Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jul 13 2026
Security

Why AI Governance Is a Critical Component of Federal Cybersecurity

As agencies move AI from pilots into mission-critical operations, extending proven cybersecurity disciplines is the key to scaling adoption securely.

As federal agencies move beyond artificial intelligence pilots and integrate AI into mission-critical operations, questions around governance, oversight and risk management are becoming more urgent.

Recent actions from the Trump administration — including the executive order on combating cybercrime, fraud and predatory schemes against American citizens — and comments from National Cyber Director Sean Cairncross about forthcoming cybersecurity-focused executive orders reflect a growing emphasis on accountability and risk management in government technology.

Click the banner below to read CDW’s white paper on optimizing cyber defense with managed security services.

 

AI Expands the Cyber Risk Surface, and Governance is Crucial

Agencies can no longer treat cybersecurity and AI adoption as separate initiatives. AI introduces new dependencies on data, software, infrastructure and third-party providers, making governance a critical consideration from the outset rather than an afterthought. Studies consistently show that organizations that have been aggressive at embracing AI in the workplace but whose AI governance structures and practices have failed to keep pace suffer more AI-related breaches than those with clear governance processes, and that these breaches also tend to be more damaging.

One of AI governance’s biggest challenges is organizational rather than technical. AI initiatives are often driven by teams focused on model performance, data quality and mission outcomes, while cybersecurity teams prioritize risk management, access controls and continuous monitoring. When those efforts operate independently, visibility gaps and accountability challenges can emerge. At its heart, AI governance is about assigning clear ownership for AI outcomes and for ensuring that key stakeholders — not security professionals alone — are responsible for the performance of AI, including its security.

AI systems also create new attack surfaces. Sensitive data may be exposed through training, queries and increasingly through agentic AI. Third-party models and AI services introduce supply chain risks. Automated decision-making systems can create operational and security concerns when agencies lack transparency into how models function, what data they rely on and who is responsible for oversight.

Integrating security, governance and operational oversight throughout the AI lifecycle will be essential to managing risk while realizing AI’s potential.

ACCOMPLISH THE MISSION: Modernize your agency’s IT infrastructure.

Identity and Access Management Meets Agentic AI

At many organizations, the number of  nonhuman identities greatly exceeds the number of IDs and passwords for human employees, sometimes by a factor of 100 or more. While this trend began with Internet of Things devices, it accelerated dramatically with the adoption of agentic AI, and data shows that nearly 70% of organizations give NHI’s more access privileges than they would a human performing the same role. Many of these NHIs receive static access credentials that aren’t updated like a human user’s password, and few organizations ‘retire’ obsolete AI agents when new agents are created or the need for the agent is fulfilled.

In short, we lack the equivalent of a “digital HR process” for handling agentic AI. Coupled with the nondeterministic nature of generative AI and the propensity of agents to do things their creators didn’t intend and would prohibit, this places an even greater premium on adopting strong AI governance practices.

Do Not Create Another Governance Silo

Agencies should also resist the urge to build separate governance structures for every AI initiative. Complexity is already one of the biggest challenges facing federal technology teams. New technologies often arrive with new tools, review boards and management processes. While we currently lack a standardized model or framework for AI governance, the National Institute of Standards and Technology AI Risk Management Framework provides agencies with sound guidance and best practices, and if adopted by multiple agencies, it can facilitate identifying common problems and successful solutions.

The goal should be a consistent framework that supports innovation while maintaining security and accountability. The strongest approach is to integrate AI governance into existing cybersecurity, risk management and procurement processes.

Visibility Is the Foundation of AI oversight

For agency CIOs and CISOs, AI governance is ultimately an operational challenge. Success depends less on creating entirely new oversight structures and more on ensuring AI systems can be monitored, secured and managed within existing technology environments.

Effective governance starts with visibility. Agencies need to know what AI systems are in use, where sensitive data is flowing, who owns those systems and how risk is being monitored over time.

GET SECURE: Learn how federal agencies can boost security against threats.

AI Governance Requires Continuous Risk Management

Federal cybersecurity initiatives such as the Cybersecurity and Infrastructure Security Agency’s Secure by Design effort have increasingly emphasized security, accountability and confidence in the technologies supporting government missions. AI introduces many of the same considerations.

Organizations need to know where models originate, how they were trained, who maintains them and whether the surrounding technology ecosystem meets security requirements. As AI adoption grows, understanding the supply chain behind a model may matter as much as evaluating its output.

Build AI Into the Broader Modernization Strategy

AI adoption should be evaluated as part of broader modernization efforts. Agencies need to understand how AI capabilities fit within existing technology strategies and whether they simplify operations or create new management burdens.

Ultimately, AI governance is less about creating new oversight structures and more about extending proven cybersecurity disciplines to a new class of technology. Agencies that build visibility, accountability and continuous risk management into AI programs today will be best positioned to scale adoption securely and effectively in the years ahead.

ATHVisions/Getty Images