Tag Archives: Onspring

Why Supply Chain Risk Management is Now a Public Sector Resilience Priority

Posted on by
Reply

From ransomware disrupting city services to vendor failures impacting school operations, supply chain failures seem to be dominating the headlines lately. Naturally, whether your organization is in the Private or Public Sector, you’ll want to avoid attracting attention for the wrong reasons.

The best way to do that is to prioritize implementing best practices to safeguard critical vendors and services from cybersecurity risks and operational disruptions. In this guide, we’ll cover the NIST framework, how it applies to Public Sector organizations and how you can use NIST best practices to reduce risk and maintain public trust. Even private sector teams increasingly rely on NIST supply chain risk management practices when working with Government partners, especially across information technology environments.

Why Is Supply Chain Risk Management Important?

Managing supplier risk should be a fundamental part of any data-based businesses’ operations, but it’s all the more important for Public Sector organizations, whether that means Federal, State or Local services.

Why? Without clear practices for identifying, assessing and mitigating vendor and operational risk, you could expose your organization to a whole host of potential issues, including:

  • Financial losses: Even nonprofit organizations depend on reliable financial backing from Governments and other entities. Those revenue streams can be endangered when an overlooked security risk becomes an operational blockage.
  • Reputational damage: Eroded consumer trust can be as costly as any disruption in service or productivity. When your organization attracts the wrong kind of attention, like for suffering a data breach or failing to fulfill obligations, earning that trust back can be a difficult feat.
  • Regulatory violations: In worst-case scenarios, failing to catch a supply chain risk before it becomes a major problem can lead to your organization falling afoul of relevant regulations and facing stiff consequences like fines or legal fees.

Learn more: Quick Guide: What is Operational Risk Management?

When Does an Organization Need a Supply Chain Risk Management Framework?

The purpose of using a risk management framework is to standardize the process of identifying, assessing and mitigating potential threats and vulnerabilities to your organization’s supply chain. If your organization’s ability to provide services, attract new users and secure funding would be severely impacted by a potential data breach or supply chain disruption, then you’d most likely benefit from using a framework to ensure consistent supplier security.

State, Local and education (SLED) entities are all the more likely to need a framework for regulating risk assessments and mitigation steps. Since the services provided by such entities are typically essential to a community, it’s that much more important that you take all the necessary actions to secure your supply chain and prevent service interruptions whenever possible.

What Is the NIST Risk Management Framework?

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the go-to solution public service organizations have been using to mitigate vendor, technology and cybersecurity risks for the last decade. The result of a Federal task force established in 2014 under the Federal Information Security Modernization Act (FISMA), this framework for risk management processes can be used to set standards across Federal agencies and the organizations that work with them.

Today, the NIST framework is a main point of reference for any organization looking to implement a secure and reliable process for managing cybersecurity risks and other potential supply chain issues. The framework is a living document regularly updated to meet the latest challenges in the data privacy space.

Learn more: What is NIST RMF? Risk Management Framework

What Are the NIST Best Practices for Supply Chain Management?

The 2022 revision NIST SP 800-161 offers comprehensive guidelines for handling supply chain risks related to information and communications technology. These recommendations are divided into three main categories: foundational practices, sustaining practices and enhancing practices.

Think of these categories as sequential stages. You’ll need to implement foundational practices before you move on to sustaining practices, and sustaining must come before enhancing.

1. Foundational Practices: Establishing a Process for Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for creating a foundation for a supply chain risk management process include:

  • Dedicate a multidisciplinary team to your vendor and technology risk oversight
  • Create and fill dedicated roles for risk oversight procedures
  • Gain support from senior leadership to ensure adequate resources
  • Implement a governance hierarchy and a governance structure
  • Codify processes for identifying and assessing the criticality of your suppliers, products and services and conducting formal risk assessments, preferably using FIPS 199 impact levels
  • Establish internal checks and balances for compliance
  • Integrate risk oversight practices into your policies regarding supplier selection
  • Raise internal awareness and understanding of the importance of supply chain risk management
  • Create processes and practices for quality control and consistent development practices

Learn more: Guide: Risk Management Strategies To Future-Proof Your Organization

2. Sustaining Practices: Improving the Efficacy of Your Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for building on your foundational risk management processes include:

  • Implement third-party risk assessments
  • Create a program for monitoring suppliers
  • Define and quantify levels of acceptable risk
  • Determine key supplier risk metrics and create procedures for tracking and reporting them
  • Formalize your information sharing procedures
  • Establish a training program for vendor risk practices
  • Integrate supply chain risk management practices into your supplier contracts
  • Solicit supplier participation in contingency planning and incident response
  • Collaborate with suppliers to address risk factors
  • Expand supply chain risk management training to all applicable roles across your organization

Learn more: How to Mitigate Third-Party Risks in Your Supply Chain

3. Enhancing Practices: Predicting Supply Chain Issues Before They Impact Your Business

Some of the best practices recommended in NIST SP 800-161 for building a structured supply chain risk management program include:

  • Codify processes for quantitative risk analysis, optimize risk response resources and measure your return on investment
  • Use insights gained over time to identify key risk factors and create predictive strategies to address risks before they arise
  • Introduce automation into your cybersecurity oversight procedures whenever possible
  • Join a community of practice where you can improve your cybersecurity risk management practices

Learn more: 5 Reasons Your Company Should Automate Third-Party Risk Management – Onspring

Additional NIST Resources

Organizations implementing a supply chain risk management program often reference several complementary NIST publications, including:

How to Future-Proof Your Vendor Risk Program

It’s impossible to overstate the importance of recognizing and addressing risk factors in your supply chain when your organization is responsible for providing or securing local and state services. The best guide to follow when establishing or enhancing your supplier risk program is the NIST Risk Management Framework. A structured platform can help Public Sector teams manage these challenges more effectively while taking advantage of AI advancements without exposing their organizations to unnecessary risk.

See how Onspring’s platform supports these efforts and get a demo today.

Top Cybersecurity Trends Reshaping Federal Risk Management in 2026

Posted on by
Reply

If you’re a governance, risk and compliance (GRC) professional on the Federal level feeling overwhelmed by the many recent and constantly changing cybersecurity trends, you’re not alone. As in many industries, Federal risk management has been all but upended by the rise of artificial intelligence and other major advancements in technology.

As a cybersecurity professional, you might be hesitant to jump on the latest bandwagon in favor of the tried-and-true methods you’re used to. While caution is always warranted, being overly reluctant to upgrade can hold you back from making beneficial changes to your organization that improve efficiency without compromising data security. In this guide, we’ll review exactly what you need to know about the five most impactful trends in cybersecurity right now, including what you and your team should be doing now to stay a step ahead of the competition as well as bad actors.

Top 5 Trends in Cybersecurity in 2026

To keep cyber threats at bay and prevent data breaches, you need to be aware of the latest changes in the cybersecurity space, including those that offer bad actors more opportunities to get in your way.

1. AI-Powered Monitoring

What it is: Artificial intelligence (AI) using large language models (LLMs) and machine learning (ML) has been the most monumental shift to the GRC landscape in many years. With the help of generative AI programs like ChatGPT, risk professionals can collect and analyze troves of data in a fraction of the time they used to.

How it impacts GRC: Whether or not your organization explicitly allows the use of AI, many employees will have an interest in a tool that promises to cut their workload without compromising on quality. Of course, those promises are often overblown. The truth is that working with the wrong kind of AI can expose your organization to greater risk of errors, compliance issues and data breaches.

How to stay ahead: Avoiding AI altogether will only mean your organization risks falling behind competitors that aren’t afraid to adapt to the latest technology. Instead of avoiding it, it’s vital to learn how to use AI responsibly.

2. Criminal Use of AI

What it is: GRC professionals and others who safeguard data aren’t the only people with access to the generative power of AI. Naturally, cybercriminals and other bad actors have as much access to AI as you do. In fact, there are even specific generative AI platforms tailored for criminals, such as FraudGPT.

How it impacts GRC: We probably don’t need to tell you that more empowered and efficient cybercriminals are an obvious threat to the integrity of your organization’s data. Any trove of personal or financial data will provide a tantalizing target to such criminals, as risk managers in Federal agencies are well aware.

How to stay ahead: It makes the most sense to fight fire with fire. When used correctly, AI programs excel at analyzing large amounts of data and flagging abnormalities that might indicate the presence of online intruders.

3. Quantum-resistant Encryption

What it is: Encrypted data has a new threat: quantum computing. Put simply, these advanced computers use the principles of quantum mechanics to perform calculations at exponential speed. For now, this technology is expensive and difficult to access, but future advancements might make quantum computing much more widespread within the next decade.

How it impacts GRC: Quantum computing has the potential to revolutionize problem-solving across the globe, empowering people to better understand our universe and share resources equitably. Unfortunately, well-intentioned people won’t be the only ones with access to this powerful technology. For GRC leaders, your main concern should be how easy quantum computing makes it to unlock encrypted data.

How to stay ahead: The National Institute of Standards & Technology (NIST) has spent the last eight years developing a set of new standards for encryption that can stand up to the threat of quantum computing, called post-quantum cryptographic standards. Getting familiar with these standards and formulating a plan to implement them is the best way to stay on top of this rapidly advancing technology.

4. Automation Beyond Generative AI

What it is: While recent headlines may make it sound like there is only one type of AI that matters, the newest cybersecurity tools aren’t limited to what’s offered by generative AI. Cybersecurity automation doesn’t rely on written prompts or require constant human monitoring to avoid mistakes. Instead, purpose-built automation can pull live data from your systems and analyze it for patterns without introducing additional third-party risk.

How it impacts GRC: The benefits of automation for cybersecurity professionals are hard to overstate. When used properly, cybersecurity automation can help you and your team eliminate repetitive tasks, detect threats and anomalies more quickly, and kick off pre-programmed incident responses without human intervention.

How to stay ahead: Keep your organization competitive by employing automation that connects to your existing tools and processes, offers no-code options for less tech-savvy team members and incorporates NIST requirements and compliance frameworks.

5. Predictive Analytics in Healthcare GRC

What it is: When it comes to protecting and acting on patient data, any wave of new technology in the cybersecurity market brings with it additional challenges. The rise of AI and other types of automation appeals to healthcare GRC professionals as much as any other risk manager, but these organizations require significantly more caution than needed for compliance in other industries.

How it impacts GRC: As more healthcare organizations adopt automation to streamline workflows, possibilities are expanding for the focus on patient care to shift from reacting to existing concerns to proactively identifying and addressing potential risk factors. While promising, this potential future poses new, complex challenges for healthcare GRC managers looking to avoid exposing sensitive patient data to mistakes, misinterpretation and theft.

How to stay ahead: Fortunately, predictive analytics can also be used to flag potential compliance issues that can lead your organization to fall afoul of regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

Stay Informed as Cybersecurity Technology Advances

Feeling more prepared for the next wave of technological advances in GRC? Don’t get too comfortable. The cybersecurity landscape is always changing, and you’ll need to successfully incorporate these trends to be ready for the next round of changes.

Get the insights into cybersecurity trends you need to stay ahead of the curve:

Cybersecurity Automation: Strengthening Defense in a Resource-Strapped Environment

Posted on by
Reply

If you work in Government agencies or as a contractor, you feel the pressure to do more with less every day. Security teams in particular have to reduce response times despite limited staff and resources.

Cybersecurity automation gives a practical way to manage these tasks without relying on constant hiring. Two core compliance frameworks that shape this work for you are the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cybersecurity Maturity Model Certification (CMMC).

NIST organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond and Recover. Meanwhile, CMMC defines maturity levels and specific practices across domains, such as access control, auditing and incident response. Let’s explore three cybersecurity automation strategies that help organizations strengthen their defense.

Why Cybersecurity Automation Is Important

For security teams, a typical day revolves around manual triage, status chasing and spreadsheet maintenance. Cybersecurity automation changes it by pulling live data from your systems to maintain current asset and risk inventories. This happens without asking people to update information by hand.

Under NIST’s Identify function, this means you can see where your critical assets live and how they change over time. On the other hand, the Protect function benefits from automated patching, network segmentation and access monitoring that do not depend on someone remembering to run a script.

Cybersecurity automation also strengthens access control. It enables security professionals to manage who joins, moves and leaves networks and critical systems. At the same time, it keeps user privileges aligned with each user’s role.

This automation handles all your repeatable tasks, allowing you and your teams to spend more time on strategic risk decisions instead of routine checks. You can easily keep pace with security requirements even when the headcount is tight.

Three Ways Cybersecurity Automation Reduces Risks

The main purpose of automating cybersecurity is to minimize threats and speed up recovery and incident response times. Below are three cybersecurity automation strategies that help achieve that:

Smarter Threat Detection

Staff shortages directly or indirectly impact almost every step of your security process. This also includes your ability to watch for threats around the clock. With manual scans and periodic log reviews, your team is more likely to leave gaps that adversaries can take advantage of.

Cybersecurity automation closes those gaps by running continuous monitoring and correlating logs across your security operations center. It also surfaces patterns, such as unusual data transfers or login behaviors, that deserve a closer look. This lines up directly with the Detect function of the NIST Cybersecurity Framework, which emphasizes the timely discovery of cybersecurity events.

Automated anomaly detection can learn what “normal” looks like in your environment and instantly flag deviations for investigation. Your analysts don’t have to stare at dashboards all day. This way, you give your security operations greater depth without adding more people to the roster.

Additionally, CMMC strengthens this need through the AU (Audit and Accountability) domain. It expects systematic collection, protection and review of audit logs. Automation can collect and timestamp events, retain them according to policy and perform first-level analysis to find suspicious sequences. If you work in Government services, this type of threat detection raises your confidence that your team won’t miss any meaningful events.

Faster Incident Response and Recovery

Security teams feel the need for more staff members, especially when something goes wrong. A strong incident response plan only helps if you can execute it quickly and consistently.

Cybersecurity automation brings that plan into action by triggering playbooks as soon as a qualifying event occurs. The automated system instantly isolates affected systems, blocks malicious IP addresses and starts forensics workflows without waiting for someone to manually coordinate the steps.

NIST’s Respond and Recover functions call for well-defined processes that you can rely on during stressful situations. With automation in place, regular backups can be created and tested according to schedule. It also makes sure recovery takes place before systems return to production and that every step is logged for later review.

CMMC’s IR (Incident Response) domain expects this level of definition and documentation. This is much easier to achieve via automation than phone calls or ad hoc emails.

Compliance Made More Manageable

Agencies and contractors working in regulated environments must show that they consistently follow their stated controls. NIST SP 800-53 includes controls that can be supported through cybersecurity automation, such as CA-7 for continuous monitoring. It runs assessments on a defined cadence and produces standardized reports for reviewers.

For security teams, this means they can rely on their automation solutions to maintain an up-to-date record of control performance.

CMMC evaluates maturity across Risk Assessment (RA) and Security Assessment (CA) domains. Automation can help you bring together threat, vulnerability and asset information to support cybersecurity activities without adding new layers of manual work. These include objective risk scoring, tracking remediation activities and monitoring third-party risks.

This automates the flow of information and helps security teams, auditors and compliance leaders easily interpret the results. You still own the decisions, but security automation makes it much easier to show how your program aligns with compliance requirements.

Choosing the Right Cybersecurity Automation Platform

If you’ve already started planning to put these strategies into practice, you may still be wondering which security automation platform to choose. As a general rule of thumb, look for a solution that:

  • Connects to your existing cybersecurity technology, tools and processes
  • Supports a range of users, from CISOs and risk officers to analysts and auditors
  • Offers no-code or low-code options, as they allow security teams to design and adjust workflows without requiring many development resources
  • Aligns with your long-term Governance, Risk and Compliance (GRC) strategy while giving you quick wins in log review, alert triage, incident response and control testing
  • Ties with NIST and CMMC requirements
  • Comes with strong reporting and user experiences

Onspring offers all these features to security teams. Their no-code GRC platform connects risk, compliance and audit data so you can manage policies, assessments and issues in one place.

The platform has strong social proof. Their customers report saving up to 70% of the time they once spent managing policies, consolidating 12% of their applications and improving overall business efficiency by 33%.

Onspring also automates repetitive tasks and displays everything on spreadsheets and dashboards for easy collaboration. It also has GovCloud support for Government environments, which enables CISOs, auditors and security teams to manage security-related functions on autopilot.

Connect with Onspring’s team to understand how their cybersecurity automation capabilities can reduce risks in diverse environments.

Discover How Automation Reduces Cybersecurity Risks

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Onspring, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Artificial Intelligence and Cybersecurity: A Federal Perspective

Posted on by
Reply

As artificial intelligence (AI) continues to expand across Government operations, Federal agencies must integrate advanced AI technology to strengthen cybersecurity while staying ahead of new cyber threats. This is especially crucial in environments where critical systems, personally identifiable information (PII), and critical infrastructure are constantly targeted by sophisticated adversaries.

AI is a double-edged sword. Malicious actors now use machine learning techniques, deep learning and generative AI to scale cyberattacks at unprecedented speed. At the same time, security teams are successfully deploying advanced AI algorithms, security tools and threat intelligence to detect, defend and respond faster. Striking the right balance is essential for Federal leaders responsible for safeguarding national interests.

In this article, we’ll talk about how to find the right balance between exploiting AI’s capabilities and guarding against the risks. We’ll also explore the specific threats agencies face today, and discuss how AI can help by automating risk management.

The Growing Cybersecurity Challenge

Ransomware, large-scale phishing campaigns and deepfake social engineering attacks are accelerating due to advancements in AI systems and large language models (LLMs). Cybercriminals can cast a wider net than ever before, with little effort and at a low cost to themselves, especially when targeting critical infrastructure and Federal systems.

Increased Threats

It’s worth noting that even benign AI applications are paving the way for more cyber events. When Government agencies adopt AI tools, they automatically expand their networks and their “attack surfaces,” requiring new security measures and stronger vulnerability assessment practices.

AI’s automation and speed enable large-scale attacks. AI can rapidly scan and scrape online databases and analyze network traffic, looking for potential targets to attack. Hackers can use AI’s no-code automation capabilities to create the code for malware at high speed, and to send out phishing emails at a larger scale than ever before. AI’s natural language processing (NLP) capabilities allow it to create credible “deepfake” video and audio at high speed, as well.

The vast majority of these attacks are unsuccessful, but it only takes one careless end user to click a bad link to a malicious website, or to click a link that triggers a domain blocking failure. That’s why it’s so important for security teams to be on their guard. Fortunately, AI tools can also help. Just as no-code automation helps hackers, it also helps agencies protect themselves against threats.

Leveraging AI Tools To Fight Cyberattacks

The same capabilities that can make AI useful for hackers also make it a great tool in fighting cyber threats. Automation, speed and the ability to identify patterns are all invaluable for countering online threats.

Using AI to Identify Phishing Attacks

AI excels at assisting with phishing detection. AI and Machine Learning (ML) tools can quickly “read” incoming emails and texts and scan them for telltale signs of danger, like unusual sender addresses. AI’s natural language processing capabilities also help. NLP tools scan incoming messages for unusual phrasing or a strange tone, which might indicate a phishing attack.

Most spam folders are powered by AI and ML tools. These tools are constantly learning on the job, too. Whenever you mark an incoming email “spam,” your software learns a little more about what you consider to be spam. Going forward, it incorporates that information into its workflow.

Using AI To Scan for Malware

AI-powered antivirus tools scan for malware more effectively than older antivirus detection systems. The AI software scans and analyzes huge quantities of data in network traffic and system logs to identify patterns that could indicate a virus. Because deep learning models are so good at identifying patterns and spotting anomalies, it can often spot new viruses early on.

Older antivirus software relies on known viral signatures. While useful, these tools can’t keep up with new threats evolving through AI algorithms. That’s the AI difference: predictive pattern detection supports proactive cybersecurity solutions and strengthens incident response.

Using AI To Identify Threats From Within

AI can help to spot attacks from within. The software establishes a baseline of user behavior, like normal login hours and normal patterns of data access. When there’s a change in that baseline, the AI tool flags it for further investigation.

AI looks for changes like unusual activity outside of a team member’s normal working hours or location-based aberrations. For example, if a member of your team normally logs in at 9 a.m. and out at 5 p.m., the AI tool will notice if they start logging in again at midnight to download files. Even if they have authorization to view that information, it’s worth asking why they suddenly need to access it at an unusual time. In the same vein, further review may be warranted if an employee views a record from an atypical IP address.

Using AI To Actively Fight Threats

Beyond identifying cyber threats, AI tools can proactively defend systems. They block or isolate compromised devices, enforce malicious domain blocking, apply system patches and notify security teams of attempted attacks.

AI-backed incident response workflows reduce the spread of malware and help protect the network even when one endpoint is compromised.

Exercising Precaution: Building Guardrails for AI

AI is a valuable tool for fighting cyber threats. However, it’s important to protect your network and end users against AI’s natural pitfalls. Federal agencies have a special responsibility to install guardrails in accordance with the relevant regulations and guidelines.

AI guardrails ensure that the technology behaves according to ethical standards, avoiding bias and making appropriate use of sensitive data. To some extent, AI itself can create guidelines. Generative AI tools can routinely scan for ethical problems and alert managers to any new issues.

However, human oversight remains crucial, and agencies should appoint managers to be directly accountable for AI supervision. The NIST AI Risk Management Framework provides detailed guidance for managers and anyone else involved in managing AI guardrails.

Making the Best Use of AI

Government agencies can’t turn their backs on AI. The technology offers too many benefits to stop using it. However, leaders must be aware that expanding AI also opens them up to greater threats. It’s also critical to be alert to the many dangers posed by AI-enabled cyberattacks.

The first step? Inform yourself about how AI can impact your agency. To get started, learn about AI integration into GRC today.

The Practical Applications of Artificial Intelligence in Government Programs

Posted on by
Reply

A Government’s ability to lead, protect and serve is tied to how boldly it embraces technology. Artificial intelligence (AI) is no longer a distant concept. It’s a force already redefining the way agencies operate, safeguard resources and deliver services. In an era where global competitors are racing ahead with automation and advanced analytics, standing still is not an option. Agencies that adopt AI strategically will not only keep pace but set new standards for effectiveness, transparency and citizen trust.

Key Use Cases for Artificial Intelligence in Government

Across the Public Sector, AI is moving beyond pilot projects into critical programs. Government agencies are weaving AI into their daily operations. They are detecting fraud before it drains budgets, automating compliance that once accounted for many staff hours and analyzing risks too complicated for manual review. The practical applications are real, measurable and growing. What once seemed like gradual innovation is quickly becoming a foundation for modern governance.

Common AI use cases in Government include:

Fraud detection and prevention

The U.S. Government loses between $233 billion and $521 billion a year to fraud. While no agency is immune to fraud, AI is helping the Government fight back. For example:

  • The Treasury Departmentuses machine learning to detect fraud in real time, enabling it to recover over $4 billion in fraudulent funds during fiscal year 2024.
  • The Centers for Medicare & Medicaid Services (CMS)has integrated AI in its fraud prevention system to review claims before payment. Between January and August 2025 alone, it denied over 800,000 fraudulent claims, saving more than $141 million.
  • The IRS uses AI-powered tools, such as the Risk-Based Collection Model, to improve fraud detection and reduce the tax gap.

Compliance reporting

Compliance is time-consuming for agencies, but AI is now automating much of the process. Agencies use AI to monitor real-time data and flag inconsistencies to simplify reporting. With these capabilities, AI enables greater transparency and faster responses to regulatory requirements.

While AI doesn’t replace human oversight, it frees staff to focus on higher-value analysis, cutting the time and costs of compliance. A good example is the Securities and Exchange Commission’s (SEC) use of natural language processing to automate reporting for financial markets. It processes millions of filings and generates compliance reports to improve enforcement efficiency.

Risk management

Government programs face constant risks:

  • Operational
  • Financial
  • Security
  • Environmental
  • Third-party exposure

AI in Government is already helping agencies with minimum risk management practices. For instance, automating third-party risk management with AI-enabled Governance, Risk and Compliance (GRC) platforms helps agencies assess vendor reliability and track compliance to reduce exposure.

Supply chain monitoring

The COVID-19 pandemic revealed the vulnerability of the public supply chain. AI is now helping the Government strengthen resilience with real-time monitoring.

Machine learning models predict bottlenecks to help agencies optimize their logistics. Additionally, enhanced visibility allows policymakers to proactively mitigate third-party risks in the supply chain, as they can monitor vendors and flag vulnerabilities before they escalate.

Policy cycle integration

Public policies move through cycles: setting the agenda, designing solutions, implementing programs and evaluating results. AI has a role at each stage.

Policy cycle stageAI’s roles
Agenda-settingAnalyzes citizen feedback and emerging trends to identify priorities
Solution development Models the likely impact of different policy options
ImplementationAutomates program operations
EvaluationMeasures outcomes against goals

Used thoughtfully, AI makes the policy cycle more evidence-driven and adaptive.

Citizen services

According to a 2024 Salesforce report, 75% of Americans expect Government digital technologies to match the quality of the best private sector organizations. To meet these expectations, U.S. and State Government agencies are using:

  • Chatbots to answer common questions and improve the availability of Government services
  • Digital assistants to provide personalized help and handle more complex inquiries
  • Self-service portals to let citizens complete tasks like renewing licenses on their own

Benefits of Artificial Intelligence in Government

Beyond mere modernization, embracing AI in Government delivers measurable value:

Increased efficiency and productivity

According to a 2023 McKinsey report, generative AI can automate 60%–70% of tasks and add $2.6–4.4 trillion annually to global productivity. Federal and State agencies are using AI to reduce repetitive tasks such as data entry and document reviews to free Government employees’ time for more strategic efforts. This shift in focus raises productivity without adding headcount.

Improved strategy

Insights from AI help policymakers see the bigger picture. Agencies use predictive analytics to forecast outcomes and test scenarios so they can design public policies to prevent undesirable outcomes to begin with, instead of just reacting to them.

Greater responsiveness

AI makes public services more responsive. Examples include agencies using chatbots to answer citizens’ questions and sentiment analysis tools to better listen to community concerns.

Implementation Challenges that Hinder the Strategic Use of AI in Government

While AI is already delivering results in Government agencies, several obstacles hinder its broader adoption.

Skill gaps and training

A 2024 Salesforce survey found that 60% of Public Sector IT professionals say limited AI skill is their top challenge in implementing AI.

Data biases and ethics

AI learns from data that often reflects existing societal inequities, which can perpetuate or even amplify bias.

Data management

Many agencies rely on siloed or outdated systems. In fact, the Federal Government faces a $100 billion legacy IT challenge, making it difficult to integrate and secure data effectively.

Public trust

Government agencies are expected to operate with a high degree of accountability and transparency. Public skepticism, shaped with legitimate concerns about bias and privacy, may stall or derail AI initiatives.

The Way Forward: Building Smarter, Trustworthy Public Programs

The potential of AI in Government is huge, but so are the risks. To enjoy the benefits while protecting public trust, it’s important to follow best practices for managing AI risks:

  • Treat AI as a strategic asset that drives smart, citizen-focused outcomes, rather than just a technical tool.
  • Pair AI with human oversight to address biases and provide context in decision-making, so the outcomes remain fair and ethical.
  • Invest in responsible governance frameworks to guide the development and deployment of AI within your agency.
  • Monitor AI continuously after deployment to address any unintended consequences.

Managing AI in GRC Solutions