Standing Up AI Governance That Survives an OMB Review
What a defensible federal AI governance framework actually requires — and the three places most agency programs fall apart under scrutiny.
Every federal agency now has an AI policy. Far fewer have AI governance — the difference being that a policy is a document, and governance is what holds up when an inspector general, an OMB desk officer, or a skeptical congressional staffer starts asking how a model actually got into production.
With the federal AI guidance that has followed the executive orders of the last two years, the bar has moved from “do you have a responsible-AI statement” to “show us the controls, the inventory, and the human accountable for this system.” That is a much harder question, and it is where most programs we see are exposed.
The three places programs fall apart
Across federal AI work, the failure points are remarkably consistent. They are rarely about the algorithms.
1. No defensible inventory
Agencies are required to know what AI they are using, including systems embedded in tools they bought rather than built. The programs that struggle are the ones that treated the AI use-case inventory as a one-time spreadsheet exercise. An inventory that is not refreshed, not owned, and not tied to the budget cycle is not an inventory — it is a snapshot that was wrong the day after it was filed.
2. Governance that lives in the wrong office
When responsible-AI sits entirely inside the CIO shop, it tends to become a compliance checkbox that program offices route around. When it sits entirely in a policy office, it produces principles no engineer can implement. Durable governance is a shared function with a named accountable official, a cross-functional review body, and a path that a program manager can actually navigate without a six-month detour.
3. No evidence trail
The question that ends careers is not “is your model fair?” It is “show me how you determined that, and who signed off.” Programs that cannot produce the risk assessment, the testing record, and the approval chain are the ones that get paused.
What a framework that survives review actually contains
The agencies that pass scrutiny without a fire drill tend to have built the same handful of things, in roughly this order:
- A living inventory tied to procurement and budget, so new AI cannot enter the environment without being recorded.
- A risk-tiering model that distinguishes a low-stakes productivity tool from a system that affects rights, safety, or benefits — and applies proportionate controls to each.
- A single accountable official with the authority to stop a deployment, not just advise on one.
- An evidence pipeline — documented testing, monitoring, and approval — that produces the audit trail before anyone asks for it.
- A human-in-the-loop standard that is specific about which decisions require human review and what that review consists of.
Start where the scrutiny will land first
The instinct is to write the perfect framework before touching a single system. That is backwards. The faster path is to identify the two or three highest-risk, highest-visibility AI uses already in the environment, get those fully governed and documented, and let that work define the framework. It produces evidence immediately, it focuses effort where the exposure is real, and it gives leadership a defensible answer on day one rather than a project plan.
AI governance is not a brake on modernization. Done well, it is the thing that lets an agency say yes to AI with confidence — because it can show its work.