Federal AI Compliance Lag

A federal deadline quietly passed on April 3, and several agencies were still scrambling after it. The rule said any agency using “high-impact” artificial intelligence had to put minimum safeguards in place by that date or shut the system down. (whitehouse.gov) Those safeguards were not abstract. The Office of Management and Budget required pre-deployment testing, impact assessments, ongoing monitoring for harm, trained human oversight, fail-safes, appeal processes, and a way for users to submit feedback. (whitehouse.gov) FedScoop contacted 28 agencies after the deadline and found a mixed picture. Some agencies said they were compliant, some reclassified systems, and a few still had unfinished requirements. (fedscoop.com) The Department of Labor said it had no active non-compliant high-risk artificial intelligence uses and had paused or discontinued any system that failed federal standards. NASA posted an updated inventory too, but its filing still said monitoring protocols were in progress and an independent review had not been completed for its one high-impact use case. (fedscoop.com) This is the part where artificial intelligence policy stops being a memo and turns into paperwork, testing logs, and kill switches. A tool that helps write summaries is one thing, but a tool that affects benefits, safety, rights, or personal data now needs the kind of documentation a federal auditor can actually inspect. (whitehouse.gov) The backdrop changed in April 2025, when the White House replaced the earlier artificial intelligence guidance with two new memoranda, called M-25-21 and M-25-22. One covers agency use of artificial intelligence, and the other covers how agencies buy it, which means the compliance burden now reaches into procurement as well as operations. (whitehouse.gov) The procurement memo is aimed at speed, competition, and avoiding lock-in, but it also makes agencies think about data portability and interoperability before they sign contracts. In plain English, the government does not want to buy a system it cannot audit, cannot move, and cannot safely turn off. (whitehouse.gov) That is why missed deadlines inside agencies spill outward to vendors. If an agency has to prove testing, oversight, appeal rights, and shutdown procedures for a high-impact system, the contractor selling that system will increasingly be asked to hand over evidence instead of slide decks. (whitehouse.gov) At the same time, the Department of Justice is asking Congress for $149 million for its Justice Information Sharing Technology fund in fiscal year 2027, including $110.3 million specifically for zero-trust cybersecurity. The department says that money would support its shift to tighter identity checks, network controls, and endpoint defenses across unclassified and national security systems. (fedscoop.com) Justice says it has more than 275,000 endpoints and about 160,000 users, and it warns that flat funding leaves sensitive law-enforcement and national-security systems more exposed. If Congress does not provide the full request, the department says it may have to halt work on a central identity platform, a cloud network broker, and endpoint and mobile threat detection tools. (fedscoop.com) Put those two stories together and the federal market starts to look different. Agencies are being pushed to show that artificial intelligence systems can be tested, explained, monitored, and terminated, while cybersecurity teams are being pushed to prove every user, device, and connection belongs there. (fedscoop.com 1) (fedscoop.com 2) For companies selling into Washington, the old pitch was “our model works.” The new pitch is closer to “here is the audit trail, here is the fallback plan, here is how the data moves, and here is how you shut it off on a bad day.” (whitehouse.gov)