Federal AI governance policy changed significantly in April 2025. OMB released two memoranda on April 3, 2025: M-25-21, titled "Accelerating Federal Use of AI through Innovation, Governance, and Public Trust," and M-25-22, titled "Driving Efficient Acquisition of Artificial Intelligence in Government." These documents replaced M-24-10 (March 2024) and M-24-18 (June 2024), which had been the Biden administration's primary AI governance framework for the executive branch.
What M-24-10 Established
M-24-10 was the Biden administration's primary framework for managing AI risk across federal agencies. It required agencies to designate a Chief AI Officer (CAIO), establish AI governance boards, maintain an inventory of AI use cases, and implement safeguards for rights-impacting AI. It placed significant emphasis on civil rights protection, bias mitigation, and transparency for AI systems that affected the public. Many of its requirements had specific deadlines tied to the 2024 fiscal year.
M-24-10 also introduced the concept of risk-tiered AI governance, distinguishing between AI systems that impacted safety or civil rights and those that did not. High-impact systems faced more stringent requirements around human review, transparency notices, and recourse mechanisms. The framework reflected the Biden administration's view that responsible AI adoption required front-loaded governance investment.
What Changed Under M-25-21
M-25-21 retains the CAIO structure and requires agencies to continue maintaining AI use case inventories, but it shifts the overall posture from caution-first to innovation-first. The new directive emphasizes removing barriers to AI adoption within the federal government, reducing duplicative reporting requirements, and enabling agencies to move faster in deploying AI tools. The explicit framing is that prior restrictions created friction that slowed federal AI deployment without proportional risk reduction.
Notably, M-25-21 pulls back some of M-24-10's safeguards for rights-impacting AI, reducing mandatory transparency and recourse requirements for certain categories of AI use. The directive maintains accountability for AI systems used in law enforcement, border security, and national security contexts, but reduces governance overhead for lower-stakes agency uses. This represents a meaningful philosophical shift in how the federal government weighs speed against procedural protection.
M-25-22: Procurement Implications for AI Vendors
M-25-22 is specifically focused on how federal agencies acquire AI systems and services. It applies to contracts awarded from solicitations issued on or after October 1, 2025, making it a near-term operational requirement for vendors pursuing federal AI contracts. The memorandum establishes standards for how agencies should evaluate AI vendors, what documentation they must require, and how they should assess AI system risk before acquisition.
Under M-25-22, agencies must require vendors to provide documentation about training data provenance, model performance metrics, known limitations, and security practices. Vendors must also describe how their AI systems can be monitored for performance degradation and how they will support agencies in meeting ongoing accountability requirements. This documentation burden is real, and vendors who have not already built their responsible AI documentation practices should begin now.
What Stayed the Same
- CAIO designation: Agencies must continue to have a Chief AI Officer responsible for coordinating AI strategy and governance.
- AI use case inventories: Agencies must maintain and publish inventories of their AI use cases, providing public visibility into how AI is deployed.
- Risk-based approach: Both M-25-21 and M-25-22 maintain a risk-tiered approach, with national security, law enforcement, and public safety AI systems subject to more stringent requirements.
- Interagency coordination: The AI Safety Institute and other interagency bodies retain roles in developing shared standards and tooling.
- Accountability for outcomes: Agencies remain responsible for the performance and impact of AI systems they deploy, regardless of whether those systems were built internally or procured.
What Contractors Should Do
For contractors who were previously complying with M-24-10 obligations as subcontractors or primes on federal AI projects, the immediate step is to review which specific requirements have changed and update your compliance posture accordingly. Do not assume that M-24-10 compliance covers M-25-21 obligations without a gap analysis.
For AI vendors pursuing federal contracts, M-25-22 is the more operationally significant document. Begin building responsible AI documentation packages now, before solicitations require them. Vendors who can demonstrate mature AI governance practices, including bias assessment, performance monitoring, and explainability documentation, will be better positioned in federal source selections under the new framework.
The policy shift from M-24-10 to M-25-21 is significant, but the core expectation that agencies and vendors govern AI responsibly has not changed. The risk of noncompliance remains real, both operationally and reputationally.