GSA releases revised AI clause that narrows scope and increases contractor compliance demands

The GSA released a revised contracting clause tightening data rules for federal contractors using large language models. Comments are due August 3.

Published on: Jul 02, 2026

The General Services Administration released a revised proposed contracting clause on June 17, 2026, that tightens rules for how federal contractors safeguard government data processed by large language models. The update narrows the clause's reach while giving agencies more detailed, enforceable compliance obligations - and contractors have until August 3 to submit formal comments.

Where the Clause Applies Now

The proposed rule only kicks in when a GSA contract involves Government Data processed by a Large Language Model Artificial Intelligence System (LLM). It does not cover AI features already embedded in common commercial products - word processors, mapping tools, or similar software where AI is incidental to the procurement. This is a direct response to industry pushback against the original, far broader version released in January.

For contractors caught by the rule, however, the updated text leaves far less room for interpretation. Compliance now demands documented due diligence across the entire AI supply chain, from LLM developers to service providers. Contractors get two safe harbors to meet that obligation: they can flow down the clause's requirements to third parties or obtain attestations from those parties.

Government Data Rights and Protection

The government still owns all Government Data and any Custom Developments produced under the contract. Contractors receive only a limited license to copy, store, transmit, modify, display, and use that data for contract performance - and cannot use it to train, fine-tune, or improve LLMs. Data also cannot be used for marketing, business analytics, or other commercial purposes, and must be deleted when the contract ends unless otherwise directed.

A critical change limits the government's own license to use the LLM. The earlier draft allowed use for "any lawful Government purpose"; the revised language restricts it to the specific purposes and scope of work defined in the contract. Contractors also retain their rights to underlying models, base systems, and pre-existing background intellectual property.

The data-protection section has moved from a general "eyes-off" standard to prescriptive technical controls. Among them: automated ingestion and response generation without human review, encryption that makes data unreadable to personnel, and audit logging that tracks activity without exposing the data itself. A new data-minimization requirement says Government Data may be stored or processed only when reasonably necessary to perform the contract.

The rule tightens data localization - Government Data generally must stay inside agreed-upon premises or FedRAMP-authorized services, with the Contracting Officer holding approval authority. It also clarifies that logical segregation meets the security bar: contractors do not need physically separate instances, and continued compliance with the applicable FedRAMP authorization level satisfies segregation requirements. That is a practical win for multi-tenant cloud and AI environments.

Supply Chain, Foreign Control, and Enforcement

Foreign-ownership concerns are now handled through a risk-based lens. Instead of a blanket ban on any foreign-developed or controlled AI components, the clause targets actual risks of foreign compulsion or adversary-government influence and allows incidental foreign components when the risk is properly mitigated.

Routine model updates, provider substitutions, FedRAMP changes, or degradations in bias and safety now trigger a notice to the government. Contractors must use reasonable efforts to give the government concurrent access to successor LLMs - for 30 days for major versions, 15 days for minor ones - a timeline far less disruptive than the prior version.

Noncompliance can lead to suspension, remediation demands, and recovery of decommissioning costs. The proposed language removes earlier ambiguity by requiring that the Contracting Officer insert a not-to-exceed percentage of contract value for decommissioning liability and that the government share enough information for the contractor to fix alleged LLM performance problems.

Why this matters for Government

The clause directly affects how contracting officers, program managers, and agency IT teams evaluate and monitor AI-enabled services. The shift to prescriptive, verifiable controls - rather than general promises - means compliance can be audited against concrete technical benchmarks. Understanding the new safe harbors, data-minimization rule, and FedRAMP alignment will matter when reviewing contractor proposals and managing performance. The public listening session on July 14 and the August 3 comment deadline offer federal employees a formal channel to help shape the final rule before it reshapes procurement operations.

