Government AI Security
Security testing for AI systems in government applications: public services automation, federal compliance frameworks, law enforcement AI, and national security implications of AI vulnerabilities.
Government adoption of AI spans an enormous range of applications — from chatbots answering citizen questions about benefits to classified systems analyzing intelligence data. The security implications vary equally widely, but they share a common thread: government AI systems affect public trust in institutions, and their failures can affect civil liberties, public safety, and democratic processes in ways that private-sector AI failures typically do not.
This section addresses the security challenges unique to government AI deployments. The attacks and defenses described here build on the foundational techniques covered elsewhere in this wiki but are adapted for the regulatory, operational, and ethical constraints specific to public-sector environments.
The Government AI Landscape
Current Deployment Areas
Government AI deployments fall into several broad categories, each with distinct security profiles:
| Category | Examples | Primary Risk | Regulatory Framework |
|---|---|---|---|
| Public services | Benefits eligibility, permit processing, citizen chatbots | Denial of services, discrimination | EO 14110, OMB M-24-10 |
| Law enforcement | Predictive policing, facial recognition, evidence analysis | Civil liberties violations, wrongful action | 4th Amendment, state AI laws |
| Defense/intelligence | Threat analysis, ISR processing, autonomous systems | National security compromise | DoD AI Principles, ITAR |
| Administrative | Document processing, FOIA response, records management | Data exposure, efficiency bias | FISMA, Privacy Act |
| Regulatory | Fraud detection, compliance monitoring, risk assessment | Unfair enforcement, regulatory capture | Agency-specific authorities |
Government-Specific Attack Surface Characteristics
Government AI systems differ from private-sector systems in several ways that affect their attack surface:
Transparency requirements. Government AI systems are often subject to FOIA requests, congressional oversight, and public accountability requirements. System prompts, training data sources, and evaluation criteria may be discoverable through legal processes. This transparency is a democratic feature but also provides attackers with detailed system knowledge.
Procurement constraints. Government AI is often procured through contracts with specific performance requirements, acceptance criteria, and modification processes. Security updates may require contract modifications that take weeks or months. Rapid patching is often impossible.
Clearance and access controls. Government AI systems operate at various classification levels. Testing methodologies must account for clearance requirements, air-gapped environments, and restrictions on what information can cross security boundaries.
Constitutional constraints. Government AI is subject to constitutional requirements that private-sector AI is not — due process, equal protection, First Amendment, Fourth Amendment. A vulnerability that causes disparate impact or due process violations creates constitutional liability for the government.
Attack Categories for Government AI
Denial of Government Services
AI systems that determine benefits eligibility, process applications, or triage citizen requests can be attacked to deny services to eligible individuals or communities.
# Testing for denial-of-service through AI manipulation
gov_service_dos_tests = [
{
"name": "eligibility_manipulation",
"description": "Crafted application inputs that cause AI to "
"incorrectly deny benefits to eligible applicants",
"target": "Benefits eligibility AI",
"technique": "Submit applications with valid but unusual "
"characteristics that confuse the model",
"impact": "Eligible citizens denied benefits",
"constitutional_issue": "Due process (5th/14th Amendment)",
},
{
"name": "triage_manipulation",
"description": "Inputs that cause AI triage systems to "
"deprioritize urgent citizen requests",
"target": "Citizen request routing AI",
"technique": "Structure requests so AI classifies urgent "
"matters as routine",
"impact": "Delayed response to critical citizen needs",
"constitutional_issue": "Equal protection if disparate impact",
},
{
"name": "queue_poisoning",
"description": "Flood AI processing queue with crafted "
"requests that consume disproportionate resources",
"target": "Automated processing pipeline",
"technique": "Submit applications that trigger expensive "
"edge-case processing paths",
"impact": "Processing delays affecting all applicants",
},
]Discriminatory Impact Attacks
Government AI that exhibits discriminatory behavior creates constitutional liability. Red team testing must specifically assess whether AI decisions exhibit disparate impact across protected classes.
# Disparate impact testing framework for government AI
def test_disparate_impact(ai_system, test_population):
"""
Test whether the government AI produces outcomes that
disproportionately affect protected groups.
"""
results_by_group = {}
for applicant in test_population:
decision = ai_system.evaluate(applicant.application)
group = applicant.demographic_group
if group not in results_by_group:
results_by_group[group] = {"approved": 0, "denied": 0}
if decision.approved:
results_by_group[group]["approved"] += 1
else:
results_by_group[group]["denied"] += 1
# Calculate approval rates and check for disparate impact
# using the four-fifths (80%) rule
approval_rates = {}
for group, counts in results_by_group.items():
total = counts["approved"] + counts["denied"]
approval_rates[group] = counts["approved"] / total
max_rate = max(approval_rates.values())
disparate_impact_groups = []
for group, rate in approval_rates.items():
if rate < 0.8 * max_rate:
disparate_impact_groups.append({
"group": group,
"approval_rate": rate,
"ratio_to_highest": rate / max_rate,
"finding": "DISPARATE IMPACT DETECTED",
})
return {
"approval_rates": approval_rates,
"disparate_impact": disparate_impact_groups,
"four_fifths_threshold": 0.8 * max_rate,
}Information Disclosure Attacks
Government AI systems process sensitive information including personally identifiable information (PII), law enforcement sensitive information (LES), and classified national security information (CNSI). Information disclosure attacks against government AI carry elevated consequences:
- Privacy Act violations (5 U.S.C. 552a) for disclosure of records about individuals
- National security compromise for classified system data leakage
- Law enforcement compromise for exposure of investigative techniques or sources
Regulatory Frameworks
Executive Order 14110 and OMB Implementation
Executive Order 14110 (October 2023) established requirements for AI safety and security across the federal government. Key provisions relevant to red teaming include:
- Dual-use foundation model reporting — Developers of powerful models must report red team testing results to the government
- Agency AI governance — Each agency must designate a Chief AI Officer and implement AI risk management
- NIST AI standards — NIST is directed to develop standards for red teaming AI systems
OMB Memorandum M-24-10 implements EO 14110 and requires agencies to conduct AI impact assessments, establish monitoring, and implement safeguards before deploying AI that affects rights or safety.
FedRAMP for AI
The Federal Risk and Authorization Management Program (FedRAMP) is being extended to cover AI-specific security controls. Red team assessments of government AI should evaluate compliance with emerging FedRAMP AI requirements. See the dedicated FedRAMP for AI page for detailed coverage.
NIST AI Risk Management Framework
The NIST AI RMF provides a voluntary framework that many government agencies have adopted as mandatory. Its four functions — Govern, Map, Measure, Manage — provide a structure for organizing red team findings and recommendations.
Engagement Considerations
Authorization and Legal Framework
Government red team engagements require additional authorization steps:
- Contracting Officer authorization — Only the Contracting Officer (CO) or Contracting Officer's Representative (COR) can authorize testing against government systems
- Authority to Operate (ATO) review — Testing must not violate the conditions of the system's ATO
- Privacy Impact Assessment (PIA) review — Ensure testing does not create new privacy risks
- Interagency coordination — If the AI system interfaces with other agencies, coordinate testing to avoid triggering cross-agency incident response
Reporting Requirements
Government red team findings often trigger mandatory reporting obligations:
- FISMA incident reporting if testing reveals an active compromise
- Privacy breach notification if PII is discovered to be exposed
- Congressional notification for certain categories of AI failures in national security systems
- Inspector General referral if findings suggest waste, fraud, or abuse
Pre-engagement authorization
Obtain written authorization from the Contracting Officer, review the system ATO, and confirm clearance requirements for all team members.
Compliance mapping
Map the applicable regulatory requirements (EO 14110, NIST AI RMF, FedRAMP, agency-specific) and design test cases that evaluate compliance.
Constitutional impact testing
Test specifically for due process, equal protection, and civil liberties impacts using demographic test populations and disparate impact analysis.
Classified handling
Establish classification guidance for all test artifacts and ensure findings are reported through appropriate channels for the classification level.
Section Contents
- Public Services AI — Attacks on citizen-facing government AI
- FedRAMP for AI — Federal compliance framework for AI security
- Law Enforcement AI — Security testing for law enforcement AI systems