In This Update
- OMB M-25-21: Background and What It Requires
- Enforcement Status: Where Agencies Stand in April 2026
- Agencies Ahead of Schedule
- Agencies Behind Schedule
- Workforce Training Requirements: The Detail
- Procurement Implications for AI Vendors
- The DOGE Wildcard
- What Federal Employees Should Do Now
- What AI Contractors Should Do Now
Key Takeaways
- OMB M-25-21 enforcement is underway as of April 2026, with CAIO designations complete at most major agencies but use case inventories and risk frameworks still in progress
- DoD, NASA, NSF, and parts of the intelligence community are ahead of the implementation curve; many civilian agencies remain behind
- Workforce training requirements are real and creating significant demand for AI literacy training programs across the federal workforce
- AI procurement is more complex under M-25-21 — pre-acquisition risk assessments and transparency requirements affect every AI contract
- DOGE's efficiency mandate has accelerated AI adoption at some agencies while creating compliance uncertainty at others
- Federal employees who proactively develop AI skills are positioning ahead of the mandated training requirements — an advantage in an environment where agency-provided training is inconsistent
OMB M-25-21: Background and What It Requires
OMB M-25-21, titled "Accelerating Federal Use of Artificial Intelligence through Governance, Innovation, and Risk Management," was issued in March 2025 and represents the current administration's replacement of Biden-era AI governance with a more deployment-oriented mandate — the emphasis shifted from restriction to adoption, while maintaining risk management requirements.
The key requirements of M-25-21:
- Chief AI Officer (CAIO) designation: Every CFO Act agency must designate a CAIO with agency-wide authority over AI governance
- AI use case inventory: Complete inventory of all AI use cases in production and development
- AI risk management framework: Adoption of NIST AI RMF or equivalent, with documentation of risk assessments for high-impact AI
- Workforce AI literacy: Agency plans for ensuring the workforce has appropriate AI skills for their roles
- Procurement guardrails: Pre-acquisition AI risk assessments and transparency requirements in AI contracts
- Annual reporting: Annual compliance reports to OMB on AI adoption, risk management, and workforce training progress
The implementation timeline set by M-25-21 was aggressive: CAIO designations within 60 days, use case inventories within 180 days, risk frameworks within one year. The 180-day use case inventory deadline came and went in September 2025, and compliance has been uneven.
Enforcement Status: Where Agencies Stand in April 2026
The honest April 2026 enforcement picture: CAIO designations are largely complete, use case inventories are about half done, risk management frameworks are further behind, and workforce training programs are in early stages at most agencies — significant compliance work remains to be done.
OMB's enforcement mechanism for M-25-21 is softer than for some compliance mandates. There are no financial penalties for non-compliance. The primary enforcement tools are: visibility through annual reports (which create political pressure), potential contract consequences for agencies that cannot certify AI governance (which affects future IT budgets), and CAIO accountability (the designated official is on the record as responsible).
This softer enforcement has meant variable compliance. Agencies with strong existing IT governance and AI leadership have moved quickly. Agencies with limited IT budgets, no prior AI programs, and rotating political leadership have moved slowly. The variation is wide enough that "the federal government" as a statement about AI compliance is meaningless — you have to look agency by agency.
Agencies Ahead of Schedule
The agencies furthest ahead on M-25-21 compliance are those that had existing AI governance infrastructure before the mandate — DoD, NASA, NSF, and parts of the intelligence community — and those that made AI adoption a leadership priority regardless of mandate.
| Agency | CAIO Status | Use Case Inventory | AI Risk Framework | Workforce Training |
|---|---|---|---|---|
| DoD / CDAO | Complete | Complete | Complete (NIST aligned) | Active programs |
| NASA | Complete | Complete | Complete | In progress |
| NSF | Complete | Complete | Complete | In progress |
| GSA | Complete | In progress | In progress | In progress |
| DHS | Complete | In progress | In progress | In progress |
| Smaller independent agencies | Mixed | Behind | Behind | Not started |
Agencies Behind Schedule
The agencies furthest behind tend to be smaller independent regulatory agencies (FTC, SEC, CFTC, FCC) and larger agencies where leadership transitions, budget constraints, or organizational complexity have slowed implementation — but "behind" on M-25-21 does not mean "not using AI," it means the governance structure is not keeping pace with adoption.
The irony at some agencies: informal AI adoption (employees using commercial AI tools, teams deploying AI without formal governance) is ahead of formal compliance. This creates risk — AI being used without the risk management framework the mandate requires. OMB has flagged this pattern in its preliminary compliance assessments and is pushing agencies to inventory what is actually being used before formalizing the use cases that are already happening.
Workforce Training Requirements: The Detail
M-25-21's workforce training requirement is creating the largest single driver of demand for AI training programs across the federal government — agencies need to demonstrate they have a plan for AI literacy across their workforce, and most agency training systems are not equipped to deliver it without external help.
The training requirement is tiered by role, per OMB guidance issued in late 2025:
- All employees: Basic AI awareness — what AI is, how the agency uses it, how to report concerns about AI-generated information
- Employees who work with AI outputs: Functional AI literacy — how to evaluate AI output, appropriate use cases, when to seek human verification
- AI developers and operators: Technical AI competency — model deployment, monitoring, NIST AI RMF application
- Acquisition personnel: AI procurement literacy — how to write AI requirements, evaluate vendor AI claims, conduct pre-acquisition risk assessments
- Senior leaders: AI governance literacy — risk management, accountability, strategic AI decision-making
Most agencies are at the planning stage for workforce training. A few — primarily DoD and the intelligence community — have active programs in place. The majority are still identifying what training programs to use, what the baseline standard looks like, and how to scale training to workforces of tens of thousands of employees.
The Federal AI Training Market Gap
OMB has established the requirement; agencies have to figure out how to deliver on it. Federal training systems (DAU, OPM-managed programs, agency learning management systems) are not set up to deliver current, practical AI training at scale. This is creating procurement demand for commercial AI training programs that can be delivered to federal audiences — an opportunity for training providers who understand both AI and the federal context.
Procurement Implications for AI Vendors
M-25-21's procurement requirements are adding real overhead for AI vendors selling to federal agencies — pre-acquisition risk assessments, model documentation requirements, and post-award monitoring obligations are raising the compliance bar and creating a meaningful advantage for vendors who have this documentation ready.
Federal AI contracts now require vendors to provide:
- Model cards or equivalent documentation describing training data, known limitations, and performance characteristics
- Documentation of testing and evaluation methodology
- Description of bias testing and fairness considerations
- Incident reporting procedures for AI failures
- Post-deployment monitoring plan
For large AI vendors (Microsoft, Google, AWS, Palantir), this documentation is increasingly standard. For smaller AI companies entering the federal market, building this documentation is a meaningful pre-sales activity that separates companies that can win federal contracts from those that cannot.
The DOGE Wildcard
DOGE's efficiency mandate has created a simultaneous acceleration and complication for federal AI compliance: agencies are under pressure to demonstrate AI productivity gains (which encourages adoption), but DOGE's workforce reductions have eliminated some of the governance personnel needed to maintain compliance (which creates risk).
At some agencies, DOGE-driven efficiency goals have resulted in faster AI adoption decisions — teams are deploying AI tools with shorter procurement cycles to demonstrate productivity. At others, DOGE-driven workforce reductions have eliminated the IT governance and compliance staff who would have managed M-25-21 implementation. This tension is unresolved as of April 2026 and adds uncertainty to compliance timelines at affected agencies.
What Federal Employees Should Do Now
Federal employees who proactively develop AI skills are positioning ahead of their agencies' mandatory training requirements — instead of waiting for compliance-driven training that will be baseline and often inadequate, they can acquire deeper practical skills now and demonstrate capability leadership within their agencies.
- Complete basic AI literacy training now. Do not wait for your agency to require it. OPM has free AI awareness modules available at OPM.gov; complete them to demonstrate proactive engagement.
- Document your AI use cases. If you are using AI tools in your work, document them proactively. When your agency's use case inventory process reaches you, having documentation ready marks you as an AI-aware employee.
- Get ahead of the functional training requirement. The mandatory functional training for employees who work with AI is coming. Getting substantive practical AI training now means you will be better positioned for the AI-enabled roles that will expand as agencies accelerate adoption.
- Understand the NIST AI RMF. If you are in an IT, acquisition, or leadership role, the NIST AI RMF is the governance framework your agency will be using. Understanding it before your agency requires it is a meaningful professional advantage.
- Engage with your CAIO office. Most agency CAIO offices are small and overwhelmed. Employees who proactively engage — offering to help with use case inventory, volunteering for AI pilot programs — get visibility and learning opportunities that passive colleagues do not.
What AI Contractors Should Do Now
For AI companies pursuing federal contracts, M-25-21 changes the sales and proposal process — the agencies you are selling to are under new governance requirements, and the vendors who help them meet those requirements while delivering capability will win more contracts than those who lead only with technology.
- Build your model documentation package before you need it: model card, data documentation, testing methodology, bias assessment, incident response procedure
- Get familiar with the NIST AI RMF and be able to speak to how your product supports agency compliance, not just capability
- Engage CAIO offices, not just CIO offices — the new procurement process runs through AI governance, not just IT procurement
- Consider whether you can help agencies with their workforce training requirement — if your product requires users to understand AI, providing training is a contract expansion opportunity
Train ahead of the federal mandate — lead, don't comply.
The Precision AI Academy bootcamp is explicitly designed for federal-context AI work. Three days of hands-on training that prepares you for M-25-21 requirements and beyond. October 2026. $1,490.
Reserve Your SeatNote: Agency compliance status figures are estimates based on publicly available OMB annual reports, agency AI inventories, and GAO assessments as of early 2026. Individual agency compliance varies significantly by organizational unit and mission area. Refer to your agency's CAIO office for authoritative guidance on specific training and compliance requirements.