Full Report
The deadline for federal agencies to implement risk management practices for high-impact AI use cases — or terminate them — has come and gone, but a handful of departments are still working to complete their requirements. FedScoop reached out to 28 federal agencies to inquire about the steps they have taken to ensure compliance within…
Analysis Summary
# Regulation/Compliance: OMB Memorandum M-25-21 (AI Risk Management)
## Overview
This compliance requirement stems from the Office of Management and Budget (OMB) guidance directing federal agencies to manage risks associated with "high-impact" Artificial Intelligence (AI) use cases. It mandates that agencies either implement specific minimum risk management practices for these AI systems or terminate their use to ensure public trust, safety, and rights-based protections.
## Key Details
- **Issuing Authority:** Office of Management and Budget (OMB)
- **Effective Date:** April 3, 2026
- **Jurisdiction:** United States Federal Government Agencies
- **Status:** In Effect (Deadline has passed)
## Requirements
### Mandatory Requirements
Agencies utilizing high-impact AI must implement the following "minimum risk management practices":
1. **Pre-deployment Testing:** Rigorous evaluation of the AI system before it is operational.
2. **Impact Assessments:** Formal assessments of the AI’s effect on individuals and society.
3. **Adverse Impact Monitoring:** Ongoing surveillance for unintended or harmful consequences.
4. **Human Training:** Ensuring operators are adequately trained to manage the AI system.
5. **Fail-safes:** Implementation of technical safeguards to minimize harm in case of failure.
6. **Appeal Processes:** Establishing a consistent method for individuals to contest AI-driven decisions.
7. **Feedback Mechanisms:** Providing end-users with options to submit feedback on AI performance or outcomes.
### Recommended Practices
1. **Inventory Reclassification:** Reviewing AI use cases to determine if they qualify as "high-impact" or require lower levels of oversight.
2. **Cross-Departmental Collaboration:** Coordination between Chief AI Officers and IT security teams to streamline documentation.
## Affected Organizations
- **Industries:** Federal Government (All Executive Departments and Agencies).
- **Organization Size:** All federal agencies regardless of size (28 major agencies specifically monitored).
- **Geographic Scope:** United States (Federal operations).
## Compliance Timeline
- **Late 2024/Early 2025:** Issuance of OMB Memorandum.
- **April 3, 2026:** **Final Deadline** for full implementation of risk management practices for high-impact AI.
- **Post-April 3, 2026:** Mandatory termination of non-compliant high-impact AI use cases.
## Implementation Guidance
### Assessment Phase
- **Inventory Audit:** Identify all AI use cases currently in operation.
- **Impact Classification:** Categorize use cases as "high-impact" based on their potential to affect safety or civil rights.
### Implementation Phase
- **Control Integration:** Apply the required technical and procedural safeguards (testing, fail-safes, monitoring).
- **Policy Development:** Create standard operating procedures for the human-in-the-loop and appeal processes.
### Validation Phase
- **Certification/Reporting:** Verification of compliance by agency leadership.
- **OMB Reporting:** Submitting updated AI inventories and compliance status to the OMB.
## Technical Requirements
- **Automated Monitoring:** Systems for detecting drift or adverse impacts.
- **Testing Environments:** Sandboxed environments for pre-deployment validation.
- **UI/UX Integrity:** Specific interfaces to allow for end-user feedback and transparency.
## Penalties & Enforcement
- **Fines:** Not applicable (Inter-agency administrative compliance).
- **Other Consequences:** **Termination of Use Case.** Agencies are legally/administratively required to shut down any high-impact AI system that does not meet the risk management requirements.
- **Enforcement:** Oversight by the OMB and potential inquiry by the Government Accountability Office (GAO).
## Related Standards
- **NIST AI Risk Management Framework (AI RMF):** Provides the foundational technical standards for assessing AI risk.
- **Executive Order 14110:** The overarching executive action on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
## Resources
- **Official Documentation:** hxxps://www[.]whitehouse[.]gov/wp-content/uploads/2025/02/M-25-21-Accelerating-Federal-Use-of-AI-through-Innovation-Governance-and-Public-Trust[.]pdf
- **Guidance Documents:** FedScoop AI Inventory Tracking and Federal AI Use Case Inventory.
## Practical Recommendations
- **Audit Immediately:** For agencies currently non-compliant, immediately identify high-impact systems vs. standard systems to prioritize remediation.
- **Human-Centric Design:** Focus on the "Appeals" and "Feedback" requirements, as these often require more administrative infrastructure than technical coding.
- **Document Everything:** Maintain a clear paper trail of impact assessments to defend the classification of AI use cases.