OMB Issues M-24-10 AI Risk Management Guidance
The U.S. Office of Management and Budget released Memorandum M-24-10 on March 19, 2024, requiring federal agencies to inventory AI use cases, implement risk management controls, and publish transparency dashboards by December 2024.
Verified for technical accuracy — Kodi C.
The Office of Management and Budget issued Memorandum M-24-10 on , setting governance expectations for federal AI systems that also influence vendors serving public-sector customers. The memorandum implements Executive Order 14110 requirements and establishes the most comprehensive federal AI governance framework to date.
AI Inventory Requirements
Agencies must maintain comprehensive inventories of AI systems within their organizations. The inventory requirement extends beyond traditional software asset management to capture AI-specific attributes including intended use cases, risk classifications, and deployment contexts. Agencies must categorize systems by risk level and document safety and rights impacts.
Public transparency dashboards require agencies to publish AI inventories with sufficient detail for public understanding while protecting sensitive information. Dashboard requirements include use case descriptions, risk assessments, and human oversight mechanisms. This transparency creates accountability while enabling informed public discourse about government AI use.
Vendor systems fall within scope when agencies procure AI capabilities. Organizations selling AI to federal agencies should prepare documentation packages covering training data provenance, evaluation results, and governance processes. Procurement specifications now reference M-24-10 compliance, making documentation readiness a competitive differentiator.
Safety and Rights Safeguards
Safety-impacting AI applications require improved governance measures. The memorandum defines safety impacts broadly, encompassing systems affecting physical safety, infrastructure operations, and critical service delivery. Mandatory safeguards include impact assessments, independent evaluation, and human oversight with appropriate intervention capabilities.
Rights-impacting AI receives similar heightened scrutiny. Systems affecting individual rights, access to government services, or consequential decisions about people trigger additional requirements. Agencies must assess algorithmic discrimination risks, establish appeals processes, and document fairness evaluations. Civil rights implications require explicit attention in system design and deployment.
Independent evaluation requirements distinguish M-24-10 from prior guidance. Agencies cannot rely solely on internal assessments for high-risk systems. Third-party evaluation, inspector general review, or cross-agency assessment provides independent verification of safety and effectiveness claims.
Governance Structure Requirements
Chief AI Officers receive a formal mandate under M-24-10. Agencies must designate officials with authority over AI governance, inventory management, and risk oversight. The CAIO role coordinates across technical, legal, and programmatic functions to ensure comprehensive AI management.
AI governance boards or equivalent structures provide decision-making authority for AI deployment. Board responsibilities include reviewing high-risk use cases, approving safety assessments, and overseeing compliance with M-24-10 requirements. Governance structures must include appropriate representation from technical, legal, civil rights, and privacy functions.
Risk management integration connects AI governance with enterprise risk management. Agencies must incorporate AI risks into existing risk frameworks rather than treating AI governance as separate from organizational risk management. This integration ensures AI considerations receive appropriate executive attention.
Compliance Timeline and Reporting
December 2024 marks the initial compliance deadline for inventory publication and governance structure establishment. Annual reporting cycles require ongoing compliance demonstration. Agencies must report on AI use cases, risk assessments, and safeguard implementation through established channels.
OMB oversight includes review of agency AI inventories, assessment of governance structures, and monitoring of safeguard implementation. Agencies failing to meet requirements face potential consequences including budget impacts and procurement restrictions.
Vendor and Contractor Implications
Federal contractors providing AI capabilities face derivative requirements. Contract modifications may incorporate M-24-10 documentation requirements. If you are affected, prepare for requests covering training data descriptions, evaluation methodologies, and governance documentation. Early preparation enables responsive engagement with agency requirements.
FedRAMP considerations intersect with M-24-10 for cloud-delivered AI services. If you are affected, evaluate how AI governance documentation integrates with existing authorization packages. Supplementary documentation may address AI-specific requirements beyond current FedRAMP scope.
Implementation Recommendations
- Inventory preparation: Document AI systems with appropriate detail for federal customer requirements including use cases, risk classifications, and governance processes.
- Safety documentation: Prepare impact assessments and evaluation results for AI systems sold to federal agencies.
- Governance alignment: Embed AI risk management controls including model cards, evaluation pipelines, and human oversight into public-sector product offerings.
- Timeline tracking: Monitor agency implementation and update compliance approaches for the December 2024 deadline and annual cycles.
- Contract review: Assess existing federal contracts for AI governance requirements and prepare for modification requests.
Cited sources
- OMB Memorandum M-24-10 — Advancing Governance, Innovation, and Risk Management for Agency Use of AI — whitehouse.gov
- OMB — Fact Sheet on Implementing the AI Executive Order — whitehouse.gov
- ISO 37000:2021 — Governance of Organizations — International Organization for Standardization