Research newsletters, practitioner articles, and working papers from the Government IT/AI Governance Initiative. All publications are freely available for download.
All Publications — click any card to jump to full entry
ThinkCapital publications span three formats. The Government AI in Practice newsletter delivers research analysis and field observations to practitioners on a regular schedule. Short-form research articles address specific governance questions with enough depth to be useful without requiring a full working paper. The GIAG Research Series working papers and technical methods documents are the most substantive output — intended for researchers, senior practitioners, and policy audiences who need the underlying argument and evidence, not just the conclusions.
All publications are freely available. Working papers and technical methods documents may be cited with attribution for non-commercial research and professional purposes.
Subscribe to Government AI in Practice
The newsletter is published on Substack. New issues go to subscribers first, with archived issues available here. If the research questions GIAG is working on are relevant to your work, the newsletter is the fastest way to stay current.
We awarded the CRS’s bill-summary test the year’s cleanest verification data point. Why? CRS tested before deployment and disclosed a failure rate publicly. What CRS left unexamined, however, was the detail that made the test rigorous.
“Extending Congressional Research Service example into a checklist leaders can apply to their own testing claims”
For a CIO or CAIO, that distinction is the one that determines whether a testing claim from a vendor or an internal program office is evidence of governance or a description written after the fact. “We tested it” is becoming a standard line in agency AI conversations, and the phrase is carrying more weight than it should. A test that happened is a different claim from a test designed to be capable of failing. The governance value sits almost entirely in the second claim, and most testing summaries default to the first.
Congressional Research ServiceTesting criteriaLeadership checklistExternal verification
PDF · 4 pages
Issue 13
Reasonable care is a measurement problem
Government AI in Practice — July 1, 2026
The State of Colorado deployed its AI Act this week, and it is a bellwether: several states are moving from aspirational AI principles to binding legal standards, and subnational CIOs and CAIOs should read this statute as a preview of what is coming to their own agencies. Most coverage treats the effective date as a paperwork deadline. The statute does something more specific, and the specificity is the part worth their attention.
“A rebuttable presumption is a legal mechanism with a measurement requirement built into it. To claim the NIST RMF safe harbor and have it hold up, an organization needs three things in place before an inquiry starts”
Reasonable care is an outcome standard. The law grants a rebuttable presumption of compliance to organizations that follow the NIST AI RMF, but the presumption remains rebuttable.
Colorado AI ActQuality standardsLegal standardsImpact assessmentsMeasurement
PDF · 5 pages
Issue 12
Pilot Governance Does Not Scale
Government AI in Practice — June 24, 2026
NASCIO has identified the move from AI pilot to AI production as the defining challenge facing state CIOs in 2026. That framing understates the mechanism. The problem is that the governance structures agencies build during piloting are calibrated for pilot conditions, and those structures do not scale. They fail in three specific, predictable ways.
“Pilot programs and production systems are not the same governance problem. This issue is about what breaks when agencies treat them as if they are.”
Each failure mode has the same root cause. Agencies are scaling AI systems without scaling, or even revisiting, the governance mechanism built to oversee them. The mechanism was sized for pilot conditions. Nobody resized it for production. That is not a technology problem. It is a management decision that nobody is making explicitly, which means it is being made by default, in the direction of less oversight, every time a pilot graduates to production without a corresponding governance redesign.
PilotMeasurement indicatorsFailure modesPilot to ProductionAction Items
PDF · 5 pages
Issue 11
The Measurement Gap in the RMF Revision
Government AI in Practice — June 17, 2026
Examines the NIST AI RMF revision entering its public comment period against the measurement gap identified in WP-1: agencies can demonstrate that governance processes occurred without demonstrating that those processes changed anything. Proposes three additions — function-level outcome indicators, a distinction between authorization and constraint, and fidelity benchmarks — that would move the revised RMF from a documentation standard to a governance standard.
“Agencies that have completed every required AI RMF artifact but whose governance function has never delayed a deployment, modified an authorized scope, or changed a production decision score identically to one whose governance function routinely does exactly that.”
Connects the RMF revision to M-25-21's silence on naming the framework, reading it as a posture signal rather than an oversight. Covers the DHS Cumulus contract as a case study in infrastructure preceding governance architecture, and the DCISA security clearance acceleration as a case study in speed reported without validation, accuracy, or appeals data. Closes with five practitioner action items, including an audit of constraint evidence versus approval evidence, and an invitation to contribute to GIAG's NIST AI RMF comment submission.
NIST AI RMFRMF RevisionMeasurement GapM-25-21Outcome IndicatorsFidelity BenchmarksDHS CumulusCritical Infrastructure ProfileAgentic AIStream One
PDF · 4 pages · Available on Substack
Issue 10
When Oversight Requires a Decision: The Determinism Boundary in Practice
Government AI in Practice — June 10, 2026
Examines the structural governance gap created when agencies migrate from deterministic rule-based systems to generative and agentic AI without updating their oversight architecture. Introduces the Determinism Boundary as the threshold at which existing governance programs become insufficient, and presents the Three Governance Clocks framework — Detection, Intervention, and Accountability — as the diagnostic construct for assessing whether oversight is functioning in real time for live agentic deployments.
“A governance decision that most agencies have not made is which conditions require mandatory human intervention, and which conditions make human oversight counterproductive.”
Presents the Stream Two Five Intervention Criteria for mandatory human oversight (irreversibility, consequence transfer, distributional novelty, value conflict, and legal or regulatory accountability) alongside the inverse rule: where none of the five apply, automated governance is the correct model. Covers the Four-Pattern Typology from Stream One research — Structured Adopters, Reactive Compliers, Framework Borrowers, and Unstructured Experimenters — and the CAO authority gap in agentic contexts. Addresses the bifurcated policy environment created by the June 2026 national security AI memorandum and its deployment-level governance implications. Local section examines HHS child welfare predictive analytics funding as a case study in risk transfer without governance architecture. Closes with three practitioner oversight readiness tests and six diagnostic questions for use in governance review meetings.
Determinism BoundaryThree Governance ClocksAgentic AIHuman OversightFive Intervention CriteriaFour-Pattern TypologyCAO Authority GapVendor Lock-InHALT AuthorityScope DriftNIST AI RMFM-25-21National Security AI MemoMulti-Agent GovernanceStream OneStream Two
PDF · 8 pages · Available on Substack
Issue 9
The Contract Is the Governance: M-25-22 Eight Months In
Government AI in Practice — June 3, 2026
Examines the gap between what OMB Memorandum M-25-22 requires from federal AI procurement and what contract surveillance infrastructure is actually delivering eight months after the directive took effect. M-25-22 established four specific obligations: performance-based acquisition language, pre-award testing and evaluation, ongoing monitoring after deployment, and disclosure requirements when contractors use AI beyond original contract scope. The issue documents where each obligation is most likely to have been documented at award but not operationalized in production, and provides a concrete review checklist IT and AI leadership can apply to active contracts today.
“A contract that specifies delivery of an AI tool without specifying how its performance will be measured in production provides no basis for surveillance.”
Covers the parallel state-level pressure under Colorado SB 24-205 (effective June 30, 2026), which establishes a “reasonable care” outcome standard that responsible use policies alone will not satisfy. Examines Honolulu’s citizen-facing permit AI deployment as a local governance case study in unanswered contract questions. Presents three behavioral tests for governance maturity drawn from a structured US–EU framework comparison, and a measurement note on why compliance metrics systematically undercount governance failure. Closes with five practitioner questions designed for use in a contract review meeting. Recent Intelligence section covers the NIST AISIC rebranding, USDA IG cybersecurity audit, federal data strategy warnings, House NDAA AI incident disclosure provisions, and HHS predictive child welfare funding.
M-25-22AI ProcurementContract SurveillanceCOTRPre-Award TestingCPARSColorado SB 24-205Reasonable Care StandardScope DriftGovernance MaturityNIST AI RMFEU AI ActCompliance MetricsWP-3 PreviewStream OneStream Two
PDF · 6 pages · Available on Substack
Issue 8
Governance Without a Fixed Anchor: What Federal Uncertainty, the NASCIO Paradox, and Downstream Risk Mean for Government AI at Every Level
Government AI in Practice — May 27, 2026
Examines three levels of a structural governance failure made visible by NASCIO’s 2025 State CIO Survey: 88% of states have AI responsible use policies in place, while 75% of state CIOs report serious concerns about deploying GenAI in direct citizen services. Both numbers are accurate. Their coexistence is the finding. At the federal level, the withdrawal of a proposed pre-deployment review mechanism leaves subnational governance frameworks calibrated to a reference that is no longer operative — while the unanimously passed SBA AI accountability legislation provides a rare stable legislative anchor. At the state level, the NASCIO data documents three specific gaps that governance documentation is not closing: unfunded CPO authority, one-time rather than maintained AI inventories, and oversight roles with no defined authority to act. At the local level, shadow AI adoption accelerates into the governance-to-architecture gap that documentation-only state frameworks create downstream.
“The documentation layer is present, but the confidence layer does not follow from it.”
Introduces the intervention-point gap as the structural mechanism connecting governance documentation to governance failure across all three tiers. Presents three specific investments required to close it for state CIOs. Recommends NIST AI RMF 1.0 as an operational baseline for local agencies whose governance cannot depend on consistent state or federal signal. Includes a five-question practitioner diagnostic covering framework independence, inventory currency, oversight role authority, citizen-facing AI policy adequacy, and the assistive-to-agentic governance distinction. Previews GIAG Working Paper 3 (Mandate Translation, releasing June 2026), which extends the mandate-to-implementation argument in full.
NASCIO ParadoxFederal Signal UncertaintyDocumentation LayerIntervention-Point GapCPO AuthorityInventory CurrencyReviewer AuthorityShadow AISubnational GovernanceSBA AI AccountabilityScope MonitoringNIST AI RMFWP-3 PreviewStream OneStream Two
PDF · 5 pages · Available on Substack
Issue 7
The Intervention Point Problem: Where Oversight Must Sit in Government Agentic AI
Government AI in Practice — May 20, 2026
Addresses the central governance failure in agentic AI deployments: oversight positioned at the wrong point in the process. Every agency deploying AI has adopted one of two models by default — authorization-plus-audit at the edges, or human review gates at consequential decision nodes inside the process chain. Stream Two empirical findings indicate more than half of agencies are using the first model. Most have governance documents that describe the second. Documents four cases of scope drift across federal and state deployments — CBP’s Automated Targeting System, TSA’s facial recognition program, the Arkansas Medicaid care algorithm, and VA claims processing AI — in each of which authorized scope and actual operating scope diverged without oversight tracking the expansion.
“A reviewer looking at a summary of outputs from a system they cannot observe in operation is not performing oversight. They are performing sign-off.”
Also introduces the GIAG Agentic AI Assessment Tool, a working prototype that operationalizes the five-criterion framework from Working Paper Two. Any agentic AI task entered in plain language returns a structured Governance Assessment Card with criterion scores, rationale, and an intervention level recommendation from Autonomous to Human Only. Presents three structural requirements for oversight that functions as a genuine control: intervention points at decision nodes, operationally defined scope actively monitored, and reviewers equipped for the actual cognitive task. Includes a five-question practitioner diagnostic and three annotated process diagrams. Companion research note provides full citations for all four documented scope drift cases.
Intervention Point ArchitectureScope DriftAgentic AIHuman OversightAuthorization-Only ModelOperational MonitoringAssessment ToolFive CharacteristicsCBP ATSTSA Facial RecognitionMedicaid AlgorithmVA Claims AINIST AI RMFStream TwoWP-2
PDF · 6 pages · Available on Substack
Issue 6
The CAO in Practice: Authority, Designation, and the Governance Gap
Government AI in Practice — May 12, 2026
M-25-21 required federal agencies to designate a Chief AI Officer. Most did. This issue examines the gap between designation and authority: what the directive actually specifies, what it leaves to agency discretion, and what happens when a named compliance role is given no operational decision rights. The FISMA ISSO analogy frames the structural problem. The NASCIO state CIO model illustrates what defined decision rights look like in practice. The GAO-FITARA record documents how long the authority gap persisted after the federal CIO designation was established. A review of public CAO job postings confirms where agencies have drawn the line as an organizational design choice, not a regulatory requirement.
“A CAO who can require documentation but cannot delay a deployment is an ISSO with an AI-specific title. The compliance record cannot tell them apart.”
Presents the Stream One Pattern 2 update: no practitioner interviewed to date has described a case in which the CAO delayed or modified a deployment over program office objection. Includes an authority structure comparison table mapping the CAO against the federal CIO (post-FITARA) across five governance dimensions, and a three-question practitioner diagnostic for government IT leaders assessing their own CAO authority structure. Connects to Stream Two: a CAO without operational decision rights cannot exercise the intervention authority the five-characteristic framework identifies as structurally required for high-stakes agentic deployments.
M-25-21Chief AI OfficerCAO AuthorityISSO AnalogyNASCIODecision RightsFITARADeployment AuthorityIdentical Score ProblemStream OneAgentic AI
PDF · 6 pages · Available on Substack
Issue 5
The Morning After: What M-25-21 Compliance Actually Looked Like
Government AI in Practice — May 6, 2026
The April 3 OMB M-25-21 compliance deadline passed and some 400 agencies filed. This issue asks the question the compliance record cannot answer: whether any of it changed a single AI deployment decision. Examines the structural measurement failure at the center of federal AI governance policy, the FISMA parallel, and what a measurement standard built for governance outcomes rather than activity completion would require.
“Every agency that filed looks identical in the compliance record. Governance programs that changed deployment decisions and programs that changed nothing are indistinguishable in the official record. That indistinguishability is a structural feature of how the framework was designed.”
Introduces the Identical Score Problem and the Agency A/Agency B diagnostic framework. Presents early Stream One findings on four governance patterns observed across agency intake conversations. Delivers a side-by-side EU AI Act vs. NIST AI RMF comparison with direct implications for government and multinational commercial CIOs. Includes a Goal-Question-Metric framework applied to AI governance outcomes, and a practitioner self-assessment diagnostic of three questions.
M-25-21Implementation FidelityMeasurement DesignIdentical Score ProblemFISMA PatternNIST AI RMFEU AI ActChief AI OfficersGovernance OutcomesGQMStream One
PDF · 8 pages · Available on Substack
Issue 4
When AI Starts Acting: The Governance Architecture Problem
Government AI in Practice — April 28, 2026
Addresses the structural shift from advisory AI to agentic AI and what it demands of government oversight programs. When systems act rather than recommend, the governance architecture built for the previous generation becomes a liability. Most agencies have not redesigned it. This issue documents the gap and frames what redesign requires.
“The governance structures agencies built for AI recommendation systems are architecturally mismatched to AI action systems. That mismatch is where oversight fails.”
Introduces the GIAG five-characteristic diagnostic framework for distinguishing nominal oversight from substantive oversight, presents early Stream Two research findings on how agencies are managing agentic deployments in practice, and delivers a side-by-side comparison of EU AI Act and NIST AI RMF obligations with direct implications for US government practitioners. Incorporates WSJ reporting (April 24) on the federal-state regulatory tension as context for the practitioner accountability gap.
Agentic AIGovernance ArchitectureHuman OversightEU AI ActNIST AI RMFFive CharacteristicsOversight OfficersFederal-State RegulationWP-2
PDF · 6 pages · Available on Substack
Issue 3
Human Oversight Quality in Agentic AI: From Checklist to Judgment
Government AI in Practice — April 16, 2026
The centerpiece issue for GIAG Stream Two. Translates the findings of Working Paper WP-2 for government practitioners and CIO audiences, framing the human oversight quality problem as a deployment-level concern that risk registers and compliance frameworks do not currently address.
“Nominal oversight — human review that exists on paper but provides no genuine control — is more dangerous than its absence, because it creates documented accountability that is not backed by actual human judgment.”
Examines the five decision characteristics that require mandatory human intervention in agentic deployments, the reviewer quality problem, and what distinguishing genuine oversight from rubber-stamp compliance means operationally for government IT leaders.
Agentic AIHuman OversightDecision-Level GovernanceOMB M-24-10Reviewer QualityChief AI OfficersWP-2
PDF · Available on Substack
Issue 2
When Policy Moves Faster Than Organizations Can Learn
Government AI in Practice — Late March 2026
Analysis of OMB Memoranda M-25-21 and M-25-22 as the high-impact AI documentation deadline arrives. Addresses the fidelity gap between compliance documentation and operational governance capability — and why the most dangerous position is checkbox compliance, not non-compliance.
“Compliance documentation and operational governance are measuring different things. Almost no one is tracking the distance between them.”
Also covers: what M-25-21 actually requires vs. what the 365-day deadline measures; the state agency dimension; the likely near-term trajectory of federal AI governance; and a research update on active GIAG interview streams.
M-25-21M-25-22Implementation FidelityFederal ComplianceState CIOsChief AI OfficersAgentic AI
PDF · 5 pages
Issue 1
What We Don’t Know About NIST AI RMF in Practice
Government AI in Practice — March 2026
Inaugural issue. Frames three empirical questions the published literature cannot currently answer about NIST AI RMF implementation: how governance varies across agency types, what separates durable governance from audit-cycle compliance, and what meaningful oversight actually looks like when it is working.
“The RMF is the architecture. What works operationally looks more like a field manual.”
Introduces the GIAG research agenda, reports early signals from practitioner conversations, and covers what to watch in state legislative activity and the pilot-to-production gap.
NIST AI RMFFederal AgenciesHuman OversightNASCIOResearch AgendaPilot-to-Production
PDF · 4 pages
Don’t miss an issue
Get new issues delivered to your inbox as soon as they publish.
Research Articles
5 Articles
Short-form analytical pieces on specific government IT and AI governance questions, distributed through professional networks. Each develops a focused argument grounded in the same measurement discipline as the longer GIAG working papers.
Research Article
Global Governance Archetypes: What Global AI Governance Means for US Government Leaders
June 15, 2026
The three-jurisdiction analysis in the companion article identified the EU, China, and US as structurally distinct governance archetypes. This article extends that framework to a fourth: the Gulf Cooperation Council model, led by the UAE, in which AI governance is organized around national economic strategy and state capacity-building rather than risk regulation. It also introduces ISO/IEC 42001 as the voluntary cross-jurisdictional baseline that vendors across all four jurisdictions can claim and US agencies can specify as a procurement floor.
“Gulf sovereign wealth funds and government-affiliated investment vehicles are active participants in global AI company equity. Standard vendor compliance documentation will not surface Gulf investment exposure. The appropriate response is structured due diligence, not categorical exclusion.”
Examines all four archetypes across six governance dimensions in an extended comparison table, maps the two-to-five year regulatory trajectory for each model, and identifies three operational implications for CIOs and CAIOs. Provides five diagnostic questions for evaluating international vendor compliance documentation — covering jurisdictional governance regime, ISO 42001 certification status, EU conformity assessment independence, Gulf investment exposure, and verification model. No additional policy authority required to act on any of the five.
Gulf Cooperation CouncilUAE AI StrategyISO/IEC 42001EU AI ActChina CACFour ArchetypesProcurement GovernanceVerification AsymmetryGulf Investment Due DiligenceSix Governance DimensionsTwo-to-Five Year TrajectorySovereign Wealth FundsCIOCAIOGIAG Series Article 3
PDF · 10 pages
Research Article
Three Jurisdictions, Three Models: What Global AI Governance Means for US Government Leaders
June 12, 2026
US agencies evaluating AI vendor compliance claims without understanding which external governance requirements apply to that vendor are evaluating an incomplete picture. A vendor subject to EU AI Act high-risk obligations has undergone independent conformity assessment against binding technical standards. A vendor operating under China’s CAC generative AI registration regime has completed government-reviewed security assessments and is subject to active administrative enforcement. A vendor operating exclusively under voluntary US frameworks has self-attested. These are not equivalent compliance postures, and no current US instrument requires agencies to distinguish between them.
“The verification asymmetry across the three models creates a procurement evaluation gap that the proposed Great American Artificial Intelligence Act will not resolve alone, even if the bill passes in its current form.”
Examines the EU AI Act, China’s CAC enforcement regime, and the current US federal posture across six governance dimensions. Presents a structured three-jurisdiction comparison table covering legal authority, risk classification, pre-deployment requirements, enforcement body, maximum financial penalty, and verification model. Includes a procurement scenario mapping three vendor compliance postures against the evaluation gap, and five diagnostic questions CIOs and CAIOs can apply immediately without waiting for new policy authority.
EU AI ActChina CACGAAIAISO/IEC 42001Procurement GovernanceVerification AsymmetryVendor ComplianceJurisdictional AnalysisCAISISix Governance DimensionsCIOCAIOFederal ProcurementState AgenciesGIAG Series Article 2
PDF · 11 pages
Research Article
The Federal AI Governance Stack: What the GAAIA, the AI Action Plan, and CISA’s Forthcoming Directive Mean Together
June 11, 2026
Federal agencies now face simultaneous compliance demands from three instruments operating on independent timelines: America’s AI Action Plan (July 2025), the draft Great American Artificial Intelligence Act (introduced June 2026), and a forthcoming CISA binding operational directive on AI and cybersecurity. Each instrument is consequential individually. Together they create a governance requirement set whose interactions are not addressed by any of the three documents, and whose combined effect on agency planning is materially different from what any single instrument would produce alone.
“CISA’s forthcoming BOD operates through existing regulatory authority and does not require Congressional action. It will create binding obligations for federal civilian agencies on its own timeline, regardless of the GAAIA’s legislative trajectory.”
The article identifies six specific open questions that remain unresolved across the three instruments, assesses the organizational risk each question creates for CIOs, CAIOs, CISOs, CDOs, CTOs, and program managers, and provides a sequenced 120-day action framework calibrated to enforcement certainty: CISA BOD and IG oversight obligations are certain now; GAAIA enforcement is contingent. Grounded in GIAG Stream One research on NIST AI RMF implementation fidelity and Stream Two research on human oversight quality in agentic AI deployments.
GAAIAAI Action PlanCISA BODNIST AI RMFCAISICAIO AuthorityAgentic AIFederal GovernanceState Preemption120-Day FrameworkStream OneStream Two
PDF · 11 pages
Research Article
Your AI Governance Framework Won’t Save You. Your Contract Might.
March 23, 2026
The Pentagon–Anthropic–OpenAI sequence of late February and early March 2026 as a live case study in AI governance architecture. The dispute was not resolved by NIST RMF compliance, OMB memoranda, or any risk management documentation. It was resolved by contract language.
“The operational governance that actually constrains AI behavior in deployment does not live in policy frameworks. It lives in contract terms, technical configurations, and vendor relationships.”
Examines the supply chain risk designation as a governance architecture story, and draws the implication for every CIO whose AI contract language has not received the same scrutiny as their risk documentation.
The AI Threshold Problem Government IT Can’t Measure
February 6, 2026
Government IT leaders face competing mandates to modernize with AI while maintaining digital sovereignty. The problem is not lack of metrics — agencies are accumulating AI KPIs — but that measurement frameworks built for earlier technology generations cannot price what sovereignty actually costs.
“At what threshold does AI process automation become mission-critical enough to require sovereign controls? You can’t measure jurisdictional control in the same framework you use to measure server utilization.”
Develops the threshold question that matters for state CIO investment decisions and argues for measurement frameworks built around decision logic rather than activity metrics.
AI ThresholdsDigital SovereigntyMeasurementState CIOsROI FrameworksMission-Critical AI
PDF · 1 page
Working Papers & Technical Methods
GIAG Research Series
The GIAG Research Series documents the theoretical and empirical foundations of the initiative’s research streams. Working papers develop the core arguments. Technical methods papers document the measurement approaches applied. These are the reference documents underlying the newsletter analysis and practitioner articles.
Working Paper • WP-4
Compound Failure in Governance
GIAG Research Series — July 2026 · Stream Two
This is GIAG Working Paper No. 4, part of the Government IT and AI Governance Initiative research series, published by ThinkCapital LLC. Compound Failure refers to the interaction of implementation fidelity, oversight design, and decision visibility in government AI deployment.
“Government AI governance frameworks are typically assessed one stage at a time: authorization, specification, deployment review, operational oversight, and audit. Reliability engineering treats multi- stage systems differently. Failure compounds multiplicatively across stages”
A government artificial intelligence deployment can pass every governance checkpoint built for it and still produce an outcome no one can defend. That is not a hypothetical. It happened in Arkansas, where a care-hours algorithm cut authorized hours for thousands of people with disabilities, and every one of the five governance stages built to catch that kind of error was nominally in place when it happened. Authorization existed, specification was completed, deployment review occurred, operational oversight was running, and audits were happening. The system failed anyway.
Compound failureGovernance frameworksDecision chainsOversightEU AI ActISO/IEC 42001NIST AI RMF
Working Paper • WP-3
Mandate Translation: How Federal AI Governance Requirements Arrive at State and Local Agencies
GIAG Research Series — June 2026 · Stream One: NIST AI RMF Implementation Fidelity
Examines the mandate translation problem across federal, state, and local government tiers. Federal AI governance requirements are designed for the federal civilian agency environment, and state and local governments inherit the reference model without inheriting the statutory authority, dedicated funding, or governance architecture that makes the model operational.
“Federal AI governance mandates do not arrive at state and local agencies as instructions. They arrive as signals. An instruction carries authority, a compliance deadline, an enforcement mechanism, and a resource allocation. A signal carries only an expectation.”
Documents a four-agency federal audit pattern (SBA, USDA, IRS, VA) showing the same documentation-without-architecture gap inside the agencies M-25-21 directly binds, then traces the gap downstream through state responsible-use policies with unfunded CPO roles and undefined reviewer authority, to local-tier shadow AI concentrated where governance capacity is thinnest. Closes with a three-dimension diagnostic framework, authority integrity, operational capacity, and scope currency, and six practitioner questions for assessing the gap between governance documentation and governance architecture at any agency.
Mandate TranslationM-25-21State and Local GovernmentNASCIOCPO AuthorityShadow AIInventory CurrencyDiagnostic Framework
Working Paper • WP-2
When Humans Must Intervene: A Decision-Grounded Framework for Human Oversight in Government and Commercial Agentic AI Deployments
GIAG Research Series — April 2026 · Stream Two: Human Oversight Quality
Establishes a decision-level standard for mandatory human intervention in agentic AI deployments — one that operates independently of system risk classification. Identifies five decision characteristics that consistently require a human in the execution chain before action proceeds: irreversibility, consequence transfer, distributional novelty, value conflict, and legal or regulatory significance. Any one criterion is sufficient to trigger mandatory review.
“Nominal oversight — human review that exists on paper but provides no genuine control — is more dangerous than its absence, because it creates documented accountability that is not backed by actual human judgment.”
Provides a five-phase implementation framework for building durable intervention architecture in government and commercial settings, with direct attention to the reviewer quality problem: the gap between oversight presence and oversight substance. Proposes measurement criteria for distinguishing genuine human control from rubber-stamp compliance. Designed to be operationally deployable at the decision-type level without changes to existing AI system architecture.
Agentic AIHuman OversightDecision-Level GovernanceIrreversibilityConsequence TransferDistributional NoveltyNIST AI RMFOMB M-24-10EU AI ActReviewer QualityImplementation Framework
Working Paper • WP-1
Implementation Fidelity: Why AI RMF Adoption Metrics Are Measuring the Wrong Thing
GIAG Research Series — March 2026
Defines implementation fidelity as the degree to which a governance framework changes actual decision behavior — and distinguishes it from documentation compliance, adoption rates, and reporting scores, which current practice conflates with it.
“Current AI RMF adoption metrics count governance documentation activity. They measure the governance equivalent of lines of code: technically precise, functionally uninformative about what the governance system delivers.”
Draws on the software measurement community’s resolution of the lines-of-code problem to argue that the same conceptual move is required in AI governance. Develops the measurement framework for GIAG Stream One and introduces three concepts that current practice incorrectly treats as proxies for implementation fidelity.
NIST AI RMFImplementation FidelityGovernance MetricsMeasurement FrameworksFunction PointsCapers JonesM-25-21
Technical Methods • D-2
GIAG Tools and Methodologies
GIAG Research Series — May 2026
Documents the assessment tools and methodological infrastructure developed for the GIAG research program, including the Human Oversight Quality Index (HOQI), the AI Governance Assessment (AGA), the Risk Tiering Wizard, and the RMF Fidelity Checker. Covers design rationale, measurement logic, and practitioner use guidance for each tool.
“Practitioner tools are only as useful as the measurement logic behind them. This document makes that logic explicit, so tools can be evaluated, critiqued, and extended rather than used as black boxes.”
Each tool is documented with its theoretical basis, the governance question it addresses, the data it requires, and the interpretation guidance practitioners need to act on its output. Includes worked examples drawn from Stream One and Stream Two research cases.
Functional Sizing as a Foundation for AI Governance Measurement
GIAG Research Series — March 2026 · Applying Function Point Analysis and COSMIC to AI System Scope and Complexity
Documents the application of Function Point Analysis and the COSMIC functional size measurement method to the problem of AI system scope characterization. Argues that governance frameworks built on adoption metrics fail at the same structural level that pre-FPA software metrics failed.
“Adoption rates, documentation scores, and compliance checklists in AI governance represent the same category of failure as lines-of-code metrics. They describe activity at the implementation layer without reaching the functional layer where governance either works or does not work.”
Applies Albrecht’s FPA methodology — validated by Capers Jones at Software Productivity Research across 250+ enterprise assessments — to AI system scope characterization, then develops COSMIC-based extensions for the internal computational behavior that FPA alone does not address.
Function Point AnalysisCOSMICSoftware MeasurementAI ScopeGovernance MetricsIFPUGSPR
Citation and use. Working papers and technical methods documents are copyright ThinkCapital LLC. They may be cited and shared for non-commercial research and professional purposes with attribution. Suggested format: Bragen, M. (2026). [Title]. ThinkCapital GIAG Research Series. ThinkCapital LLC. thinkcapital.org/publications.html — For other uses, contact via the Engage page.
Commentary Archive
Monthly — Substack & LinkedIn
Monthly compiled archives of short-form posts from the Government AI in Practice Substack and LinkedIn commentary stream. Each archive collects the prior month’s posts in a single PDF — typically 15–30 entries per month. Longer pieces and newsletter issues are cataloged separately above.
Commentary Archive • June 2026
Substack & LinkedIn Posts — June 2026
Government AI in Practice — Compiled June 30, 2026 · 19 posts · Substack and LinkedIn
LinkedIn commentary from the Government AI in Practice newsletter published throughout June 2026, produced under the GIAG research initiative. The month traces federal AI governance from procurement obligations under M-25-22 through the convergent Federal AI Governance Stack (the AI Action Plan, the GAAIA discussion draft, and CISA's forthcoming directive), a comparative look at global governance models, and a run of federal Inspector General findings showing that even directly mandated agencies struggle to translate governance requirements into practice, closing with Colorado's SB 24-205 "reasonable care" standard.
“even directly mandated agencies struggle to translate governance requirements into practice”
AI GovernanceNIST AI RMFGA AIAColorado AI ActInspector General audits
PDF · 19 posts
Commentary Archive • May 2026
Substack & LinkedIn Posts — May 2026
Government AI in Practice — Compiled May 2026 · 19 posts · Substack and LinkedIn
Monthly compilation of short-form commentary from the Government AI in Practice Substack and LinkedIn streams. This archive covers Issues 5 through 8, spanning the M-25-21 post-compliance analysis, the CAO authority gap and FITARA precedent, the intervention point problem in agentic AI oversight, and the NASCIO paradox in state governance. 19 posts across four newsletter weeks, including LinkedIn post series and newsletter article excerpts.
“Agency A has governance outputs. Agency B has governance outcomes. The compliance architecture measures only the former.”
M-25-21CAO AuthorityFITARA PrecedentGQM FrameworkIdentical Score ProblemNASCIOIntervention PointAgentic AIScope DriftCPO AuthorityShadow AINIST AI RMFEU AI ActStream OneStream Two
PDF · 19 posts
Commentary Archive • April 2026
Substack & LinkedIn Posts — April 2026
Government AI in Practice — Compiled April 27, 2026 · 16 posts · Substack and LinkedIn
Monthly compilation of short-form commentary from the Government AI in Practice Substack and LinkedIn streams. This first archive spans mid-March through April 2026, covering M-25-21 deadline dynamics, the compliance-versus-governance distinction, risk register structural failures, scope expansion as incremental accommodation, and the moment AI becomes load-bearing infrastructure.
“Federal agencies can satisfy every NIST AI RMF documentation requirement and still operate a governance program that has never changed a single deployment decision.”
NIST AI RMFM-25-21Risk RegistersAgentic AIScope ExpansionLoad-Bearing InfrastructureImplementation FidelityGovernance Metrics
GIAG is conducting structured interviews with government IT leaders, AI governance practitioners, and policy implementers with direct experience in federal, state, or local government AI deployment or oversight.
Participation is a single 30–45 minute interview. Participants receive early access to preliminary findings and may be acknowledged by name or participate anonymously.
Accounts of difficulty or partial implementation are as valuable as accounts of success. Direct experience within the past 18 months is the primary qualifier.
GIAG Research Program
Download Publication
Used only to deliver this publication and occasional GIAG research
updates. No spam. Unsubscribe at any time.
✓
Link sent
Your download link has been sent to .
The link is valid for 24 hours.
Don't see it in a minute or two? Check your Spam or
Junk folder. If it's there, mark it “Not Spam” and add
research@thinkcapital.org to your contacts so future
publications arrive directly in your inbox.
Substack & LinkedIn Posts — June 2026
Government AI in Practice — Compiled June 30, 2026 · 19 posts · Substack and LinkedIn
LinkedIn commentary from the Government AI in Practice newsletter published throughout June 2026, produced under the GIAG research initiative. The month traces federal AI governance from procurement obligations under M-25-22 through the convergent Federal AI Governance Stack (the AI Action Plan, the GAAIA discussion draft, and CISA's forthcoming directive), a comparative look at global governance models, and a run of federal Inspector General findings showing that even directly mandated agencies struggle to translate governance requirements into practice, closing with Colorado's SB 24-205 "reasonable care" standard.