Blog AI Governance August 12, 2025 4 min read

Federal AI Use Cases Doubled in a Year. The Agencies Say Their Own Policies Can't Keep Up.

GAO counted federal AI use cases nearly doubling in a single year, with generative AI growing nine-fold - while the agencies themselves say policy cannot keep pace.

By the AuthorityGate Architect Team

The Government Accountability Office does not write breathless reports. Its job is to audit, count, and understate. So when GAO published its review of generative AI use across federal agencies two weeks ago (GAO-25-107653, July 29), the numbers carry a credibility that no vendor survey can match. Across the 11 agencies that maintain AI inventories, reported AI use cases nearly doubled in a single year.

Federal AI use nearly doubled in one year Reported AI use cases across 11 agencies with AI inventories, GAO-25-107653
0
2023
0
2024

Inside that total, the generative AI slice is the one moving at a different speed entirely. GenAI use cases grew roughly nine-fold in the same window:

Generative AI grew nine-fold inside the total Reported generative AI use cases, same 11 agencies, GAO-25-107653
0
2023
0
2024

The agencies' own admission

The growth numbers are the setup. The finding that matters is what the agencies told GAO about their ability to govern that growth. Of the 12 agencies GAO selected for interviews, 10 said existing federal policy - data privacy rules, for example - could obstruct AI adoption. And 4 of the 12 said something more uncomfortable: the technology simply evolves too fast for their policies to keep up.

The policy machinery is behind, by its operators' own account Share of 12 selected agencies reporting each challenge to GAO
Existing federal policy could obstruct AI adoption
83%
Technology evolves too fast for policies to keep up
33%

Small sample, honest math: that is 10 of 12 and 4 of 12 selected agencies, respectively.

Sit with that combination for a moment. The same institutions reporting a doubling of AI use cases are telling their own auditor that the rules governing that use are simultaneously obstructive and obsolete - too slow to keep up, yet still in the way. That is not a technology problem. It is what happens when governance is written as policy documents instead of built as operational controls.

A marble government archive hall with towering shelves of paper binders, while server racks with glowing lights crowd the aisle between them
Policy written at paper speed, deployment happening at machine speed - inside the same building.

The playbook already exists

Here is the part that makes the gap frustrating rather than mysterious: the federal government already published the playbook. NIST's Generative AI Profile (NIST AI 600-1, July 2024) defines 12 categories of GenAI risk and lays out more than 200 suggested actions, mapped to the framework's four functions - Govern, Map, Measure, Manage. Its working groups focused on four areas: governance, content provenance, pre-deployment testing, and incident disclosure.

Strip away the framework language and the operational core is two things: govern the change, and test it before it deploys. That is not a policy document you circulate. It is a gate you build - a checkpoint every change must pass through, where the testing happens and the governance is enforced rather than described.

The AuthorityGate take

Unlike the vendor surveys we usually dissect, GAO has no product to sell and no adoption narrative to protect. When the auditor of the US government reports that AI deployment doubled while a third of interviewed agencies admit their policies cannot keep pace with the technology, that is the cleanest evidence yet that written policy alone cannot govern AI velocity. Policy revision cycles are measured in years. Use-case growth is measured in multiples.

The way out is to stop making policy race the technology and start making the technology pass through the policy. A validation gate operationalizes exactly what NIST's profile calls for: every change - human, pipeline, or AI - is checked against current policy, tested before deployment, and routed to an accountable human when the risk warrants it. Rules enforced at the gate do not go stale the way documents do, because the gate is where the rules and the changes actually meet.

The federal numbers will keep climbing; nine-fold growth curves do not politely pause while the policy office catches up. Every organization, public or private, faces the same choice GAO just documented: keep writing rules that trail the deployments, or build the checkpoint where every deployment meets the rules. One of those scales with the curve. The other is the curve's first casualty.

Share this post: LinkedIn

Go deeper

Every agent action, validated before it takes effect

AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.