AI Governance in Government
AI Governance as a Strategic Imperative for Government and Defense
No sector faces higher stakes in AI governance regulation than government and defense. Governments are simultaneously the most powerful deployers of AI systems—in surveillance, intelligence analysis, benefits adjudication, and autonomous weapons—and the primary architects of the regulatory frameworks that govern everyone else. This dual role creates profound tensions: agencies that write AI accountability rules often operate classified AI programs exempt from those same rules, while defense departments must balance operational secrecy with the transparency demands of democratic oversight.
By early 2026, the regulatory landscape for government AI has crystallized around several distinct but intersecting frameworks. The U.S. Department of Defense's Responsible AI (RAI) framework, initially codified in its 2022 Data, Analytics, and Artificial Intelligence Adoption Strategy, mandates that all AI acquisitions undergo a responsible AI assessment aligned with five principles: responsible, equitable, traceable, reliable, and governable (RERTG). The Office of the Chief Digital and Artificial Intelligence Officer (CDAO), stood up in 2022, now serves as the DoD's central AI governance authority, overseeing everything from algorithm audits on predictive maintenance tools to ethical reviews of targeting-assistance software.
The DoD's Responsible AI Framework and Autonomous Weapons
The most contentious governance question in defense AI is the regulation of Lethal Autonomous Weapon Systems (LAWS). DoD Directive 3000.09, last updated in 2023, requires that autonomous and semi-autonomous weapons include "appropriate levels of human judgment" in lethal decisions—but stops short of mandating a human in the loop for every engagement. This ambiguity has become a fault line in international negotiations at the UN Convention on Certain Conventional Weapons (CCW), where over 70 nations have called for a binding treaty on LAWS while the U.S., Russia, China, India, and Israel have resisted hard prohibitions. As autonomous drone swarms deployed by companies like Anduril Industries and Shield AI move from R&D into operational testing, the gap between existing policy language and deployed capability is widening at speed.
Within the U.S. military, governance enforcement is increasingly operationalized through the Algorithmic Warfare Cross-Functional Team (Project Maven), which now requires that all computer vision and intelligence-fusion models used in targeting workflows pass a structured Model Cards review—a process borrowed from academic ML but adapted to include classification-level metadata, adversarial robustness testing, and red-team reports. Palantir's Maven Smart System (MSS), awarded in a controversial $480 million contract, is the most visible example of an AI platform navigating these governance requirements while delivering operational capability to combatant commands.
National Security Exemptions and the Accountability Gap
A structural tension runs through every major AI governance regime: national security carve-outs. The EU AI Act, fully enforceable from 2026, explicitly excludes AI systems used exclusively for military and national security purposes from its scope. The UK's pro-innovation AI framework similarly defers to existing defense oversight structures. This means that the most consequential AI systems—those used in intelligence collection, predictive policing at scale, drone targeting, and information operations—face the lightest external regulatory scrutiny even as they carry the highest risk of irreversible harm.
In the U.S., the National Security Commission on Artificial Intelligence's (NSCAI) landmark 2021 report catalyzed a wave of internal governance infrastructure: the NSC's AI Safety Board, intelligence community AI ethics frameworks from ODNI, and the creation of AI Assurance programs at DARPA. The NIST AI Risk Management Framework (AI RMF 1.0, released 2023) has been formally adopted by over a dozen civilian agencies and is being adapted for use in classified contexts under a separate NIST initiative. The gap, however, remains: civilian agency AI—used in immigration enforcement, fraud detection, and benefits eligibility—is now subject to OMB's M-24-10 memo requiring annual AI use inventories and impact assessments, while many defense and intelligence AI programs are catalogued only in classified annexes reviewed by a handful of oversight staff.
Allied Nations and NATO's AI Governance Architecture
AI governance in defense is increasingly a multilateral challenge. NATO's 2021 Principles of Responsible Use of AI in Defence—six principles covering lawfulness, responsibility, explainability, bias mitigation, reliability, and governable use—established the alliance's baseline, but implementation has been uneven across member states. The NATO AI Governance Framework, developed through the Allied Command Transformation (ACT) and ratified by allies in 2023, now requires that AI systems contributed to NATO joint operations meet minimum documentation and human-oversight standards, creating de facto procurement criteria that shape what systems contractors can sell to allied governments.
The EU AI Act's high-risk classification of AI used in law enforcement, critical infrastructure management, and border control affects defense-adjacent government applications directly. Biometric surveillance systems used by European border agencies, predictive policing tools deployed by national police forces, and AI-assisted asylum processing systems all fall under the Act's most stringent requirements—conformity assessments, technical documentation, logging, and human oversight mechanisms. Systems like the AI-assisted Eurodac biometric database upgrade and Frontex's AI-driven sea-border surveillance platform are navigating these compliance requirements in real time as the Act's enforcement machinery comes online.
AI Procurement Reform and the Governance-by-Acquisition Model
One of the most consequential governance mechanisms increasingly operates not through legislation but through procurement. The U.S. General Services Administration's AI vendor assessment framework, the DoD's AI Acquisition Toolkit, and the UK Government's Central Digital and Data Office guidance all embed governance requirements directly into contract vehicles. This "governance-by-acquisition" model means that companies like Booz Allen Hamilton, Leidos, SAIC, and Scale AI must demonstrate compliance with responsible AI standards, maintain model documentation, and support audit rights as a condition of winning government contracts—creating market pressure that shapes internal industry practices far beyond what any regulation alone could achieve.
CDAO's Tradewind platform, an AI acquisition vehicle launched in 2022, now channels hundreds of millions in AI spending through a pathway that mandates responsible AI assessments at each contract stage. C3.ai's government division, which serves the Air Force, Navy, and the Department of Energy, has built its entire government product line around audit-ready architecture precisely because contract vehicles require it. This procurement-driven governance is arguably the most effective near-term lever the U.S. government has, given how slowly formal rulemaking moves relative to AI capability development.
Applications & Use Cases
Autonomous Weapons Oversight
DoD Directive 3000.09 governance reviews for semi-autonomous and autonomous weapon systems. Human-machine teaming frameworks for lethal decision support, applied by programs like Anduril's Lattice mesh network and Shield AI's Hivemind pilot autonomy software to ensure "meaningful human control" documentation before operational deployment.
Intelligence Analysis Audit Trails
Algorithmic accountability frameworks for AI-assisted intelligence fusion, applied under Project Maven. Structured Model Cards, red-team adversarial testing, and classification-level audit logs enable oversight of computer vision and signals intelligence tools without exposing sensitive operational details to public review bodies.
Civilian Agency AI Inventories
OMB M-24-10 compliance: annual AI use-case inventories and impact assessments across civilian federal agencies. Agencies including USCIS, SSA, and IRS now publish inventories of deployed AI systems, flag high-impact use cases, and document human oversight mechanisms—governance infrastructure that has revealed hundreds of previously undisclosed AI deployments.
Law Enforcement Predictive Tools
EU AI Act high-risk compliance for predictive policing, facial recognition, and recidivism-scoring systems. European police forces using tools from providers like Idemia and Clearview AI must now conduct conformity assessments, maintain human override mechanisms, and register systems with national market surveillance authorities before deployment.
Border and Immigration AI
AI-assisted asylum processing, biometric border screening, and risk-scoring tools at Frontex and CBP must satisfy both high-risk EU AI Act requirements and OMB civil rights impact assessment mandates. Governance frameworks require bias audits, explainability for adverse decisions, and appeal mechanisms—reshaping how vendors like Palantir architect immigration enforcement platforms.
Defense Procurement AI Assurance
NATO AI Governance Framework and DoD AI Acquisition Toolkit requirements embedded into contract vehicles like Tradewind and OASIS+. Prime contractors (Booz Allen Hamilton, Leidos, SAIC) must deliver responsible AI assessments, maintain model documentation packages, and support government audit rights for all AI components delivered under qualifying contracts.
Key Players
- Palantir Technologies — Operates the DoD's Maven Smart System (MSS) for AI-assisted targeting and intelligence analysis; has built compliance with DoD Responsible AI principles directly into its Gotham and AIP government platforms, including model audit trails and human-oversight dashboards required under CDAO governance mandates.
- Anduril Industries — Developer of the Lattice autonomous command-and-control mesh network and a range of autonomous drone and sensor systems; operating on the leading edge of DoD Directive 3000.09 compliance as its systems transition from testing to operational deployment with combatant commands.
- Booz Allen Hamilton — The largest AI services contractor to the U.S. federal government; leads responsible AI implementation programs for NSA, NGA, and civilian agencies, and developed the CDAO's Responsible AI Toolkit used to assess AI acquisitions across the DoD.
- Scale AI — Holds major DoD data-labeling and AI evaluation contracts; its Donovan enterprise AI platform for defense is architected around auditability and human-in-the-loop feedback, with governance workflows designed to satisfy both CDAO RAI requirements and classification-level data handling mandates.
- Microsoft (Azure Government / Azure Government Secret) — Primary cloud and AI infrastructure provider for classified and unclassified government AI workloads; its Azure Government AI services include audit logging, content safety filters, and model governance tools built to NIST AI RMF and FedRAMP High standards, including the JWCC contract providing IL5/IL6 AI capabilities.
- Leidos — Major defense and intelligence contractor deploying AI in C2 systems, predictive maintenance, and ISR analysis; actively building responsible AI governance into its AI engineering lifecycle process to satisfy evolving CDAO and NATO procurement requirements.
- MITRE Corporation — Federally Funded R&D Center (FFRDC) that serves as the primary independent technical advisor on AI governance to DoD, DHS, and ODNI; developed the ATLAS adversarial ML threat matrix and contributes directly to NIST AI RMF guidance for government applications.
- Shield AI — Developer of the Hivemind autonomous pilot AI, which powers F-16-class and V-BAT drone operations; navigating the specific LAWS governance requirements of DoD Directive 3000.09 as Hivemind moves from DARPA ACE program trials toward fielded autonomous air combat capability.
Challenges & Considerations
- National Security Carve-Outs Create Unaccountable AI — The most consequential AI systems—used in signals intelligence, targeting, and information operations—are explicitly excluded from the EU AI Act and face only classified internal oversight in the U.S. The result is a governance inversion: the AI systems with the highest potential for irreversible, large-scale harm are subject to the least external accountability, undermining the legitimacy of broader AI governance frameworks.
- Procurement Speed vs. Regulatory Cycles — AI capabilities are advancing on month-scale cycles while defense acquisition and regulatory processes operate on year-scale timelines. By the time a governance framework catches up to a specific capability—autonomous drone swarms, AI-generated intelligence reports, deepfake detection—the technology has already evolved substantially. DoD's Other Transaction Authority (OTA) pathways accelerate procurement but often outpace governance review processes.
- Autonomous Weapons Treaty Stalemate — UN CCW negotiations on Lethal Autonomous Weapon Systems have been deadlocked for over a decade, with major military powers blocking a binding treaty. Without international governance norms, nations face a race dynamic where unilateral restraint risks strategic disadvantage, while unrestrained development risks norm collapse. The growing operational deployment of autonomous systems by Ukraine, Israel, and multiple non-state actors is making the absence of a governance framework increasingly costly.
- Classification Barriers to Algorithmic Accountability — Meaningful AI governance requires transparency about training data, model architecture, and evaluation results—information that is classified for most defense AI systems. This makes independent external audits structurally impossible and concentrates oversight authority in a small number of cleared insiders. Proposed solutions like classified model cards and trusted third-party auditors with clearances are promising but not yet operational at scale.
- Dual-Use Technology and Export Control Gaps — Foundation models and AI development platforms built for commercial use are routinely adapted for defense applications, creating regulatory gaps between AI governance frameworks (which focus on applications) and export control regimes (which focus on technology transfer). The use of commercially available LLMs in intelligence analysis, civil-military fusion of AI capabilities in China, and the proliferation of autonomous drone technology all strain existing governance instruments designed for a cleaner distinction between civilian and military AI.
- Workforce and Institutional Capacity — Effective AI governance requires sufficient technical expertise within regulatory and oversight bodies to evaluate the systems they are supposed to oversee. Congressional oversight staff, agency inspectors general, and allied nation regulators face a persistent capability gap relative to the AI developers they oversee. The CDAO, NSA's AI Security Center, and ODNI's emerging AI governance office are building this capacity, but the expertise imbalance between government overseers and industry deployers remains one of the most fundamental structural weaknesses in the current governance architecture.
Further Reading
- DoD Responsible AI Strategy and Implementation Pathway (CDAO, 2022)
- NIST AI Risk Management Framework 1.0 and Government Implementation Guidance
- OMB Memorandum M-24-10: Advancing Governance, Innovation, and Risk Management for Agency Use of AI
- NATO Principles of Responsible Use of Artificial Intelligence in Defence
- EU AI Act Full Text and Compliance Guidance (European Parliament, 2024)