AI Governance — OMB M-24-10
OMB Memorandum M-24-10 now requires U.S. federal agencies to inventory AI systems, conduct impact assessments, implement human oversight, and report serious incidents within 24 hours.
The Office of Management and Budget finalized Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence, on March 28, 2024. Agencies must publish AI use case inventories by December 1, 2024, certify safety-impact assessments, and notify OMB of serious incidents within 24 hours while alerting affected individuals within seven business days. The memorandum is the Biden administration's operational implementation of Executive Order 14110 on AI safety and security, establishing detailed compliance requirements that will reshape how federal agencies develop, procure, and deploy artificial intelligence systems across government operations.
Policy Context and Authority
Memorandum M-24-10 implements provisions of Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) signed in October 2023. The memorandum builds upon earlier AI governance guidance including Executive Order 13960 on Promoting the Use of Trustworthy Artificial Intelligence and the American AI Initiative.
OMB authority flows through the Federal Information Technology Acquisition Reform Act and other statutes governing federal technology management. The memorandum applies to executive branch agencies, creating binding requirements that agencies must incorporate into acquisition strategies, development practices, and operational procedures for AI systems.
AI Inventory Requirements
Agencies must publish AI use case inventories covering systems deployed or under development, with initial inventories due by December 1, 2024. Vendors supporting agencies should prepare documentation packets that align offerings to the public inventory format including system purpose, data inputs, safeguards, and human oversight mechanisms.
Inventory entries must describe AI system functionality, intended use cases, training data sources, performance metrics, and risk mitigation measures. Updates are required annually and when material changes occur to inventoried systems. Exemptions exist for classified AI systems and certain law enforcement applications, though agencies must maintain internal inventories even for exempt systems.
Algorithmic Impact Assessment Requirements
Safety-impacting AI requires Algorithmic Impact Assessments before deployment; align red-team reports, bias testing, and assurance evidence to the memorandum's annex specifications. AIAs must evaluate potential harms to individuals' rights, safety, and livelihoods that could result from AI system failures or misuse.
Assessments should document intended and foreseeable uses, potential for disparate impact across demographic groups, data quality and representativeness concerns, human oversight mechanisms, and testing and validation procedures. Chief AI Officers must certify completion of required impact assessments before agencies deploy covered AI systems. External vendors providing AI capabilities to agencies should anticipate AIA documentation requirements in procurement processes.
Incident Reporting Obligations
Wire telemetry, support desks, and legal counsel to meet 24-hour OMB notifications and seven-day individual outreach requirements for serious AI incidents. Serious incidents include AI system failures causing harm to individuals, significant civil rights violations, safety-impacting malfunctions, and security breaches affecting AI system integrity.
Initial notification to OMB must occur within 24 hours of incident detection, with preliminary assessment of scope and impact. Affected individuals must receive notification within seven business days describing the incident, potential impacts on their rights or safety, and remediation measures. Agencies must conduct root cause analysis and implement corrective actions to prevent recurrence.
Human Oversight Requirements
Systems materially affecting rights or safety need advance approval and documented override controls; ensure interfaces expose human-in-the-loop checkpoints at decision points. Human oversight requirements scale with AI system risk levels, with higher-risk systems requiring stronger intervention capabilities. Safety-impacting AI must include mechanisms for human review before consequential decisions take effect. Override capabilities must enable authorized personnel to modify, pause, or end AI system operations when necessary. Training programs must ensure personnel understand AI system limitations and know when and how to exercise oversight authority.
Chief AI Officer Role
The memorandum establishes Chief AI Officer positions responsible for coordinating agency AI governance, compliance, and innovation activities. CAIOs oversee AI inventory maintenance, impact assessment certification, incident response procedures, and workforce development programs. They serve as agency liaisons to OMB on AI governance matters and coordinate with Chief Information Officers, Chief Data Officers, and program officials on AI-related initiatives. CAIO designations and organizational placement should ensure sufficient authority and visibility to fulfill memorandum requirements effectively.
Vendor and Contractor Implications
Update capture playbooks and federal account plans so proposals speak directly to M-24-10 evidence requests. Map memorandum controls to NIST AI RMF, NIST SP 800-53, and ISO/IEC 42001 safeguards to simplify compliance reporting across frameworks. Run quarterly tabletop exercises with agency partners covering incident escalation and public communications. Contractors providing AI systems to agencies should anticipate contract modifications incorporating memorandum requirements, documentation demands during procurement, and ongoing compliance monitoring throughout contract performance.
Planning considerations
Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.
Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.
Tracking performance
Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.
Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.
Summary and next steps
Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.
Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.
Governance structure
Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.
Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.
Ongoing improvement
Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.
Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.
Priority actions
- Assessment requirement: Evaluate current practices against the updated requirements outlined in this analysis.
- Documentation update: Review and update relevant policies, procedures, and technical documentation.
- Stakeholder communication: Brief affected teams on timeline implications and resource requirements.
- Compliance verification: Schedule internal review to confirm alignment with guidance.
Documentation
- OMB Memorandum M-24-10 — whitehouse.gov
- OMB issues guidance to advance governance, innovation, and risk management for agency use of AI — whitehouse.gov
- ai.gov — Federal AI governance resources — ai.gov