GIAG Research Output • 2026

Publications

Research newsletters, practitioner articles, and working papers from the Government IT/AI Governance Initiative. All publications are freely available for download.

All Publications — click any card to jump to full entry

Government AI in Practice Newsletters
Issue 14  •  July 8, 2026

Rigorous Testing: Frameworks Over Results

Issue 13  •  July 1, 2026

Reasonable care is a measurement problem

Issue 12  •  June 24, 2026

Pilot Governance Does Not Scale

Issue 11  •  June 17, 2026

The Measurement Gap in the RMF Revision

Issue 10  •  June 10, 2026

When Oversight Requires a Decision: The Determinism Boundary in Practice

Issue 9  •  June 3, 2026

The Contract Is the Governance: M-25-22 Eight Months In

Issue 8  •  May 27, 2026

Governance Without a Fixed Anchor: Federal Uncertainty, the NASCIO Paradox, and Downstream Risk

Issue 7  •  May 20, 2026

The Intervention Point Problem: Where Oversight Must Sit in Government Agentic AI

Issue 6  •  May 12, 2026

The CAO in Practice: Authority, Designation, and the Governance Gap

Issue 5  •  May 6, 2026

The Morning After: What M-25-21 Compliance Actually Looked Like

Issue 4  •  April 28, 2026

When AI Starts Acting: The Governance Architecture Problem

Issue 3  •  April 16, 2026

Human Oversight Quality in Agentic AI

Issue 2  •  Late March 2026

When Policy Moves Faster Than Organizations Can Learn

Issue 1  •  March 2026

What We Don’t Know About NIST AI RMF in Practice

Research Articles
Research Article

Global Governance Archetypes

June 15, 2026

Research Article

Three Jurisdictions, Three Models

June 12, 2026

Research Article

The Federal AI Governance Stack

June 11, 2026

Research Article

Your AI Governance Framework Won’t Save You. Your Contract Might.

March 23, 2026

Research Article

The AI Threshold Problem Government IT Can’t Measure

February 6, 2026

Working Papers
Working Paper • WP-4

How Governance Structures Survive While Individual Decisions Do Not

GIAG Research Series — July 2026

Working Paper • WP-3

Mandate Translation: How Federal AI Governance Requirements Arrive at State and Local Agencies

GIAG Research Series — June 2026

Working Paper • WP-2

When Humans Must Intervene

GIAG Research Series — April 2026

Working Paper • WP-1

Implementation Fidelity: Why AI RMF Adoption Metrics Are Measuring the Wrong Thing

GIAG Research Series — March 2026

Technical Methods
Technical Methods • D-2

GIAG Tools and Methodologies

GIAG Research Series — May 2026

Technical Methods • D-1

Functional Sizing as a Foundation for AI Governance Measurement

GIAG Research Series — March 2026

Commentary
Commentary Archive • June 2026

Substack & LinkedIn Posts — June 2026

Government AI in Practice — June 2026

Commentary Archive • May 2026

Substack & LinkedIn Posts — May 2026

Government AI in Practice — May 2026

Commentary Archive • April 2026

Substack & LinkedIn Posts — April 2026

Government AI in Practice — April 27, 2026

What We Publish and Why

ThinkCapital publications span three formats. The Government AI in Practice newsletter delivers research analysis and field observations to practitioners on a regular schedule. Short-form research articles address specific governance questions with enough depth to be useful without requiring a full working paper. The GIAG Research Series working papers and technical methods documents are the most substantive output — intended for researchers, senior practitioners, and policy audiences who need the underlying argument and evidence, not just the conclusions.

All publications are freely available. Working papers and technical methods documents may be cited with attribution for non-commercial research and professional purposes.

Subscribe to Government AI in Practice

The newsletter is published on Substack. New issues go to subscribers first, with archived issues available here. If the research questions GIAG is working on are relevant to your work, the newsletter is the fastest way to stay current.

Subscribe on Substack →

Research Newsletter

14 Issues

Don’t miss an issue

Get new issues delivered to your inbox as soon as they publish.

Research Articles

5 Articles

Short-form analytical pieces on specific government IT and AI governance questions, distributed through professional networks. Each develops a focused argument grounded in the same measurement discipline as the longer GIAG working papers.

Research Article

Global Governance Archetypes: What Global AI Governance Means for US Government Leaders

June 15, 2026

The three-jurisdiction analysis in the companion article identified the EU, China, and US as structurally distinct governance archetypes. This article extends that framework to a fourth: the Gulf Cooperation Council model, led by the UAE, in which AI governance is organized around national economic strategy and state capacity-building rather than risk regulation. It also introduces ISO/IEC 42001 as the voluntary cross-jurisdictional baseline that vendors across all four jurisdictions can claim and US agencies can specify as a procurement floor.

“Gulf sovereign wealth funds and government-affiliated investment vehicles are active participants in global AI company equity. Standard vendor compliance documentation will not surface Gulf investment exposure. The appropriate response is structured due diligence, not categorical exclusion.”

Examines all four archetypes across six governance dimensions in an extended comparison table, maps the two-to-five year regulatory trajectory for each model, and identifies three operational implications for CIOs and CAIOs. Provides five diagnostic questions for evaluating international vendor compliance documentation — covering jurisdictional governance regime, ISO 42001 certification status, EU conformity assessment independence, Gulf investment exposure, and verification model. No additional policy authority required to act on any of the five.

Gulf Cooperation Council UAE AI Strategy ISO/IEC 42001 EU AI Act China CAC Four Archetypes Procurement Governance Verification Asymmetry Gulf Investment Due Diligence Six Governance Dimensions Two-to-Five Year Trajectory Sovereign Wealth Funds CIO CAIO GIAG Series Article 3
PDF  ·  10 pages
Research Article

Three Jurisdictions, Three Models: What Global AI Governance Means for US Government Leaders

June 12, 2026

US agencies evaluating AI vendor compliance claims without understanding which external governance requirements apply to that vendor are evaluating an incomplete picture. A vendor subject to EU AI Act high-risk obligations has undergone independent conformity assessment against binding technical standards. A vendor operating under China’s CAC generative AI registration regime has completed government-reviewed security assessments and is subject to active administrative enforcement. A vendor operating exclusively under voluntary US frameworks has self-attested. These are not equivalent compliance postures, and no current US instrument requires agencies to distinguish between them.

“The verification asymmetry across the three models creates a procurement evaluation gap that the proposed Great American Artificial Intelligence Act will not resolve alone, even if the bill passes in its current form.”

Examines the EU AI Act, China’s CAC enforcement regime, and the current US federal posture across six governance dimensions. Presents a structured three-jurisdiction comparison table covering legal authority, risk classification, pre-deployment requirements, enforcement body, maximum financial penalty, and verification model. Includes a procurement scenario mapping three vendor compliance postures against the evaluation gap, and five diagnostic questions CIOs and CAIOs can apply immediately without waiting for new policy authority.

EU AI Act China CAC GAAIA ISO/IEC 42001 Procurement Governance Verification Asymmetry Vendor Compliance Jurisdictional Analysis CAISI Six Governance Dimensions CIO CAIO Federal Procurement State Agencies GIAG Series Article 2
PDF  ·  11 pages
Research Article

The Federal AI Governance Stack: What the GAAIA, the AI Action Plan, and CISA’s Forthcoming Directive Mean Together

June 11, 2026

Federal agencies now face simultaneous compliance demands from three instruments operating on independent timelines: America’s AI Action Plan (July 2025), the draft Great American Artificial Intelligence Act (introduced June 2026), and a forthcoming CISA binding operational directive on AI and cybersecurity. Each instrument is consequential individually. Together they create a governance requirement set whose interactions are not addressed by any of the three documents, and whose combined effect on agency planning is materially different from what any single instrument would produce alone.

“CISA’s forthcoming BOD operates through existing regulatory authority and does not require Congressional action. It will create binding obligations for federal civilian agencies on its own timeline, regardless of the GAAIA’s legislative trajectory.”

The article identifies six specific open questions that remain unresolved across the three instruments, assesses the organizational risk each question creates for CIOs, CAIOs, CISOs, CDOs, CTOs, and program managers, and provides a sequenced 120-day action framework calibrated to enforcement certainty: CISA BOD and IG oversight obligations are certain now; GAAIA enforcement is contingent. Grounded in GIAG Stream One research on NIST AI RMF implementation fidelity and Stream Two research on human oversight quality in agentic AI deployments.

GAAIA AI Action Plan CISA BOD NIST AI RMF CAISI CAIO Authority Agentic AI Federal Governance State Preemption 120-Day Framework Stream One Stream Two
PDF  ·  11 pages
Research Article

Your AI Governance Framework Won’t Save You. Your Contract Might.

March 23, 2026

The Pentagon–Anthropic–OpenAI sequence of late February and early March 2026 as a live case study in AI governance architecture. The dispute was not resolved by NIST RMF compliance, OMB memoranda, or any risk management documentation. It was resolved by contract language.

“The operational governance that actually constrains AI behavior in deployment does not live in policy frameworks. It lives in contract terms, technical configurations, and vendor relationships.”

Examines the supply chain risk designation as a governance architecture story, and draws the implication for every CIO whose AI contract language has not received the same scrutiny as their risk documentation.

Procurement M-25-22 Contract Governance Vendor Risk Supply Chain CIO Decision-Making
PDF  ·  2 pages
Research Article

The AI Threshold Problem Government IT Can’t Measure

February 6, 2026

Government IT leaders face competing mandates to modernize with AI while maintaining digital sovereignty. The problem is not lack of metrics — agencies are accumulating AI KPIs — but that measurement frameworks built for earlier technology generations cannot price what sovereignty actually costs.

“At what threshold does AI process automation become mission-critical enough to require sovereign controls? You can’t measure jurisdictional control in the same framework you use to measure server utilization.”

Develops the threshold question that matters for state CIO investment decisions and argues for measurement frameworks built around decision logic rather than activity metrics.

AI Thresholds Digital Sovereignty Measurement State CIOs ROI Frameworks Mission-Critical AI
PDF  ·  1 page

Working Papers & Technical Methods

GIAG Research Series

The GIAG Research Series documents the theoretical and empirical foundations of the initiative’s research streams. Working papers develop the core arguments. Technical methods papers document the measurement approaches applied. These are the reference documents underlying the newsletter analysis and practitioner articles.

Working Paper  •  WP-4

Compound Failure in Governance

GIAG Research Series  —  July 2026  ·  Stream Two

This is GIAG Working Paper No. 4, part of the Government IT and AI Governance Initiative research series, published by ThinkCapital LLC. Compound Failure refers to the interaction of implementation fidelity, oversight design, and decision visibility in government AI deployment.

“Government AI governance frameworks are typically assessed one stage at a time: authorization, specification, deployment review, operational oversight, and audit. Reliability engineering treats multi- stage systems differently. Failure compounds multiplicatively across stages”

A government artificial intelligence deployment can pass every governance checkpoint built for it and still produce an outcome no one can defend. That is not a hypothetical. It happened in Arkansas, where a care-hours algorithm cut authorized hours for thousands of people with disabilities, and every one of the five governance stages built to catch that kind of error was nominally in place when it happened. Authorization existed, specification was completed, deployment review occurred, operational oversight was running, and audits were happening. The system failed anyway.

Compound failure Governance frameworks Decision chains Oversight EU AI Act ISO/IEC 42001 NIST AI RMF
Working Paper  •  WP-3

Mandate Translation: How Federal AI Governance Requirements Arrive at State and Local Agencies

GIAG Research Series  —  June 2026  ·  Stream One: NIST AI RMF Implementation Fidelity

Examines the mandate translation problem across federal, state, and local government tiers. Federal AI governance requirements are designed for the federal civilian agency environment, and state and local governments inherit the reference model without inheriting the statutory authority, dedicated funding, or governance architecture that makes the model operational.

“Federal AI governance mandates do not arrive at state and local agencies as instructions. They arrive as signals. An instruction carries authority, a compliance deadline, an enforcement mechanism, and a resource allocation. A signal carries only an expectation.”

Documents a four-agency federal audit pattern (SBA, USDA, IRS, VA) showing the same documentation-without-architecture gap inside the agencies M-25-21 directly binds, then traces the gap downstream through state responsible-use policies with unfunded CPO roles and undefined reviewer authority, to local-tier shadow AI concentrated where governance capacity is thinnest. Closes with a three-dimension diagnostic framework, authority integrity, operational capacity, and scope currency, and six practitioner questions for assessing the gap between governance documentation and governance architecture at any agency.

Mandate Translation M-25-21 State and Local Government NASCIO CPO Authority Shadow AI Inventory Currency Diagnostic Framework
Working Paper  •  WP-2

When Humans Must Intervene: A Decision-Grounded Framework for Human Oversight in Government and Commercial Agentic AI Deployments

GIAG Research Series  —  April 2026  ·  Stream Two: Human Oversight Quality

Establishes a decision-level standard for mandatory human intervention in agentic AI deployments — one that operates independently of system risk classification. Identifies five decision characteristics that consistently require a human in the execution chain before action proceeds: irreversibility, consequence transfer, distributional novelty, value conflict, and legal or regulatory significance. Any one criterion is sufficient to trigger mandatory review.

“Nominal oversight — human review that exists on paper but provides no genuine control — is more dangerous than its absence, because it creates documented accountability that is not backed by actual human judgment.”

Provides a five-phase implementation framework for building durable intervention architecture in government and commercial settings, with direct attention to the reviewer quality problem: the gap between oversight presence and oversight substance. Proposes measurement criteria for distinguishing genuine human control from rubber-stamp compliance. Designed to be operationally deployable at the decision-type level without changes to existing AI system architecture.

Agentic AI Human Oversight Decision-Level Governance Irreversibility Consequence Transfer Distributional Novelty NIST AI RMF OMB M-24-10 EU AI Act Reviewer Quality Implementation Framework
Working Paper  •  WP-1

Implementation Fidelity: Why AI RMF Adoption Metrics Are Measuring the Wrong Thing

GIAG Research Series  —  March 2026

Defines implementation fidelity as the degree to which a governance framework changes actual decision behavior — and distinguishes it from documentation compliance, adoption rates, and reporting scores, which current practice conflates with it.

“Current AI RMF adoption metrics count governance documentation activity. They measure the governance equivalent of lines of code: technically precise, functionally uninformative about what the governance system delivers.”

Draws on the software measurement community’s resolution of the lines-of-code problem to argue that the same conceptual move is required in AI governance. Develops the measurement framework for GIAG Stream One and introduces three concepts that current practice incorrectly treats as proxies for implementation fidelity.

NIST AI RMF Implementation Fidelity Governance Metrics Measurement Frameworks Function Points Capers Jones M-25-21
Technical Methods  •  D-2

GIAG Tools and Methodologies

GIAG Research Series  —  May 2026

Documents the assessment tools and methodological infrastructure developed for the GIAG research program, including the Human Oversight Quality Index (HOQI), the AI Governance Assessment (AGA), the Risk Tiering Wizard, and the RMF Fidelity Checker. Covers design rationale, measurement logic, and practitioner use guidance for each tool.

“Practitioner tools are only as useful as the measurement logic behind them. This document makes that logic explicit, so tools can be evaluated, critiqued, and extended rather than used as black boxes.”

Each tool is documented with its theoretical basis, the governance question it addresses, the data it requires, and the interpretation guidance practitioners need to act on its output. Includes worked examples drawn from Stream One and Stream Two research cases.

HOQI AGA Risk Tiering RMF Fidelity AI Governance Tools Practitioner Methods
Technical Methods  •  D-1

Functional Sizing as a Foundation for AI Governance Measurement

GIAG Research Series  —  March 2026  ·  Applying Function Point Analysis and COSMIC to AI System Scope and Complexity

Documents the application of Function Point Analysis and the COSMIC functional size measurement method to the problem of AI system scope characterization. Argues that governance frameworks built on adoption metrics fail at the same structural level that pre-FPA software metrics failed.

“Adoption rates, documentation scores, and compliance checklists in AI governance represent the same category of failure as lines-of-code metrics. They describe activity at the implementation layer without reaching the functional layer where governance either works or does not work.”

Applies Albrecht’s FPA methodology — validated by Capers Jones at Software Productivity Research across 250+ enterprise assessments — to AI system scope characterization, then develops COSMIC-based extensions for the internal computational behavior that FPA alone does not address.

Function Point Analysis COSMIC Software Measurement AI Scope Governance Metrics IFPUG SPR
Citation and use. Working papers and technical methods documents are copyright ThinkCapital LLC. They may be cited and shared for non-commercial research and professional purposes with attribution. Suggested format: Bragen, M. (2026). [Title]. ThinkCapital GIAG Research Series. ThinkCapital LLC. thinkcapital.org/publications.html — For other uses, contact via the Engage page.

Commentary Archive

Monthly — Substack & LinkedIn

Monthly compiled archives of short-form posts from the Government AI in Practice Substack and LinkedIn commentary stream. Each archive collects the prior month’s posts in a single PDF — typically 15–30 entries per month. Longer pieces and newsletter issues are cataloged separately above.

Commentary Archive  •  June 2026

Substack & LinkedIn Posts — June 2026

Government AI in Practice  —  Compiled June 30, 2026  ·  19 posts  ·  Substack and LinkedIn

LinkedIn commentary from the Government AI in Practice newsletter published throughout June 2026, produced under the GIAG research initiative. The month traces federal AI governance from procurement obligations under M-25-22 through the convergent Federal AI Governance Stack (the AI Action Plan, the GAAIA discussion draft, and CISA's forthcoming directive), a comparative look at global governance models, and a run of federal Inspector General findings showing that even directly mandated agencies struggle to translate governance requirements into practice, closing with Colorado's SB 24-205 "reasonable care" standard.

“even directly mandated agencies struggle to translate governance requirements into practice”
AI Governance NIST AI RMF GA AIA Colorado AI Act Inspector General audits
PDF  ·  19 posts
Commentary Archive  •  May 2026

Substack & LinkedIn Posts — May 2026

Government AI in Practice  —  Compiled May 2026  ·  19 posts  ·  Substack and LinkedIn

Monthly compilation of short-form commentary from the Government AI in Practice Substack and LinkedIn streams. This archive covers Issues 5 through 8, spanning the M-25-21 post-compliance analysis, the CAO authority gap and FITARA precedent, the intervention point problem in agentic AI oversight, and the NASCIO paradox in state governance. 19 posts across four newsletter weeks, including LinkedIn post series and newsletter article excerpts.

“Agency A has governance outputs. Agency B has governance outcomes. The compliance architecture measures only the former.”
M-25-21 CAO Authority FITARA Precedent GQM Framework Identical Score Problem NASCIO Intervention Point Agentic AI Scope Drift CPO Authority Shadow AI NIST AI RMF EU AI Act Stream One Stream Two
PDF  ·  19 posts
Commentary Archive  •  April 2026

Substack & LinkedIn Posts — April 2026

Government AI in Practice  —  Compiled April 27, 2026  ·  16 posts  ·  Substack and LinkedIn

Monthly compilation of short-form commentary from the Government AI in Practice Substack and LinkedIn streams. This first archive spans mid-March through April 2026, covering M-25-21 deadline dynamics, the compliance-versus-governance distinction, risk register structural failures, scope expansion as incremental accommodation, and the moment AI becomes load-bearing infrastructure.

“Federal agencies can satisfy every NIST AI RMF documentation requirement and still operate a governance program that has never changed a single deployment decision.”
NIST AI RMF M-25-21 Risk Registers Agentic AI Scope Expansion Load-Bearing Infrastructure Implementation Fidelity Governance Metrics
PDF  ·  16 posts

Get Involved

Participate in This Research

GIAG is conducting structured interviews with government IT leaders, AI governance practitioners, and policy implementers with direct experience in federal, state, or local government AI deployment or oversight.

Participation is a single 30–45 minute interview. Participants receive early access to preliminary findings and may be acknowledged by name or participate anonymously.

Express Interest in Participating View Research Program

Accounts of difficulty or partial implementation are as valuable as accounts of success. Direct experience within the past 18 months is the primary qualifier.