Privacy & Information Security Law Blog

On April 3, 2025, the White House’s Office of Management and Budget (“OMB”) issued two revised policies on federal agencies’ use and procurement of artificial intelligence (“AI”), M-25-21 (“Accelerating Federal Use of AI through Innovation, Governance, and Public Trust”) and M-25-22 (“Driving Efficient Acquisition of Artificial Intelligence in Government”). These memos are designed to support the implementation of Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”), which was signed on January 23, 2025, and largely focuses on removing existing policies on AI technologies to facilitate rapid, responsible adoption across the federal government and improve public services.

The revised memos essentially replace the OMB memos published during the Biden Administration, including M-24-10 (“Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence”), which was issued on March 28, 2024. Key differences in the revised memos include:

• a “forward-leaning and pro-innovation” approach to AI that encourages accelerated adoption and acquisition of AI by reducing bureaucratic burdens and maximizing U.S. competitiveness;
• empowerment of agency leadership to implement AI governance efforts, risk management and interagency coordination;
• transparency measures for the public that demonstrate AI risk mitigation, use, value and efficiency;
• allowance of waivers for “high-impact” AI use cases and transparency requirements when justified; and
• a strong preference for American-made AI tools and services, as well as for developing and retaining American AI talent.

OMB Memorandum M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust

OMB Memo M-25-21 outlines a new framework for the acceleration of federal agencies’ adoption and use of innovative AI technologies by focusing on three key priorities: innovation, governance and public trust. The memo seeks to lessen potential bureaucratic burdens and restrictions that the Administration contends have hindered timely uptake of AI across federal agencies, with the goal of ensuring that the American public receives the maximum benefit from AI adoption.

Scope

• The memo applies to “new and existing AI that is developed, used, or acquired by or on behalf of covered agencies” and to “system functionality that implements or is reliant on AI, rather than to the entirety of an information system that incorporates AI.” The memo does not cover AI being used as a component of a National Security System.

Key Provisions

• Removing bureaucratic barriers: Agencies are called to streamline AI adoption by reducing unnecessary requirements, increasing transparency, and maximizing existing resources and investments. CFO Act agencies must, within 180 days, publish agency-wide strategies for removing barriers to AI use.
• Mandating Chief AI Officers: Agencies must, within 60 days, designate Chief AI Officers (“CAIOs”) to lead AI governance implementation, risk management and strategic AI adoption efforts. The CAIO will serve as the senior advisor on AI to the head of the agency and support interagency coordination on AI (e.g., AI-related councils, standard-setting bodies, international bodies). To further support agencies’ efforts, OMB will convene an interagency council to coordinate federal AI development and use.
• Establishing agency AI Governance Boards: Within 90 days, CFO Act agencies must convene their own governance boards to coordinate cross-functional oversight and include representation from key stakeholders across federal agencies, including IT, cybersecurity, data, and budget.
• Enabling workforce readiness: The memo encourages agencies to leverage AI training programs and resources to upskill federal agencies on AI technology. Agencies also are encouraged to set clear expectations for their workforce on appropriate AI use and designated channels for delegating accountability for AI risk.
• Implementing oversight over high-impact AI: Agencies must implement risk management practices for “high-impact” AI use cases. AI is considered “high-impact” if “its output serves as a principal basis for decisions or actions that have a legal, material, binding, or significant effect on rights or safety.” For these high-impact use cases, agencies must:
  • conduct pre-deployment testing to identify both potential risks and benefits of the AI use case;
  • complete AI Impact Assessments before and throughout deployment that evaluate the intended purpose and expected benefit, performance of the model, and ongoing impacts of its use;
  • ensure adequate human oversight by providing AI training and implementing appropriate safeguards for human intervention;
  • offer remedies or appeals for individuals affected by AI-enabled decisions; and
  • cease or pause use of high-impact AI that does not comply with the minimum requirements set forth in the memo.
• Mandating transparency measures to the public: Agencies must at least annually inventory and publicly publish their AI use cases. Agencies also must publicly report risk determinations and waivers from minimum practices for high-impact AI alongside a justification.

OMB Memorandum M-25-22: Driving Efficient Acquisition of Artificial Intelligence in Government

OMB Memo M-25-22 complements Memo M-25-21 by instructing federal agencies how to acquire AI responsibly. The memo focuses on three overarching themes: fostering a competitive American marketplace for AI to ensure high-quality, cost-effective solutions for the public; safeguarding taxpayer dollars by tracking AI performance and managing risks; and promoting effective AI acquisition through cross-functional engagement.

Scope

• The memo applies to “AI systems or services that are acquired by or on behalf of covered agencies,” and exempts AI acquired for use as a component of a National Security System, among other exemptions.

Key Provisions

• Investing in the American AI marketplace: The memo encourages agencies to maximize investments by purchasing U.S.-developed AI solutions where possible. Agencies also are encouraged to develop and retain AI talent with relevant technical expertise who can contribute to ongoing efforts to scale and govern AI.
• Protecting American privacy and IP rights: Agencies must ensure that any acquired AI system complies with existing privacy and IP legal requirements. Agencies also must have appropriate processes in place that cover the use of government data. For example, procurement contracts should include terms that prevent vendors from processing such data for the purpose of training, fine-tuning or developing an AI system without explicit consent from the agency.
• Ensuring competitive, cost-effective procurement: Procurement contracts should protect against vendor lock-in through requirements, including vendor knowledge transfers, data and model portability, and transparency. Agencies also may incentivize competition by leveraging performance-based contracting to ensure satisfactory model performance.
• Assessing AI risks across the lifecycle: Agencies must ensure that contracts include the ability to regularly monitor and evaluate the performance, risks, and effectiveness of an AI system or service. Agencies also are encouraged to require vendors to perform regular assessments and mitigate new risks or correct changes to AI model performance. Contracts also must comply with the minimum risk management practices for high-impact AI use cases (outlined in OBM Memo M-25-21).
• Contributing to a shared repository of best practices: Within 200 days, GSA, in coordination with OMB, will develop an online repository of tools and resources to enable responsible AI procurement. Agencies should contribute to this repository where possible to foster knowledge-sharing and interagency cooperation.
• Requiring unanticipated disclosures of vendor AI use: Agencies should consider including solicitation provisions in their contracts that require disclosure of unanticipated vendor use of AI.