AI Governance — OMB M-24-10
OMB Memorandum M-24-10 now requires U.S. federal agencies to inventory AI systems, conduct impact assessments, implement human oversight, and report serious incidents within 24 hours.
The Office of Management and Budget finalized Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence, on March 28, 2024. Agencies must publish AI use case inventories by December 1, 2024, certify safety-impact assessments, and notify OMB of serious incidents within 24 hours while alerting affected individuals within seven business days. The memorandum is the Biden administration's operational implementation of Executive Order 14110 on AI safety and security, establishing detailed compliance requirements that will reshape how federal agencies develop, procure, and deploy artificial intelligence systems across government operations.
Policy Context and Authority
Memorandum M-24-10 implements provisions of Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) signed in October 2023. The memorandum builds upon earlier AI governance guidance including Executive Order 13960 on Promoting the Use of Trustworthy Artificial Intelligence and the American AI Initiative.
OMB authority flows through the Federal Information Technology Acquisition Reform Act and other statutes governing federal technology management. The memorandum applies to executive branch agencies, creating binding requirements that agencies must incorporate into acquisition strategies, development practices, and operational procedures for AI systems.
AI Inventory Requirements
Agencies must publish AI use case inventories covering systems deployed or under development, with initial inventories due by December 1, 2024. Vendors supporting agencies should prepare documentation packets that align offerings to the public inventory format including system purpose, data inputs, safeguards, and human oversight mechanisms.
Inventory entries must describe AI system functionality, intended use cases, training data sources, performance metrics, and risk mitigation measures. Updates are required annually and when material changes occur to inventoried systems. Exemptions exist for classified AI systems and certain law enforcement applications, though agencies must maintain internal inventories even for exempt systems.
Algorithmic Impact Assessment Requirements
Safety-impacting AI requires Algorithmic Impact Assessments before deployment; align red-team reports, bias testing, and assurance evidence to the memorandum's annex specifications. AIAs must evaluate potential harms to individuals' rights, safety, and livelihoods that could result from AI system failures or misuse.
Assessments should document intended and foreseeable uses, potential for disparate impact across demographic groups, data quality and representativeness concerns, human oversight mechanisms, and testing and validation procedures. Chief AI Officers must certify completion of required impact assessments before agencies deploy covered AI systems. External vendors providing AI capabilities to agencies should anticipate AIA documentation requirements in procurement processes.
Incident Reporting Obligations
Wire telemetry, support desks, and legal counsel to meet 24-hour OMB notifications and seven-day individual outreach requirements for serious AI incidents. Serious incidents include AI system failures causing harm to individuals, significant civil rights violations, safety-impacting malfunctions, and security breaches affecting AI system integrity.
Initial notification to OMB must occur within 24 hours of incident detection, with preliminary assessment of scope and impact. Affected individuals must receive notification within seven business days describing the incident, potential impacts on their rights or safety, and remediation measures. Agencies must conduct root cause analysis and implement corrective actions to prevent recurrence.
Human Oversight Requirements
Systems materially affecting rights or safety need advance approval and documented override controls; ensure interfaces expose human-in-the-loop checkpoints at decision points. Human oversight requirements scale with AI system risk levels, with higher-risk systems requiring stronger intervention capabilities. Safety-impacting AI must include mechanisms for human review before consequential decisions take effect. Override capabilities must enable authorized personnel to modify, pause, or end AI system operations when necessary. Training programs must ensure personnel understand AI system limitations and know when and how to exercise oversight authority.
Chief AI Officer Role
The memorandum establishes Chief AI Officer positions responsible for coordinating agency AI governance, compliance, and innovation activities. CAIOs oversee AI inventory maintenance, impact assessment certification, incident response procedures, and workforce development programs. They serve as agency liaisons to OMB on AI governance matters and coordinate with Chief Information Officers, Chief Data Officers, and program officials on AI-related initiatives. CAIO designations and organizational placement should ensure sufficient authority and visibility to fulfill memorandum requirements effectively.
Vendor and Contractor Implications
Update capture playbooks and federal account plans so proposals speak directly to M-24-10 evidence requests. Map memorandum controls to NIST AI RMF, NIST SP 800-53, and ISO/IEC 42001 safeguards to simplify compliance reporting across frameworks. Run quarterly tabletop exercises with agency partners covering incident escalation and public communications. Contractors providing AI systems to agencies should anticipate contract modifications incorporating memorandum requirements, documentation demands during procurement, and ongoing compliance monitoring throughout contract performance.
Documentation
- OMB Memorandum M-24-10 — whitehouse.gov
- OMB issues guidance to advance governance, innovation, and risk management for agency use of AI — whitehouse.gov
- ai.gov — Federal AI governance resources — ai.gov