
AI Governance Briefing — March 28, 2025

U.S. federal agencies hit the OMB M-24-10 deadline to operationalise Appendix C safeguards for safety-impacting AI, and Zeph Tech is aligning inventories, waivers, and quarterly attestations before oversight escalates.

Executive briefing: The Office of Management and Budget’s Memorandum M-24-10 gave civilian agencies one year to implement the minimum risk-management practices in Appendix C for safety-impacting AI systems. March 28, 2025 marks that 365-day deadline: Chief AI Officers must certify inventories, impact assessments, independent evaluations, and human fallback controls, or document limited waivers for national-security and law-enforcement uses. Zeph Tech is building CAIO command centres that reconcile use-case registries, model cards, assurance artefacts, and public transparency packs before inspectors general, OMB, and Congress review compliance.

Regulatory checkpoints

  • Appendix C controls. Agencies must show documented governance boards, pre-deployment testing, real-time monitoring, human oversight, incident response, and fallback procedures for safety-impacting AI.
  • Waiver governance. Limited waivers require agency-head approval, mitigation plans, and quarterly reporting to OMB per Section 5(c).
  • Quarterly attestations. Section 5(d) establishes recurring reporting on compliance status, outstanding risks, and corrective action plans.

Control alignment

  • NIST AI RMF Govern/Manage. Map Appendix C safeguards to RMF functions so safety-impacting AI pipelines capture testing, monitoring, and incident playbooks.
  • Executive Order 14110 Section 4.2. Ensure compute inventories, model evaluations, and dual-use reporting align with Commerce Department rulemakings triggered by the EO.
  • ISO/IEC 42001 clauses 8.3–8.4. Treat Appendix C artefacts as part of the AI management system, with configuration control and retention requirements.

Detection and response priorities

  • Alert when safety-impacting AI runs without approved governance board sign-off or missing independent evaluation records.
  • Integrate incident reporting to meet the memo’s timelines for notifying OMB, affected communities, and oversight bodies.
  • Track waiver expirations and remediation milestones so elevated-risk deployments receive additional scrutiny.

Enablement moves

  • Run joint workshops with programme, legal, civil-rights, and cybersecurity offices to validate Appendix C checklists before the 365-day reviews.
  • Publish public AI use-case inventories that explain safety classifications, evaluation outcomes, and responsible officials.
  • Embed Appendix C criteria into acquisition templates and MLOps gates so future projects inherit compliant controls automatically.