
OMB Memo M-25-21 — Federal AI Governance & Use Policy

Updated May 14, 2026

OMB Memorandum M-25-21 ("Accelerating Federal Use of AI through Innovation, Governance, and Public Trust," April 3, 2025) is the Trump administration's comprehensive framework for how executive branch agencies must govern, acquire, and deploy artificial intelligence systems. Issued under Executive Order 14179 (January 23, 2025), M-25-21 rescinded and replaced the Biden administration's M-24-10 (March 2024), shifting federal AI policy from a risk-governance emphasis toward an "innovation, governance, and public trust" framing that prioritizes removing barriers to AI adoption while retaining Chief AI Officer designations, AI use case inventories, and minimum safeguards for "high-impact" AI systems.

The memo retains much of M-24-10's institutional architecture — CAOs, inventories, governance boards, safeguards for consequential AI — but reframes the policy posture: agencies are directed to identify and remove barriers to responsible AI adoption "where practicable," use American-made AI technologies where possible, and accelerate deployment rather than slow it. The companion memo M-25-22 ("Driving Efficient Acquisition of Artificial Intelligence in Government," also April 3, 2025) replaced M-24-10's acquisition provisions. For the broader statutory context, see Artificial Intelligence Policy — Federal AI Governance & Regulation.

  • 15 U.S.C. § 9401 — National AI Initiative Act; establishes federal AI research and development framework; provides statutory context for OMB AI governance authority
  • 15 U.S.C. § 9411 — AI in Government Act; directs OMB to issue guidance on federal AI use; requires agencies to designate AI coordinators; the primary statutory authorization for CAIO designations and AI use inventories
  • 44 U.S.C. § 3504 — Paperwork Reduction Act; grants OMB authority over information management and IT systems across the executive branch; provides authority for AI governance standards
  • Executive Order 14179 (January 23, 2025) — "Removing Barriers to American Leadership in Artificial Intelligence"; rescinded Biden's EO 14110; directed OMB to issue revised AI governance guidance prioritizing innovation and accelerated adoption; M-25-21 implements this EO

Key Mechanics

M-25-21 retains the institutional framework from M-24-10 but reorients the policy emphasis. Agencies must still designate Chief AI Officers (CAOs) and maintain AI use case inventories — the operational requirements established under M-24-10 are largely preserved. The key shifts:

  • Innovation framing: agencies are directed to identify and remove barriers to AI adoption "where practicable" rather than approach AI primarily as a risk to be managed
  • American AI preference: agencies should use American-made AI technologies and AI developed in accordance with U.S. values where feasible in procurement
  • Minimum safeguards for "high-impact" AI are retained — AI systems that affect benefits eligibility, criminal justice outcomes, employment, health, or safety still require pre-deployment testing, bias assessment, meaningful human oversight, and appeal mechanisms
  • Governance boards: agencies must establish AI governance boards with senior leadership participation to coordinate AI decisions

M-25-21's companion, M-25-22 ("Driving Efficient Acquisition of AI in Government," April 3, 2025), addresses AI procurement. The Trump administration's approach maintains the CAIO structure and core safeguards for consequential AI while removing some of M-24-10's more prescriptive procedural requirements; agencies with existing M-24-10 compliance programs should review M-25-21 for required modifications rather than assuming full continuity.

Overview

Parameter | Value
Document | OMB Memorandum M-25-21
Date issued | April 3, 2025 (Trump administration)
Issuing official | Russell Vought, Director of OMB
Implementing EO | Executive Order 14179 ("Removing Barriers to American Leadership in AI," January 23, 2025)
Applies to | All executive branch agencies, including independent regulatory agencies
Companion memo | M-25-22 (April 3, 2025, AI acquisition — replaced M-24-10); NIST AI RMF (voluntary framework)
Current status | In force; supersedes M-24-10 and the rescinded EO 14110 framework

The Governance Architecture: Three Institutional Requirements

M-25-21's most durable contributions are institutional — creating new accountability structures within agencies that persist even when the underlying executive order is rescinded.

Chief Artificial Intelligence Officers (CAOs): Every agency covered by the Chief Financial Officers Act (the 24 largest federal agencies) must designate a Chief Artificial Intelligence Officer, a senior official with responsibility for coordinating the agency's AI activities, ensuring compliance with AI governance requirements, and overseeing the agency's AI use case inventory. The CAO must have direct access to agency leadership and a voice in budget and acquisition decisions affecting AI systems. This requirement mirrors the CIO and CISO positions created by earlier federal IT governance mandates and is grounded in 15 U.S.C. § 9411 (National AI Initiative Act) as well as OMB's government-wide management authority under 44 U.S.C. § 3504.

AI Use Case Inventories: Agencies must maintain and publish an annual inventory of their AI use cases — every AI system used by the agency, categorized by function, risk level, and whether it is "rights-impacting" or "safety-impacting" (defined below). The inventories must be public, enabling oversight by Congress, inspectors general, and the public. OMB coordinates the government-wide inventory through ai.gov. This transparency requirement is among the most practically significant provisions: it creates a documented record of how federal agencies are using AI, enabling accountability that did not exist before the Biden governance framework.

AI Governance Boards: Agencies must establish internal AI governance bodies — typically an AI council or board composed of the CAO, CIO, CISO, CDO (Chief Data Officer), and relevant mission and legal officials — to review AI use cases, approve deployments in sensitive contexts, and monitor ongoing AI system performance. Governance boards must specifically review and approve any AI system before deployment in rights-impacting or safety-impacting contexts.

What This Memo Requires

Defining Risk: Rights-Impacting and Safety-Impacting AI

M-25-21 (building on M-24-10) established a two-category framework for identifying AI systems that require heightened governance:

Rights-impacting AI is any AI system that has a significant effect on the rights, opportunities, or access to critical resources or services of members of the public. This includes AI that:

  • Determines or significantly influences eligibility for government benefits (Social Security, Medicare, immigration status)
  • Affects civil rights or anti-discrimination protections
  • Makes or informs consequential decisions in the criminal justice context (sentencing recommendations, risk assessments)
  • Determines access to housing, education, or employment through federal programs
  • Affects the exercise of constitutionally protected rights

Safety-impacting AI is any AI system whose output or failure could have significant consequences for the physical safety of people or critical infrastructure. This includes AI used in:

  • Physical security systems
  • Nuclear or critical infrastructure operations
  • Emergency response coordination
  • Military or law enforcement contexts

For both categories, M-25-21 requires minimum safeguards that must be in place before deployment: independent testing for bias and reliability; human oversight — a human with appropriate training must review consequential AI outputs before action is taken; plain-language disclosure to people affected by AI-assisted decisions; meaningful appeal mechanisms allowing people to contest adverse AI-assisted decisions; and fallback procedures so that services can continue if the AI system fails or is disabled.

Prohibited AI Uses

M-25-21 enumerated specific AI applications that federal agencies may not use absent specific statutory authorization or compelling national security justification:

  • Using AI to make final, unreviewable decisions on benefits, rights, or access to government services without human review
  • Deploying biometric identification systems in real-time, public settings (mass facial recognition) without specific legal authority and documented civil liberties review
  • Using AI systems for automated surveillance of First Amendment-protected activities (speech, assembly, religion) without specific legal authorization
  • Applying AI in a way that systematically disadvantages protected classes without mitigation measures
  • Using AI training data collected in violation of applicable privacy laws

Transparency and Reporting

Agencies must:

  • Publish their AI use case inventories annually on a publicly accessible website
  • Submit to OMB an annual AI accountability report covering the categories and risk levels of AI deployed, safeguards in place, any incidents or failures, and corrective actions taken
  • Notify the public, in plain language, when a consequential decision has been made with AI assistance, including an explanation of the AI's role and the right to appeal
  • Report to Congress, through OMB, a government-wide summary of federal AI use and governance

Key Requirements

  • Designate a Chief AI Officer at every CFO Act agency within 60 days of memo issuance, with direct access to agency head and budget involvement
  • Publish an AI use case inventory annually; initial inventory due within 180 days; inventories must categorize use cases by risk level and whether rights-impacting or safety-impacting
  • Establish an internal AI governance board with CAO, CIO, CISO, and CDO representation; board must approve deployments in rights-impacting and safety-impacting contexts
  • Apply minimum safeguards before deploying rights-impacting or safety-impacting AI: independent testing, human oversight, disclosure, appeal mechanism, fallback procedure
  • Prohibit listed uses: no unreviewable automated benefit decisions, no mass real-time facial recognition without legal authority, no AI surveillance of protected First Amendment activities
  • Submit annual accountability report to OMB covering AI inventory, safeguards status, incidents, and corrective actions
  • Ensure procurement compliance: AI acquisition must follow M-24-10 requirements — see OMB Memo M-24-10
  • Coordinate with NIST AI RMF: agencies encouraged to map their AI governance practices to the NIST AI Risk Management Framework's Govern-Map-Measure-Manage structure

How It Affects You

If you work at a federal agency: Your agency's CAO (or whoever has been designated to fill that role) is responsible for maintaining your AI use case inventory and ensuring that every rights-impacting or safety-impacting AI system has gone through governance board review with the required safeguards. Practically: before deploying any AI system that touches benefit eligibility, law enforcement, or other consequential decisions, you need a documented review showing that human oversight is in place, the system has been tested for bias, and there's a disclosure and appeal process for affected individuals. The inventory requirement is ongoing — new AI deployments must be added; retired systems removed. Budget for AI governance infrastructure: testing, oversight staffing, and disclosure systems are not free.

If you are an AI vendor or technology company selling to the federal government: M-25-21 and M-24-10 together define the AI governance expectations you must meet to sell rights-impacting or safety-impacting AI systems to federal agencies. Your product must support the documentation requirements (bias testing results, system card, intended use documentation) and the operational safeguards (human review workflows, audit logs, explainability). Federal AI acquisitions increasingly require that vendors certify their AI systems' compliance with these governance standards. See M-24-10 for the acquisition-specific requirements. The Federal Acquisition Regulatory Council has signaled intent to codify AI governance requirements in the FAR.

If you are a member of the public receiving government services: M-25-21 is the most direct federal protection against consequential automated government decisions being made without meaningful human review. If a federal agency uses AI to determine your eligibility for benefits, immigration status, or other government services, you are entitled to: know that AI was used; have a human review the decision; and appeal an adverse decision through a meaningful process. Whether agencies are actually implementing these protections varies; if you believe AI was used in a federal decision affecting you without appropriate disclosure or review, the agency's CAO and Office of Inspector General are the relevant oversight contacts.

If you are a researcher, journalist, or civil society advocate: The annual AI use case inventories — published on ai.gov and individual agency websites — are the primary transparency mechanism for federal AI use. They document what AI systems agencies are deploying, in what contexts, and what safeguards are in place. Comparing inventories across agencies reveals which agencies are most aggressive in AI deployment and whether safeguards are consistent. IG reports on AI governance compliance are another key source: inspectors general at major agencies have conducted reviews of AI governance implementation, often finding gaps between policy requirements and actual practice.

Implementation Status

Implementation of M-25-21 was partial even before the Trump administration's rescission of EO 14110. Early assessments found:

  • Most CFO Act agencies designated Chief AI Officers, though many were collateral duties held by existing CIOs or CDOs rather than dedicated senior positions
  • AI use case inventories varied significantly in completeness — some agencies listed a handful of systems while others disclosed hundreds
  • Safeguard implementation for rights-impacting and safety-impacting AI was inconsistent, with some agencies' governance boards newly constituted and others having no documentation that the required reviews had occurred
  • GAO and agency IGs flagged compliance gaps at multiple agencies in reviews conducted through early 2025

Following the Trump administration's January 2025 EO rescinding EO 14110, individual agencies varied in their responses. Some agencies with mature AI governance programs maintained the structures (CAO designations, inventories, governance boards) as internal policy even without the EO mandate. Others reduced or paused AI governance activities. OMB has not issued formal guidance rescinding M-25-21's specific requirements, creating ambiguity about current obligations.

Relationship to Broader Policy

M-25-21 sits at the intersection of several policy streams:

  • National AI Initiative Act (15 U.S.C. §§ 9401–9461): the statutory foundation for federal AI coordination, establishing the National AI Initiative Office and directing agencies to advance responsible AI
  • NIST AI Risk Management Framework: the voluntary technical standard M-25-21 directs agencies to use as their governance methodology; published January 2023 and updated in 2024
  • FISMA and cybersecurity requirements: AI systems must satisfy standard federal IT security requirements in addition to AI-specific governance requirements; CISA has issued guidance on AI cybersecurity risks
  • Privacy Act and data governance: AI training data and inference data involving individuals must comply with Privacy Act system of records requirements
  • FITARA: the CIO's FITARA authority over IT investment decisions encompasses AI systems, which are increasingly large, consequential IT investments

Recent Developments

  • October 2023 — Biden EO 14110 ("Safe, Secure, and Trustworthy Development and Use of AI") issued; established 180-day deadline for agencies to address AI risks
  • March 2024 — OMB issued M-24-10 ("Advancing Governance, Innovation, and Risk Management for Agency Use of AI"), establishing the initial CAO, inventory, and safeguard requirements
  • January 20, 2025 — Trump rescinded Biden EO 14110
  • January 23, 2025 — Trump issued EO 14179 ("Removing Barriers to American Leadership in AI")
  • April 3, 2025 — OMB issued M-25-21 and M-25-22, rescinding and replacing M-24-10 and M-24-18; established new innovation-forward AI governance framework while retaining CAOs, inventories, and high-impact AI safeguards
  • Ongoing — Federal Acquisition Regulatory Council working on AI-related FAR provisions; M-25-22 governs acquisition in the interim
