The M-25-21 Deadline Passed. Here's What Agencies Need to Do Now.

OMB M-25-21 required agencies to have AI governance in place by April 2026. Most don't. Here's the four-step remediation path and why the clock is still ticking.

April 2026. The 365-day clock on OMB Memorandum M-25-21 has run out. Federal agencies were supposed to have full compliance documentation in place for every high-impact AI use case. Chief AI Officers designated. AI Governance Boards operational. Compliance plans posted publicly. Risk assessments, pre-deployment testing, human oversight protocols, monitoring, and appeals mechanisms — all documented, all defensible.

That was the requirement. Here's what actually happened.

What M-25-21 required

M-25-21 — Accelerating Federal Use of AI through Innovation, Governance, and Public Trust — landed on April 3, 2025, and it moved fast. The deadlines were stacked deliberately:

  • 60 days (June 2025): Designate a Chief AI Officer at every CFO Act agency.
  • 90 days (July 2025): Establish an AI Governance Board — cross-functional, including IT, cybersecurity, data, and budget leadership.
  • 180 days (September 30, 2025): Submit a compliance plan to OMB and post it publicly on the agency website. Most agencies were required to publish at [agency].gov/ai — though as of April 2026, many of those pages still don't exist.
  • 365 days (April 2026): Full compliance documentation for all high-impact AI — meaning any AI system used as a principal basis for decisions affecting rights, safety, or legal status.

The deliverables weren't optional or aspirational. Agencies needed an annually updated AI use case inventory, documented risk assessments for high-impact systems, pre-deployment testing evidence, human oversight mechanisms, incident monitoring, appeals processes, and documented waiver approvals for any non-compliant system still in operation.

This was not a maturity model. It was a compliance mandate with dates.

What most agencies actually did

Some agencies made real progress. CAIOs were designated. Governance Boards were stood up — at least on paper. Multiple agencies filed compliance plans by the September 30 deadline, including the VA, EAC, NIGC, CSOSA, and AbilityOne.

But filing a plan and operationalizing governance are two different things. The VA described its own governance posture as "nascent but growing" — an honest assessment that applies to far more agencies than have admitted it publicly. GAO had already found that 15 of 20 reviewed agencies had inaccurate or incomplete AI use case inventories, issuing 35 recommendations to 19 agencies. Those inventories were supposed to be the foundation. Many agencies built compliance plans on a foundation they hadn't finished laying.

The September 2025 plans, by and large, were aspirational documents. They described what agencies intended to build, not what they had built. Governance structures were named but not staffed. Risk assessment processes were outlined but not executed. Monitoring was referenced but not implemented. The plans exist. The operational governance behind them, in most cases, does not.

The compounding problem

M-25-21 was not the only mandate running. M-25-22 — Driving Efficient Acquisition of Artificial Intelligence in Government — required agencies to update their internal AI acquisition policies by December 29, 2025. That meant revised contract terms for every AI solicitation: performance validation, interoperability provisions, vendor lock-in protections, government data ownership, and a prohibition on training commercial AI on non-public government data.

Many agencies were still developing those policies when the deadline passed. Which means they are now purchasing AI systems under contracts that may lack required terms — a retroactive compliance gap that compounds daily with every new procurement.

It gets worse. GSAR 552.239-7001 is building acquisition requirements that assume M-25-21 compliance as a foundation. If the foundation doesn't exist — if an agency can't identify which of its AI systems are high-impact, because its inventory is incomplete — then the acquisition controls built on top of that foundation are operating in a vacuum.

And in March 2026, GAO published findings that OMB's AI guidance fails to fully address 8 of 10 AI privacy challenges. GAO recommended that OMB issue additional guidance on auditing AI models and performance metrics. The framework agencies are trying to comply with is itself incomplete. Agencies need to operationalize compliance against guidance that the government's own auditor has flagged as insufficient.

This is what cascading compliance failure looks like. Miss the inventory, and the risk assessments have no scope. Miss the risk assessments, and the compliance plan has no substance. Miss the compliance plan, and the acquisition policies have no anchor. Each gap feeds the next.

The four-step remediation path

The deadline passed. The mandate didn't. Agencies that are behind can still close the gap — but not with another aspirational plan. They need a structured remediation sprint.

Step 1: Inventory

Catalog every AI system in operation. Every one. Not just the ones the IT office knows about — the ones procurement bought, the ones a program office piloted, the ones embedded in vendor platforms that nobody classified as AI. For each system, determine whether it qualifies as high-impact under M-25-21: is it used as a principal basis for decisions affecting individual rights, safety, or legal status? The inventory is the scope. Without it, everything that follows is guesswork.

Step 2: Gap assessment

Map every inventoried system against the full set of M-25-21 requirements. For high-impact systems: Does a risk assessment exist? Has pre-deployment testing been documented? Is there a human oversight mechanism? Is monitoring in place? Is there an appeals process? For each requirement, the answer is either "documented and defensible" or it isn't. This assessment produces the remediation backlog — the specific list of artifacts, processes, and controls that need to be built.

Step 3: Sprint to compliance

Thirty days. Focused effort. Produce the documentation and governance artifacts that close the gaps identified in Step 2. This is not about creating perfect governance — it's about creating defensible governance. Risk assessments that reflect actual system behavior. Testing documentation that covers the right failure modes. Oversight protocols that name real people with real authority. Monitoring plans with defined thresholds and escalation paths. The goal is to move from "we have a plan" to "we have evidence."

Step 4: Sustained governance

This is where most agencies will struggle, because it requires a shift from project mode to operating mode. Compliance is not a deliverable — it's a posture. That means NIST AI RMF implementation as an ongoing operating framework, not a one-time mapping exercise. Continuous monitoring with defined triggers. Incident response protocols that have been tested. Regular inventory updates as new systems are deployed and existing systems are modified. Governance that survives the departure of whoever built it.

One-time compliance efforts decay. Sustained governance compounds.

The clock is still ticking

Congress requested in February 2026 that GAO conduct a comprehensive review of federal and state AI regulations to identify gaps and inform legislation. The IGs are watching. The auditors are coming. And when they arrive, they won't be asking whether an agency had a compliance plan on September 30, 2025. They'll be asking whether that plan became operational — whether the governance described on paper exists in practice.

The deadline passed. The mandate didn't. Agencies that act now can turn a compliance gap into a governance advantage — the ones that wait will explain to their IG why they didn't.