

AI Briefing — March 28, 2024

OMB Memorandum M-24-10 orders U.S. federal agencies to tighten AI governance with Chief AI Officers, public inventories, and mandatory risk controls for safety-impacting systems.

Executive briefing: On March 28, 2024 the White House Office of Management and Budget released Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. The policy binds every U.S. federal civilian agency to designate accountable AI leadership, publish expanded inventories, and prove risk mitigations before deploying systems that can meaningfully affect safety or civil rights.

Key directives

  • Chief AI Officers within 60 days. Each agency must name a CAIO by May 29, 2024 and empower that role to manage AI inventories, procurement, and lifecycle controls.
  • Governance boards within 90 days. Agencies are required to charter AI governance boards by June 27, 2024 to coordinate legal, privacy, security, and mission owners on every use case.
  • Safety-impacting AI safeguards. Systems that influence rights, benefits, or physical safety cannot launch without independent evaluation, pre-production testing, human fallback procedures, and continuous monitoring.
  • Public inventories by December 1, 2024. Agencies must publish annual AI use case inventories that flag safety-impacting systems, summarize risk assessments, and disclose third-party suppliers.

Control alignment

  • NIST AI Risk Management Framework. The memo requires agencies to implement RMF functions—Govern, Map, Measure, and Manage—for every AI system, with documentation available for inspection.
  • ISO/IEC 42001 readiness. Agencies with international obligations can map governance board responsibilities, impact assessments, and monitoring metrics to ISO/IEC 42001 clauses 5 through 8.
  • FedRAMP and supply chain controls. Cloud AI services must provide audit artefacts that satisfy FedRAMP moderate baselines and C-SCRM requirements in NIST SP 800-161r1.

Implementation priorities

  • Inventory every algorithmic decision workflow, noting data sources, model owners, mission impact, and reliance on commercial or open-source components.
  • Codify risk sign-off steps—including independent evaluation teams and red-teaming cadence—inside change management tools so approvals are logged.
  • Update acquisition templates and performance-based contracts to require vendors to deliver testing artefacts, bias evaluations, and shutdown mechanisms.

Enablement moves

  • Brief CIO, CDO, and privacy officers on CAIO escalation paths and the governance board voting structure.
  • Provide mission teams with checklists for classifying AI as safety-impacting versus limited-impact, tying examples back to M-24-10 Appendix B.
  • Publish transparency notices that align with Section 7225 of the memo so constituents understand how AI influences eligibility or benefits decisions.

Zeph Tech analysis

  • Immediate staffing pressure. Agencies with existing AI leads must formalize the CAIO remit and document delegated authority before the 60-day deadline.
  • Oversight extends to vendors. Contractors operating AI on behalf of agencies fall under the same risk controls, requiring shared inventories and contractual enforcement.
  • Public reporting drives comparability. The expanded inventories will let oversight bodies and watchdog groups benchmark risk postures across agencies, increasing pressure to evidence compliance.

Zeph Tech is packaging templates that map M-24-10 deliverables to NIST AI RMF profiles, ISO/IEC 42001 clauses, and agency-specific governance board charters.
