The U.S. Department of Agriculture (USDA) does not entirely meet artificial intelligence (AI) cybersecurity and governance control requirements for its critical AI systems, leaving the agency vulnerable to cyber threats, the department’s Office of Inspector General (OIG) said.
As the federal government expands its use of AI, the White House’s Office of Management and Budget (OMB) directed agencies to adopt formal AI governance measures. Those measures include AI strategies, compliance plans, AI inventories, and risk management standards for high-impact AI systems.
USDA rules also require all IT systems to obtain an authorization to operate (ATO) and maintain cybersecurity records in its cybersecurity tracking system, CSAM.
However, the USDA OIG said in a report last week that the department failed to completely meet all of those mandates.
While some goals were met, the OIG said USDA did not update agency policies and develop a generative AI policy by December 2025, and it did not implement minimum risk management practices for its critical AI systems by OMB’s April 2026 deadline.
The OIG said the department had prioritized AI implementation over cybersecurity and governance controls. “As a result, USDA AI technologies could be vulnerable and lack critical security controls, leaving the agency susceptible to data breaches or reputational harm,” the report stated.
“While there are benefits to implementing AI, AI technologies pose risks that can negatively impact individuals, groups, and organizations,” the OIG’s report said. “Without proper controls, AI systems can amplify, perpetuate, or exacerbate undesirable outcomes for individuals and organizations.”
OIG auditors found widespread failures in AI cybersecurity compliance. Seventy-three of the 82 AI use cases lacked ATOs and were not recorded in CSAM. Of the nine AI systems with ATOs, two were missing required security documentation.
The OIG noted that under federal law and USDA policy, all IT and AI systems must undergo security assessments and continuous monitoring before deployment.
“USDA will continue to implement AI technologies to support its mission and improve service to the American people. It is imperative that governance and cybersecurity controls over AI activities are top priorities,” the OIG said.
USDA also does not have a complete AI inventory. While the department identified 82 operational AI use cases for its 2024 inventory, it relied solely on annual self-reporting exercises, so the inventory could not be verified as complete and accurate, the OIG said.
“When the primary governance method is self-reporting, it can create a false sense of security that can lead to inaccurate inventory of AI tools, which can contribute to instances of Shadow AI … not mitigating the risk of Shadow AI could lead to systems on the network that USDA is not aware of, which could result in data leakage,” the OIG said.
The USDA Office of the Chief Information Officer agreed to overhaul the department’s AI governance and cybersecurity practices according to the OIG’s findings. Planned changes include mandatory impact assessments, updated IT and AI policies, a continuously maintained AI inventory, and new approval processes requiring risk assessments and security reviews.
USDA said it aims to complete the reforms between June and December 2026.