval: Measuring Economic Value of AI." Study of 1,320 tasks establishing expert parity benchmarks.
• UK Government Digital Services (2025). AI-assisted development deployment across 20,000 employees, demonstrating government-scale deployment patterns.
• Microsoft Work Trend Index. Study of 300,000+ employees identifying 80% tool abandonment rate without structured training.
• Stanford Digital Economy Lab. Research on the apprenticeship crisis and implications for AI-assisted skill development.

12. Appendices

The following templates are used throughout the EDD development workflow. Download each template and complete it during the appropriate phase.