Managing AI in Federal IT: What GAO's Galileo Strategy Reveals About Industry Challenges

By Laurie Shrout
September 3, 2025

If you're managing IT assets for a federal agency, you've probably heard about GAO's plan to expand their Galileo AI system by December. But here's what you might not realize: this expansion highlights a critical blind spot in how most agencies track and manage artificial intelligence tools.

The problem? Your current asset management system probably can't handle AI tools properly. And that's creating risks you might not even know about yet.

What Makes AI Different from Regular Software?

Think about how you currently manage software. You track licenses, monitor installations, and know exactly what's running where. Simple, right?

AI tools throw all of that out the window.

Unlike traditional software that lives on servers or desktops, artificial intelligence platforms often work through web browsers, API calls, and cloud-based processing. Your standard discovery tools? They're essentially blind to these interactions.

GAO's experience illustrates this challenge perfectly. As CIO Beth Killoran explained, they built their own AI system because "we have accounting standards and audit standards" that existing AI products couldn't accommodate.

The NIST AI Risk Management Framework (AI RMF 1.0), released in January 2023 with updates through the Generative AI Profile in July 2024, provides guidance for AI governance. But many federal ITAM teams are still figuring out how to translate these frameworks into day-to-day operations.

[Figure: comparison table showing key differences between traditional software and AI tool management across 8 categories, including discovery methods, licensing models, and compliance tracking for federal IT asset management]

Why Your Discovery Tools Are Missing AI Usage

Here's a scenario that's probably happening in your agency right now: A program manager signs up for an AI writing tool using their government credit card. They access it through their browser, process some documents, and get their work done faster.

Your ITAM system sees none of this.

This creates what we call "shadow AI": artificial intelligence tools that operate completely outside your asset management visibility. Unlike shadow IT applications that eventually show up in network scans or software inventories, AI tools can process sensitive federal data without leaving traditional digital footprints.

The Federal Data Strategy emphasizes comprehensive data governance, but current ITAM approaches weren't designed for tools that access, process, and potentially store government information through web APIs and cloud services.

Data lineage becomes crucial here. You need to know not just what AI tool is being used, but what data it's touching, where that data goes, and how long it's retained. Traditional Configuration Management Database (CMDB) systems simply don't capture this level of detail about AI interactions.

How Do You Stay FISMA Compliant with AI Tools?

This is where things get tricky. Current FISMA requirements don't specifically address AI implementations, since the framework predates widespread AI adoption in government.

You still need Authority to Operate (ATO) documentation for any system processing federal data. But how do you assess an AI tool that continuously updates its models, changes its capabilities, and processes information in ways that traditional security assessments don't cover?

The NIST Risk Management Framework provides a structured approach, but agencies are having to develop supplementary procedures for AI-specific risks. Since dedicated federal AI implementation guidance is still evolving, you're essentially building the plane while flying it.

Here's what successful agencies are doing:

Work closely with your Authorizing Officials early.

Don't wait until deployment to discuss how AI tools fit into your existing security documentation. These conversations need to happen during procurement and planning phases.

Document data flows meticulously.

Unlike traditional software where data handling is relatively static, AI tools may use your data for processing in ways that aren't immediately obvious. Your NIST 800-53 security controls assessments need to account for this complexity.

Plan for continuous monitoring.

AI tools don't stay the same – they learn, update, and evolve. Your security posture needs to account for this dynamic behavior.

What Should You Do Right Now?

Start with an AI Discovery Assessment

Before you can manage AI tools, you need to know what's already out there. Create a simple assessment process:

  • Survey your users. Ask department heads what AI tools their teams are using or want to use. 
  • Review credit card statements. Look for subscriptions to AI platforms and services. 
  • Check web traffic logs. Identify frequent access to AI service domains. 
  • Talk to procurement. Understand what AI-related purchases are in the pipeline.
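
For the web traffic step, the sketch below is an added example, not part of the original article or any vendor tool. It assumes a space-separated proxy log (timestamp, user, method, host, bytes sent) and a small watchlist you maintain yourself; the sample lines are constructed.

```python
from collections import defaultdict

# Assumed watchlist: map a domain suffix to a label for the asset inventory.
# Extend it with the services surfaced by surveys and procurement reviews.
AI_DOMAINS = {
    "openai.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
}

# Constructed sample lines in an assumed format:
# timestamp user method host bytes_sent
SAMPLE_LOG = """\
2025-09-01T09:14:02Z jdoe POST api.openai.com 48211
2025-09-01T09:15:40Z jdoe POST api.openai.com 51007
2025-09-01T09:16:05Z asmith GET claude.ai 812
2025-09-01T09:17:31Z jdoe POST api.openai.com 39950
2025-09-01T09:18:00Z asmith GET www.gsa.gov 640
malformed line
2025-09-01T09:19:12Z bwong POST notopenai.com 2048
"""

def match_service(host):
    """Return the label if host equals or is a subdomain of a watched domain."""
    host = host.lower().rstrip(".")
    for suffix, label in AI_DOMAINS.items():
        # Match on a label boundary so "notopenai.com" is not a false hit.
        if host == suffix or host.endswith("." + suffix):
            return label
    return None

def summarize(log_text, min_requests=1):
    """Aggregate requests and bytes sent per (user, service); skip bad lines."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # unparseable record: ignore rather than crash the scan
        _, user, _, host, sent = parts
        service = match_service(host)
        if service:
            stats[(user, service)]["requests"] += 1
            stats[(user, service)]["bytes_sent"] += int(sent)
    return {k: v for k, v in stats.items() if v["requests"] >= min_requests}

if __name__ == "__main__":
    for (user, service), s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user:8} {service:10} requests={s['requests']} bytes_sent={s['bytes_sent']}")
```

Bytes sent per user and service gives a rough signal of how much data is leaving for each tool, which feeds the data lineage questions raised earlier.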

Develop AI-Specific Asset Categories

Traditional ITAM categories don't fit AI tools. You'll need new classification systems that capture processing capabilities and data access levels, pricing models (usage-based vs. subscription), data residency and processing locations, update and versioning patterns, and integration points with existing systems.

The Federal Enterprise Architecture Framework provides guidance for technology categorization that can help here.

Create Cross-Functional AI Teams

AI management isn't just an IT problem. You need collaboration between ITAM professionals (for tracking and compliance), cybersecurity specialists (for risk assessment), privacy officers (for data governance), business stakeholders (for requirements and usage patterns), and procurement (for contract and licensing management).

This collaborative approach ensures AI adoption decisions include asset management considerations from the beginning, rather than trying to retrofit compliance after implementation.

[Figure: 5-step checklist for federal IT managers to discover shadow AI usage in their agencies]

How Are Leading Agencies Handling This?

While most federal agencies are still developing their AI asset management strategies, some patterns are emerging from early adopters:

  • Enhanced monitoring capabilities: Agencies are implementing network monitoring that can detect API calls and cloud-based processing activities characteristic of AI tool usage, going beyond traditional software discovery methods.
  • Vendor evaluation frameworks: Leading organizations are developing specific criteria for evaluating AI vendors that include asset management considerations like usage tracking, audit capabilities, and integration with existing ITAM platforms.
  • Policy integration: Successful agencies are updating their existing IT policies to include AI-specific requirements rather than creating entirely separate governance structures.

Current market analysis suggests that while some ITAM vendors are beginning to incorporate AI-assisted features for application categorization and inventory management, AI-specific discovery capabilities vary significantly among solutions. This makes careful vendor evaluation essential for agencies planning AI adoption initiatives.

What's Next for Federal AI Asset Management?

GAO's Galileo expansion offers valuable insights for other agencies preparing their own AI strategies. The key lesson? Treat AI tools as hybrid assets that combine software functionality with service consumption, similar to cloud services managed under FedRAMP authorization processes.

Success requires viewing AI not as isolated software additions, but as components of evolving technology ecosystems that need sophisticated management approaches aligned with federal governance frameworks.

The agencies that get ahead of this challenge now – by developing AI-specific asset management capabilities, training their teams, and building relationships with vendors who understand federal requirements – will be much better positioned when AI adoption accelerates across government.

Ready to Get Started?

Managing AI tools in federal environments isn't just about compliance; it's about enabling your agency to adopt transformative technologies safely and efficiently. The agencies that figure this out first will have significant advantages in mission delivery and operational effectiveness.