Administration Releases Guidance On Federal Use Of AI

On March 28, the Office of Management and Budget (OMB), released a memo implementing major provisions of the Biden Administration's AI Executive Order. The memo covers the following broad themes each of which are summarized below:

• Strengthening AI Governance
• Advancing Responsible AI Innovation
• Managing Risks from the Use of AI
• Government

Scope of memo:

Agencies covered: Virtually all federal agencies (including independent agencies) are covered by the memo.

• Some requirements apply only to departments listed in the Chief Financial Officers Act, which are essentially the cabinet-level departments plus the EPA and NASA.

AI covered: "Any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight, or that can learn from experience and improve performance when exposed to data sets." (2019 Defense Authorization Act).

AI Governance:

• Each agency must convene relevant senior officials to coordinate issues regarding use of AI within the federal government.
• Compliance plans: By September 24, 2024, (and every two years thereafter until 2036), each agency must post publicly on the agency's website either a plan to achieve consistency with the OMB memo, or a determination that the agency does not use and does not anticipate using covered AI.
• AI Use Case Inventories: Each agency must make an inventory of it AI use cases at least annually.

The Executive Order on AI had mandated that each agency designate a Chief AI Officer (CAIO). This memo provides information on the responsibilities of the CAIOs:

• Must be appointed by May 27.
• Coordination, innovation, and risk management for the agency's use of AI specifically, as opposed to data or IT issues in general.
• Serving as the senior advisor for AI to the head of the agency
• Instituting the requisite governance and oversight processes to comply with the memo.
• identifying and removing barriers to the responsible use of AI in the agency, including through the advancement of AI-enabling enterprise infrastructure

AI Innovation

• Agencies must increase their capacity to responsibly adopt AI, including generative AI, and take steps to enable sharing and reuse of AI models, code, and data. The memo requires each agency identified in the CFO Act to develop an enterprise strategy for how they will advance the responsible use of AI.
• Agencies should develop adequate infrastructure and capacity to sufficiently share, curate, and govern agency data for use in training, testing, and operating AI. This includes an agency's capacity to maximize appropriate access to and sharing of both internally held data and agency data managed by third parties.
• Agencies should assess potential beneficial uses of generative AI in their missions and establish adequate safeguards and oversight mechanisms that allow generative AI to be used in the agency without posing undue risk.
• Agencies must proactively share their custom-developed code20—including models and model weights—for AI applications in active use and must release and maintain that code as open source software on a public repository unless some exceptions apply (such as export control or national security).
• Data used to develop and test AI is likely to constitute a "data asset" for the purposes of implementing the Open, Public, Electronic and Necessary (OPEN) Government Data Act, and agencies must, if required by that Act, release such data assets publicly as open government data assets.

AI Risk Management

• The memo establishes new requirements and recommendations that address the specific risks from relying on AI to inform or carry out agency decisions and actions, particularly when such reliance impacts the rights and safety of the public.
• Agencies must complete an AI impact assessment, including evaluating the potential risks of AI to the agency's mission.
• Evaluate the quality of the data: "the quality of the data used in the AI's design, development, training, testing, and operation and its fitness to the AI's intended purpose."
  • "In conducting assessments, if the agency cannot obtain such data after a reasonable effort to do so, it must obtain sufficient descriptive information from the vendor (e.g., AI or data provider)." Such information must include:
    • the data collection and preparation process, which must also include the provenance of any data used to train, fine-tune, or operate the AI;
    • the quality and representativeness of the data for its intended purpose;
    • whether the data contains sufficient breadth to address the range of real-world inputs the AI might encounter and how data gaps and shortcomings have been addressed either by the agency or vendor

AI Procurement

• Agencies should take steps to ensure transparency and adequate performance for their procured AI including by:
  • obtaining adequate documentation to assess the AI's capabilities
  • obtaining adequate information about the provenance of the data used to train, fine-tune, or operate the AI;

In contracts for AI products and services, agencies should treat relevant data, as well as improvements to that data as a critical asset.

• Agencies should ensure that their contracts retain for the Government sufficient rights to data so as to avoid vendor lock-in and facilitate the Government's continued development of AI.
• Agencies should consider contracting provisions that protect Federal information used by vendors in the development and operation of AI products for the government, so that such data cannot be subsequently used to train or improve the functionality of the vendor's commercial offerings without express permission from the agency.

Regarding generative AI procurement:

• requiring adequate testing and safeguards;
• requiring results of internal or external testing and evaluation, to include AI red-teaming against risks from generative AI, such as discriminatory, misleading, inflammatory, unsafe, or deceptive outputs;
• requiring that generative AI models have capabilities, as appropriate and technologically feasible, to reliably label or establish provenance for their content as generated or modified by AI

Further Request for Information

The OMB also released a Request for Information (RFI) on the "Responsible Procurement of Artificial Intelligence in Government." Comments were due on April 29, 2024

Among others, the questions asked include:

• How can OMB promote robust competition, attract new entrants, including small businesses, into the Federal marketplace, and avoid vendor lock-in across specific elements of the technology sector, including data collectors and labelers, model developers, infrastructure providers, and AI service providers? Are there ways OMB can address practices that limit competition, such as inappropriate tying, egress fees, and self-preferencing?
• What access to documentation, data, code, models, software, and other technical components might vendors provide to agencies to demonstrate compliance with the requirements established in the AI memo?
• What if any terms should agencies include in contracts to protect the Federal Government's rights and access to its data, while maintaining protection of a vendor's intellectual property?

We will provide updates based on additional OMB guidance on federal use of AI.