Listen to this article
The Government Accountability Office does not write breathless reports. Its job is to audit, count, and understate. So when GAO published its review of generative AI use across federal agencies two weeks ago (GAO-25-107653, July 29), the numbers carry a credibility that no vendor survey can match. Across the 11 agencies that maintain AI inventories, reported AI use cases nearly doubled in a single year.
Inside that total, the generative AI slice is the one moving at a different speed entirely. GenAI use cases grew roughly nine-fold in the same window:
The agencies' own admission
The growth numbers are the setup. The finding that matters is what the agencies told GAO about their ability to govern that growth. Of the 12 agencies GAO selected for interviews, 10 said existing federal policy - data privacy rules, for example - could obstruct AI adoption. And 4 of the 12 said something more uncomfortable: the technology simply evolves too fast for their policies to keep up.
Small sample, honest math: that is 10 of 12 and 4 of 12 selected agencies, respectively.
Sit with that combination for a moment. The same institutions reporting a doubling of AI use cases are telling their own auditor that the rules governing that use are simultaneously obstructive and obsolete - too slow to keep up, yet still in the way. That is not a technology problem. It is what happens when governance is written as policy documents instead of built as operational controls.
The playbook already exists
Here is the part that makes the gap frustrating rather than mysterious: the federal government already published the playbook. NIST's Generative AI Profile (NIST AI 600-1, July 2024) defines 12 categories of GenAI risk and lays out more than 200 suggested actions, mapped to the framework's four functions - Govern, Map, Measure, Manage. Its working groups focused on four areas: governance, content provenance, pre-deployment testing, and incident disclosure.
Strip away the framework language and the operational core is two things: govern the change, and test it before it deploys. That is not a policy document you circulate. It is a gate you build - a checkpoint every change must pass through, where the testing happens and the governance is enforced rather than described.
The AuthorityGate take
Unlike the vendor surveys we usually dissect, GAO has no product to sell and no adoption narrative to protect. When the auditor of the US government reports that AI deployment doubled while a third of interviewed agencies admit their policies cannot keep pace with the technology, that is the cleanest evidence yet that written policy alone cannot govern AI velocity. Policy revision cycles are measured in years. Use-case growth is measured in multiples.
The way out is to stop making policy race the technology and start making the technology pass through the policy. A validation gate operationalizes exactly what NIST's profile calls for: every change - human, pipeline, or AI - is checked against current policy, tested before deployment, and routed to an accountable human when the risk warrants it. Rules enforced at the gate do not go stale the way documents do, because the gate is where the rules and the changes actually meet.
The federal numbers will keep climbing; nine-fold growth curves do not politely pause while the policy office catches up. Every organization, public or private, faces the same choice GAO just documented: keep writing rules that trail the deployments, or build the checkpoint where every deployment meets the rules. One of those scales with the curve. The other is the curve's first casualty.
Sources
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.