OMB's AI Governance Framework One Year In: What Federal Procurement Teams Must Do Now

On April 3, 2025, OMB issued memoranda M-25-21 and M-25-22, implementing Executive Order 14179 to accelerate federal AI use and acquisition. The memos established binding timelines — Chief AI Officers designated within 60 days, compliance plans published within 180 days, Generative AI policies developed within 270 days.

One year later, those initial deadlines have passed. Agencies including DHS, GSA, and others have published their compliance plans, and the federal government is firmly in the execution phase of its AI governance mandate. For procurement teams, that shift from planning to execution has direct implications for how AI tools are bought, overseen, and documented going forward.

What M-25-21 and M-25-22 Require

The two memoranda work together. M-25-21 focuses on accelerating AI deployment — explicitly aimed at reducing bureaucratic friction around AI adoption. M-25-22 covers the acquisition and use of AI by federal agencies — setting requirements for how agencies buy, disclose, and govern AI systems. Together they create a framework that is simultaneously permissive (get AI deployed faster) and structured (document what you're deploying and how).

Key requirements from M-25-22 that directly affect procurement teams:

• Chief AI Officer designation — agencies must have a designated CAIO responsible for AI governance, including overseeing AI acquisitions and ensuring compliance with the framework
• AI inventory and disclosure — agencies must maintain an inventory of AI use cases and make appropriate information publicly available, creating accountability for what AI is actually being used for
• Generative AI policy — each agency must establish a policy governing use of generative AI tools, including commercial tools used by the workforce
• Compliance plans — agencies must publish plans describing how they're implementing the OMB framework, updated biennially through 2036

The Execution Phase: What's Actually Happening

With the major deadlines behind them, agencies are now in the harder part: operationalizing the policies they published. The gap between a written compliance plan and actual compliance is where most governance frameworks encounter friction — and AI governance is no exception.

For procurement teams, three execution-phase challenges are emerging consistently:

AI inventory maintenance. Keeping an accurate, current inventory of AI use cases requires ongoing coordination between contracting officers (who know what's been purchased), program offices (who know what's being used), and IT (who know what's been deployed). Most agencies don't have a systematic process for this — it's often maintained manually or not at all.

Generative AI policy compliance in practice. An agency GenAI policy that says "employees may use approved generative AI tools for appropriate work tasks" is easy to write. Implementing it — defining what "approved" means, establishing the approval process, tracking which tools are in use across the workforce — requires operational infrastructure that most agencies are still building.

Contract oversight for AI-enabled tools. CORs overseeing contracts for AI-enabled software need guidance on what to look for — how to assess whether the AI components are performing as promised, what performance metrics to track, and what disclosure to require from vendors when AI capabilities are updated or changed post-award.

What the CAIO Mandate Means for Acquisition Teams

The Chief AI Officer designation is more than a title. Under M-25-22, the CAIO is responsible for overseeing AI acquisitions — which means, for the first time, there is a designated senior official whose job includes evaluating whether the agency is buying AI well.

For contracting officers and program managers, this creates both accountability and opportunity. Accountability, because AI acquisitions are now subject to a level of scrutiny that general software purchases haven't historically faced. Opportunity, because it creates a natural internal champion for building the acquisition infrastructure — evaluation criteria, oversight processes, documentation standards — that the CAIO needs to do their job.

Practical Steps for Procurement Teams

• Brief your CAIO on acquisition gaps. Most CAIOs are focused on the technology and governance side; they may not fully understand the procurement infrastructure gaps that the OMB framework implies. A briefing on what's needed — AI-specific evaluation criteria, technical evaluator access, lessons-learned processes — is a good way to get resources aligned
• Build AI use case tracking into your contract administration process. Every contract that includes an AI component should be flagged and tracked against your agency's AI inventory requirements. This doesn't require new software — it requires a field in your contract tracking system and a process for keeping it current
• Develop AI-specific COR training. CORs overseeing AI-enabled contracts need guidance beyond standard contract administration training. What performance metrics apply to AI systems? What vendor disclosure is appropriate when AI models are updated? These questions should have documented answers

---

One year after M-25-21 and M-25-22, the framework is in place. The compliance plans are published. The CAIOs are designated. The Generative AI policies are written. What's left — and what will determine whether the framework achieves its goals — is execution. That's the work that happens in acquisition shops, not in policy offices.