OMB memos M-25-21 and M-25-22 govern how federal agencies use and acquire artificial intelligence. If your product or service qualifies as high-impact AI, the agency cannot deploy it until minimum risk-management practices are satisfied — and most of the evidence those practices require comes from you, the vendor. Here is exactly what to have ready.
I spent eighteen years in federal acquisition as a Contracting Specialist and Contracting Officer at GSA, IRS, DoD, and DOI. Every compliance wave follows the same pattern: policy lands on the agency first, then flows downhill into solicitations and contract clauses, and the vendors who prepared during the policy stage win the early orders. AI is now at the flow-down stage.
What is OMB's current AI use policy for federal agencies?
Two memos issued under Executive Order 14179 set the rules. M-25-21 governs how agencies use AI — Chief AI Officers, use-case inventories, and minimum risk-management practices for high-impact AI. M-25-22 governs how agencies buy AI — mandatory contract terms on data rights, vendor lock-in, and use of government data. Together they replaced the earlier M-24-10 and M-24-18 framework.
The structure that matters to a vendor:
- Chief AI Officers (CAIOs). Every CFO Act agency has one. The CAIO — not just your program-office customer — has a say in whether a high-impact AI deployment proceeds.
- AI use-case inventories. The Advancing American AI Act requires agencies to inventory their AI use cases annually and publish the non-sensitive ones. Your deployment will appear in a public inventory.
- Minimum risk-management practices. For high-impact AI, agencies must complete specific practices before and during deployment. OMB gave agencies roughly a year from the April 2025 issuance to implement them — that window has closed, so the practices are now live requirements, not future ones.
- Acquisition requirements. M-25-22 directs agencies to build specific protections into AI contracts, which means new clause language and new proposal questions.
What counts as high-impact AI and why does the classification matter?
High-impact AI is AI whose output serves as a principal basis for decisions or actions with legal, material, or significant effect on a person's rights, safety, or access to critical services — or on critical infrastructure and agency operations. The classification is the trigger: it determines whether your deployment gets the light-touch path or the full risk-management workup.
The earlier M-24-10 framework split this into two lists — "rights-impacting" and "safety-impacting" AI. M-25-21 consolidated the concept into the single high-impact category, but the underlying question an agency asks is unchanged. Examples of use cases that will almost always be treated as high-impact:
| Use case | Why it is high-impact |
|---|---|
| Benefits eligibility screening or fraud flagging | Principal basis for decisions affecting access to government services |
| Resume screening or hiring recommendation tools | Materially affects employment decisions |
| Medical diagnosis or treatment-support tools | Directly affects safety and health outcomes |
| Biometric identification used for law enforcement or access | Affects individual rights and due process |
| Control systems for critical infrastructure | Failure creates physical safety risk |
| Internal document summarization or drafting assistants | Generally not high-impact — a human decision-maker sits between output and effect |
Vendors consistently make one mistake here: assuming the classification is the agency's problem. It is the agency's determination, but the determination is made with your technical documentation in front of them. If you cannot describe what your model does, what data trained it, and where a human sits in the loop, the agency's safest move is to classify high and demand everything — or walk away.
What minimum risk-management practices must agencies apply to high-impact AI?
Before deploying high-impact AI, agencies must complete pre-deployment testing, an AI impact assessment, and independent review — then sustain ongoing monitoring, human training and oversight, and remedy processes for affected individuals. A vendor who cannot feed these practices with evidence stalls the deployment.
- Pre-deployment testing. The agency must test the AI in conditions resembling real-world use. You supply test access, performance benchmarks, and known-limitation documentation.
- AI impact assessment. The agency documents intended purpose, expected benefit, data quality, and risks to rights and safety. Your model documentation and training-data description are the raw material.
- Ongoing monitoring. Performance must be tracked in production. Expect contract language requiring model-performance reporting and degradation notification.
- Human oversight and training. Operators must be trained and able to interpret and override outputs. Your product documentation must support that.
- Remedies and appeal. Where AI affects individuals, there must be a path to human review. Your system needs to log enough to make an adverse output explainable after the fact.
When I sat on the other side of the desk as a GSA Contracting Officer, the requirements that killed timelines were never the ones written in the solicitation — they were the ones the program office discovered mid-procurement. High-impact AI review is exactly that kind of requirement. Vendors who show up with the documentation package pre-built turn a three-month internal review into a formality.
How do these obligations flow into solicitations and contract clauses?
M-25-22 directs agencies to address specific topics in AI acquisitions: government rights in data and AI outputs, restrictions on using nonpublic government data to train commercial models, prevention of vendor lock-in, performance-based requirements, and transparency about AI components. Expect these as clauses, representations, and proposal questions — not suggestions.
In practice you will see the flow-down in four places:
- Solicitation instructions. Requests for model documentation, training-data provenance descriptions, and evidence of testing against relevant benchmarks as part of the technical volume.
- Evaluation criteria. Risk-management maturity — often framed as alignment with the NIST AI Risk Management Framework — scored as a technical factor.
- Contract clauses. Data-rights terms that keep government data out of your training pipeline without written consent, interoperability and data-portability terms aimed at lock-in, and performance-monitoring deliverables. GSA has its own AI-focused contract language for Schedule holders, and agency-level clauses are multiplying faster than the FAR Council can standardize them.
- Representations. Questions about whether AI is used in performance at all — including whether your workforce uses generative AI to produce deliverables. Answer these accurately; a false representation is a False Claims Act problem, not a paperwork problem.
What should an AI vendor be ready to certify or document?
Build one reusable evidence package: model documentation, training-data description, testing results, human-oversight design, incident and logging capability, and a data-rights position. Every agency review draws from the same well. Assemble it once, before the first solicitation, and update it per release.
- Model card or system documentation. Intended use, known limitations, performance metrics, and evaluation conditions.
- Training-data provenance statement. What categories of data trained the model, and a certification that government data is segregated from training absent consent.
- Test and evaluation results. Accuracy, bias testing where relevant, and red-team or adversarial testing summaries.
- Human-in-the-loop design description. Where a person can review, override, and audit outputs.
- Logging and explainability capability. What the system records, retention periods, and how an individual output can be reconstructed.
- Security posture. FedRAMP status for cloud-delivered AI, or your hosting agency's authorization path — the AI review does not replace the ATO; it sits on top of it.
How should you use agency AI use-case inventories in your pipeline?
The public inventories are free competitive intelligence. They tell you which agencies are deploying AI, in what mission areas, and at what maturity — which is exactly the targeting data a capture team needs before the RFI stage.
As a Contracting Specialist, I watched vendors waste entire quarters marketing capabilities to offices that had no appetite and no budget for them. The inventories eliminate that guesswork. Pull the inventory for your target agencies, map your capability against listed use cases, and time your outreach to the annual inventory refresh — new entries signal new money. Across our 70+ proven GSA contract awards, the contractors who grow fastest are the ones who sell where the demand signal is already published.
If you sell AI services or AI-enabled products and want your GSA Schedule positioned before these clauses arrive by mass modification, that is exactly the work we do on our GSA Schedule consulting page.
What Is the Bottom Line?
- M-25-21 and M-25-22 are the operative OMB AI policies. They replaced M-24-10 and M-24-18; cite the current memos in your proposals, not the rescinded ones.
- High-impact classification is the trigger. Know before you bid whether your use case will be classified high-impact, and price the documentation burden in.
- The agency implementation window has closed. Minimum risk-management practices are live requirements affecting deployments today.
- Build the evidence package once. Model documentation, training-data provenance, testing results, oversight design, logging, and data-rights terms.
- Never let government data touch your training pipeline without written consent. This is the contract term agencies enforce hardest.
- Mine the public AI use-case inventories. They are a published demand signal — target agencies whose inventories match your capability.
Frequently Asked Questions
What are OMB M-25-21 and M-25-22?
They are the two Office of Management and Budget memoranda issued in April 2025 under Executive Order 14179. M-25-21 governs agency use of AI — Chief AI Officers, use-case inventories, and minimum risk-management practices for high-impact AI. M-25-22 governs AI acquisition, directing agencies to include contract terms on data rights, vendor lock-in, and use of government data.
What happened to the rights-impacting and safety-impacting AI categories?
Those categories came from the earlier M-24-10 memo, which was rescinded. M-25-21 consolidated them into a single "high-impact AI" category covering AI whose output is a principal basis for decisions with legal, material, or significant effect on rights, safety, or access to critical services.
Do the OMB AI memos apply directly to contractors?
No — they bind agencies, not vendors. But agencies satisfy their obligations by demanding evidence, representations, and contract terms from vendors, so the practical burden lands on you through solicitations and clauses.
Does selling AI to an agency require FedRAMP authorization?
If your AI is delivered as a cloud service, the standard FedRAMP requirement applies just as it would for any other SaaS. The AI risk-management review is an additional layer on top of the security authorization, not a substitute for it.
Can an agency use my commercial AI product's outputs to train other models?
The relevant direction runs the other way: M-25-22 pushes agencies to prohibit vendors from using nonpublic government data to train commercial models without consent. Expect explicit contract language on training data in both directions, and read it carefully before signing.
Where can I find agency AI use-case inventories?
Agencies publish their non-sensitive AI use-case inventories on their own websites, and consolidated inventory data has been posted through ai.gov and agency open-data pages. They are refreshed annually under the Advancing American AI Act.
Is there a government-wide FAR clause for AI yet?
Not a finalized government-wide clause covering AI risk management. Agencies are using agency-level clauses and solicitation-specific terms in the meantime — GSA has its own AI contract language for Schedule holders. Track the FAR Council's open FAR cases if you sell AI across multiple agencies.