OMB M-25-21 Compliance Guide: The New Federal AI Governance Framework

14 min read · Updated May 18, 2026

Bottom Line Up Front

OMB M-25-21, issued April 3, 2025, replaces M-24-10 and implements EO 14179. It requires every agency to designate a Chief AI Officer, establish an internal AI governance board, publish an annual AI use case inventory, and apply enhanced oversight to high-impact AI systems whose outputs materially affect rights, services, safety, or sensitive federal resources. Twenty-four major departments must publish public AI strategies by approximately October 2025.

The conventional take on Office of Management and Budget (OMB) M-25-21 is that the Trump administration ripped out the Biden-era guardrails and told agencies to move fast. That reading is wrong, and acting on it will leave your agency exposed.

M-25-21 does not abandon AI governance. It restructures it. The bifurcated “rights-impacting” and “safety-impacting” categories from M-24-10 created compliance confusion, inconsistent agency interpretations, and governance theater around low-risk systems. M-25-21 replaces both with a single standard: high-impact AI. For the systems that actually matter, the oversight requirements are no weaker. They are more precisely targeted.

What follows is the framework analysis every federal compliance officer, Chief AI Officer (CAIO), and agency counsel needs before the September 30, 2025 deadline arrives.

Comply with OMB M-25-21 by completing five actions: designate a Chief AI Officer with agency-wide governance authority, stand up an AI governance board (CFO Act agencies), classify every AI system against the high-impact standard, maintain a public annual AI use case inventory, and publish a public AI strategy within 180 days (CFO Act agencies, deadline September 30, 2025). The companion memorandum M-25-22 governs how agencies procure AI.

OMB M-25-21 Compliance Requirements: What Changed from M-24-10

M-24-10 organized agency obligations around two separate AI categories: rights-impacting AI and safety-impacting AI. Each category carried its own risk management checklist. In practice, agencies spent significant effort debating which category a system fell into before any substantive governance work began.

M-25-21 eliminates that categorization debate. One standard now governs: high-impact AI. A system qualifies when its output serves as a “principal basis for decisions or actions that have a legal, material, binding, or significant effect on rights or safety” (M-25-21 §4(a)). The governance obligations attach to the impact on the people affected, not to an administrative label on the system. For a practitioner-level analysis of how to apply this threshold, see the companion article on high-impact AI classification.

The policy goal behind the change is stated directly in M-25-21: foster AI innovation, advance AI governance, and promote responsible AI use. The ordering matters. Innovation comes first because the prior framework’s administrative overhead was itself a barrier. Governance comes second because accountability for high-impact systems is non-negotiable.

Three compliance timeline triggers agencies should track:

  • CAIO designation: within 60 days of issuance for all covered agencies (M-25-21 §3(a)(i))
  • AI governance board convened: within 90 days of issuance for CFO Act agencies (M-25-21 §3(a)(ii))
  • Public AI strategy published: CFO Act agencies per 31 U.S.C. §901(b), September 30, 2025 (180 days from the April 3, 2025 issuance under M-25-21 §2(a))

The audit fix. Audit every AI system currently classified under M-24-10’s rights-impacting or safety-impacting categories. Apply the M-25-21 §4(a) principal-basis threshold to each. Some systems will move out of enhanced oversight scope. Some will stay in. Document the reclassification rationale before the September 30, 2025 public strategy deadline.

The High-Impact AI Classification Framework

M-25-21 §5 defines high-impact AI as systems whose output “serves as a principal basis for decisions or actions with legal, material, binding, or significant effect” on any of six enumerated categories: (1) civil rights, civil liberties, or privacy; (2) access to education, housing, insurance, credit, employment, and other programs; (3) access to critical government resources or services; (4) human health and safety; (5) critical infrastructure or public safety; or (6) strategic assets or resources, including high-value property and information marked as sensitive or classified. For governance design purposes, these six categories group analytically into four domains (individual rights, government services access, personal safety, and sensitive federal resources), but that four-domain framing is an analytical aid for practitioners, not memorandum terminology. One category match is sufficient to trigger high-impact classification.

Applying the §4(a) threshold requires examining what the system’s output actually drives, not what it was designed to do. An outcome-proximity analysis (examining how close the AI output sits to the consequential decision or action) operationalizes M-25-21’s “principal basis” requirement. An AI system that screens benefits eligibility and produces a determination that a caseworker accepts without independent review is high-impact: the AI output is, functionally, the decision. An AI system that summarizes policy documents for an analyst to read and interpret is not: the AI output is one input among many. That distinction is an analytical tool for applying §4(a), not a named test in the memorandum.

M-25-21 §4(b) requires seven minimum risk management practices for high-impact systems: pre-deployment testing; an AI impact assessment; ongoing monitoring; adequate human training and oversight; human oversight, intervention, and accountability mechanisms; consistent remedies or appeals for affected individuals; and consultation with end users and the public. These seven practices replace the looser M-24-10 checklists. Each must be documented within 365 days of the April 3, 2025 issuance (by April 3, 2026) and be ready to report to OMB as part of periodic accountability reviews or the annual AI use case inventory (M-25-21 §4(a)(i)).

One area where M-25-21 takes a notably different posture from M-24-10: the explicit requirement to share custom-developed AI code government-wide and to release it as open-source software unless one of four statutory exceptions applies (M-25-21 §2(b)(i)). Agencies are directed to remove barriers to AI adoption, not add them.

The audit fix. Map every active AI system to M-25-21’s §5 six-category definition. For each system that triggers any one category, document all seven §4(b) minimum risk management practices. Systems with no documentation should be treated as non-compliant until the record is built. The April 3, 2026 documentation deadline is a hard date under §4(a)(i).

Chief AI Officer and Governance Board Requirements

M-25-21 requires every covered agency to designate a Chief AI Officer within 60 days of issuance (M-25-21 §3(a)(i)). The CAIO is not a symbolic appointment. The role carries accountability for agency-wide AI governance, coordination with the interagency CAIO Council, oversight of the high-impact classification process, and ownership of the public AI strategy publication requirement. For CFO Act agencies, the CAIO must hold a Senior Executive Service, Scientific and Professional, or Senior Leader position or equivalent; for other agencies, Grade 14 or above (M-25-21 §3(a)(i)).

The interagency CAIO Council must be convened within 90 days of issuance by the OMB Director or a designated senior OMB official (M-25-21 §3(c)(i)). The Council coordinates AI development and use across agencies’ programs and operations and drives cross-agency consistency on implementation. That structure matters for compliance officers in agencies that share data, systems, or infrastructure with other departments: governance gaps at one agency become shared risk across the council.

AI governance boards are specifically required of CFO Act agencies, which must convene the board within 90 days of issuance (M-25-21 §3(a)(ii)). Non-CFO Act agencies have different governance structure obligations. The CFO Act board must be chaired at the Deputy Secretary level or equivalent, with the CAIO as vice-chair, and must include cross-functional representation from IT, cybersecurity, data, budget, legal, privacy, civil rights, and civil liberties (M-25-21 §3(a)(ii)(A)-(B)). The board functions as the institutional check on AI deployment decisions, high-impact classifications, and the use case inventory process.

The CAIO and governance board requirements together address the accountability gap that produced M-24-10’s uneven implementation. When no single official owns AI governance outcomes, accountability diffuses and documentation lags. M-25-21 creates a named owner and, for CFO Act agencies, an institutional body. Auditors will look for both.

Bottom Line Up Front

The CAIO requirement reflects a governance philosophy shift that goes beyond M-25-21. Federal AI governance is converging toward the CISO model: a designated officer with cross-functional authority, board-level visibility, and a public accountability record. Agencies that treat the CAIO as a compliance checkbox will spend the next two years retrofitting real authority into a hollow title.

The audit fix. Confirm the CAIO designation is documented, current, and at the required grade level per M-25-21 §3(a)(i). For CFO Act agencies, verify the AI governance board has a charter, a Deputy Secretary-level chair, a membership roster that meets §3(a)(ii)(B) cross-functional requirements, and a meeting record. If the CAIO position is vacant or the board is inactive, treat both as material compliance gaps requiring immediate escalation. Notify OMB within 30 days if the CAIO changes or the position is vacant (M-25-21 §3(a)(i)).

AI Use Case Inventory Under M-25-21

The AI use case inventory requirement carries forward from M-24-10. All agencies except the Department of Defense and the Intelligence Community must maintain and publish an annual inventory of AI use cases (M-25-21 §3(b)(v)). The public nature of the requirement is intentional: it creates external accountability and enables the interagency CAIO Council to identify duplication, share solutions, and flag emerging risks across the federal enterprise.

M-25-21’s inventory requirement operates alongside the high-impact classification framework. Each inventoried system should carry a classification status: high-impact or not. That classification drives the governance tier applied to the system. An inventory that lists AI systems without classification assessments does not satisfy the governance structure M-25-21 builds.

Annual publication means the inventory is a living document. Systems are added, retired, and reclassified. For CFO Act agencies, the CAIO holds responsibility for maintaining the inventory under §3(a)(i)(E), and the governance board should own the inventory update process review cycle.

The audit fix. Pull the current AI use case inventory and verify every listed system carries a high-impact classification determination under M-25-21 §5. Add any AI systems not yet in the inventory. Set a governance board review cycle timed to the annual publication requirement. The CAIO should review and approve the final published version per §3(a)(i)(E).

AI Procurement Under M-25-22

OMB M-25-22 is the procurement companion to M-25-21. Where M-25-21 governs how agencies use and govern AI internally, M-25-22 governs how agencies buy it. The two memoranda work as an integrated framework, not as independent compliance tracks.

For compliance officers, any AI system acquired through federal procurement after M-25-22’s issuance should be evaluated against both frameworks before deployment. M-25-22 sets the standards vendors must meet and the contract terms agencies should require. M-25-21 determines the governance tier the system enters once deployed.

M-25-21 §2(b)(i) directs agencies to share custom-developed AI code government-wide and to release it as open-source software in a public repository, subject to four exceptions covering legal restrictions, national security risk, contractual obligations, and operational risk. A procurement process that defaults to proprietary commercial solutions without evaluating whether government-developed code could be reused does not align with this framework.

The interagency CAIO Council is the coordination mechanism for identifying code reuse opportunities. If another agency has already built and deployed an AI system for a similar use case, M-25-21 §2(b) creates an affirmative obligation to evaluate that solution before developing or procuring a new one.

The audit fix. Review any AI procurement currently in progress or planned for the next 12 months. Confirm each acquisition is evaluated against both M-25-21 governance requirements and M-25-22 procurement standards. Document whether existing government-developed code and open-source options were considered per M-25-21 §2(b)(i).

| Dimension | M-24-10 (Biden, March 2024) | M-25-21 (Trump, April 2025) |
|---|---|---|
| Risk categories | Two categories: rights-impacting and safety-impacting | Single category: high-impact AI (M-25-21 §5) |
| Classification threshold | Separate rights/safety checklists | “Principal basis for decisions or actions with legal, material, binding, or significant effect” on six enumerated categories (M-25-21 §4(a), §5) |
| CAIO requirement | Required | Required within 60 days; interagency CAIO Council added, convened within 90 days by OMB Director (M-25-21 §3(a)(i), §3(c)(i)) |
| AI governance board | Required | Required for CFO Act agencies within 90 days; Deputy Secretary-level chair; cross-functional membership requirements (M-25-21 §3(a)(ii)) |
| Minimum risk management practices | Separate checklists by rights/safety category | Seven uniform practices for all high-impact AI (M-25-21 §4(b)); documentation within 365 days |
| AI use case inventory | Required, annual, public | Carried forward, annual, public; CAIO responsible for maintenance (M-25-21 §3(b)(v), §3(a)(i)(E)) |
| Open-source AI and code reuse | Not emphasized | Affirmative obligation to share custom code government-wide and release as open source, subject to four exceptions (M-25-21 §2(b)(i)) |
| AI procurement governance | Addressed within M-24-10 | Separate companion memorandum M-25-22 |
| Public AI strategy | Not required | Required for CFO Act agencies per 31 U.S.C. §901(b); deadline September 30, 2025 (M-25-21 §2(a)) |
| Compliance plans | Not required on this cadence | Required within 180 days, then every two years through 2036 (M-25-21 §3(b)(ii)) |
| Governing executive order | EO 14110 (Biden, October 30, 2023) | EO 14179 (Trump, January 23, 2025). EO 14148 (January 20, 2025) rescinded EO 14110; EO 14179 is the replacement that directed OMB to revise M-24-10 and M-24-18. |

OMB M-25-21 is a governance restructuring, not a governance rollback. Agencies that reclassify their AI systems under the high-impact standard, appoint a functioning CAIO at the required grade level, activate their governance board (CFO Act agencies), document all seven §4(b) minimum risk management practices, and publish a credible AI strategy by September 30, 2025 will be compliant and positioned well for whatever oversight attention federal AI draws in 2026. Agencies that treat the simplified risk category as a signal to reduce oversight will have a problem the first time a high-impact system produces a bad outcome with no governance record behind it.

Frequently Asked Questions

What is the OMB M-25-21 compliance framework?

OMB M-25-21 establishes the federal AI governance framework under the current administration. It requires CAIO designation, AI governance boards for CFO Act agencies, annual public AI use case inventories, seven minimum risk management practices for high-impact AI (M-25-21 §4(b)), and public AI strategy publication within 180 days for CFO Act agencies.

What replaced the rights-impacting and safety-impacting categories?

M-25-21 replaces M-24-10’s bifurcated structure with a single high-impact AI standard. Under M-25-21 §5, a system is high-impact when its output serves as a “principal basis for decisions or actions with legal, material, binding, or significant effect” on any of six enumerated categories: civil rights/civil liberties/privacy; access to education, housing, insurance, credit, employment, and other programs; access to critical government resources or services; human health and safety; critical infrastructure or public safety; or strategic assets or resources.

When is the public AI strategy deadline?

CFO Act agencies per 31 U.S.C. §901(b) must publish public AI strategies by September 30, 2025, which is 180 days from the April 3, 2025 issuance (M-25-21 §2(a)). That is a hard date, not an approximation.

What does the Chief AI Officer do under M-25-21?

The CAIO holds agency-wide accountability for AI governance, maintains the AI use case inventory, ensures the seven §4(b) minimum risk management practices are implemented for high-impact systems, oversees the high-impact classification process, and participates in the interagency CAIO Council coordinated by OMB (M-25-21 §3(a)(i)).

How does M-25-22 relate to M-25-21?

M-25-22 governs AI procurement as the companion memorandum to M-25-21. M-25-21 governs use and oversight after deployment. M-25-22 governs acquisition. Both apply to any AI system a federal agency deploys. Evaluate new acquisitions against both frameworks before deployment.

Does M-25-21 require open-source AI?

M-25-21 §2(b)(i) creates an affirmative obligation to share custom-developed AI code government-wide and to release it as open-source software in a public repository unless one of four statutory exceptions applies: legal or regulatory restriction, national security risk, contractual obligation, or operational risk to agency systems. The obligation is more precise than a general encouragement.

Is the AI use case inventory still required?

Yes. The annual public AI use case inventory carries forward from M-24-10 under M-25-21 §3(b)(v), with the CAIO responsible for maintenance under §3(a)(i)(E). Each inventoried system should include a current high-impact classification determination.

Which executive order does M-25-21 implement?

M-25-21 implements EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence,” signed January 23, 2025. The path: EO 14148 (January 20, 2025) rescinded the Biden-era EO 14110; EO 14179 (January 23, 2025) is the affirmative replacement that directed OMB to revise M-24-10 and M-24-18 within 60 days. M-25-21 is the product of that direction.

What are the seven minimum risk management practices for high-impact AI?

M-25-21 §4(b) enumerates seven practices: (1) pre-deployment testing with documented risk mitigation plans; (2) an AI impact assessment covering intended purpose, data quality, civil rights impacts, reassessment schedules, and risk acceptance; (3) ongoing monitoring for performance and adverse impacts; (4) adequate human training and periodic assessment for AI operators; (5) human oversight, intervention, and accountability mechanisms with fail-safe provisions where practicable; (6) consistent remedies or appeals for individuals affected by AI-enabled decisions; and (7) consultation with end users and the public with feedback incorporated into agency decision-making. All seven must be documented within 365 days of issuance, by April 3, 2026.


Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Senior Manager across the Third-Party Risk Management practice and IS Assurance, leading technology assurance audits of public and private companies), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.