ARTICLE
6 May 2025

Trump Administration Issues Guidance On Use, Deployment, And Procurement Of AI

NM
Nelson Mullins Riley & Scarborough LLP

Contributor

Nelson Mullins Riley & Scarborough LLP logo

Flexibility, practical business sense, and tireless advocacy are among Nelson Mullins’ service hallmarks. Our growth over the past 120 years continues to be client-focused.

Our culture and multidisciplinary platform provide our community of clients trusted advice to meet a broad range of business needs and our team members an opportunity to be part of a Firm that values relationships, collaboration, thinking ahead, leadership within our profession, and helping those in need through pro bono and community service.

Explore Firm Details
This is part of a series from Nelson Mullins' AI Task Force. We will continue to provide additional insight on both domestic and international matters across various industries spanning both the public and private sectors.
United States Technology
Franklin Chou and Jason I. Epstein

This is part of a series from Nelson Mullins' AI Task Force. We will continue to provide additional insight on both domestic and international matters across various industries spanning both the public and private sectors.

On April 3, 2025, the Office of Management and Budget (OMB) released two related memoranda— M-25-21 and M-25-22—that mark a significant shift in the federal government's approach to artificial intelligence (AI) adoption. Replacing Biden-era directives M-24-10 and M-24-18, respectively, these memoranda reflect the Trump administration's policy preference for streamlined innovation, decentralized governance, and private-sector collaboration over prescriptive regulatory mandates. This article summarizes each memorandum and outlines key compliance considerations for companies under the new directives.

I. Overview of the Memos

M-25-21 governs how federal agencies use and deploy AI systems. M-25-21 represents a strategic pivot toward accelerating AI adoption with a stronger focus on measurable outcomes and public value. The memo emphasizes removing bureaucratic barriers and empowering agencies to integrate AI into mission-critical operations more quickly. It introduces requirements for agency-level AI strategies, the designation of Chief AI Officers, and the creation of AI Governance Boards. For "high-impact AI" systems—those with significant effects on individuals' rights or safety—M-25-21 sets out minimum risk management practices such as pre-deployment testing, human oversight, and feedback incorporation. This more permissive approach may create opportunities for innovation but also shifts greater responsibility to vendors and agencies to ensure AI systems are used responsibly and transparently.

M-25-22 addresses how agencies procure AI solutions from external vendors. It adopts a more pragmatic, business-friendly stance, aiming to streamline acquisition processes and remove barriers to timely AI deployment. While the Biden-era M-24-18 included more stringent requirements around fairness, transparency, and ethical AI, M-25-22 focuses on flexibility, cost-effectiveness, and maximizing agency discretion—while still signaling expectations around competition, data governance, and U.S.-origin technologies.

For businesses, the opportunity is clear—but so are the stakes. The memos' shift towards a more flexible, permissive, and outcome-oriented framework gives forward-thinking vendors room to innovate, tailor solutions to agency-specific needs, and move more quickly through the procurement pipeline. Agencies are empowered to prioritize operational results over strict compliance checklists, which may reduce friction for nimble AI providers with modular, transparent, U.S.-made offerings with flexible contractual provisions that prioritize customer portability. Effective, transparent, and explainable AI products are still most valued under this new framework—after all, the goal remains to increase AI adoption—but the underlying requirements to avoid unlawful bias, unlawful discrimination, and harmful outcomes and encourage transparent AI are implied more than prescribed. For offerings that rely on proprietary technology, murky data rights, or complex, multi-year pricing structures that suggest "forever customer" rather than "best value"—expect friction. Businesses may also face new hurdles including fragmented implementation across federal agencies, evolving risk management expectations that fall outside the boundaries of existing frameworks, and a procurement ecosystem that eschews "vendor lock in" (signaling a preference for easily replaceable solutions to accelerate innovation and cost-efficiency).

II. Key Policy Directives

A. M-25-21: Use of AI by Federal Agencies

M-25-21 directs all executive agencies (including independent regulatory agencies) to:

  1. Create and designate the role of a Chief AI Officer (CAIO) at each agency to foster innovation, acceptance, and adoption of AI across all levels. M-25-21 at 10. Such an innovative role may be performed by an existing leadership role such as Chief Information Officer, Chief Data Officer, Chief Technology Officer, or other similar official with relevant or complementary authorities and responsibilities. Appointing a CAIO at each agency is expected to increase interagency and intra-agency coordination by maximizing efficiency through expanded lines of communication while simultaneously reducing bureaucracy and costs to the American people. Id. at 13.
  2. Accelerate AI innovation by leveraging existing tools, processes, and resources to avoid the creation of additional bureaucracy. Id. at 6.
  3. Maximize reuse of existing solutions, repurpose legacy tools, and promote interagency sharing of commonly used packages and functions to promote innovation and reduce costs to taxpayers with minimal invention. Id. at 7.
  4. Develop and promulgate minimum viable risk management practices confined to "high impact" AI use cases to ensure that AI use across federal agencies is trustworthy, secure, and accountable. Id. at 13. Notably, M-25-21 does not reference the National Institute of Standards and Technology's AI Risk Management Framework (AI RMF), released Jan. 26, 2023, or ISO/IEC 42001:2023, which provides international guidance on AI management systems. This omission suggests a more agency-led, flexible approach to risk governance—potentially at the cost of broader standardization across the federal enterprise.

B. External Acquisition of AI by Federal Agencies

Effective Oct. 1, 2025, M-25-22 updates the federal acquisition framework for AI technologies, aiming to modernize procurement by emphasizing agility, competition, innovation, and responsible data stewardship. The memorandum directs agencies to:

  1. Promote cost-effectiveness and competition by entering into contracts that avoid vendor lock in, including, for example, mandating knowledge transfer, data and model portability, and clear ownership terms to ensure that the federal government can swiftly pivot between vendors to take advantage of potential reductions in cost in mission critical applications. M 25-22 at 5.
  2. Maximize acquisition of U.S.-made AI products and services. Id. at 4.
  3. Promote cross-functional collaboration during the procurement process, drawing from legal, IT, cybersecurity, privacy, civil rights, budgeting, program evaluation, and related disciplines to inform acquisition decisions and ensure alignment with broader agency missions. Id. at 7 (citing footnote 13, which appears to refer to footnote 14).
  4. Retain and maximize the value of government data by requiring agencies to revisit and, where necessary, update policies governing licensing, ownership, and control of government data—particularly when such data "is used to train, fine-tune, or develop AI systems or services." Id. at 5. (This dovetails with the administration's goal to avoid vendor lock in, as described above.)

III. Business Compliance and Strategic Considerations

For companies looking to engage with the federal government on AI offerings, both memos carry important implications:

A. Under M-25-21 (Use of AI)

  1. Focus on Practical Applications and Measurable Outcomes:
    • Businesses should emphasize the tangible benefits of their AI solutions, demonstrating how they can improve operational efficiency and public service delivery.
    • Provide clear metrics and performance indicators to quantify the impact of AI deployments.
    • Highlight AI solutions that can easily be integrated into existing government workflows.
  2. Data Governance and Quality Assurance:
    • Offer robust data management solutions that ensure data quality, integrity, and security for AI applications.
    • Provide tools and services to facilitate data cleansing, validation, and enrichment.
    • Offer solutions that provide data lineage tracking to increase transparency.
  3. Transparency and Explainability:
    • Develop AI solutions that provide clear and understandable explanations of their decision-making processes.
    • Implement mechanisms for auditing and monitoring AI systems to ensure accountability and transparency.
    • Provide documentation that explains the AI model and the data that the model was trained upon.
  4. Security and Resilience:
    • Design AI systems with robust security features to protect against cyber threats and unauthorized access.
    • Implement redundancy and failover mechanisms to ensure system resilience and minimize downtime.
    • Ensure that AI systems are compliant with federal security standards.
  5. Focus on Accessibility and Inclusivity:
    • Develop AI solutions with accessibility in mind, to allow for all members of the public to be able to interact with the AI.
    • Ensure that the AI does not create or propagate bias against any specific group of people.
  6. Compliance with Directives:
    • Businesses should be prepared to provide information regarding the U.S. origin of AI products.
    • Businesses should ensure that they can provide adequate documentation for pre-deployment testing, AI impact assessments, and ongoing monitoring.
    • Businesses should develop solutions that include human oversight, intervention, and accountability features.
    • Businesses should be prepared to offer consistent remedies or appeals and incorporate feedback from end-users and the public.

B. Under M-25-22 (Procurement of AI)

  1. Interoperability and Documentation:
    • Provide well-defined and well documented APIs to support technical compatibility and interoperability within government systems to help promote mobility of data sets and models and avoid vendor lock in.
    • Provide thorough documentation of model development, source code, and testing to facilitate continuity and vendor transitions.
  2. Economic and Commercial Terms:
    • Provide clear and detailed pricing structures that avoid bulk discounts, tying arrangements, or exclusivity clauses, to promote fair competition and prevent agencies from being locked into unfavorable pricing models. See especially M-25-22 at 9.
    • Guarantee equal access for downstream commercial partners and avoid preferential treatment.
    • Offer contract terms that allow for modularity and scalability, enabling agencies to easily adapt and integrate AI solutions with existing systems, thus preventing dependence on a single vendor's proprietary technology.
  3. Data and Intellectual Property Rights:
    • Companies must establish clear and unambiguous terms regarding intellectual property ownership and data usage rights, particularly concerning government data used in AI training and development. This will allow companies to retain appropriate control over their intellectual property (IP) and mitigate the risk of vendor lock-in.
    • Given the government's evolving approach to data and model ownership, this may create a "moving target" for companies' IP ownership and licensing strategy. This necessitates careful contractual language and clear delineation of IP rights. If not already implemented as a part of general corporate governance and hygiene, companies should conduct regular internal evaluations of any advancements in their products or services, as well as changes to their AI models and data handling practices, to ensure adequate protection of their IP portfolio. Companies engaged under government contracts should be prepared to share with and justify those evaluations to the government.
    • Implementing a robust data governance framework is imperative.
  4. Emphasize U.S.-origin
    • Provide clear documentation of the origin and domestic production of AI products and services, to allow for the government to easily ensure that the AI is U.S. made.
    • Ensure compliance with any applicable domestic preference requirements, to help the government easily ensure that the AI is U.S. made.

IV. Final Thoughts

M-25-21 and M-25-22 together set the stage for a new era of AI in federal government: one that moves faster, demands clearer accountability from agencies and vendors alike, and seeks to promote domestic innovation without slowing it down with unnecessary red tape. Now is the time for vendors to reassess their federal contracting posture, review internal compliance frameworks, and align product roadmaps to the forward-leaning tone set by M-25-21 and M-25-22.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Franklin Chou
Franklin Chou
Photo of Jason I. Epstein
Jason I. Epstein
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More