The 2025 AI Action Plan made something clear that information governance professionals have long understood: “high-quality data is a national strategic asset.” That designation elevates the work of data stewardship from a compliance function to a core pillar of national AI strategy. And it reframes the question federal agencies should be asking right now from “what will the regulations require?” to “how well are we managing the asset that makes AI work?”
The policy environment around AI is shifting fast. At the end of 2025, the White House issued an executive order tasking the Commerce Department, the FCC, and others to form a national AI policy framework. The administration is moving towards a unified national framework, rather than the kind of fragmented regulatory landscape that emerged with state data privacy laws.
That framework is still being written, and Congress still has to act. But agencies have work to do in the meantime.
Deregulating Tools Doesn’t Deregulate Data
The current executive order restricts state-level AI mandates, citing faster innovation and broader deployment. Federal leaders should understand what that means, and what it doesn’t.
Reducing friction on AI tools does not reduce accountability for the data those tools consume. HIPAA, the Fair Credit Reporting Act, and federal protections for personally identifiable information remain fully enforceable. If an AI system ingests citizen data and mishandles it, the absence of AI-specific regulation offers no absolution. The liability follows the data.
Experts expect the emerging national framework to reflect that same principle. The framework will likely lay out requirements around data management and security: how data leaving agency systems is protected, and how confidentiality, integrity, and availability are maintained.
Agencies that treat data governance as a priority will be far better positioned when those requirements arrive.
The Governance Priorities That Can’t Wait
Information governance professionals are now central actors in federal AI adoption. Decisions about what data is collected, how it is classified, how long it is retained, and who can access it directly determine whether AI systems are trustworthy, explainable, and legally defensible. The NIST AI Risk Management Framework already gives agencies a proven structure for managing this.
Beyond NIST, four governance priorities warrant immediate attention:
- Data minimization. AI systems are built to consume large volumes of data, but effective governance requires restraint. Agencies should collect and ingest only what a defined mission strictly requires. When a model doesn’t need PII to function, that data should be excluded by design. Minimization reduces attack surfaces, limits the exposure from potential breaches, and improves model performance by increasing data relevance.
- Need-to-keep retention policies. Retention can no longer function as passive archiving. Agencies should establish clear retention periods not just for records, but for AI training data, prompts, outputs, and user interactions. Data that no longer serves a verified legal or operational purpose should be defensibly disposed of. Retaining information on a “just in case” basis increases long-term liability without delivering proportional value.
- Privacy-preserving techniques. Before approving AI tools, agencies should evaluate the privacy architecture behind them. Techniques like anonymization and differential privacy are prerequisites for legitimate secondary data use. The goal is accurate, mission-relevant insight without exposing the individuals represented in the data.
- Human-in-the-loop oversight. Strong data governance extends beyond securing the data to validating how AI-driven outputs are used. High-stakes decisions — such as those affecting citizen services, benefits determinations, or legal standing — require human review. Removing human judgment from consequential decisions creates accountability gaps that no governance framework can paper over.
The Security Imperative
The data that powers federal AI systems is also the data adversaries want most. According to the CrowdStrike 2026 Global Threat Report, the average time for an adversary to move laterally after infiltrating an initial system is now just 27 minutes. Protecting the integrity of data assets requires defenses that match that pace. The emerging policy framework is expected to address AI-powered cyber defenses explicitly.
Build the Foundation Now
AI policy will keep evolving, and the regulatory landscape will keep shifting. But the AI Action Plan’s imperative that high-quality data is a national strategic asset is actionable today. Agencies that build rigorous data governance foundations now create the conditions for AI deployment that is responsible, scalable, and worthy of public trust.
Learn how ZL Tech helps federal agencies build the data governance bedrock responsible AI requires.
