All writing
GovernanceFederal

AI Governance for State Agencies: What's Different

Federal mandates get the headlines. But state agencies are adopting AI with fewer guardrails, less guidance, and the same risks. The governance gap at the state level is real and largely unaddressed.

Consider a state regulatory agency using AI to flag permit applications for review. The system works — in the sense that it produces outputs and humans act on them. But ask the three questions — who owns this system, where's the documentation trail, what happens when it's wrong — and the answers are familiar. A team name, not a person. A README from six months ago. And a pause that tells you nobody has thought about the failure mode.

I'd seen this exact pattern dozens of times in enterprise AI programs. But there was a difference. This agency didn't just use AI to process paperwork. It used AI to inform regulatory decisions — the kind that determine whether a company gets a permit, whether a facility gets inspected, whether an enforcement action gets triggered. The governance gap wasn't just an operational risk. It was a public accountability risk.

That's when I started paying attention to how different the state agency context is from everything else I'd worked in — federal examination, enterprise AI, private sector governance. The risks are similar. The constraints are different. And almost nobody is talking about it.

The federal framework doesn't just transfer down

Federal agencies have M-25-21. They have the NIST AI RMF. They have the AI Bill of Rights. They have OMB guidance on AI use case inventories, risk tiers, and minimum governance requirements. Whether individual agencies have actually operationalized any of this is a separate question — many haven't — but at least the expectations exist.

State agencies have less. Some states have executive orders. A few have enacted AI legislation. Most have general IT governance frameworks and procurement policies that were written before generative AI existed and haven't been updated to account for the specific risks that AI introduces.

The result is that a state agency deploying AI into a public-facing function — say, an environmental permitting system that uses AI to flag applications for review — is often operating without a defined governance framework for that specific technology. There's no state-level equivalent of OMB telling agencies "you must inventory your AI use cases, risk-tier them, and implement controls by this date."

That doesn't mean the risks are lower. It means the risks are less visible.

State agencies are regulators, not just service providers

This is the part that most AI governance advice misses. When people talk about AI governance in government, they usually mean "the government using AI to deliver services." That's real and important. But state regulatory agencies have a second layer that makes the governance question harder.

A state environmental agency isn't just using AI to process paperwork. It's using AI to make or inform regulatory decisions — decisions that affect whether a company gets a permit, whether a facility gets inspected, whether an enforcement action gets triggered. The AI is embedded in the agency's oversight function, which means the governance question isn't just "is this system accurate?" It's "can this agency defend its regulatory decisions when the system it used to inform those decisions is a black box?"

I spent four years at the FDIC asking banks a version of that question. Can you explain this decision? Can you trace it? Can you evidence the process that led to it? When the decision is a loan approval, the stakes are high. When the decision is an environmental enforcement action or a permit denial, the stakes are different but the accountability requirement is the same.

A state regulatory agency that can't explain how its AI contributed to a regulatory decision is in the same position as a bank that can't explain how its model contributed to a lending decision. The technology is different. The exposure is the same.

Public records and transparency change the equation

State agencies operate under public records laws that most private companies don't face. When an AI system contributes to a decision that affects a citizen or a business, the record of that decision — including how the AI was involved — is potentially subject to public records requests, litigation discovery, and legislative oversight.

This creates a governance requirement that doesn't exist in private enterprise: the AI system's involvement in decisions has to be documentable and explainable not just for internal review, but for external scrutiny by citizens, attorneys, journalists, and legislators who may not understand the technology and will judge the agency by whether it can explain itself clearly.

Most AI governance frameworks are designed for internal accountability. State agencies need governance that can also survive external transparency requirements. That's a harder standard.

What state agency AI governance actually needs

I'm not going to pretend there's a universal framework for this. Every state is different, every agency's risk profile is different, and the right governance structure depends on what AI is actually being used for and what decisions it's informing. But having examined regulated institutions and observed AI governance take shape inside a Fortune 50, I can tell you what the minimum viable governance looks like:

Start with an inventory of what you're running. Every AI system, every vendor model, every automated decision tool. If you don't have a complete list, you're governing what you know about and ignoring what you don't.

Risk-tier each system by its function, not by the technology. An AI system that helps schedule building maintenance is not the same as an AI system that informs enforcement decisions. The governance should match the regulatory stakes, not the model's complexity.

Name an accountable person — not a committee, not a department — for each high-risk system. That person should be able to explain what the system does, what controls are in place, and what happens when something goes wrong.

Build documentation that can survive a public records request. Every decision the AI informs should be traceable, with the AI's role, the human review that occurred, and the basis for the final decision all on the record. In a regulatory context, that's not optional. It's the cost of using the technology.

And run monitoring that produces evidence, not dashboards. Someone reviews performance on a defined schedule. The review is documented. The findings are acted on. A dashboard that nobody opens on a cadence is not monitoring. It's furniture.

The gap is closable

State agencies aren't starting from zero. They have audit functions, compliance teams, procurement oversight, and IT governance. The discipline exists. What's missing is the application of that discipline to AI specifically — the recognition that an AI system deployed in a regulatory function carries risks that general IT governance wasn't designed to address.

The federal government is learning this the hard way, with M-25-21 compliance deadlines that most agencies failed to operationalize. State agencies have the opportunity to learn from that experience rather than repeat it — to build governance that's practical and proportional before the mandate arrives, rather than scrambling to demonstrate compliance after the deadline has passed.

The agencies that do this well won't be the ones with the most advanced AI. They'll be the ones that can explain what their AI does, who's responsible for it, and what happens when it's wrong. That's what examination readiness looks like, regardless of whether the examiner is federal, state, or a reporter with a public records request.