PRIA Logo
Back to search
TechnologyOMB Policy Memoranda

OMB Memo M-24-10 — Responsible AI Acquisition by Federal Agencies

10 min read·Updated May 14, 2026

OMB Memo M-24-10 — Responsible AI Acquisition by Federal Agencies

OMB Memorandum M-24-10 (March 28, 2024) — formally titled "Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence" — was the Biden administration's first comprehensive OMB directive implementing Executive Order 14110 (October 2023). The memo established the institutional scaffolding for federal AI governance: it required agencies to designate Chief AI Officers, build AI use case inventories, apply minimum safeguards for rights-impacting and safety-impacting AI, and embed responsible AI requirements into procurement. Together with the later M-25-21, M-24-10 defined the Biden-era federal AI governance framework.

The memo's acquisition provisions are among its most enduring components. By requiring agencies to incorporate AI governance standards into contracts before purchase — specifying what documentation, transparency, and testing vendors must provide — M-24-10 attempted to shift AI accountability upstream to the point of acquisition rather than after deployment. The Federal Acquisition Regulatory (FAR) Council subsequently proposed rulemaking to codify AI acquisition requirements in the FAR, and M-24-10's framework has shaped how agencies write AI contract requirements even as the political environment around AI governance has shifted. For the broader AI governance context, see OMB Memo M-25-21 and Artificial Intelligence Policy.

  • 15 U.S.C. § 9401 — National AI Initiative Act; establishes the national framework for AI research and development; defines roles of NIST, NSF, and other agencies in AI; provides the statutory context for OMB's AI governance directives
  • 41 U.S.C. § 1707 — FAR regulation authority; the FAR Council's authority to issue regulations governing federal acquisition; M-24-10 directed the FAR Council to propose AI-specific acquisition requirements
  • 44 U.S.C. § 3504 — Paperwork Reduction Act; OMB authority over information management and IT standards across the executive branch; provides authority for OMB to issue AI governance standards
  • Executive Order 14110 (October 30, 2023) — "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence"; directed OMB to issue guidance on federal AI use and acquisition; M-24-10 implements this EO
  • OMB Memorandum M-24-10 (March 28, 2024) — Requires agencies to designate Chief AI Officers, build AI use case inventories, apply minimum safeguards for rights-impacting and safety-impacting AI systems, and embed responsible AI requirements into AI procurement contracts

Key Mechanics

M-24-10 established three operational requirements for federal AI governance. Institutional structure: all agencies must designate a Chief AI Officer (CAIO) within 60 days to coordinate AI governance, manage the AI use case inventory, and oversee compliance with minimum risk safeguards; the CAIO reports to the CIO or a senior official. AI use case inventory: agencies must maintain a public inventory of all AI systems in use; the inventory must include the purpose, data used, and rights-impact assessment for each system; inventories are aggregated at ai.gov. Minimum safeguards for "rights-impacting" and "safety-impacting" AI (systems that affect benefits eligibility, employment, criminal justice, housing, health, or safety): before deployment, agencies must conduct pre-deployment testing and bias assessments; provide meaningful human oversight; ensure affected individuals can appeal AI-driven determinations; and document performance monitoring. Acquisition requirements: when procuring AI systems, agencies must require vendors to provide documentation of training data, testing methodologies, performance benchmarks, and security practices; contracts must include AI-specific oversight clauses. M-24-10 was superseded in some respects by M-25-21 (issued by the Trump administration in 2025); the Trump memo revised AI governance directions, generally reducing procedural requirements while maintaining some acquisition transparency provisions.

Overview

ParameterValue
DocumentOMB Memorandum M-24-10
Date issuedMarch 28, 2024
Issuing officialShalanda Young, Director of OMB
Implementing EOExecutive Order 14110 (October 30, 2023)
Applies toAll executive branch agencies
CAO designation deadline60 days from issuance
AI inventory deadline180 days; updated annually
Companion memoM-25-21 (comprehensive AI governance, April 2025)

Governance Foundations: CAOs and Inventories

Before any agency could responsibly acquire AI, M-24-10 required institutional readiness. The memo mandated two foundational steps:

Chief AI Officers (CAOs): Within 60 days of the memo's issuance, every agency subject to the Chief Financial Officers Act (the 24 largest federal agencies) must designate a Chief AI Officer. The CAO is responsible for:

  • Coordinating the agency's AI activities and ensuring compliance with OMB AI policy
  • Maintaining and annually publishing the agency's AI use case inventory
  • Reviewing and approving AI deployments in rights-impacting or safety-impacting contexts before they go live
  • Representing the agency on the Chief AI Officers Council, an interagency body convened by OMB

The CAO position must have sufficient seniority and authority to meaningfully influence AI acquisition and deployment decisions — not merely a compliance coordinator role. In practice, many agencies initially designated existing CIOs or CDOs as collateral-duty CAOs; OMB's subsequent guidance encouraged agencies to treat the role as a distinct senior position.

AI Use Case Inventories: Within 180 days, agencies must compile and publicly release an inventory of every AI system they use. Each entry must include:

  • The name and description of the AI system
  • Whether it is a rights-impacting or safety-impacting use case
  • The stage of development or deployment
  • What safeguards are in place
  • Whether the system was acquired from a vendor or developed in-house

Inventories must be updated at least annually and published in a machine-readable format. OMB coordinates a government-wide AI inventory accessible at ai.gov. The inventory requirement is the transparency backbone of the entire framework — without knowing what AI agencies are using, oversight by Congress, IGs, and the public is impossible.

The AI Acquisition Framework

The most distinctive contribution of M-24-10 is its AI acquisition provisions — requirements that agencies must build into contracts before purchasing AI systems. The framework rests on the premise that responsible AI cannot be retrofitted after purchase; governance requirements must be specified in solicitations and enforced through contract terms.

Pre-acquisition due diligence: Before purchasing an AI system for a rights-impacting or safety-impacting use case, agencies must:

  • Document the specific mission need and why AI is the appropriate solution
  • Assess the AI system's development process, including the data used for training and any known limitations or biases
  • Evaluate whether the system has been independently tested for accuracy, reliability, and disparate impact
  • Determine whether the system's decision-making is sufficiently explainable for the context (e.g., can the agency explain to an affected individual why a particular output was generated)
  • Identify what human oversight mechanisms will be in place during operation

Contract requirements for AI vendors: Solicitations and contracts for AI systems must specify vendor obligations including:

  • Documentation: vendors must provide system cards or model cards describing the AI system's intended use, training data sources and limitations, performance benchmarks, and known failure modes
  • Testing results: vendors must disclose bias testing and accuracy testing results, including performance disaggregated by demographic groups where relevant to the use case
  • Ongoing monitoring: vendors must support agencies' ability to monitor system performance post-deployment and must notify agencies of material changes to model behavior (including updates or retraining)
  • Data rights: agencies must retain rights to audit training data, model weights (where applicable), and performance data sufficient to conduct independent evaluations
  • Incident reporting: vendors must notify the agency promptly of AI system failures, unexpected outputs, or security incidents

Prohibited acquisition practices: Agencies may not acquire AI systems for rights-impacting or safety-impacting uses from vendors who:

  • Refuse to provide documentation of training data sources and known limitations
  • Cannot demonstrate that the system has been tested for bias relevant to the use case
  • Will not support human oversight mechanisms in the system's operation
  • Will not provide audit rights sufficient for the agency to meet its OMB reporting obligations

Minimum Practices for Rights-Impacting and Safety-Impacting AI

M-24-10 established binding minimum practices for the two highest-risk AI categories. These apply both to AI systems acquired from vendors and to AI developed in-house.

Rights-impacting AI covers systems that significantly affect access to, eligibility for, or conditions of government services; civil rights; employment; housing; education; credit; or the exercise of constitutional rights. For rights-impacting AI, agencies must ensure:

  • Human oversight: A qualified human reviewer must be in the decision loop for consequential outputs; fully automated final decisions on rights or benefits without human review are prohibited
  • Meaningful disclosure: Individuals affected by AI-assisted decisions must be notified in plain language that AI was used and what role it played
  • Explainability: The agency must be able to explain the basis for an AI-assisted decision in sufficient detail for the affected person to understand and contest it
  • Appeal mechanism: Individuals must have a meaningful way to contest adverse AI-assisted decisions and have a human review their case
  • Fallback procedures: Agencies must maintain the ability to process cases without the AI system if it fails or is taken offline

Safety-impacting AI covers systems whose outputs or failures could have material consequences for physical safety — including systems used in critical infrastructure, emergency response, or physical security. Safety-impacting AI requires the same minimum practices plus:

  • Testing under adversarial conditions: the system must be tested for robustness against manipulation and edge-case failures
  • Redundancy planning: agencies must have documented fallback systems or procedures
  • Incident reporting protocols: failures or unexpected behavior must be reported promptly to CISA and OMB

Key Requirements

  • Designate a Chief AI Officer at every CFO Act agency within 60 days of memo issuance
  • Publish an AI use case inventory within 180 days; update annually; include risk classification for each system
  • Embed AI documentation requirements in all solicitations for rights-impacting or safety-impacting AI: system cards, bias testing results, data provenance
  • Apply the five minimum practices before deploying rights-impacting AI: human oversight, disclosure, explainability, appeal mechanism, fallback procedures
  • Prohibit acquisition of AI for rights-impacting or safety-impacting uses from vendors who won't support documentation, testing disclosure, or audit rights
  • Submit annual AI accountability report to OMB covering inventory, safeguards status, incidents, and corrective actions
  • Halt or defer rights-impacting or safety-impacting AI use cases where minimum practices cannot be met until they can be met
  • Establish internal AI governance board to review and approve high-risk AI deployments before go-live

How It Affects You

<!-- pria:personalize type="impact" -->

If you work at a federal agency: Your acquisition process for AI systems must incorporate M-24-10's requirements from the solicitation stage — not after contract award. Work with your contracting officers and legal counsel to build AI governance requirements into statements of work, evaluation criteria, and contract terms before issuing an RFP for any AI system that touches rights-impacting or safety-impacting use cases. Your CAO (or whoever holds that role) must approve the use case and the safeguards plan before deployment. Failure to apply minimum practices before deployment exposes the agency to IG findings, adverse court rulings in APA challenges, and congressional oversight.

If you are an AI vendor or technology company selling to the federal government: M-24-10 defines the baseline documentation you must be able to provide to win and retain federal AI contracts. Prepare system cards documenting training data, intended use, known limitations, and bias testing results. Develop processes for notifying agency customers of material model updates. Build audit trail capabilities into your systems so agencies can monitor performance and demonstrate compliance. Federal AI acquisitions will increasingly score vendors on governance maturity — not just technical performance — in evaluation criteria. Companies that can demonstrate NIST AI RMF alignment, third-party bias testing, and documented incident response processes have a competitive advantage in federal AI sales.

If you are a member of the public or civil society advocate: M-24-10's inventory requirement is the most direct transparency tool available for scrutinizing federal AI use. Annual AI use case inventories — published by each agency — list every AI system in use and its risk classification. Comparing inventories across agencies, cross-referencing them against contract data in USASpending.gov and FPDS, and reviewing IG reports on AI governance compliance reveals where agencies are deploying AI in consequential contexts without adequate safeguards. FOIA requests for agency CAO reports, governance board meeting records, and vendor documentation can supplement public inventory data.

If you are a researcher or policy analyst: M-24-10 created the first comprehensive public record of federal AI use. The annual AI inventories, the CAO designation records, the OMB accountability reports, and the FAR Council's proposed rulemaking proceedings are all primary sources for understanding how the federal government is managing AI risk. The gap between M-24-10's requirements and actual agency practice — documented in GAO and IG reports — is a rich area for policy research. The memo's acquisition framework also creates a template that state and local governments are examining as they develop their own AI procurement standards.

<!-- /pria:personalize -->

Implementation Status

M-24-10 implementation was mixed. Within the 60-day CAO designation deadline, most CFO Act agencies formally designated someone to fill the role, but many treated it as a collateral duty. AI use case inventories, due within 180 days, varied enormously in quality: some agencies listed fewer than 10 AI systems, suggesting incomplete inventories, while others disclosed hundreds. A GAO review of AI governance implementation found that most agencies had partially implemented M-24-10's requirements but few had fully met all minimum practices for rights-impacting AI by the initial deadlines.

The acquisition provisions have had more durable impact. Several large agencies — including DHS, VA, and HHS — updated their AI acquisition playbooks to incorporate M-24-10's vendor documentation requirements. The General Services Administration developed AI contract clause templates that agencies can use to implement the memo's requirements. These procurement changes are more institutionally embedded than the governance requirements and have continued under the Trump administration's more permissive AI posture.

Relationship to Broader Policy

M-24-10 is one piece of a layered federal AI policy architecture:

  • Artificial Intelligence Policy: the broader statutory and regulatory landscape including the National AI Initiative Act, NIST AI RMF, and sector-specific agency rules
  • FITARA: AI systems are major IT investments subject to the CIO's FITARA budget authority and the Exhibit 300 capital planning process
  • Federal Procurement: the FAR governs how agencies write contracts; the FAR Council's AI rulemaking will eventually codify M-24-10's requirements in binding regulation
  • NIST Cybersecurity Framework: AI systems must meet FISMA security requirements; the NIST AI RMF is the complementary voluntary standard for AI-specific risk management

Recent Developments

  • March 2024 — M-24-10 issued; 60-day CAO designation deadline and 180-day inventory deadline set
  • January 2025 — EO 14110 rescinded by Trump administration
  • April 3, 2025 — M-25-21 issued under EO 14179 as a comprehensive follow-on framework; M-24-10 rescinded
  • 2025 — FAR Council published advance notice of proposed rulemaking (ANPRM) seeking input on how to codify AI acquisition requirements in the FAR; comment period extended amid administration transition
  • Ongoing — GSA AI contract clause templates available for agency use; adoption rates vary by agency and program office

At My Address

See how OMB Memo M-24-10 — Responsible AI Acquisition by Federal Agencies plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address