This environment exists so our team can develop, test, and validate AI-assisted capabilities against synthetic data before those capabilities touch a client system. It is not a production platform. It is the place where good ideas become proven ones.
Kearney has spent decades helping federal clients close the gap between their financial operations and the security posture those operations require. The work is rigorous by necessity. Every system we build or advise on carries compliance obligations, audit trails, and accreditation requirements that exist for good reason.
That same rigor can slow us down when we are trying to determine whether a new idea is worth pursuing. Waiting for a production environment to validate an AI-assisted detection approach, or a new log normalization technique, costs weeks we do not have when a client needs a solution.
The sandbox solves that problem. It gives our cybersecurity and technology teams a dedicated AWS environment, built to the same encryption and access-control standards as our production infrastructure, where we can work with approved synthetic data and move quickly. When something works here, a defined process carries it through internal review, accreditation, and client deployment.
One requirement is not negotiable: no real client data, no live government records, and nothing classified or CUI enters this environment. The full data policy is on this page, and it applies to everyone with credentials without exception.
Test detection algorithms, normalization logic, and AI-assisted analysis against realistic synthetic records before the work requires formal accreditation. Prove the approach, then carry it forward.
All training and test data is publicly sourced or artificially generated to reflect real financial record structures. The data behaves like production data. None of it is production data.
Validated capabilities move from the sandbox through internal Customer Zero review, then formal accreditation, then client deployment. This environment is the first gate, not the last.
All AI provider access runs through AskSage (DoD IL5 authorized) or through scoped Amazon Bedrock access limited to non-prohibited model families. Provider selection is not discretionary for DoD-scoped work.
Six capabilities are available to every provisioned user. You do not need to set up any infrastructure. Everything below is ready when you log in. Click any card for a step-by-step walkthrough written for non-technical users.
Turn a rough idea into a structured, production-ready AI prompt in seconds. Describe what you want in plain English. The assistant fills in the gaps, identifies ambiguities, and returns a prompt you can paste directly into ChatGPT or Gemini. No technical background required.
Live on this pageAskSage is the required AI gateway for all DoD-scoped work at Kearney. It is authorized at DoD Impact Level 5 and provides access to GPT-4o, o-series reasoning models, and Gemini under a single secure credential. Use it for any analysis that will touch a federal client deliverable.
AskSage IL5Your personal cloud notebook environment. Think of it as a secure, pre-configured workspace where you can write Python, run data analysis, and experiment with AI models, all within the Kearney AWS environment. No installation, no local setup. Open a browser and start working.
SageMaker StudioA library of AI models available directly through AWS for non-DoD experimentation. Includes Amazon Nova, Titan, Meta Llama, Mistral, and Cohere. Useful for testing approaches, building internal prototypes, and running analysis on synthetic data before moving to a client context.
Bedrock / Non-DoD OnlyRun a complete end-to-end test of an AI-assisted anomaly detection workflow with a single command. The pipeline generates synthetic federal financial records, normalizes them, scores them for anomalies, and produces an evaluation report, automatically. Used to validate detection approaches before presenting them internally.
Step FunctionsWatch synthetic financial system logs flow through the deployed Security Orchestration, Automation, and Response pipeline end-to-end. From S3 ingest through OCSF normalization, IsolationForest scoring, MSSP notification, and ServiceNow ticket creation. Captured from a live AWS run and replayed step-by-step.
Lambda + S3 + SNSSee the live health of every resource in the sandbox: Lambda functions, API endpoints, SageMaker, S3 storage, and Secrets Manager. Updated in real time each time you load the page. If something is not working, this is the first place to check before contacting the sandbox team.
Live Health Check| Tier | Provider | Available Models | Access Method | When to Use |
|---|---|---|---|---|
| Primary Required for DoD | AskSage | GPT-4o, o1, o3, Gemini | asksageclient SDK API key in Secrets Manager |
All DoD-scoped work. Any engagement with federal end users. |
| Secondary Approved | Amazon Bedrock | Nova, Titan, Llama, Mistral, Cohere | IAM-native, scoped policy | AWS-integrated experimentation, embeddings, and internal prototypes not scoped to DoD. |
| Optional Contracts Approval Required | Direct OpenAI / Gemini | Vendor-specific features | Secret shells provisioned, unpopulated |
Only after contracts and security approval. Do not populate without sign-off. |
Describe what you want to accomplish in plain language. The assistant will interpret your intent and return a structured, production-ready prompt you can paste directly into ChatGPT or Gemini.
Your refined prompt will appear here.
Analyzing intent...
Click Open in ChatGPT ↗. A new tab opens with your prompt already loaded and submitted. No copy-paste needed. Sign into ChatGPT if prompted.
chatgpt.comClick Open in Gemini ↗. Your prompt is copied to the clipboard and Gemini opens in a new tab. Click the message box and press Ctrl+V (Windows) or Cmd+V (Mac) to paste, then send.
gemini.google.comRead the output carefully. AI tools work best when you treat the first response as a draft. Ask follow-up questions or request adjustments in the same conversation thread.
Follow upIf the result missed the mark, come back here and adjust your original idea based on what you learned. Two or three iterations typically produces a better result.
IterateThe Kearney AI Sandbox operates under a synthetic-data-only mandate consistent with Kearney's AI Use Policy and CMMC obligations. No client records, no Kearney proprietary data, no personally identifiable information, and no non-public government data may be uploaded, processed, or stored in this environment under any circumstances, including on a temporary basis.
This is a firm governance requirement binding on all personnel with sandbox credentials. If you are unsure whether a dataset is permitted, stop and ask before uploading. Violations will result in immediate access revocation and may trigger obligations under FAR, CMMC, and applicable federal requirements.
USASpending.gov public records. AI-generated synthetic PBIS and STARS-FL financial records. Public policy documents including DoD FMR 7000.14-R, DON FMPM, and the GAO Red Book. Test fixtures created entirely from scratch with no real data as input.
Kearney proprietary data of any kind, including contracts, HR records, and internal financial data. Real client records or deliverables. Personally identifiable information. Classified materials or CUI-designated documents. Any data whose use in an AI environment would violate Kearney's AI Use Policy or CMMC obligations.
All data is encrypted at rest and in transit using a dedicated KMS CMK. The sandbox runs in an isolated AWS account, separate from any production or client-facing environment. Credentials are personal and non-transferable.
Every action in this environment, including file uploads, model invocations, and API calls, is captured in CloudTrail and retained for 90 days. Logs are immutable. Do not assume any action in this environment is unobserved.
Effective February 27, 2026, Anthropic was designated a supply chain risk for DoD work. All Anthropic model ARNs have been removed from the sandbox Bedrock IAM policies. Do not re-add them. If you find Claude references in existing code or notebooks, replace them with an approved AskSage or Bedrock model and notify your team lead. FAR 52.204-30 reporting obligations apply. Contact the contracts team with any questions.
Code, models, and pipelines developed here must complete internal review and formal accreditation before touching any client environment. Do not copy sandbox outputs to production systems directly. The sequence is: Sandbox, internal Customer Zero review, accreditation, then client deployment.
Access is provisioned by the DevOps team using a controlled onboarding script. Submit your request to your team lead or directly to the sandbox team. You will receive a temporary AWS console password and an access key pair by secure channel. Credentials are never sent over email.
On first login you will be required to set a new password and configure MFA. Your SageMaker Studio profile is created during provisioning and is available immediately. Select Open Studio from the SageMaker console to begin.
Each team member requires individual credentials. Do not share access keys or console passwords with colleagues. Contact sandbox-support@kearneyco.com with any questions.
Request Access