What M-25-21 is
OMB Memorandum M-25-21, "Accelerating Federal Use of AI through Innovation, Governance, and Public Trust," was issued by the Office of Management and Budget on April 3, 2025. It is the governing framework for how Executive Branch agencies adopt, govern, and manage risk for artificial intelligence in their programs and operations.
M-25-21 rescinds and replaces the prior OMB memorandum, M-24-10, "Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence." The memorandum is directed to the heads of all Executive Branch departments and agencies, including independent regulatory agencies, and it does not cover AI used as a component of a National Security System. The detailed obligations sit in its Appendix, on a schedule of deadlines measured in days from issuance.
The AI use-case inventory requirement
The most visible obligation in M-25-21 is the AI use-case inventory. Each agency must catalog its AI use cases and publicly release an AI use-case inventory consistent with OMB instructions, and keep it current. The memorandum ties this to continued accountability to the public — agencies must update their annual AI use-case inventory, maintain compliance plans, and report as requested by OMB.
The inventory is not a one-time exercise. Agencies report it annually, and the memorandum's schedule requires updates after significant modifications to a use case. For high-impact uses, agencies must be prepared to report the underlying risk-management practices to OMB as part of periodic accountability reviews, through the annual inventory, or on request. The public release of the inventory excludes elements of the Intelligence Community, and the Department of Defense is exempt from the requirement to inventory in the same public form — but for the bulk of civilian government, the inventory is the front door through which an AI tool becomes visible to oversight.
High-impact AI and the minimum practices
M-25-21 consolidates risk into a single category that matters most: high-impact AI. The memorandum defines high-impact AI as AI with an output that serves as a principal basis for decisions or actions with a legal, material, binding, or significant effect on an individual or entity's civil rights, civil liberties, or privacy; on their access to education, housing, insurance, credit, employment, and other programs; or on their access to critical government resources or services. The test is whether the AI's output "serves as a principal basis" for a consequential action — not merely whether AI sits somewhere in the pipeline.
The memorandum also lists categories of use that are presumed to be high-impact — for example, safety-critical functions of critical infrastructure — while making clear that the presumption list is not exhaustive and that the definition controls the final determination.
When a use case is high-impact, the agency must implement the minimum risk-management practices set out in Section 4(b). Those baseline practices include:
- Pre-deployment testing — develop testing and risk-mitigation plans that reflect expected real-world outcomes before the system goes live, using alternative test methods where the agency lacks access to the underlying model or data.
- An AI impact assessment — completed before deployment and updated throughout the system's lifecycle.
- Ongoing monitoring and periodic human review — testing and review to catch adverse impacts to performance, security, privacy, and civil rights.
- Human oversight, intervention, and accountability — suitable for the consequence of the decision the AI informs.
If a high-impact system is not performing at an appropriate level, the agency must have a plan to discontinue its use until it is brought into compliance, and where proper risk mitigation is not possible, the agency must cease using the AI.
Who owns it: the CAIO and governance
M-25-21 puts accountability on a named official. Within 60 days of the memorandum's issuance, the head of each agency must retain or designate a Chief AI Officer (CAIO). The CAIO promotes AI innovation, adoption, and governance across the agency, in coordination with appropriate officials, and the role may be assigned to an existing official such as a Chief Information Officer, Chief Data Officer, or Chief Technology Officer.
The CAIO's governance duties are concrete. The CAIO establishes the process for determining and documenting which use cases are high-impact, oversees compliance with the memorandum's risk-management requirements, ensures an independent review of high-impact use cases before risk is accepted, and centrally tracks high-impact use cases and their determinations. The CAIO may also waive a specific minimum practice for a particular high-impact application, but only on a written, system-specific determination. Above the agency level, OMB convenes and chairs an interagency Chief AI Officer Council to coordinate implementation.
What this means for vendors
If you sell an AI capability into a civilian agency, M-25-21 is the framework your tool is now measured against. A buyer cannot simply field your system — it has to decide whether the use case is high-impact, document that determination, and, if it is, apply the minimum practices before deployment and on an ongoing basis. The use case also has to be entered into the agency's inventory and, for high-impact uses, be ready for OMB accountability review.
That changes what a competitive offering looks like. The vendor who can hand the CAIO a clean mapping — what the tool does, whether its output serves as a principal basis for a consequential decision, what pre-deployment testing and impact-assessment evidence exists, and how human oversight is built in — removes friction the buyer would otherwise have to manufacture. A tool that arrives without that mapping is not non-compliant on its own, but it pushes the entire burden of the determination onto the agency, and that is where adoption stalls.
How dbrf builds the inventory
Mapping a tool to M-25-21 is a documentation problem with a compliance spine: classify the use case against the high-impact definition, assemble the pre-deployment testing and impact-assessment evidence, describe the human-oversight controls, and render it all in the form an agency's inventory and accountability review expect. That is the work we built dbrf.ai to do. It maps an AI capability to the M-25-21 framework — the use-case inventory fields, the high-impact determination, and the minimum-practice evidence — and produces the artifact a CAIO can take straight into governance, so the question is whether the tool is a fit for the mission rather than whether the paperwork is in order.