The M-25-21 Compliance Theater Crisis: What Agencies Built vs. What They Actually Have

Agencies filed M-25-21 compliance plans. Most never operationalized them. Three patterns of compliance theater and why the IG is in the audience.

Agencies filed their M-25-21 compliance plans by September 30, 2025. The plans were posted publicly. The boxes were checked. Leadership signed off. And across federal government, there was a collective exhale: we're compliant.

Except compliance isn't a plan. It's a state. And the distance between filing a plan that describes what you intend to build and actually building it is where most agencies are stuck right now — seven months later, with the 365-day full compliance deadline in the rearview mirror.

The plans described what agencies intended to do. The question is: did they do it? In most cases, no. What they did instead has a name. It's called compliance theater.

Three flavors of compliance theater

Not all compliance failures look the same. Some agencies genuinely tried and fell short on execution. Others performed the motions without the substance. Across federal government, the failures cluster into three patterns.

The aspirational governance board

The compliance plan said: "The agency will establish an AI Governance Board comprising representatives from IT, cybersecurity, data, legal, privacy, and budget." The CAIO was designated. The charter was drafted.

Then nothing happened. The board never met. Or it met once — a kickoff meeting where members introduced themselves, discussed the mandate in general terms, and agreed to reconvene. The reconvening didn't happen. Members had day jobs. Nobody owned the agenda. The charter described a decision-making body, but there were no decisions to make because nobody brought decisions to the table.

This is the most common failure mode. The governance structure exists on paper. It has members, a charter, and a mandate. What it doesn't have is a cadence, an intake process, or a track record of actual governance decisions. An IG auditor will ask for meeting minutes and decision logs. Producing a charter and an attendance sheet from a single kickoff is not the same thing.

The inventory fiction

M-25-21 required agencies to maintain an annually updated AI use case inventory. Most agencies built one. The method was almost universal: the CAIO's office sent an email to every bureau and program office asking teams to self-report their AI use cases.

Some teams responded thoroughly. Some responded with whatever they thought qualified. Some didn't respond at all.

The resulting inventory reflects who answered the email, not what AI the agency actually runs. The program office that piloted a machine learning tool for workload prediction and never told IT? Not in the inventory. The vendor platform with embedded AI features that procurement didn't classify as AI? Not in the inventory. The research division that's been using large language models for document analysis since 2024? Maybe in the inventory, maybe not — depends on whether someone in that division saw the email and understood it applied to them.

GAO found that 15 of 20 reviewed agencies had inaccurate or incomplete inventories. That's not a sampling error. That's a systemic methodology problem. Self-reported inventories will always undercount, and the undercounting is not random — it's biased toward missing exactly the use cases that are hardest to govern: the ones nobody in central IT knows about.

The policy PDF

The agency published a responsible AI policy. It references NIST AI RMF principles. It articulates commitments to fairness, transparency, accountability, and human oversight. It was reviewed by legal, approved by the CAIO, and posted on the agency website.

No one was trained on it. No system was evaluated against it. No process exists to determine whether a specific AI deployment complies with it. It's a document that satisfies a requirement to have a document. It is not governance.

A responsible AI policy without an implementation mechanism is a mission statement. Mission statements don't prevent harm, don't survive audit, and don't help the program manager who needs to know whether their system requires a risk assessment before deployment. The policy says yes. Nobody told the program manager that, and nobody built the intake process that would catch it.

Why this matters now

Compliance theater was survivable when nobody was checking. That window is closing.

GAO's findings on incomplete inventories weren't advisory: they came with 35 specific recommendations to 19 agencies. IG offices are initiating their own reviews. In March 2026 GAO published findings that OMB's AI guidance fails to fully address 8 of 10 AI privacy challenges, which means the scrutiny is intensifying, not fading.

More immediately: the acquisition requirements being built around GSAR 552.239-7001 assume M-25-21 compliance as a foundation. Agencies that didn't build the foundation are now acquiring AI systems under a framework that presupposes governance structures they don't operationally have. Every new procurement compounds the gap.

And the compliance plans themselves are public documents. They're posted on agency websites. They describe specific commitments with specific timelines. When an IG reviews whether an agency met its own commitments, the agency wrote the test it's being graded against. If the plan said "the AI Governance Board will meet monthly beginning Q1 2026" and the board hasn't met since October, that's not a subjective finding. It's a factual one. The agency defined success, published it, and didn't achieve it.

The fix isn't more documents

The instinct, when compliance gaps are identified, is to produce more documentation. Updated policies. Revised governance charters. New inventory templates. More paper to cover the paper that didn't work.

That instinct is wrong. The problem was never insufficient documentation. The problem is that documentation without operational backing is fiction. The fix is operational governance: someone who goes system by system, tests whether controls actually function, and builds the evidence trail that survives audit.

That means: independently verify the inventory by cross-referencing procurement records, IT asset management, and program office interviews, not just re-sending the email. Attend the governance board meetings and ensure they produce documented decisions, not just attendance. Take the responsible AI policy and map each principle to a specific control, a specific owner, and a specific evaluation cadence. Run the gap assessment that compares what the compliance plan promised against what actually exists today.
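The inventory cross-check is the one step above that is mostly mechanical once the three record sets are in hand, so here is what it looks like in code. This is an added example written for this article; it is not code from any agency, from OMB, or from GAO. Every record, system name, owner, and contract reference is constructed for illustration, and the keyword heuristic for "looks like AI" is an assumption to be tuned against an agency's own procurement language, not an authoritative definition of AI under M-25-21.

```python
"""Reconcile a self-reported AI use case inventory against procurement and
IT asset records to surface candidate systems the inventory missed.

Added example for this article; not agency or OMB code. All records below
are constructed (hypothetical systems, owners, descriptions), and AI_SIGNALS
is an assumed heuristic, not an authoritative definition of "AI".
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed keyword heuristic: phrases in a procurement or asset description
# that suggest embedded AI functionality. Short tokens are space-padded so
# "llm" does not match inside words like "fulfillment".
AI_SIGNALS = ("machine learning", " ml ", " llm ", "large language model",
              "natural language", "predictive", "computer vision", "chatbot",
              "copilot", " ai ", "anomaly detection")


@dataclass(frozen=True)
class Record:
    source: str        # "inventory", "procurement", or "assets"
    system_id: str     # identifier used to join across sources
    owner: str         # program office or bureau that owns the system
    description: str


def normalize(system_id: str) -> str:
    """Join key that ignores case and punctuation: 'WKLD-PRED' == 'wkld_pred'."""
    return "".join(ch for ch in system_id.lower() if ch.isalnum())


def looks_like_ai(text: str) -> bool:
    """Apply the assumed keyword heuristic to a free-text description."""
    padded = " " + re.sub(r"[^a-z0-9]+", " ", text.lower()) + " "
    return any(sig in padded for sig in AI_SIGNALS)


def reconcile(inventory: Iterable[Record], procurement: Iterable[Record],
              assets: Iterable[Record]) -> dict:
    """Compare the self-reported inventory with the two independent sources.

    Returns:
      missing:        {join_key: [records]} for procurement/asset entries that
                      look like AI but have no matching inventory entry.
      uncorroborated: inventory entries with no procurement or asset record,
                      i.e. reported systems nobody else can vouch for.
    """
    reported = {normalize(r.system_id): r for r in inventory}
    external: dict = {}
    for r in list(procurement) + list(assets):
        external.setdefault(normalize(r.system_id), []).append(r)

    missing = {key: recs for key, recs in external.items()
               if key not in reported
               and any(looks_like_ai(r.description) for r in recs)}
    uncorroborated = [r for key, r in reported.items() if key not in external]
    return {"missing": missing, "uncorroborated": uncorroborated}


def owners_to_interview(result: dict) -> dict:
    """Group missing candidates by owning office: the interview list."""
    by_owner: dict = {}
    for recs in result["missing"].values():
        for r in recs:
            by_owner.setdefault(r.owner, set()).add(r.system_id)
    return {owner: sorted(ids) for owner, ids in by_owner.items()}


# Constructed sample data (hypothetical; not any agency's records).
INVENTORY = [
    Record("inventory", "WKLD-PRED", "Benefits Bureau",
           "Workload prediction model for claims routing"),
    Record("inventory", "DOC-ANALYSIS", "Research Division",
           "Document analysis using large language models"),
    Record("inventory", "GRANT-SCORE", "Grants Office",
           "Rule-based grant scoring spreadsheet"),
]
PROCUREMENT = [
    Record("procurement", "CASE-MGMT", "Field Ops",
           "Case management platform with embedded predictive analytics and chatbot support"),
    Record("procurement", "DOC-ANALYSIS", "Research Division",
           "LLM API subscription for document analysis"),
    Record("procurement", "PAYROLL", "HR", "Payroll processing service"),
]
ASSETS = [
    Record("assets", "wkld_pred", "Benefits Bureau", "Workload prediction service"),
    Record("assets", "FRAUD-ML-PILOT", "Benefits Bureau",
           "Pilot ML model for anomaly detection in claims"),
]

if __name__ == "__main__":
    result = reconcile(INVENTORY, PROCUREMENT, ASSETS)
    for key, recs in result["missing"].items():
        print("NOT IN INVENTORY:", key, "->", [r.source for r in recs])
    for r in result["uncorroborated"]:
        print("REPORTED BUT UNCORROBORATED:", r.system_id, "(", r.owner, ")")
    print("INTERVIEW:", owners_to_interview(result))
```

The point of the design is that the two failure modes the article describes fall out as separate lists: the vendor platform with embedded AI features and the unreported pilot land in `missing` because procurement or asset management knows about them even though the CAIO's office does not, while the inventory entry nobody else can corroborate is flagged for follow-up rather than silently trusted. The heuristic will produce false positives; that is the intent, since a human review of a short candidate list is cheap compared with an IG finding.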

This is not strategy work. It's operational work. It requires someone who understands both the regulatory requirements and the bureaucratic reality of how federal agencies actually function — where the systems hide, why the emails don't get answered, and what it takes to turn a governance aspiration into a governance fact.

The curtain goes up

Compliance theater is comfortable. It produces the artifacts that look like governance. It satisfies the immediate pressure to demonstrate action. It lets everyone move on to the next priority.

It's comfortable until the curtain goes up. Until the IG asks for evidence that the governance board made decisions. Until GAO cross-references the inventory against procurement records and finds the gaps. Until a system that wasn't in the inventory produces an outcome that harms someone, and the agency has to explain why it didn't know the system existed.

The IG is in the audience. The question is whether what's on stage is real.