Federal agencies cannot rely on static annual security reviews to keep pace with AI technologies that are evolving by the week, Bill English, CIO and chief AI officer at the General Services Administration Office of Inspector General, said Tuesday at MeriTalk's Shift Happens event in Washington, D.C. His remarks point to a widening gap between the speed of traditional government risk assessment and the velocity of AI tool deployment across agencies.
"While those assessments are important, I'm not saying stop any of those, but if you're relying on those as the only security assessment, then you're in trouble," English said. He called for a government-wide shift toward ongoing AI governance and shared responsibility for managing AI risks, rather than treating security as a handoff to cybersecurity teams.
Agency-wide responsibility, not a siloed function
English stressed that AI security cannot live exclusively with IT or cybersecurity staff. "There's an education level that needs to come up, even at an executive level, on how are we implementing, how are we involved, how are we governing, and how are we securing AI, and that becomes critical not just for the people that are directly involved, but everybody in the agency," he said. The shift requires agencies to build what English called "continuous risk literacy" across all roles.
Anish Patel, head of federal at Cloudflare, added that AI is accelerating long-standing federal cybersecurity priorities, including zero trust architecture. "AI is the application that makes all that zero trust stuff with the various mandates that Bill mentioned, and ones that agencies have been working on for a long time, real," Patel said. He warned that threats cyber professionals anticipated are now arriving and accelerating in their pace of progression.
Executive mandates and the push for defensive tools
English pointed to President Donald Trump's executive order issued last month, which asks technology companies to provide the federal government with a preview of advanced AI models before public release. The order also directs agencies to strengthen U.S. cyber defenses against threats posed by advanced AI capabilities. "Every single agency is stepping up in a different way, and where we're going to be in six months from now is in a radically different posture than where we've been," English said.
He added a blunt assessment of the technology's trajectory: "The AI we're using today is the worst AI we're ever going to use." English urged education at the executive level on implementing, governing, and securing AI systems, noting that the current moment demands more than top-down directives - it requires working knowledge among decision-makers.
Low-risk speed, high-impact caution
English offered a practical framework for agencies navigating the tension between innovation and risk. "The best approach is to move quickly in low-risk areas and move deliberately and with caution in high-value, high-impact areas," he said. "Things that impact citizens, those are the things that need to be a little bit more cautious and deliberate."
He also pushed back on the growing excitement around autonomous AI agents, calling the technology "overhyped" and saying "it's not there yet." While the tools are advancing quickly, English said agencies should not expect AI to make complex decisions without human judgment. Patel agreed but cautioned that agencies should prepare now for how agentic systems will behave once deployed more widely, especially given how bad actors might manipulate them.
Back-office wins over flashy demos
English pointed to less visible administrative functions as the most promising near-term use cases for AI in government. Case file summarization, institutional knowledge search, and drafting procurement language are areas where agencies can achieve real efficiency gains today. "This is the non-sexy answer, and it's all the back-office things," he said. "That gets lost sometimes in the fun, cool things of what's going on with AI."
Why this matters for government professionals
English's message carries a concrete operational implication: if you are waiting for annual review cycles to catch AI security risks, you are already behind. For federal employees, the takeaway is that AI governance is not a specialized function delegated to a single office - it is becoming part of every manager's responsibility. Agencies that build literacy now, especially in low-risk back-office applications, will be better positioned when higher-stakes deployments arrive. The executive order adds a compliance driver, but the underlying urgency is technical: the tools are changing faster than the policies designed to contain them.
Your membership also unlocks: