Changeflow GovPing Government & Legislation GAO Report: OMB Needs to Address AI Privacy Gaps
Priority review Guidance Amended Final

GAO Report: OMB Needs to Address AI Privacy Gaps

Favicon for www.gao.gov GAO Reports
Published March 26th, 2026
Detected March 26th, 2026
Email

Summary

A GAO report released on March 26, 2026, found that the Office of Management and Budget's (OMB) government-wide AI guidance does not fully address privacy risks and challenges associated with AI adoption by federal agencies. The report recommends that OMB provide agencies with more direction on these issues.

View original document View source feed page

What changed

The Government Accountability Office (GAO) has released a report (GAO-26-107681) identifying significant privacy gaps in the Office of Management and Budget's (OMB) guidance for federal agencies using Artificial Intelligence (AI). The report highlights that while AI offers benefits, it poses risks such as revealing sensitive personal information and that agencies often lack the tools to mitigate these risks. GAO's review found that OMB's current AI guidance does not adequately address many of the identified privacy-related risks and challenges, specifically failing to detail the types of risks agencies should consider and not fully covering eight out of ten expert-identified challenges.

This report implies a need for enhanced direction from OMB to ensure federal agencies properly protect sensitive data when implementing AI. The GAO recommends that OMB provide more specific guidance and potentially leverage existing councils like the Chief AI Officer Council or Federal Privacy Council for interagency knowledge sharing. Without this additional direction, federal agencies face increased risks of disclosing sensitive data and compromising privacy, necessitating a review of current AI implementation strategies and potential updates to internal policies and procedures.

What to do next

  1. Review OMB's AI guidance for identified privacy gaps.
  2. Assess agency AI use cases for potential privacy risks and challenges.
  3. Develop or update internal policies to address AI-related privacy concerns.

Source document (simplified)

GAO-26-107681 Published: Mar 26, 2026. Publicly Released: Mar 26, 2026.

Fast Facts

Federal agencies are increasingly adopting AI as its capabilities improve. However, AI technology poses privacy-related risks and challenges.

For example, using AI may reveal personal and private information in raw data sets. At the same time, agencies don't always have the tools and resources to ensure privacy protection while using AI.

The Office of Management and Budget's government-wide AI guidance doesn't fully address all the major privacy-related risks and challenges. We recommended that OMB give agencies more direction in addressing these risks and challenges.

Highlights

What GAO Found

GAO convened a panel of experts who identified privacy risks and challenges associated with the use of artificial intelligence (AI), which align with GAO’s prior reporting on AI use. For example, the experts noted that using AI may reveal sensitive information in raw data sets, potentially exposing personal and private information, among other privacy risks. At the same time, the experts identified several challenges that federal agencies face in addressing these risks. These include the lack of technology to implement AI with appropriate privacy protections and the potential performance tradeoff when adjusting or removing certain data for the sake of privacy.

The Office of Management and Budget (OMB)’s government-wide AI guidance does not fully address all the identified privacy-related risks and challenges. Specifically, OMB’s guidance does not specify the types of known privacy-related risks that agencies should consider when establishing policies to address privacy in AI. OMB’s guidance provides direction on addressing two challenges identified by the panelists: the need for enhanced skills among the federal workforce to effectively implement AI and the ability to accelerate and scale the implementation of AI systems with privacy protections. However, the guidance does not fully address the remaining eight challenges.

Extent to Which the Office of Management and Budget’s Government-wide Guidance Addressed 10 Selected Expert-identified Privacy-related Challenges When Using Artificial Intelligence (AI), as of January 2026

Given the risks and challenges, additional guidance from OMB could help ensure agencies take appropriate steps to protect the privacy of sensitive data when using AI. OMB could also use existing mechanisms, such as the Chief AI Officer Council or Federal Privacy Council, as forums for interagency information-sharing about strategies or best practices for addressing AI-related privacy challenges. Without this additional direction, risks are increased that agencies’ use of AI would disclose sensitive data, or compromise privacy in other ways.

Why GAO Did This Study

AI is rapidly evolving and has significant potential to transform society and people’s lives. Further, surges in AI capabilities have led to a wide range of innovations with substantial promise for improving the operations of government agencies. However, AI can also pose significant risks to individuals, groups, and organizations. As a result, when agencies use AI to carry out their missions, they need to consider privacy-related risks and challenges. They also need to ensure that they have implemented appropriate risk management and privacy controls to protect the private information of the American public.

In this report, GAO (1) describes the risks and challenges associated with protecting privacy when using AI and (2) examines the extent to which OMB addressed these risks and challenges in government-wide guidance.

To do so, GAO assembled a panel of experts and compiled a non-exhaustive list of privacy risks and challenges associated with AI. GAO also reviewed OMB’s AI-related guidance to determine if it highlighted the specific types of privacy risks identified by the experts. Further, GAO compared OMB’s AI-related government-wide guidance to 10 selected challenges to determine if they could be addressed by the contents of the guidance.

Recommendations

GAO is making two recommendations to OMB to fully address the identified risks and challenges via updated guidance or by facilitating additional information sharing. GAO provided OMB with a copy of the draft report for its review and comment. OMB did not provide comments.

Recommendations for Executive Action

| Agency Affected | Recommendation | Status |
| --- | --- | --- |
| Office of Management and Budget | The Director of OMB should specify examples of known privacy-related risks that agencies should consider when updating their policies as they pertain to AI. (Recommendation 1) | Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Office of Management and Budget | The Director of OMB should facilitate additional information sharing or issue government-wide guidance related to:

  • how agencies should consider privacy when evaluating and auditing AI models that contain sensitive information;
  • storing data in a manner where sensitive data can be separated from the dataset;
  • clear rules, norms, and best practices with respect to privacy that agencies should use when developing AI solutions internally;
  • performance metrics agencies can use to assess privacy-related impacts when using AI;
  • actions agencies can take to ensure that members of the public who interact with their AI technologies understand what they are consenting to;
  • technological tools agencies can use to protect sensitive data when using AI;
  • incorporating AI-specific considerations into privacy impact assessments, including identifying risks and informing the public about how PII is involved in the use of AI; and
  • potential tradeoffs between privacy and performance agencies can consider when using AI. (Recommendation 2) | Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |

Full Report

View Full Report Online

Highlights Page (1 page)

Full Report (52 pages)

GAO Contacts

Marisol Cruz Cain Director Information Technology and Cybersecurity cruzcainm@gao.gov

Media Inquiries

Sarah Kaczmarek Managing Director Office of Public Affairs media@gao.gov

Public Inquiries

Contact Us

Topics

Information Security Privacy Artificial intelligence Personally identifiable information Privacy protection Sensitive data Federal agencies Compliance oversight IT infrastructure Federal workforce Civil liberties

Multimedia

Blog Post

The Federal Government Has Increased Its AI Use. But Is Enough Being Done to Secure Privacy?

Thursday, March 26, 2026

The federal government is turning to artificial intelligence (AI) as a tool for creating...

Related changes

Favicon for www.gao.gov GAO Report: Offshore Wind Projects Use U.S. and Foreign Vessels
Routine Mar 26, 2026 GAO Reports Government & Legislation
Favicon for www.gao.gov GAO Report on Federal Real Property Funding Challenges
Priority review Mar 26, 2026 GAO Reports Government & Legislation
Favicon for www.gao.gov GAO: Education Needs to Strengthen Student Loan and College Accountability
Priority review Mar 26, 2026 GAO Reports Government & Legislation
Favicon for www.federalregister.gov EPA Modifies Privacy Act System of Records
Priority review Mar 26, 2026 FR: Environmental Protection Agency Environment
Favicon for iapp.org DataGrail AI Agent Automates Privacy Compliance
Priority review Mar 26, 2026 IAPP Privacy News Data Privacy & Cybersecurity
Favicon for iapp.org Brazil Court Limits Identifiable Data Sharing Without Consent
Priority review Mar 26, 2026 IAPP Privacy News Data Privacy & Cybersecurity

Source

Favicon for www.gao.gov
GAO Reports gao.gov/rss/reports.xml
Government & Legislation
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
GAO
Published
March 26th, 2026
Instrument
Guidance
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
GAO-26-107681

Who this affects

Applies to
Government agencies
Industry sector
9211 Government & Public Administration
Activity scope
AI Implementation Data Privacy Protection
Geographic scope
United States US

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
NIST CSF NIST 800-53
Topics
Artificial Intelligence Government Operations

Browse Categories

Agriculture & Food Safety 62 AI Regulation 3 Banking & Finance 241 Consumer Protection 41 Courts & Legal 324 Data Privacy & Cybersecurity 65 Defense & National Security 49 Education 20 Energy 105 Environment 84 Government & Legislation 265 Healthcare 134 Housing 16 Immigration 9 Insurance 56 Labor & Employment 114 Legal & Courts 1 Pharma & Drug Safety 101 Securities & Markets 81 Tax 64 Tax & Revenue 1 Telecom & Technology 48 Trade & Sanctions 124 Transportation 56

Get Government & Legislation alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when GAO Reports publishes new changes.

Free. Unsubscribe anytime.