Speaking at a recent conference panel, officials identified a top use case on their wish list: assisting with the classification of records and the authorization to access those records.
“I would implement AI to help me identify the types of data ... and what kind of metadata tags and labels that they should have based on what’s in that record,” said David Voelker, standardization officer of the Naval Warfare Systems Command for the U.S. Navy, at the ATARC Cyber AI Convergence Summit 2025 in June.
Voelker would like an artificial intelligence (AI) agent to generate a notional attribute-based access control, or ABAC, rule that classifies the data in such a way that only people with the proper authentication tokens can access it, based on its classification in the metadata. Security managers would be able to assign access rights to specific people through identity providers that verify users.
“If you have people that are working in the cafeteria, they may have access to the lunch menu that’s been tagged in its data. We want only the people in the cafeteria to have access to update that lunch menu,” Voelker said. “The same thing would happen for financial information that’s in the environment or aircraft design data. Say I’ve tagged it and I want to make sure that only the engineers and those folks that need access to that data can actually get access.”
Click the banner below to start implementing smarter security.
Security managers could double-check the work of the AI data tagging to ensure it is accurate and then train AI agents to improve their tagging for subsequent jobs. Security managers also would set the permissions for accessing the data based on roles, Voelker said.
Agencies Struggle With a High Volume of Records To Classify
Civilian agencies also would like to use AI to improve the classification of records. The Department of Homeland Security is “pushing” data classification use cases for AI, said Derek Mueller, cybersecurity adviser for DHS’ Cybersecurity and Infrastructure Security Agency. DHS is working through the challenges of training AI to “parse through” large amounts of data and classify whether it is sensitive, secret or top secret.
The goal is for a trained AI model to have the capabilities to scan data and recognize how it should be classified, particularly taken in context with other records, Mueller said.
“After time, you won’t really need anybody to go through that data. It’s going to know. In the future, it’s going to classify and it’s going to mark it correctly. We’re trying to train end users to trust the process,” he said.
Daniel Buchholz, Red Cell Chief of the Monitoring and Incident Response Division for the Department of State, said the government has not been good at data categorization in the past.
“You have all of this information out there, and it’s not well labeled. People don’t know how sensitive it is, how protected it is. Now, generative AI can pull those as data sources and share them out. That’s an incentive for users to start categorizing that data,” Buchholz said.
Successful cyberattacks often happen when bad actors gain access to accounts that can read sensitive data, Dr. Murat Kantarcioglu, professor and Commonwealth Cyber Initiative Faculty Fellow at Virginia Tech, told the panel.
“We recommend that you need to have AI in place to dynamically check access to data and pinpoint data access anomalies,” Kantarcioglu said. “An important part of it is the data sensitivity. If someone is accessing sensitive data in more move volume, this should be flagged.”
Click the banner below for the latest federal IT and cybersecurity insights.
Security managers also could use AI to review logs to ensure authorized users are accessing the right resources in the appropriate way, he said.
Voelker said he generates threat scores based on AI analysis of logs for his agency.
AI Agents Act as a Force Multiplier
Buchholz emphasized that his agency processes more data than its employees could ever parse manually. The State Department leverages AI as a force multiplier, for example, to examine the large volume of data in its logs.
“We have a big data lake that we pour all of these logs into,” he said. “We must make the best use of our limited resources for monitoring to apply their time to the most relevant data source.”
UP NEXT: These flexible, future-proof platforms are improving agency DX.
The ATARC panelists agreed that AI’s chief value was boosting productivity and efficiency while processing large volumes of data through repetitive tasks.
“There are many things that we do that are repetitive. But if we can automate those things, I can harvest those hours and invest that in doing things around cybersecurity,” said Col. Travis Hartman, CTO of the Army Forces Command for the U.S. Army.
