USDA uses AI without required security controls, inspector general finds

USDA Using AI Without Required Security Controls, Watchdog Finds

The Agriculture Department is deploying artificial intelligence across critical operations-from supply chain risk identification to crop yield forecasting-but lacks the cybersecurity and governance controls federal standards require, according to an inspector general report released last week.

The department has no generative AI policy at all. It also hasn't fully implemented cyber and risk controls mandated by federal standards, prioritizing deployment over safeguards.

What's at Risk

USDA's AI systems "could be vulnerable and lack critical security controls, leaving the agency susceptible to data breaches or reputational harm," the report says. Management has no assurance that cybersecurity protections are in place across these systems.

The department installed a chief AI officer as required but hasn't updated agency policies or implemented minimum risk management practices for high-stakes AI applications-those affecting civil rights or critical infrastructure.

Almost none of the AI use cases in USDA's fiscal year 2024 inventory had an authority to operate, the formal approval required before government agencies deploy technology systems. That document forces agencies to think through risks before rollout.

Shadow AI Problem

USDA relies on annual employee self-reporting to track AI use across the department. This approach creates vulnerability to "shadow AI"-unapproved technology running without management awareness-since the agency has no systematic way to discover systems employees deploy independently.

The inventory itself may be incomplete and insufficient to account for all potential dangers.

What Comes Next

The inspector general made several recommendations for implementing controls and updating policies. USDA agreed with all of them.

For managers overseeing AI deployment, this case illustrates the gap between speed and governance. Learn more about AI for Government agencies navigating these tensions, or explore an AI Learning Path for CIOs focused on governance and infrastructure security.