AI, Privacy, and the Federal State: Lessons from GAO’s March 2026 Report on Gaps in Government-Wide Guidance

Artificial intelligence is now firmly embedded in the federal policy conversation not only as a tool of administrative modernization, but also as a source of heightened privacy risk. In its March 2026 report, Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance, the U.S. Government Accountability Office, led by Marisol Cruz Cain, argues that the federal government has not yet translated general commitments to trustworthy AI into sufficiently detailed privacy guardrails. The report is notable because it does not question AI’s promise; rather, it asks whether the federal government’s privacy architecture is keeping pace with the scale, speed, and inferential power of AI systems.

GAO’s analysis rests in part on a three-day panel of twelve experts drawn from government, industry, nonprofit, and academic settings. From that process, GAO distilled a non-exhaustive but highly useful map of AI-related privacy risk. The report highlights ten core risks, including data persistence, data re-identification, improper disclosure, increased accessibility of sensitive information, secondary use of data, and the lack of transparency in both data use and algorithmic decision-making. Particularly important is the report’s emphasis on AI’s ability to aggregate multiple datasets and infer deeply personal facts that were never explicitly collected, thereby transforming ordinary administrative data into a much more intrusive surveillance substrate.

The report also identifies thirteen practical challenges that complicate privacy protection in AI deployment. These include gaps in AI and privacy-related laws, the absence of clear best practices, limited public AI literacy, weak transparency around how sensitive data are used, inadequate technology for privacy-preserving implementation, and a shortage of federal personnel with the expertise to manage AI responsibly. GAO also underscores a central tension in contemporary AI governance: the tradeoff between performance and privacy. In many high-value contexts, such as health or finance, reducing access to sensitive data may also reduce model utility, which makes privacy governance as much an institutional design problem as a technical one.

The report’s most important conclusion is that OMB’s current government-wide AI guidance does not fully address these privacy-related risks and challenges. GAO found that OMB guidance fully addressed only two of ten selected expert-identified challenges: workforce skills and scalability of privacy-protective AI implementation. The remaining challenges were only partially addressed or not addressed at all, and OMB’s guidance did not clearly specify the types of known privacy risks agencies should consider when developing AI privacy policies. GAO therefore recommends two actions: first, that OMB update its guidance to more fully address the identified risks and challenges; and second, that OMB facilitate stronger interagency information-sharing, potentially through existing bodies such as the Chief AI Officer Council or the Federal Privacy Council. OMB did not provide comments on the draft report.

For federal contractors, agency counsel, privacy officers, and compliance leaders, the significance of this report lies in its larger message. AI governance can no longer be treated as a narrow procurement or innovation issue. It now sits squarely within the broader legal and operational framework of privacy, public trust, and institutional accountability. GAO’s report suggests that agencies and their partners should expect future scrutiny not merely about whether AI is used, but whether it is used within a sufficiently specific and auditable privacy framework.

Disclaimer: This blog post is for informational purposes only and does not constitute legal advice. It summarizes a GAO report and should not be relied upon as a substitute for reviewing the full report, applicable statutes, regulations, agency guidance, or advice from qualified counsel.