Trust on the Line: Pilots, Waivers, and the Patchwork Risk in Federal AI

Public Trust and the Stakes of Federal AI Regulation

Americans are split on whether the federal government can govern AI well. A 2025 Pew Research Center study shows 44% express trust in federal AI regulation, while 47% do not. Other nations report far higher confidence. The EU is also trusted more on AI oversight than the U.S.

Trust is not a communications issue. It is permission to use AI in places where it matters most-healthcare, public benefits, education, and national security. If people think these systems are opaque, unfair, or unaccountable, they will resist them. Adoption slows, polarization grows, and outcomes suffer.

The good news: trust in AI is not a partisan fight. Leaders in both parties say the same thing-people will accept AI when it's safe, fair, and clearly governed. That means agencies must show their work, not just state their intent.

Government Is the Proving Ground

The federal government is both a regulator and a high-stakes user of AI. It runs systems that influence benefits eligibility, law enforcement priorities, immigration decisions, and defense. How agencies deploy AI sets expectations for vendors, researchers, and the public. If government can show effective oversight, it boosts confidence in the technology at large. If it fails, trust erodes-in AI and in government's ability to manage risk.

Where Trust Is Won or Lost: Two Federal Use Cases

VA REACH VET. This program uses predictive models to flag veterans at elevated suicide risk so clinicians can reach out. It draws on sensitive health data and includes explicit race coding. Without clear transparency, clinical guardrails, and accountability, veterans may view outreach as algorithm-first and care-second. Missed flags or incorrect alerts don't just hurt outcomes-they weaken trust in the VA's AI use and mental health work.

Medicare's WISeR Model (planned). CMS plans to test whether AI can speed prior authorization for items and services vulnerable to fraud or misuse. If models incorrectly flag legitimate care, denials or delays could feel more automated, less explainable, and harder to challenge-especially for older or complex patients. If people believe AI puts cost control ahead of care, confidence in Medicare-and government use of AI-drops fast.

From M-24-10 to M-25-21: What Changed and Why It Matters

OMB's 2024 guidance (M-24-10) created two categories focused on rights and safety. The 2025 update (M-25-21) replaces them with one umbrella standard: "high-impact AI." This consolidation sounds technical, but it sets the trigger for stronger safeguards, oversight, and accountability.

Both memos require baseline practices before agencies deploy consequential AI. The differences are where trust gets built-or lost:

• AI impact assessments: Still required. M-25-21 emphasizes expected benefits, cost analysis, internal independent review, and explicit risk acceptance by a responsible official. This leans into tradeoffs that must be signed and owned.
• Pre-deployment testing: Required under both. Agencies must prove benefits and demonstrate they can manage risks before rollout.
• Independent review: M-24-10 specified CAIO or advisory board review. M-25-21 allows an internal reviewer not involved in development, documented in the assessment.
• Monitoring: M-24-10 pushed continuous monitoring. M-25-21 moves to scheduled reassessments, leaving depth and cadence to the agency.
• Human oversight and training: Required in both for consequential uses.
• Transparency: M-24-10 called for plain-language public notice. M-25-21 shifts to discretionary engagement.
• Equity and civil rights: M-24-10 included proactive steps to prevent discrimination and support opt-outs for certain uses. M-25-21 centers on documenting privacy and civil liberties impacts and provides remedies or appeals for harmed individuals.
• Remedy and redress: M-24-10 emphasized human consideration and opt-outs for certain decisions. M-25-21 narrows this to consistent appeals mechanisms.
• Pilots: New in M-25-21. Small, time-limited pilots can proceed with lighter requirements if approved and tracked by the CAIO and participants can opt in or out when possible.
• Waivers: Both memos allow them. M-25-21 expands discretion-CAIOs can waive minimum practices if strict compliance would impede mission or increase overall risk, with central tracking and OMB reporting.

The result: more flexibility, more agency discretion, and a higher risk of uneven implementation across government.

Agency Compliance Snapshot: Uneven Footing

Under M-25-21, agencies published AI strategies and compliance plans in late 2025. A few snapshots:

• DHS: High-stakes user across security and law enforcement. Waivers require CAIO coordination, written risk assessments, tracking in the AI use-case inventory, OMB reporting, and annual re-evaluation. DHS also uses its own method to flag high-risk systems.
• GSA: Manages shared infrastructure and procurement. Launched USAi.gov to help agencies adopt general-purpose AI, raising concerns about speed versus oversight. Waivers route through the CAIO and an executive board. An internal AI Safety team reviews potential high-impact use cases.
• DoL: Strong relevance to fairness and civil rights in employment and benefits. Says it does not anticipate waivers. Uses an AI Use Case Impact Assessment Framework to categorize risk; documentation exists but appears not public.
• CSOSA: Smaller, justice-focused, and resource-constrained. Says it does not anticipate waivers. Its AI Governance Body is still finalizing procedures.

Some variation is expected-missions differ. But process inconsistency is a governance problem. Federal studies already show agencies struggle to implement AI directives and even to publish AI inventories. A flexible memo can't fix uneven state capacity by itself.

Capacity Is the Constraint

Discretion without people, process, and skill will fragment oversight. CAIO roles vary widely in authority and staffing. Some agencies have built strong governance bodies and testing programs. Others are still laying foundation.

The talent picture has worsened. Hundreds of thousands left federal service in 2025. Many AI hires from the prior surge were still in probation and vulnerable. Digital teams-including GSA's 18F and DHS's AI Corps-were cut. New efforts focus on early-career pipelines and fellowships, which help, but do not replace institutional depth.

If we want safe, fair, and effective AI, we need consistent procedures and the people to run them.

What Agency Leaders Can Do Now

• Publish what you use: Maintain a public, plain-language page for every high-impact AI system. State purpose, benefits, limits, data sources, and contacts for questions and appeals.
• Set a clear threshold: Define "high-impact" for your mission. Maintain a central register and require written risk acceptance by a senior official for every listed system.
• Test before you deploy: Ship with a test plan that covers accuracy, errors by subgroup, drift, adversarial and misuse cases, and user trials. Document pass/fail criteria and remediation steps.
• Make review independent: Stand up a review board with the CAIO, data leadership, privacy and civil rights counsel, domain experts, and frontline operators. Keep reviewers independent from development.
• Guarantee recourse: Provide human review for adverse outcomes, clear appeals timelines, and, where feasible, opt-out for sensitive uses. Track reversal rates and reasons.
• Pilot with discipline: Keep pilots small, time-boxed, and opt-in when possible. Require sunset dates, learning reports, and a go/no-go decision before scaling.
• Treat waivers as temporary: Tie waivers to specific risks, set short expirations, publish plain-language summaries, and report centrally. Use them to unblock learning, not bypass safeguards.
• Procure for transparency: Bake in model documentation, audit hooks, data rights, incident reporting, and rapid rollback. Attach evaluation protocols and shift-left risk checks to the acquisition process.
• Monitor in production: Run dashboards for drift and disparities. Establish incident response. Schedule periodic reassessments with fresh data and user feedback.
• Invest in people: Fund CAIO offices. Staff model evaluation, product, procurement, privacy/civil rights, and domain expertise. Upskill teams and build repeatable playbooks.

Tools and Training

• AI for Government - practical guides on governance, compliance, and agency capacity for high-impact AI.
• AI Learning Path for Policy Makers - helpful for CAIOs, policy staff, and program leaders turning OMB guidance into action.

The Bottom Line

Trust is earned through consistent, transparent governance-and the capacity to do the work. M-25-21 gives agencies room to move. Use that room to lock in clear thresholds, credible testing, independent review, real recourse, and public transparency. Fund the people and processes that make those practices real.

If you build trust into the system, the public will let you use it.

OMB Memoranda provide the current federal direction referenced here (M-24-10 and M-25-21). Review your agency's plan against these expectations and close the gaps now.