Government - Overview
21 of 22,000 U.S. cities have AI policies. Federal frameworks exist -- OMB directives, NIST AI RMF, 19 state laws -- but municipal deployment governance is near zero. Legislative momentum is high. Deployment momentum is low. The gap buyer here is the city that adopted AI before adopting a policy for it.
21 of 22,000 U.S. cities have AI policies. Federal frameworks are multiplying -- OMB M-24-10, NIST AI RMF, 19 state AI laws enacted -- but municipal deployment governance is near zero. Government is over-governed at the federal level and ungoverned at the local level simultaneously. The -17 point gap is misleading: federal mandates inflate the governance score, but the deployment reality at the municipal and state level is a different picture entirely. Legislative momentum is high. Deployment momentum is low. The market here is the city or state agency that adopted AI before adopting a policy for it and now faces a public records request asking what the AI decided, what data it used, and why. Government is a regulatory customer, not just a deployment customer.
This industry includes 3 segments in the Ontic governance matrix, spanning risk categories from Category 1 — Assistive through 3_evidentiary. AI adoption index: 4/5.
Government - Regulatory Landscape
The government sector is subject to 18 regulatory frameworks and standards across its segments:
- ADA accessibility requirements
- ADA/Section 508
- APA (5 USC 551+)
- Congressional Review Act
- E-Government Act
- FISMA
- FedRAMP
- Federal grant compliance (2 CFR 200)
- IG Act
- Local municipal codes
- NIST RMF (SP 800-37)
- OMB Circular A-130
- Privacy Act of 1974
- State FOIA/open records laws
- State IG authority
- State administrative procedure acts
- State open records / sunshine laws
- State privacy laws
The specific frameworks that apply depend on the segment and scale of deployment. Cross-industry frameworks (GDPR, ISO 27001, EU AI Act) may apply in addition to sector-specific regulation.
Government - Government -- Municipal / Local
Risk Category: Category 1 — Assistive Scale: SMB Applicable Frameworks: State open records / sunshine laws, ADA accessibility requirements, Local municipal codes, State administrative procedure acts
21 of 22,000 U.S. cities have AI policies. The public records request will not wait for the other 21,979.
The Governance Challenge
Municipal governments use AI for constituent inquiry responses, policy summaries, and grant applications. Most adopted the tools before adopting a policy for them. State open records and sunshine laws apply to AI-generated government communications. ADA accessibility requirements apply to AI-produced public content. When a constituent files a public records request asking what the AI decided, the city needs to produce an evidence chain. Most cannot.
Regulatory Application
State open records and sunshine laws require that AI-generated government communications be producible on request. ADA accessibility requirements apply to AI-generated public content. State administrative procedure acts govern AI-assisted benefit determinations. Local municipal codes may impose additional requirements. The regulatory framework exists — AI-specific implementation does not.
AI Deployment Environments
- Studio: Constituent inquiry drafting | Internal policy summaries | Grant application drafting
- Refinery: Public FAQ and notice governance | Simple benefit explanation checks
Typical deployment path: Studio → Studio → Refinery
Evidence
- 21 of 22,000 U.S. cities have AI policies
- State open records requests are increasingly targeting AI-generated content
- 19 states have enacted AI legislation as of 2025
Government - Public Sector -- State / Regulator
Risk Category: 3_evidentiary Scale: Mid-Market Applicable Frameworks: State administrative procedure acts, State FOIA/open records laws, State IG authority, Federal grant compliance (2 CFR 200), State privacy laws, ADA/Section 508
When a state agency's AI makes a benefit determination, the administrative record must include the model's reasoning.
The Governance Challenge
State agencies and regulators deploy AI for internal policy drafting, research copilots, public-facing benefit determinations, regulatory guidance, and FOIA response governance. State administrative procedure acts govern AI-assisted agency decisions. State FOIA and open records laws require AI-generated government communications be producible. State IG authority extends to AI-assisted program administration. When a constituent challenges an AI-influenced benefit determination through administrative appeal, the administrative record must include the model's contribution — not just the outcome.
Regulatory Application
State administrative procedure acts govern AI-assisted agency decisions and require reasoned decision-making evidence. State FOIA/open records laws require AI-generated content be producible on request. State IG authority extends to AI-assisted program administration and spending decisions. Federal grant compliance (2 CFR 200) applies to AI-assisted grant administration. State privacy laws govern personal data in AI systems. ADA/Section 508 accessibility applies to AI-generated public content.
AI Deployment Environments
- Studio: Internal policy drafting assistants | Staff-facing research copilots
- Refinery: Public-facing benefit determinations | Regulatory guidance output | FOIA response governance
- Clean Room: Inspector General investigation packs | Legislative inquiry response files
Typical deployment path: Refinery → Refinery → Clean Room
Evidence
- By 2025, at least 19 states had enacted AI-related statutes, and that number continues to rise
- State IG investigations of AI-assisted program decisions are increasing
- Administrative appeals of AI-influenced determinations are a new category
- State FOIA requests targeting AI-generated content are proliferating
Government - Public Sector -- Federal / Regulator
Risk Category: 3_evidentiary Scale: Enterprise Applicable Frameworks: FedRAMP, FISMA, OMB Circular A-130, NIST RMF (SP 800-37), Privacy Act of 1974, E-Government Act, IG Act, Congressional Review Act, APA (5 USC 551+)
OMB M-24-10 requires federal AI governance. GAO will audit compliance. The evidence chain must be producible.
The Governance Challenge
Federal agencies deploy AI for analyst copilots, internal memo drafting, FedRAMP-compliant AI output, rulemaking commentary, and public communications. OMB Circular A-130 and OMB M-24-10 mandate AI risk management. NIST RMF (SP 800-37) governs system authorization. FISMA requires security documentation for AI systems. The Privacy Act of 1974 governs AI processing personal records. GAO and agency IGs have audit authority over AI governance compliance. When GAO audits an agency's AI governance and the evidence does not exist, the finding becomes a congressional report.
Regulatory Application
FedRAMP governs cloud AI services for federal use. FISMA requires security documentation for AI systems. OMB Circular A-130 and M-24-10 mandate AI risk management and governance. NIST RMF (SP 800-37) governs system authorization including AI. Privacy Act of 1974 governs AI processing personal records. E-Government Act applies to AI-generated digital government content. IG Act provides audit authority. Congressional Review Act applies to AI-related rulemaking. APA (5 USC 551+) governs AI-assisted administrative decisions.
AI Deployment Environments
- Studio: Analyst copilots | Internal memo drafting
- Refinery: FedRAMP-compliant AI output | Rulemaking commentary drafting | Public communications governance
- Clean Room: IG/GAO audit-defensible files | Classified system governance | Evidentiary chain-of-custody
Typical deployment path: Clean Room → clean_room (primary) | refinery for unclassified operations
Evidence
- OMB M-24-10 mandates federal AI governance with specific reporting requirements
- GAO AI audit reports have increased significantly since 2023
- NIST AI RMF adoption is widespread; implementation evidence is often absent
- FedRAMP AI governance requirements expanding in scope