Build AI governance that satisfies the directives, and still ships outcomes.

M-24-10 directs federal agencies to designate a Chief AI Officer, publish and maintain an AI use case inventory, and apply minimum risk management practices to any AI that is rights-impacting or safety-impacting. Those practices include completing AI impact assessments, testing for performance in real-world contexts, independently evaluating the AI, conducting ongoing monitoring, and providing human oversight with the ability to opt out where feasible. If an agency cannot meet the minimum practices by the deadline, it must either stop using the AI or document a compelling justification. The memo also requires agencies to promote responsible AI innovation and remove unnecessary barriers to adoption.

The NIST AI Risk Management Framework is a voluntary, technical framework organized around four functions (Govern, Map, Measure, Manage) that gives engineering and risk teams a concrete way to identify and manage AI risk across the lifecycle. The Blueprint for an AI Bill of Rights is a White House policy document built around five principles: safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and human alternatives with fallback. In practice, the AI RMF is how you operationalize the principles the Blueprint articulates. Agencies typically use the Blueprint to frame policy intent and the AI RMF to build the controls that satisfy it.

The Chief AI Officer is accountable to the agency head and coordinates with OMB, the agency CIO, the Chief Data Officer, the Chief Privacy Officer, and the Senior Agency Official for Privacy. The CAIO owns the agency AI strategy, maintains the AI use case inventory, oversees compliance with OMB guidance and the NIST AI RMF, and signs off on whether rights-impacting and safety-impacting AI meet minimum practices. The role is coordinating and accountable, not purely technical. Most agencies pair the CAIO with a governance board that includes legal, privacy, civil rights, and mission program leads.

OMB defines safety-impacting AI as AI whose output serves as a principal basis for a decision or action that could significantly affect human life, physical safety, critical infrastructure, or the environment. Rights-impacting AI is AI whose output is a principal basis for a decision that meaningfully affects civil rights, civil liberties, privacy, equal opportunity, or access to critical government resources and services (benefits, housing, education, employment, credit, healthcare). Examples include AI in law enforcement screening, benefits eligibility determination, fraud detection that can deny services, and medical triage. If an AI touches either category, the OMB minimum practices apply.

Best practice, and what OMB guidance is steadily moving toward, is to complete the AI impact assessment before procurement, not after. Waiting until after contract award means the agency has already committed funds to a system whose risk posture, data flows, and accountability model are still unknown. Pre-procurement assessments let the agency write the right requirements into the solicitation, including testing, monitoring, transparency, and off-ramp clauses. We help agencies build a reusable impact assessment template tied to acquisition checkpoints so the governance work is done once and reused across programs.

FedRAMP and FISMA give you the security baseline for the system that hosts the AI: boundary, access control, audit logging, continuous monitoring, and incident response. AI governance under the NIST AI RMF and OMB guidance sits on top of that baseline and addresses questions FedRAMP does not: is the model fit for purpose, is it tested for bias, is there human oversight, is there a public use case inventory entry, and is there an opt-out. We help agencies map AI RMF controls to existing FedRAMP and FISMA control inheritance so the same evidence serves both programs and the agency is not running two parallel compliance shops.

Two differences. First, every engagement is led by senior engineers and architects with 25+ years of enterprise IT and direct federal compliance experience, so the governance artifacts we produce are grounded in how systems actually get built, not just how policies read. Second, we have shipped Human-AI products in production ourselves, so we know where governance controls break under real operational load and can design them to hold. If you need a 300-page framework document, we are not your firm. If you need governance that survives contact with a working AI system and an authorizing official, we are.