
Audit Of The USDA Finds Most AI Systems Lacked Required Security Approval

The U.S. Department of Agriculture’s Inspector General found that most AI systems operating across the agency have not completed required cybersecurity reviews, creating potential exposure to data breaches and operational risks.

 

Key Takeaways

  • 89% of approved AI use cases lacked an Authorization to Operate (ATO), a required federal cybersecurity approval process.
  • The USDA did not complete risk assessments for all connected AI systems.
  • The agency did not fully implement generative AI guidance or update internal policies required under federal Office of Management and Budget (OMB) directives.
  • The Inspector General said the USDA prioritized deploying AI systems before implementing required security and governance controls.

The U.S. Department of Agriculture (USDA) Office of Inspector General released an audit finding that the USDA failed to fully implement cybersecurity and governance controls for the AI systems used across the department, creating potential security and compliance risks.

89% of AI systems lack the required cybersecurity authorization

According to the report, 73 of the 82 (89%) approved AI use cases did not have an Authorization to Operate (ATO). An ATO is a federal approval process that evaluates whether systems have adequate cybersecurity protections and supporting documentation. An ATO is required before a software system is allowed to connect to government networks. 

These 73 systems were not recorded in the USDA’s cybersecurity tracking system.

The report did not publicly identify the specific AI systems involved or whether the systems processed sensitive or classified information.

Two out of nine approved AI systems were not reviewed for risks

The Inspector General found that the CIO’s office at the USDA did not complete cyber risk assessments for all approved AI systems. Further, the two systems were missing cybersecurity documentation. 

The USDA neglected AI governance, missed deadlines

The audit found that the USDA did not follow all federal AI security directives issued by the Office of Management and Budget (OMB). The directives require agencies to inventory AI systems, complete risk reviews before deployment, document data handling practices, and apply cybersecurity controls before systems connect to government networks.

According to the report, the USDA did not update internal IT and cybersecurity policies to address AI-specific risks. These included procedures for AI risk assessments, AI system inventories, security reviews, and ensuring systems completed the federal Authorization to Operate (ATO) process. The audit also found that the USDA did not finalize guidance governing employee use of generative AI systems by the required federal deadlines.

The Inspector General stated that USDA “prioritized AI implementation over cybersecurity and governance controls.”

What the Inspector General recommends

  • Create department-wide procedures for AI impact assessments
  • Update the USDA cybersecurity and IT policies to address AI systems
  • Maintain a continuously updated inventory of all AI systems
  • Require risk assessments and cybersecurity reviews before AI systems connect to USDA networks

According to the report, the USDA’s Office of the Chief Information Officer agreed with the findings and recommendations.

Clayton Rifkind

Clayton Rifkind is the Founder and Senior Editor of AI Risk Today. He also advises on content development for esgtoday.com, a leading source of ESG investment news and research for institutional investors and corporate leaders. He has 20+ years experience in B2B technology marketing, leading strategy and execution of go-to-market plans across software, enterprise platforms, and mobile applications. He also founded two marketing consultancies, advising startups and Fortune 1000 companies, including Autodesk, Intel, and Microsoft. Clayton began his career in the San Francisco advertising scene, working with brands such as Hewlett-Packard, Intel, Microsoft, Symantec, and Wells Fargo.
