AIOMB Memorandum M-24-10
OMB Memorandum M-24-10 orders U.S. federal agencies to tighten AI governance with Chief AI Officers, public inventories, and mandatory risk controls for safety-impacting systems.
Accuracy-reviewed by the editorial team
On March 28, 2024 the White House Office of Management and Budget released Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. The policy binds every U.S. federal civilian agency to designate accountable AI leadership, publish expanded inventories, and prove risk mitigations before deploying systems that can meaningfully affect safety or civil rights.
Key directives
- Chief AI Officers within 60 days. Each agency must name a CAIO by May 29, 2024 and help that role to manage AI inventories, procurement, and lifecycle controls.
- Governance boards within 90 days. Agencies need to charter AI governance boards by June 27, 2024 to coordinate legal, privacy, security, and mission owners on every use case.
- Safety-impacting AI safeguards. Systems that influence rights, benefits, or physical safety cannot launch without independent evaluation, pre-production testing, human fallback procedures, and continuous monitoring.
- Public inventories by December 1, 2024. Agencies must publish annual AI use case inventories that flag safety-impacting systems, summarize risk assessments, and disclose third-party suppliers.
How controls apply
- NIST AI Risk Management Framework. The memo requires agencies to implement RMF functions—Govern, Map, Measure, and Manage—for every AI system, with documentation available for inspection.
- ISO/IEC 42001 readiness. Agencies with international obligations can map governance board responsibilities, impact assessments, and monitoring metrics to ISO/IEC 42001 clauses 5 through 8.
- FedRAMP and supply chain controls. Cloud AI services must provide audit artifacts that satisfy FedRAMP moderate baselines and C-SCRM requirements in NIST SP 800-161r1.
Implementation priorities
- Inventory every algorithmic decision workflow, noting data sources, model owners, mission impact, and reliance on commercial or open-source components.
- Codify risk sign-off steps—including independent evaluation teams and red-teaming cadence—inside change management tools so approvals are logged.
- Update acquisition templates and performance-based contracts to require vendors to deliver testing artifacts, bias evaluations, and shutdown mechanisms.
What teams should do
- Brief CIO, CDO, and privacy officers on CAIO escalation paths and the governance board voting structure.
- Provide mission teams with checklists for classifying AI as safety-impacting versus limited-impact, tying examples back to M-24-10 Appendix B.
- Publish transparency notices that align with Section 7225 of the memo so constituents understand how AI influences eligibility or benefits decisions.
Bottom line
- Immediate staffing pressure. Agencies with existing AI leads must formalize the CAIO remit and document delegated authority before the 60-day deadline.
- Oversight extends to vendors. Contractors operating AI on behalf of agencies fall under the same risk controls, requiring shared inventories and contractual enforcement.
- Public reporting drives comparability. The expanded inventories will let oversight bodies and watchdog groups benchmark risk postures across agencies, increasing pressure to evidence compliance.
Federal AI inventory requirements
M-24-10 mandates agency AI inventories with public disclosure. Federal contractors should prepare to contribute inventory information, document AI use in government contracts, and establish reporting processes aligned with agency requirements.
Rights-impacting AI safeguards
Heightened requirements apply to AI affecting individual rights. Develop classification frameworks identifying rights-impacting uses, implement required safeguards, and document compliance with improved oversight requirements.
This brief packaging templates that map M-24-10 deliverables to NIST AI RMF profiles, ISO/IEC 42001 clauses, and agency-specific governance board charters.
Detailed guidance
Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.
Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.
Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.
Assurance and verification
Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.
Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.
Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.
Working with vendors
Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.
Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.
Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.
What planners should consider
Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.
Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.
How to measure progress
Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.
Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.
Final notes
Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.
Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.
Sustaining progress
Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.
Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.
Continue in the AI pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
AI Procurement Governance Guide
Structure AI procurement pipelines with risk-tier screening, contract controls, supplier monitoring, and EU-U.S.-UK compliance evidence.
-
AI Workforce Enablement and Safeguards Guide
Equip employees for AI adoption with skills pathways, worker protections, and transparency controls aligned to U.S. Department of Labor principles, ISO/IEC 42001, and EU AI Act…
-
AI Model Evaluation Operations Guide
Build traceable AI evaluation programmes that satisfy EU AI Act Annex VIII controls, OMB M-24-10 Appendix C evidence, and AISIC benchmarking requirements.
Further reading
- Industry Standards and Best Practices — International Organization for Standardization
- NIST AI Risk Management Framework
Comments
Community
We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.
No approved comments yet. Add the first perspective.