Government AI 2026: Procurement, Compliance, and Deployment

Chapter 1: The Government AI Landscape in 2026

Government AI in 2026 is operating at two speeds simultaneously. At the federal level, a comprehensive regulatory and procurement stack has crystallized through 2024-2026 around the NIST AI Risk Management Framework, executive orders, congressional appropriations, and the Center for AI Standards and Innovation. At the state level, fifty separate jurisdictions are passing varying AI laws, creating a patchwork that complicates national deployment. Beneath the regulatory layer, federal agencies are rapidly scaling AI deployment for citizen services, internal operations, defense, and intelligence — with an estimated $30-50 billion in annual federal AI spending by 2027 across procurement, internal development, and contracted services.

This e-guide is the operational playbook for AI in government as it actually works in mid-2026. The audience is federal agency AI leaders evaluating deployment, state and local government technology leaders navigating procurement, government contractors building AI offerings for the public sector, defense industrial base companies, and consultants advising public sector clients. The remaining 13 chapters walk through the regulatory stack, the procurement landscape, the deployment patterns, the vendor ecosystem, the workforce considerations, and the realistic 2027-2028 outlook.

What changed between 2023 and 2026

Three substantial shifts produced the current landscape. First, executive action consolidated. President Biden’s October 2023 Executive Order 14110 established the foundational federal AI policy framework — agency reporting requirements, the Bletchley Park-aligned safety commitments, the foundation for what became CAISI. The Trump administration’s January 2025 Executive Order revoked parts of EO 14110 but kept much of the procurement and security infrastructure intact. The 2026 federal AI policy landscape is thus a hybrid: the safety and evaluation infrastructure built under the Biden EO continues operating, while the regulatory mandates have been substantially loosened.

Second, agency-level adoption accelerated. The federal AI use case inventory now lists over 1,200 documented agency AI deployments, up from approximately 700 in 2023. The mix has shifted from research and pilot deployments toward production citizen services and internal automation. Major recent deployments include the Department of Veterans Affairs’ AI claims processing, the IRS’s AI-augmented audit selection, the Social Security Administration’s AI-driven document handling, the State Department’s AI passport processing, and dozens of smaller agency-specific applications.

Third, the state-level patchwork has become operationally consequential. California’s SB 942 (AI disclosure for digital replicas), Colorado’s AI Act (impact assessments for high-risk AI), New York City’s Local Law 144 (automated employment decision tool audits), and similar laws in Illinois, Texas, and a growing list of states have created a compliance landscape that any vendor selling AI to government — or selling to private companies operating in government-regulated industries — must navigate carefully.

What success looks like in government AI in 2026

Successful government AI deployments in 2026 share several characteristics. They focus on specific, measurable outcomes (claims processed faster, documents reviewed more thoroughly, citizens served better) rather than vague AI transformation goals. They use established AI tools (Claude, GPT-5.5, Gemini, plus authorized open-source) rather than experimental research models. They have strong human oversight built into the workflow rather than treating AI as fully autonomous. They satisfy the relevant compliance requirements (NIST AI RMF documentation, FedRAMP authorization, state-law alignment) before production deployment rather than retrofitting compliance.

Failed government AI deployments share their own pattern. They rush through procurement compliance and then have to halt for compliance review. They deploy AI in high-stakes, citizen-facing applications without adequate human oversight and produce visible failures. They underinvest in the workforce training and change management needed for deployed AI to produce real value. They lock into vendor relationships that don’t scale with the agency’s actual needs over time.

What this playbook covers

The remaining 13 chapters work through government AI systematically. Chapter 2 covers the federal regulatory stack — NIST AI RMF, the executive order landscape, OMB memoranda. Chapter 3 covers CAISI and pre-release model evaluation. Chapter 4 covers federal AI procurement — GSA, FedRAMP, Schedule 70. Chapter 5 covers the major state AI laws. Chapter 6 covers defense and intelligence community AI. Chapter 7 covers public-facing citizen service AI. Chapter 8 covers internal government AI. Chapter 9 covers the AI vendor landscape approved for federal use. Chapter 10 covers compliance and audit frameworks. Chapter 11 covers workforce and training. Chapter 12 covers real case studies. Chapter 13 covers common pitfalls. Chapter 14 covers the 2027-2028 outlook.

For broader context, the Cybersecurity AI 2026 playbook covers government-relevant cybersecurity applications. The Financial Services AI Playbook 2026 covers regulated-industry parallels that government AI can learn from. The AI Learning Guides Free Library has the full complement of free deep-dives. This playbook stays focused on government deployment specifically.

Chapter 2: The Federal AI Regulatory Stack

Federal AI policy in 2026 operates through a multi-layered stack of executive orders, agency regulations, congressional appropriations directives, and standards body documents. This chapter walks through the major components.

The NIST AI Risk Management Framework

The NIST AI Risk Management Framework (AI RMF), first published in January 2023 and continuously updated since, is the foundational document for federal AI risk assessment. The framework defines four high-level functions — Govern, Map, Measure, Manage — that organizations should structure their AI risk management around. Federal agencies are required to align their AI deployments with the AI RMF; many state and local governments and private sector organizations have voluntarily adopted it as well.

The practical implications: every federal AI deployment requires documentation that maps to the AI RMF functions. The Govern function covers AI governance policies and accountability structures. Map covers documentation of the AI system’s purpose, intended use, and risk classification. Measure covers ongoing monitoring and evaluation. Manage covers risk response and mitigation. The documentation isn’t optional — it’s a precondition for AI deployment in most federal contexts.

Executive Order 14110 and its successors

President Biden’s Executive Order 14110 of October 2023 established comprehensive federal AI policy. The EO directed agencies to develop AI safety and security standards, established the CAISI program, set procurement requirements, addressed civil rights implications of AI, and addressed federal workforce considerations. Many of the EO’s provisions cascaded into agency-level regulations and standards through 2024-2025.

President Trump’s executive orders of January 2025 revoked parts of EO 14110 — particularly provisions that the new administration viewed as overreach — but retained much of the procurement and security infrastructure. The 2026 federal AI policy landscape is thus a hybrid. The compliance and procurement frameworks that took two years to build remain operative; the broader regulatory mandates around AI bias, civil rights impacts, and worker protections have been substantially loosened.

OMB Memorandum M-24-10 and updates

The Office of Management and Budget’s M-24-10 memorandum from March 2024 directed federal agencies to designate Chief AI Officers, develop AI strategies, and inventory their AI uses. Subsequent OMB memoranda updated the requirements through 2025-2026. The 2026 OMB framework requires every federal agency to maintain a public AI use case inventory, designate AI governance officials, and submit annual AI compliance reports.

The practical compliance requirement: every federal agency AI deployment is documented in a public inventory at AI.gov, with risk classification, vendor information, and oversight arrangements visible to the public. The transparency requirement has been a significant change — federal AI deployments are now subject to scrutiny that private sector deployments aren’t.

Congressional action

Congress has been more cautious about comprehensive AI legislation than the executive branch. The 2026 congressional landscape includes the AI Accountability Act (passed 2025, focused on transparency and disclosure), the Federal AI Research and Development Act, various appropriations directives funding AI work at specific agencies, and ongoing committee work on potential broader AI regulation. The 2026 Republican-controlled Congress has emphasized lighter-touch regulation than what was anticipated under the prior administration.

Standards bodies and voluntary frameworks

Beyond government action, several standards bodies have developed voluntary frameworks that federal agencies adopt. NIST publishes ongoing AI standards work beyond the AI RMF — the Generative AI Profile, the AI Test, Evaluation, Validation, and Verification (TEVV) framework, and various other documents. The IEEE has published standards on AI ethics and governance. The ISO has published standards on AI quality management.

How the layers interact

For a federal agency deploying AI, the stack typically operates as follows. The agency’s AI strategy aligns with OMB requirements. Specific AI deployments are documented per the AI RMF and the agency’s AI inventory. CAISI evaluation may be required for certain frontier model uses. Procurement aligns with FedRAMP and other security requirements. Civil-rights considerations align with civil rights laws (less aggressive than the original EO 14110 mandates but still operative). The compliance burden is substantial but tractable for agencies with mature governance.

Chapter 3: CAISI and Pre-Release Model Evaluation

The Center for AI Standards and Innovation (CAISI) is the federal government’s primary mechanism for evaluating frontier AI models before they reach the market. Originally established under Executive Order 14110 as the AI Safety Institute, the program was renamed and restructured under the Trump administration but retained its core function. This chapter walks through CAISI’s role, scope, and practical operations.

What CAISI does

CAISI evaluates AI models for “demonstrable risks” related to national security, public safety, and critical infrastructure. The evaluation focuses on specific risk categories: cybersecurity (can the model be used to find and exploit vulnerabilities at scale), biosecurity (can the model help create biological weapons), chemical weapons (parallel concern for chemicals), and critical infrastructure attacks. The CAISI evaluation does not address every possible AI risk — it focuses on the catastrophic and national-security-relevant categories.

The participating organizations are the major frontier AI labs: OpenAI, Anthropic, Google DeepMind, Microsoft, xAI. These organizations agreed to provide CAISI with pre-release access to their frontier models, allowing CAISI to evaluate the models before public release. The agreements are voluntary and contractual rather than statutory; participating labs receive feedback and CAISI receives early access to capability assessments.

The evaluation process

CAISI’s evaluation typically operates over weeks before a major model release. The frontier lab provides API access, model weights (where applicable), and documentation. CAISI’s evaluation team — combining federal scientists with contracted external evaluators — runs structured tests against the model’s capabilities in the focused risk categories. Results are reported to the lab and inform release decisions; CAISI does not have unilateral authority to block a release but its findings can affect the lab’s voluntary mitigations.

The process has produced operational findings that inform broader policy. CAISI has noted that frontier models in 2025-2026 have meaningful (if limited) capability in cybersecurity vulnerability discovery, that biosecurity uplift is real but smaller than initially feared, and that chemical and critical infrastructure attack capabilities remain largely the province of specialized expertise that frontier models don’t yet substantially uplift.

The DeepSeek and Chinese model evaluations

CAISI has extended its evaluation work to non-US frontier labs. The early 2026 evaluation of DeepSeek V4 Pro produced the public finding that the Chinese model lagged the US frontier by approximately 8 months on the evaluated capabilities. The evaluation methodology has been extended to other Chinese frontier models (Moonshot Kimi K2.6, Alibaba Qwen 3). The findings have informed US policy discussions about Chinese AI competitiveness and export control considerations.

Implications for AI vendors

For AI vendors, CAISI participation has become a baseline expectation for frontier-tier models. Labs that don’t participate face questions about why they’re avoiding evaluation. Labs that participate gain a degree of legitimacy that helps with federal procurement and with public sentiment. The 2026 norm is participation; the question for new entrants is when, not whether.

The DOE national labs partnership

CAISI’s evaluation work happens partly in partnership with the Department of Energy’s national laboratories — particularly Oak Ridge, Argonne, and Lawrence Berkeley. The labs provide the high-performance computing resources needed for large-scale model evaluation, plus the deep technical expertise in the specific risk domains (Oak Ridge’s role in cybersecurity, Argonne’s role in nuclear-adjacent risks). The partnership extends CAISI’s capacity beyond what the federal civilian workforce alone could provide.

Chapter 4: Federal AI Procurement

Federal AI procurement in 2026 operates through the established federal procurement system — GSA Schedule, FedRAMP authorization, Department-specific contract vehicles — adapted for AI-specific considerations. This chapter walks through how AI gets procured at the federal level.

The procurement vehicles

GSA Schedule (formerly Schedule 70) is the main procurement vehicle for AI products and services. GSA Schedule offers pre-negotiated pricing and terms that any federal agency can use without separate procurement processes. Most major AI vendors — including all of the frontier labs through their enterprise plans — are on GSA Schedule. The GSA AI category has expanded substantially through 2024-2026 as AI procurement has accelerated.

Department-specific vehicles include Department of Defense Other Transaction Authorities (OTAs), the General Services Administration’s STARS (Small Business STARS), the SEWP (Solutions for Enterprise-Wide Procurement) program for IT, and various agency-specific BPAs (Blanket Purchase Agreements). Different vehicles have different acquisition rules; the right choice depends on the specific agency, the contract size, and the urgency.

The FedRAMP program authorizes cloud services for federal use. AI services delivered through cloud APIs (which is most production AI) require FedRAMP authorization for federal deployment. The FedRAMP authorization process is substantial — typically 6-18 months for new offerings — but produces a security baseline that allows broad federal use once achieved.

FedRAMP for AI services

FedRAMP authorization for AI services has been one of the major procurement bottlenecks. Major AI services that have achieved FedRAMP authorization in 2024-2026: AWS Bedrock with Claude (FedRAMP High via AWS GovCloud), Microsoft Azure OpenAI Service (FedRAMP High via Azure Government), Google Vertex AI with Gemini (FedRAMP Moderate, with High in process), and several specialized providers. Frontier labs typically don’t operate their own FedRAMP-authorized infrastructure — they reach federal customers through the cloud providers’ authorized environments.

The FedRAMP boundary matters for what data can flow through which AI service. Agency data classified as Controlled Unclassified Information (CUI) requires at minimum FedRAMP Moderate. Defense and intelligence applications often require FedRAMP High plus additional accreditations (DoD IL5, IC ITE compliance). Classified applications require dedicated infrastructure outside the FedRAMP framework entirely.

Sample procurement workflow

A federal agency procuring AI capability typically goes through:

  1. Identify the use case and align with agency AI strategy and OMB requirements.
  2. Document the system in the agency’s AI use case inventory.
  3. Determine data classification and required FedRAMP level.
  4. Identify candidate vendors with appropriate FedRAMP authorization on GSA Schedule.
  5. Issue an RFP or RFQ, solicit responses, evaluate.
  6. Award contract, negotiate task orders, deploy.
  7. Maintain ongoing compliance and reporting.

The total timeline from initial use case identification to deployment can range from 3-18 months depending on complexity, FedRAMP requirements, and the procurement vehicle.

Sample procurement code structure

For federal agencies building internal procurement automation, here’s the basic structure of a procurement evaluation tool that uses AI to assist (note: such tools must themselves be procured through compliant processes):

import os

from anthropic import AnthropicBedrock

# Use AWS Bedrock GovCloud for FedRAMP High
client = AnthropicBedrock(
    aws_region="us-gov-west-1",  # GovCloud
    aws_secret_key=os.environ["AWS_GOV_SECRET"],
    aws_access_key=os.environ["AWS_GOV_KEY"],
)

def evaluate_proposal(rfp_text, proposal_text, evaluation_criteria):
    """Return the model's evaluation of one proposal as raw text.

    proposal_text is vendor-supplied, so treat it as untrusted input, and
    treat the returned text as advisory until it has been validated.
    """
    response = client.messages.create(
        model="anthropic.claude-opus-4-7-v1:0",
        max_tokens=4096,
        system=(
            "You are evaluating a federal procurement proposal. Score the proposal "
            "against each evaluation criterion. Output structured JSON with: "
            "score (0-100), reasoning, strengths, weaknesses, compliance issues. "
            "Reference FAR (Federal Acquisition Regulation) where relevant. "
            "Note: Final award decisions remain with contracting officers."
        ),
        messages=[{"role": "user", "content": (
            f"RFP:\n{rfp_text}\n\n"
            f"Proposal:\n{proposal_text}\n\n"
            f"Evaluation criteria:\n{evaluation_criteria}"
        )}],
    )
    # The first content block holds the model's text reply
    return response.content[0].text
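The function above returns whatever text the model produced, so a caller still has to check it before anyone sees a score. The following is an added example, not part of the original guide: it validates that text as structured JSON and wraps it as an advisory record that waits for a contracting officer. The key names, the array-per-criterion shape, the status string and the sample output are assumptions constructed for illustration.

```python
import json

# Assumed output contract: a JSON array with one object per evaluation
# criterion. The key names are hypothetical; the prompt in the guide lists
# the fields but does not fix a schema.
REQUIRED_KEYS = {"criterion", "score", "reasoning",
                 "strengths", "weaknesses", "compliance_issues"}
LIST_KEYS = ("strengths", "weaknesses", "compliance_issues")


class EvaluationRejected(ValueError):
    """Model output failed validation and must not be presented as a score."""


def parse_evaluation(raw_text, expected_criteria):
    """Parse and validate model output; raise EvaluationRejected on any defect."""
    try:
        data = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        raise EvaluationRejected(f"not valid JSON: {exc}") from exc
    if not isinstance(data, list) or not data:
        raise EvaluationRejected("expected a non-empty JSON array")

    for item in data:
        # Exact key match: unexpected fields (for example an award
        # recommendation) are rejected rather than silently passed along.
        if not isinstance(item, dict) or set(item) != REQUIRED_KEYS:
            raise EvaluationRejected("each entry must have exactly the required keys")
        if not isinstance(item["criterion"], str):
            raise EvaluationRejected("criterion must be text")
        score = item["score"]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise EvaluationRejected("score must be a number")
        if not 0 <= score <= 100:
            raise EvaluationRejected(f"score {score} is outside 0-100")
        if not isinstance(item["reasoning"], str) or not item["reasoning"].strip():
            raise EvaluationRejected("reasoning must be non-empty text")
        for key in LIST_KEYS:
            value = item[key]
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                raise EvaluationRejected(f"{key} must be a list of strings")

    # Every requested criterion must be scored exactly once, and nothing else.
    scored = sorted(item["criterion"] for item in data)
    if scored != sorted(expected_criteria):
        raise EvaluationRejected("scored criteria do not match requested criteria")
    return data


def to_review_record(evaluation, proposal_id):
    """Wrap validated output as an advisory record awaiting a human decision."""
    scores = [item["score"] for item in evaluation]
    return {
        "proposal_id": proposal_id,
        "status": "PENDING_CONTRACTING_OFFICER_REVIEW",
        "advisory_mean_score": round(sum(scores) / len(scores), 1),
        "compliance_issues": [issue for item in evaluation
                              for issue in item["compliance_issues"]],
        "decided_by": None,  # set only when a contracting officer records a decision
    }


# Constructed sample of what a well-formed model reply could look like.
SAMPLE_OUTPUT = json.dumps([
    {"criterion": "Technical approach", "score": 82,
     "reasoning": "Architecture meets the stated requirements.",
     "strengths": ["Clear migration plan"], "weaknesses": ["Thin test strategy"],
     "compliance_issues": []},
    {"criterion": "Past performance", "score": 70,
     "reasoning": "Two comparable contracts cited.",
     "strengths": ["Relevant agency experience"], "weaknesses": [],
     "compliance_issues": ["Missing small-business subcontracting plan"]},
])
CRITERIA = ["Technical approach", "Past performance"]

if __name__ == "__main__":
    validated = parse_evaluation(SAMPLE_OUTPUT, CRITERIA)
    print(to_review_record(validated, "PROP-0001"))  # constructed proposal id
```

A rejected evaluation should be logged and re-run or handed to a human evaluator, never replaced with a default score.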

Common procurement pitfalls

Several patterns repeatedly cause procurement problems in federal AI:

  • FedRAMP confusion. Agencies sometimes attempt to use AI services that aren’t FedRAMP-authorized for their data classification, only discovering the issue late in the process. Confirm FedRAMP status early.
  • Data residency. Some AI services are FedRAMP-authorized but route data through non-US infrastructure. Verify data flow paths for sensitive workloads.
  • Ongoing compliance. AI procurement isn’t done at contract award. Ongoing monitoring, periodic re-evaluation, and updated documentation are required throughout the deployment lifetime.
  • Vendor lock-in. AI procurement contracts often create de-facto vendor lock-in through proprietary integrations, custom prompts, and trained workflows. Build in transition planning from the start.
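The first two pitfalls can be caught in code before any request leaves the agency. The following is an added example, not part of the original guide: a pre-flight check that compares a workload's data classification with a service's authorization and data path, and fails closed on anything it does not recognize. The policy table, classification labels, service entries and approved-region list are assumptions constructed for illustration; an agency would load them from its own authorization records.

```python
from dataclasses import dataclass
from enum import IntEnum


class Baseline(IntEnum):
    """FedRAMP impact baselines, ordered so they can be compared."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class AIService:
    name: str
    baseline: Baseline
    dod_impact_level: int      # 0 when the service has no DoD IL accreditation
    data_path_regions: tuple   # every region a request may transit


# Assumed agency policy built from the requirements described in this chapter:
# (minimum FedRAMP baseline, minimum DoD impact level or 0 if none required).
POLICY = {
    "cui": (Baseline.MODERATE, 0),
    "defense": (Baseline.HIGH, 5),   # assumes the agency makes IL5 mandatory
}
OUT_OF_SCOPE = {"classified"}        # dedicated infrastructure only
APPROVED_REGIONS = {"us-gov-west-1", "us-gov-east-1"}  # assumed allow-list


def check_route(data_class, service):
    """Return a list of violations; an empty list means the route is allowed."""
    if data_class in OUT_OF_SCOPE:
        return [f"{data_class} data may not be sent to any FedRAMP cloud service"]
    if data_class not in POLICY:
        # Unknown or mistyped labels are refused rather than treated as public.
        return [f"unknown data classification {data_class!r}: failing closed"]

    min_baseline, min_il = POLICY[data_class]
    violations = []
    if service.baseline < min_baseline:
        violations.append(
            f"{service.name} is FedRAMP {service.baseline.name}, "
            f"{data_class} requires at least {min_baseline.name}")
    if service.dod_impact_level < min_il:
        violations.append(
            f"{service.name} is DoD IL{service.dod_impact_level}, "
            f"{data_class} requires IL{min_il}")
    # Authorization level alone is not enough: check where the data travels.
    outside = sorted(set(service.data_path_regions) - APPROVED_REGIONS)
    if outside:
        violations.append(
            f"{service.name} routes data through non-approved regions: {outside}")
    return violations


# Constructed service entries for the demonstration.
GOV_HIGH = AIService("svc-gov-high", Baseline.HIGH, 5, ("us-gov-west-1",))
GOV_MODERATE = AIService("svc-gov-moderate", Baseline.MODERATE, 0, ("us-gov-east-1",))
HIGH_OFFSHORE_HOP = AIService("svc-high-offshore-hop", Baseline.HIGH, 5,
                              ("us-gov-west-1", "eu-west-1"))

if __name__ == "__main__":
    for label, svc in [("cui", GOV_MODERATE), ("defense", GOV_MODERATE),
                       ("cui", HIGH_OFFSHORE_HOP), ("classified", GOV_HIGH)]:
        print(label, svc.name, check_route(label, svc) or "allowed")
```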

Chapter 5: State AI Laws — California, Colorado, NYC

State and local AI laws have proliferated through 2024-2026 and create a compliance patchwork that any organization deploying AI must navigate. This chapter walks through the major state laws and the practical implications.

California

California has been the most active state on AI legislation. SB 942 (the California AI Transparency Act) requires AI-generated content disclosure in specific contexts. The bill requires AI providers to offer an AI detection tool and to include manifest disclosure in AI-generated content. SB 1047 — the controversial “AI safety” bill — was vetoed in 2024 but variants of its concepts continue to be debated. The 2025-2026 California AI legislative agenda includes several bills addressing automated decision-making, employment AI, and AI in healthcare.

For organizations deploying AI in California — which often means any organization with California customers — the practical implications include: maintaining AI disclosure capabilities for content distribution, supporting consumer requests for AI-related information, complying with sector-specific California regulations (healthcare under SB 1408 if relevant, employment under various bills, etc.), and tracking ongoing legislative changes.

Colorado

The Colorado AI Act (CAIA), passed in 2024 and effective February 2026, is the most comprehensive state AI legislation passed to date. The Act applies to “developers” and “deployers” of high-risk AI systems and requires impact assessments, consumer notifications when AI is used in consequential decisions, opportunity for consumers to appeal AI decisions, and risk management programs for both developers and deployers.

The compliance requirements are substantial. Organizations subject to CAIA must conduct documented impact assessments before deploying high-risk AI systems, provide consumer notices in specific contexts, establish risk management programs aligned with NIST AI RMF, and document compliance for potential enforcement review. The Colorado Attorney General has primary enforcement authority.

New York City Local Law 144

NYC Local Law 144, effective July 2023, regulates “automated employment decision tools” — AI used in hiring, promotion, or other employment decisions. The law requires bias audits of AEDTs, public posting of audit results, and candidate notices when AEDTs are used. The law’s scope is narrower than CAIA (limited to employment decisions) but the compliance bar is high (annual bias audits by independent auditors).

Other states

Texas, Illinois, Washington, Connecticut, Utah, and a growing list of states have passed or are considering AI-related legislation through 2025-2026. The patterns vary — some focus on government use of AI, some on private sector, some on specific sectors. The patchwork creates compliance complexity for any organization operating across multiple states.

The federal preemption question

An open question through 2026 is whether federal AI legislation will preempt state laws. The current 2026 reality: no comprehensive federal preemption exists, and state laws operate alongside federal frameworks. Some state laws (like CAIA) explicitly preserve their authority alongside any future federal framework. The patchwork is likely to persist for years even if federal legislation eventually passes.

Practical compliance approach

For organizations navigating the state-law patchwork, the practical approach:

  1. Document where you operate (which states’ residents, which states’ employees, which states’ regulators).
  2. Identify which state laws apply to which AI deployments.
  3. Build compliance programs that meet the highest applicable bar across all jurisdictions, then add jurisdiction-specific layers as needed.
  4. Maintain centralized documentation that satisfies disclosure and audit requirements across multiple jurisdictions.
  5. Track legislative changes; the landscape is evolving quickly.

Chapter 6: Defense and Intelligence Community AI

The Department of Defense and the Intelligence Community operate the largest and most sophisticated government AI programs. Their deployments combine the unique requirements of national security with the broader trends in commercial AI. This chapter walks through the major DoD and IC AI programs in 2026.

The DoD AI organizational landscape

The Chief Digital and AI Office (CDAO), established in 2022, serves as the DoD’s central AI organization. CDAO succeeded the earlier Joint Artificial Intelligence Center (JAIC) and operates with substantially broader authority. The CDAO’s responsibilities include accelerating AI adoption across DoD components, managing the JADC2 (Joint All-Domain Command and Control) initiative’s AI components, and serving as the focal point for DoD AI strategy.

Below the CDAO, each service branch has its own AI organization. The Army’s AI Task Force, the Navy’s Department of Defense Information Network office’s AI initiatives, the Air Force’s AI Cross-Functional Team, and the Marine Corps’s AI working group all operate within service-specific contexts.

Major DoD AI programs

Several programs have produced visible AI deployments:

  • Project Maven (now extended). The Algorithmic Warfare Cross-Functional Team’s work on intelligence analysis, originally controversial when Google participated, has continued under different prime contractors. The capability — AI analysis of imagery and signals intelligence — is now operationally significant.
  • JADC2 AI components. Joint All-Domain Command and Control aims to connect sensors, decision-makers, and shooters across services through AI-augmented data fusion. The 2026 JADC2 architecture is still maturing but is already being deployed.
  • Replicator initiative. Announced in 2023, Replicator aims to field thousands of AI-enabled autonomous platforms within 18-24 months. The 2026 Replicator deployments include autonomous drones, autonomous maritime systems, and autonomous ground vehicles.
  • WarMatrix. The Air Force’s AI-powered wargaming environment, which combines physics-based modeling with AI-assisted adjudication. Its inaugural operational use in 2026 was successful and involved 150+ participants.

The Pentagon-Anthropic friction

The Pentagon’s exclusion of Anthropic from major AI deals (covered separately in the 2026 trade press) reflected the friction between commercial AI labs’ safety commitments and DoD’s specific requirements. The 2026 resolution: Anthropic continues to serve some federal customers but with limited DoD scope; DoD’s primary frontier model partners are OpenAI (through Microsoft Azure Government) and Google (through Google Cloud’s Defense offerings).

The IC AI landscape

The Intelligence Community has its own substantial AI program. The Office of the Director of National Intelligence (ODNI) coordinates IC-wide AI strategy. The CIA’s specific AI work, NSA’s signal-intelligence AI, NGA’s geospatial AI, and DIA’s military intelligence AI all operate within the IC framework. The IC AI ecosystem typically operates through dedicated infrastructure (the IC ITE shared services) rather than the broader federal procurement infrastructure.

The defense industrial base

The defense industrial base — Lockheed Martin, Raytheon, Northrop Grumman, Boeing Defense, BAE Systems, plus the major government contractors (Booz Allen Hamilton, Leidos, SAIC, CACI, ManTech) — has been integrating AI across its offerings. The 2026 DoD AI procurement landscape combines work directly from the major commercial AI labs with substantial contracting through the defense industrial base for AI integration, customization, and operational deployment.

Chapter 7: Public-Facing Citizen Service AI

The largest category of government AI deployment by visible impact is public-facing citizen services. Federal, state, and local governments have deployed AI for benefit determinations, permit processing, citizen inquiries, document processing, and many other citizen-touching services. This chapter walks through the patterns.

Federal citizen-facing AI deployments

Several federal agencies have substantial citizen-facing AI programs:

  • Veterans Affairs. AI-augmented claims processing for the substantial backlog of disability and benefits claims. The deployment has measurably reduced processing times.
  • Social Security Administration. AI for document processing, benefit calculation review, and program integrity. SSA has been particularly cautious about AI in actual benefit determinations, keeping humans firmly in the loop.
  • IRS. AI for audit selection, fraud detection, and taxpayer service. The IRS’s chatbot for routine taxpayer questions handles tens of millions of interactions annually.
  • State Department. AI for passport processing, visa screening, and consular services. The visa AI has been notably contentious, with civil rights concerns about bias in screening decisions.
  • USCIS. AI for immigration form processing, with significant attention to bias review and human oversight.

State and local citizen-facing AI

State and local deployments have proliferated. New York City’s Mayor’s Office of Operations runs multiple AI initiatives, including a chatbot for citizen inquiries (controversial after early failures generating misleading legal advice). California’s various agencies use AI for unemployment benefit processing. Texas and Florida deploy AI for various permitting and licensing workflows. Smaller cities and counties have followed with more limited deployments.

The bias and fairness imperative

Public-facing government AI faces the most intense scrutiny on bias and fairness considerations. AI deployments that produce statistically disparate outcomes for protected classes face civil rights lawsuits, congressional inquiries, and media attention. The 2026 standard practice: every public-facing government AI deployment includes documented bias testing, ongoing fairness monitoring, and clear paths for affected individuals to appeal AI-influenced decisions.

Sample bias monitoring approach

from typing import Dict, List
import pandas as pd
from scipy import stats

def disparate_impact_analysis(decisions_df: pd.DataFrame,
                              protected_attribute: str,
                              outcome_attribute: str) -> Dict:
    """Analyze whether AI decisions show disparate impact across protected classes.

    Compliant with the four-fifths rule and similar disparate-impact tests.
    """
    groups = decisions_df.groupby(protected_attribute)[outcome_attribute]

    # Selection rates per group
    selection_rates = groups.mean()

    # Compare to highest selection rate
    max_rate = selection_rates.max()
    ratios = selection_rates / max_rate

    # Four-fifths rule: ratio < 0.8 indicates potential adverse impact
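    adverse_impact_groups = ratios[ratios < 0.8]

    # Statistical significance: pairwise chi-square tests between groups
    significant_disparities = []
    group_names = list(selection_rates.index)
    for group_a in group_names:
        for group_b in group_names:
            # Test each unordered pair once and skip self-comparison
            if group_a >= group_b: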
                continue
            ct = pd.crosstab(
                decisions_df[decisions_df[protected_attribute].isin([group_a, group_b])][protected_attribute],
                decisions_df[decisions_df[protected_attribute].isin([group_a, group_b])][outcome_attribute],
            )
            chi2, p, _, _ = stats.chi2_contingency(ct)
            if p < 0.05:
                significant_disparities.append((group_a, group_b, p))

    return {
        "selection_rates": selection_rates.to_dict(),
        "ratios": ratios.to_dict(),
        "adverse_impact_groups": adverse_impact_groups.to_dict(),
        "significant_disparities": significant_disparities,
        "passes_four_fifths_rule": len(adverse_impact_groups) == 0,
    }

The human-in-the-loop requirement

For high-stakes citizen-facing AI deployments, the federal and state norm is human-in-the-loop decision-making. AI surfaces information, flags risks, and recommends decisions; humans make the final consequential decisions. The exception is for routine, low-risk transactions (like routine document categorization) where pure AI automation is acceptable. The line between “high-stakes” and “routine” varies by agency and decision type and is itself a regulated determination.

Chapter 8: Internal Government AI — HR, Procurement, Operations

Beyond citizen-facing AI, federal agencies have substantial internal AI deployments for human resources, procurement, operations, and other administrative functions. This chapter walks through the major categories.

HR and workforce AI

Federal HR has integrated AI for recruiting, candidate screening, performance management support, and training development. The Office of Personnel Management’s various AI initiatives serve as templates that individual agencies adapt. The compliance considerations for federal HR AI are substantial — federal employment is governed by extensive merit system principles, civil rights protections, and union agreements that affect what AI can and cannot do in personnel decisions.

Procurement AI

Federal procurement has integrated AI for requirements analysis, vendor research, proposal evaluation support, and contract management. The General Services Administration’s AI for procurement initiatives include several pilot programs. The major prime contractors have built AI tools for federal procurement work that they use both internally and offer to government customers.

Operations AI

Internal government operations — facilities management, fleet management, supply chain, financial management — have integrated AI in various ways. Predictive maintenance for federal facilities, AI-augmented financial fraud detection, AI-driven supply chain optimization at agencies like DLA (Defense Logistics Agency) — these are the kinds of operational AI deployments that don’t appear in headlines but produce substantial efficiency gains.

The cybersecurity AI dimension

Government cybersecurity has integrated AI extensively. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and individual agency security operations all use AI for threat detection, incident response, vulnerability management, and security operations. The 2026 federal cybersecurity AI ecosystem is one of the most operationally significant areas of government AI deployment.

Chapter 9: AI Vendors Approved for Federal Use

Federal AI deployment relies on a specific ecosystem of vendors that have completed the necessary security authorizations and procurement onboarding. This chapter walks through the major AI vendors operating in federal markets in 2026.

Frontier AI labs (via cloud providers)

The major frontier AI labs reach federal customers primarily through cloud provider partnerships rather than direct federal contracts:

  • OpenAI serves federal customers through Microsoft Azure OpenAI Service (FedRAMP High via Azure Government).
  • Anthropic serves federal customers through AWS Bedrock with Claude (FedRAMP High via AWS GovCloud).
  • Google serves federal customers through Google Cloud Vertex AI with Gemini (FedRAMP authorization expanding through 2026).
  • Meta doesn’t operate a managed federal-cloud offering directly; Llama models are deployed by federal customers through cloud providers or on-premises with appropriate authorizations.

Cloud providers

The hyperscaler cloud providers — AWS, Microsoft Azure, Google Cloud, Oracle, plus IBM Cloud — all have FedRAMP-authorized environments serving federal customers. AWS GovCloud and Azure Government are the most established; Google Cloud’s federal offering has been expanding rapidly through 2024-2026.

AI-specific platform vendors

Several AI-specific platforms have established federal practices:

  • Palantir Foundry serves substantial federal customers across DoD, IC, and civilian agencies.
  • C3.ai has federal customers across multiple agencies.
  • Scale AI serves federal data labeling and model training needs.
  • Anduril, Shield AI, and Saildrone serve defense-specific AI applications.
  • Smaller specialized vendors serve specific niches.

The defense industrial base

The major defense contractors — Lockheed Martin, Raytheon, Northrop Grumman, Boeing Defense — all have substantial AI offerings for federal customers. They typically integrate frontier model AI into broader defense systems rather than offering pure AI products. Booz Allen Hamilton, Leidos, SAIC, CACI, ManTech, and similar IT-heavy government contractors have built substantial AI consulting and integration practices.

Vendor evaluation framework

For federal agencies evaluating AI vendors, the typical framework includes:

  • FedRAMP authorization level matched to data classification.
  • Track record of federal deployments and references.
  • Compliance documentation covering NIST AI RMF and agency-specific requirements.
  • Pricing model evaluated against expected usage volumes.
  • Integration capabilities with existing agency systems.
  • Security posture including SOC 2, ISO 27001, and CMMC where relevant.
  • Workforce capacity to support deployment and ongoing operations.

Chapter 10: Compliance and Audit Frameworks

Federal AI compliance is documented through several frameworks. This chapter walks through the major frameworks and how they interact in practice.

NIST AI RMF documentation

Every federal AI deployment requires AI RMF documentation across the four functions (Govern, Map, Measure, Manage). The documentation is typically maintained in agency AI governance systems and made available for audit. The level of detail varies with the AI system’s risk classification — high-risk systems require substantially more documentation than low-risk ones.

FedRAMP continuous monitoring

FedRAMP-authorized services maintain ongoing monitoring obligations. Annual security assessments, monthly vulnerability scans, continuous threat monitoring — all are part of maintaining FedRAMP authorization. AI services have additional monitoring around model behavior, drift, and quality.

Agency-specific audits

Beyond cross-cutting frameworks, agencies have their own audit programs. The Office of Inspector General at each major agency conducts periodic AI-specific audits. The Government Accountability Office (GAO) has issued multiple reports on federal AI use. The Office of Management and Budget conducts oversight through annual reporting requirements.

Civil rights compliance

Federal AI deployment is subject to civil rights laws including Title VI of the Civil Rights Act, Section 504 of the Rehabilitation Act, and various other anti-discrimination provisions. The Department of Justice’s Civil Rights Division and the Equal Employment Opportunity Commission both have authority over AI-related civil rights issues. Compliance requires bias testing, ongoing monitoring, and remediation when disparities are identified.

Chapter 11: Workforce and Training Considerations

The federal AI workforce is one of the major bottlenecks for accelerating AI deployment. This chapter walks through the workforce challenges and the programs addressing them.

The federal AI workforce shortage

Federal compensation for AI roles is structurally lower than private sector compensation. A senior AI engineer at a federal agency might earn $180-220K including all benefits; the same engineer at OpenAI or Anthropic could earn $400-700K plus equity. The compensation gap creates persistent recruiting and retention challenges.

The federal workforce mitigations include the U.S. Digital Service, which recruits technologists for tour-of-duty assignments at competitive (if still below-market) compensation, the Tech Talent Initiative, and various agency-specific programs. The 2026 federal AI workforce remains substantially smaller than the federal AI deployment volume would suggest is needed.

Training programs

The Office of Personnel Management runs federal AI training programs that help existing federal employees develop AI skills. The General Services Administration’s training initiatives extend the work. Individual agencies — particularly DoD and the major civilian agencies — have agency-specific AI training programs.

Contractor workforce

Much of the federal AI workforce is contractor-employed rather than civil servant. The major federal IT contractors (Booz Allen, Leidos, SAIC, CACI, ManTech) employ tens of thousands of contractors working on federal AI projects. The contractor workforce faces fewer compensation constraints than civil servants but produces different operational dynamics around continuity and institutional knowledge.

The AI literacy challenge

Beyond the specialist AI workforce, the broader federal workforce needs AI literacy to work effectively with AI tools. Most federal employees aren’t AI specialists but increasingly use AI tools in their daily work. The AI literacy gap is substantial — many federal workers either don’t use available AI tools at all (missing productivity gains) or use them without sufficient understanding (creating compliance and quality risks).

Chapter 12: Case Studies — Successful Federal and State Deployments

Real-world deployments illustrate what works and what doesn’t. This chapter walks through several notable case studies.

Veterans Affairs claims processing

The VA’s AI-augmented claims processing represents one of the most operationally successful federal AI deployments. The system reads incoming claims documents, extracts relevant information, identifies the most material claims-processing requirements, and surfaces decisions for human VA personnel to make. Average claims processing time has dropped significantly; the backlog has been reduced; and the human-in-the-loop architecture has prevented the kinds of errors that pure-automation approaches would have produced.

IRS taxpayer service

The IRS’s taxpayer service chatbot handles tens of millions of routine tax questions annually. The chatbot’s careful scoping (it answers routine questions and escalates complex cases) and integration with existing IRS systems produce a useful citizen service experience. The IRS has been measured about expanding the chatbot’s scope to higher-stakes determinations.

Department of State visa processing

The State Department’s AI for visa processing has been more controversial. AI assistance for visa officers has improved processing efficiency but has faced civil rights concerns about potential bias. The deployment has continued with substantial bias monitoring and human-in-the-loop architecture, and has been used as a case study in both directions — efficiency gains and the need for ongoing fairness work.

Pentagon-Anthropic friction case

The Pentagon’s exclusion of Anthropic from major AI deals (covered earlier) illustrates how commercial AI lab safety commitments can conflict with federal requirements. The 2026 resolution of the friction shows how federal AI procurement adapts to commercial realities while maintaining government’s specific requirements.

NYC chatbot misinformation case

New York City’s MyCity chatbot, deployed in 2024, produced misleading legal advice in early operation — including incorrectly telling small business owners they could fire workers who reported sexual harassment. The case illustrated the risks of deploying AI in public-facing roles without sufficient quality control. Subsequent versions of the system have been more conservative, better-monitored, and more clearly scoped.

Chapter 13: Common Pitfalls and How to Recover

Government AI deployments fail in predictable ways. This chapter walks through the major pitfalls and recovery patterns.

Pitfall 1: Procurement timeline misjudgment

Symptom: agency expects to deploy AI in months but takes 12-24 months due to FedRAMP, security review, and acquisition cycles.

Recovery: build realistic timelines including FedRAMP and security review at the start. Pre-position vendor relationships through pilot programs. Use existing FedRAMP-authorized services where possible.

Pitfall 2: Inadequate civil rights review

Symptom: deployment produces measurable disparate impact across protected classes; civil rights complaint or lawsuit follows.

Recovery: pause deployment, conduct comprehensive bias review, retrain or restrict the system as needed, document remediation, restart deployment under more rigorous oversight.

Pitfall 3: Vendor lock-in

Symptom: agency invested heavily in one vendor’s AI platform; vendor changes pricing or capability gaps emerge; agency can’t easily migrate.

Recovery: evaluate alternatives early, even if migrating is unlikely. Maintain documentation that allows migration. Negotiate contract terms that include data portability and transition assistance.

Pitfall 4: Insufficient workforce training

Symptom: AI tools deployed but federal workforce doesn’t use them effectively, productivity gains don’t materialize.

Recovery: invest in workforce training as a core component of deployment, not an afterthought. Identify and equip “AI champions” at each agency component.

Pitfall 5: Compliance documentation gaps

Symptom: audit reveals missing AI RMF documentation, incomplete civil rights reviews, or other compliance gaps.

Recovery: implement documentation standards from the start; assign clear ownership; conduct periodic internal reviews before external audits.

Pitfall 6: Public communication failures

Symptom: media reports negatively on AI deployment; political backlash threatens program continuation.

Recovery: communicate transparently about deployment scope, oversight, and limitations. Engage stakeholders proactively. Build public trust through demonstrated accountability.

Chapter 14: The 2027-2028 Outlook

Federal AI is moving fast. This final chapter looks at what’s coming through 2027-2028.

Federal AI legislation prospects

The 2026 congressional landscape suggests comprehensive federal AI legislation is unlikely in the near term. Targeted legislation on specific issues (national security AI, AI in critical infrastructure, AI safety institute funding) is more likely than comprehensive frameworks. The patchwork of executive action plus state laws will likely persist for several more years.

Procurement evolution

Federal AI procurement will continue to mature. Expect more standardized AI procurement vehicles, more pre-negotiated AI services on GSA Schedule, and faster authorization paths for AI services that meet established baselines. The procurement timeline that currently runs 6-18 months should compress meaningfully by 2028.

Workforce expansion

Federal AI workforce expansion is the biggest uncertainty. Will federal compensation become competitive enough to attract specialist AI talent? Will training programs scale workforce capacity faster than deployment scales need? The answer will substantially shape what federal AI can actually accomplish through 2027-2028.

State law convergence

State AI laws may converge on common patterns through industry pressure for consistency. Multistate compacts, model legislation from organizations like the Uniform Law Commission, and federal preemption pressure may all push states toward more aligned approaches. The 2028 state AI landscape may be substantially more coherent than the 2026 patchwork.

Defense AI scaling

The Replicator initiative and adjacent programs will produce thousands more deployed autonomous systems through 2027-2028. The defense AI ecosystem will continue to grow as a substantial fraction of the broader US AI economy.

Where to go next

For deeper coverage of related topics, the Cybersecurity AI 2026 playbook covers government-relevant cybersecurity in operational depth. The Financial Services AI Playbook 2026 covers regulated-industry parallels. The Multi-Agent Systems 2026 playbook covers the agentic patterns that increasingly drive government AI workflows.

Government AI in 2026 is at the inflection point that commercial AI hit several years earlier — moving from pilot programs to production deployments at scale. The agencies that engage seriously with the regulatory frameworks, procurement processes, and workforce considerations will produce the most operationally significant deployments. The agencies that try to skip the foundational work will produce visible failures that set the entire federal AI program back.