The GSA OIG CIO and CAIO says AI is changing too quickly for static security reviews. He called for ongoing governance and shared responsibility across agencies.

Federal agencies need to adopt continuous risk management practices to keep pace with rapidly evolving artificial intelligence (AI) technologies, according to Bill English, chief information officer (CIO) and chief AI officer (CAIO) at the General Services Administration (GSA) Office of Inspector General (OIG).

Speaking Tuesday at MeriTalk’s Shift Happens event in Washington, D.C., English said AI is evolving too quickly for agencies to rely solely on annual security assessments. He called for a government-wide shift toward ongoing AI governance and shared responsibility for managing AI risks.

“The one thing to change is a shift from static assessment to a continuous risk literacy,” English said. “AI is rapidly evolving so fast that the systems that we have today are not in the same place that they were, you know, weeks ago, months ago, and certainly not a year ago.”

“While those assessments are important, I’m not saying stop any of those, but if you’re relying on those as the only security assessment, then you’re in trouble,” he stressed.

The shift to continuous risk management is an agencywide mindset shift. Agencies cannot treat AI security as solely the responsibility of cybersecurity teams, English explained.

“There’s an education level that needs to come up, even at an executive level, on how are we implementing, how are we involved, how are we governing, and how are we securing AI, and that becomes critical not just for the people that are directly involved, but everybody in the agency,” he said.

English pointed to President Donald Trump’s executive order issued last month that asks technology companies to provide the federal government with a preview of their advanced AI models before releasing them to the public.

The order also tasks federal agencies with strengthening U.S. cyber defenses to address emerging threats posed by advanced AI capabilities.

“We do have a mandate,” English said, adding that the executive order “directs federal agencies to establish and expand programs and cybersecurity services that enhance AI-enabled defensive tools.”

“Every single agency is stepping up in a different way, and where we’re going to be in six months from now is in a radically different posture than where we’ve been,” he continued. “There is a landscape that is radically shifting, because the AI we’re using today is the worst AI we’re ever going to use.”

Anish Patel, head of federal at cloud services company Cloudflare, added that AI is accelerating long-standing federal cybersecurity priorities, including agencies’ zero trust efforts.

“AI is the application that makes all that zero trust stuff with the various mandates that Bill mentioned, and ones that agencies have been working on for a long time, real,” Patel said.

“The [threats] that cyber folks knew were coming are here now, and they’re only accelerating in their pace of progression,” he added.

Balancing AI innovation with risk

As AI continues to evolve rapidly, English explained that the speed at which agencies leverage the technology matters.

“The best approach is to move quickly in low-risk areas and move deliberately and with caution in high-value, high-impact areas,” English said. “Things that impact citizens, those are the things that need to be a little bit more cautious and deliberate.”

Looking ahead, English said that some of AI’s biggest near-term benefits lie in less glamorous administrative functions.

“This is the non-sexy answer, and it’s all the back-office things,” he said, pointing to capabilities such as case file summarization, institutional knowledge search, and drafting procurement language as areas where agencies can achieve meaningful efficiency gains today.

“That gets lost sometimes in the fun, cool things of what’s going on with AI. Don’t get me wrong, I’m excited about what’s coming, but I think there’s opportunity here,” English said.

The CIO and CAIO also pushed back on the growing hype surrounding autonomous AI agents.

“One of the things that’s overhyped right now is agentic AI, and the reason I say that is it’s not there yet,” he said. While the technology is advancing rapidly, English said agencies should not expect AI to make complex decisions without human judgment.

Patel agreed that autonomous AI agents remain an emerging technology, but he said agencies should begin preparing now for how those systems will behave once they become more widely deployed.

“The agents are going to try to find a way to do the things you’ve asked it to do, and that’s okay if you’re a good actor. But if you’re a bad actor, then you know how to get creative with that and ask the right questions, so that you get the right response,” Patel said.

“That’s going to get taken advantage of,” he warned. “I think that’s a portion that we really have to account for.”

Read More About