AI at the VA: Gains, Risks, and the Ops Playbook
The VA scaled AI fast to automate imaging, summarize records, and speed decisions. It's delivering efficiency, but lawmakers and watchdogs are clear: privacy, staffing, and infrastructure must catch up.
For operations leaders, this is the balancing act: turn time saved into better service while protecting highly sensitive data and shoring up aging systems.
What Scaled, and Why It Matters
VA AI use cases jumped from 40 to 229 in 2023-2024; generative AI increased from 1 to 27. Federal agencies reported similar growth, with a 200% surge in AI use cases across government, according to policy analysts following agency inventories.
Inside the VA, VA GPT reportedly serves 85,000 employees, saving an average of 2.5 hours weekly. GitHub Copilot shows eight hours saved per week among 2,000 users. The STORM tool flagged high-risk opioid patients and, per VA leadership, "decreased mortality in high-risk patients by 22%."
The open question for Ops: how are those hours reinvested into outcomes like shorter wait times, faster claims, and more in-person care?
Risks Called Out by GAO and Congress
A September 2025 GAO report cited gaps in risk management, compliance, budgets, and AI-skilled staffing. It also noted past recommendations were not implemented and inventories weren't current, signals of systemic governance issues and IT resource strain.
Lawmakers flagged breaches affecting VA contractors, with veterans' data implicated. "Veterans deserve proven, safe care, not services driven by experimental AI tools that are deployed without oversight," said Sydney Saubestre of New America's Open Technology Institute. Darrell West of Brookings stressed the lack of a national privacy law and the need for higher agency-level protections for medical data.
For reference, see GAO's work on AI oversight and risk management: GAO: Artificial Intelligence.
Infrastructure and Leadership Friction
House oversight members underscored a core reality: the VA's IT backbone still struggles while AI adoption accelerates. Cyber incidents and contractor exposures amplify risk when governance and visibility lag.
Leadership flux adds pressure. The CIO seat remains pivotal with a $7B tech budget and 16,000 staff, yet transitions have delayed a stable hand at the wheel. The VA's chief technology officer, who also serves as chief AI officer, says the goal is industry-leading AI with strong governance and trust.
The VA introduced a Trustworthy AI Framework (2023) and expanded investments in early 2025 in line with an executive order on removing barriers to AI leadership. That's momentum, without guaranteed maturity.
The Operations Playbook: Scale AI Without Breaking Trust
- Inventory and ownership: Keep a live AI use case portfolio. Assign business owners, risk tier, data types used, and clear RACI across Ops, Security, Legal, and Clinical/Benefits units.
- Tie "time saved" to outcomes: Convert hours saved into measurable service improvements: claims cycle time, appointment availability, call handle time, case backlog, staff-to-case ratios.
- Data protection first: Classify data; enforce least-privilege and role-based access; encrypt in transit/at rest; isolate PHI/PII; log access; set retention limits. Require vendor security attestations and contractor controls equal to internal standards.
- Model risk management: Pre-deployment testing for accuracy, bias, and hallucinations; red-team high-risk tools; monitor drift; set human-in-the-loop for determinations; provide contestability and appeal paths for beneficiaries.
- Privacy by design: Run data protection impact assessments. Limit data collection, implement purpose binding, and publish plain-language notices for any AI touching veteran data.
- Workforce and staffing: Budget for AI security, MLOps, data engineering, and monitoring, not just tool licenses. Upskill front-line staff on safe prompts, verification, and escalation. For structured upskilling, consider practical programs like AI Automation Certification.
- Procurement guardrails: Bake monitoring costs, exit clauses, and data handling terms into contracts. Validate compliance claims and require incident notification SLAs. Avoid tool sprawl with an architecture review board.
- Governance without gridlock: Centralize policy and standards; allow decentralized execution with auditability. Require periodic reauthorization for high-risk use cases.
- Incident readiness: Define playbooks for data leakage, model errors, and vendor outages. Drill tabletop exercises and publish post-incident reports with corrective actions.
- Equity and access: Track regional parity in outcomes and adoption. If some offices lack staffing or budget, delay deployment until support is in place.
Metrics That Matter
- Service delivery: Claims cycle time, appointment scheduling speed, queue length, first-contact resolution, in-person care availability.
- Quality and safety: Error/override rate, appeals and reversals, adverse events linked to AI recommendations.
- Security and privacy: Incidents by severity, time to contain, third-party exposure events, access anomalies.
- Model health: Accuracy vs. baseline, drift, bias metrics across demographics and regions, prompt misuse flags.
- Adoption and utilization: Active users, tasks automated, hours saved, and hours redeployed to veteran-facing work.
- Cost-to-value: Total cost of ownership, monitoring spend, vendor utilization, ROI tied to service KPIs.
What to Watch Next
- Filling the CIO role and clarifying a unified enterprise IT strategy.
- Closing GAO-identified gaps, implementing past recommendations, and maintaining an accurate AI inventory.
- Proof that time savings convert into better care access and faster benefits.
- Stronger contractor oversight and uniform privacy controls across regions.
The stakes are high. As one policy analyst noted, harms can range from wasted taxpayer dollars to wrongful claim denials. The path forward is clear: convert AI speed into service quality, pair innovation with security, and fund the unglamorous work (governance, monitoring, and staffing) that keeps veterans safe.