The Federal Facility AI Governance Gap: When the Mandate Disappears but the Risk Doesn't
- James W.
- May 1
Updated: May 14
Author: James C. Waddell | Cognitive Corp
Published: April 2026
Target Audience: Federal facility managers, DOE site directors, DoD installation commanders, GSA executives, government CRE leaders
---
In October 2023, the White House issued Executive Order 14110, establishing requirements for the safe, secure, and trustworthy development and use of artificial intelligence across the federal government. This executive order appointed Chief AI Officers across various agencies, mandated the compilation of AI inventories, and facilitated the mapping of risk management frameworks to the NIST AI Risk Management Framework (RMF).
However, in January 2025, EO 14110 was revoked. While the executive order is no longer in place, the AI systems operating within federal facilities continue to function. Therefore, the governance gap that existed under this mandate has significantly widened without any federal directive to address it.
Brookhaven National Laboratory, for example, operates over 150 buildings across a 5,300-acre campus. The Department of Energy (DOE) manages numerous facilities that incorporate AI-driven HVAC optimization, energy management, and predictive maintenance systems. Likewise, the VA Medical Centers, totaling 173 nationwide, utilize AI systems to manage critical factors such as air quality, temperature, and equipment monitoring in hospital environments where patient safety is of utmost importance. Furthermore, DoD installations employ AI for access control, energy management, and facility monitoring at thousands of locations globally.
These AI systems make autonomous decisions continuously, optimizing energy consumption, managing environmental controls, predicting equipment failures, and controlling access. The removal of EO 14110 has not diminished the operational capabilities of these systems; rather, it has eliminated a crucial governance mechanism that could have compelled agencies to effectively manage such technologies.
Why the Revocation Makes Things Worse, Not Better
Ironically, EO 14110's brief existence failed to adequately address building AI. During its 15-month lifespan, agency Chief AI Officers primarily focused on AI systems directly impacting agency missions—such as intelligence analysis and logistics optimization—overlooking the facility management systems that govern safety and operational effectiveness in federal buildings.
With the governance framework established by EO 14110 no longer in effect, federal facility AI governance encounters a dual gap: these AI systems were never effectively governed under the revoked mandate, and there is now no framework compelling agencies to institute necessary governance practices.
Despite the absence of formal governance, the risks that necessitate oversight remain. For instance, an AI-controlled HVAC system in a VA operating room continues to be critical in managing airflow essential for successful surgical outcomes. Similarly, predictive maintenance algorithms at DOE facilities still determine which vital equipment warrants attention. The question that arises is not whether federal facility AI systems require governance but what mechanisms can now drive such governance in the absence of an executive order.
Four Forces That Make Federal AI Governance Inevitable
Despite the revocation of EO 14110, at least four enduring forces still necessitate governance:
Force 1: NIST AI RMF Exists Independent of Any Executive Order
The NIST AI RMF, which recently received updates to improve its applicability, was developed through a comprehensive, multi-year stakeholder process predating EO 14110. Its authority is not dependent on presidential mandates. Federal agencies that adopted the NIST AI RMF as a governance standard are not legally required to abandon it due to the revocation of EO 14110. Many will continue to follow it because the framework provides practical solutions to real operational risks rather than mere compliance checkboxes, reinforcing the importance of good risk management practices.
For federal facility managers, utilizing the updated NIST AI RMF's Govern-Map-Measure-Manage structure offers a practical approach to establishing AI governance in facilities. While adherence is now voluntary, it is critical for agencies seeking to effectively mitigate unmanaged risk.
Force 2: State and Local Regulation Isn't Waiting for Washington
Though the federal AI governance directive has been revoked, state-level AI regulation is advancing rapidly. For instance, Colorado's AI Act (SB 24-205) establishes regulations regarding high-risk AI systems, and New York City's Local Law 144 mandates bias audits for automated employment decision tools. Additionally, Illinois' Biometric Information Privacy Act (BIPA) subjects systems that handle biometric data—including facial recognition or biometric access control systems—to liability.
Federal facilities located in states with AI regulations must comply with applicable state requirements, irrespective of the federal landscape. DoD installations in states like Colorado, which utilize AI for building operations, are subject to state-level governance obligations. Furthermore, any federal facility operating within the European Union must navigate new AI regulations once the EU AI Act is fully implemented.
Force 3: Liability Exposure Doesn't Require a Mandate
When an AI system in a federal building makes a decision resulting in harm—such as an HVAC failure in a patient care area or erroneous energy management—it creates immediate liability risks, independent of executive orders.
The Federal Tort Claims Act does not require a specific AI governance mandate to enforce liability for negligent operations. If an agency is aware (or should be aware) that its AI systems are making autonomous, ungoverned decisions, the absence of a mandate does not shield the agency from liability. In fact, it may heighten their exposure, as they cannot claim compliance with established federal governance requirements.
Insurers are already monitoring these governance gaps. Commercial building operators are facing inquiries related to governance in their insurance applications. As AI incidents become more frequent, federal facility self-insurance programs will encounter similar scrutiny.
Force 4: GAO and Inspector General Oversight Continues
Congressional oversight of federal AI persists regardless of executive orders. The Government Accountability Office (GAO) has been examining federal AI governance independently of EO 14110, while Inspector General offices across agencies like DOE, VA, DoD, and GSA retain the authority to audit facility operations, including AI systems.
When a GAO report reveals that numerous federal facilities have operated AI systems without governance regarding safety-critical decisions, the political urgency to reinstate governance will not wait for another executive order. It may manifest through appropriations riders, agency-specific directives, or direct congressional mandates—potentially with less operational flexibility than EO 14110.
Smart leaders in federal facilities should proactively address this evolving landscape rather than waiting for new mandates.
The Classification Problem Remains Structural
The lack of an executive order does not alleviate the structural governance challenges faced by federal facility AI systems: building AI often straddles organizational silos.
Facility operations and IT departments typically do not synchronize their governance directives, resulting in AI systems being overlooked during inventory efforts. Facility managers may not classify their building management systems as "AI," while IT personnel may lack insight into the AI technologies embedded within the facilities.
This classification challenge persists despite the existing governance landscape. AI systems like HVAC optimizers using machine learning, predictive maintenance algorithms focused on prioritizing equipment repairs, and occupancy analytics platforms tracking building utilization patterns are all undeniably AI systems. Yet, they often get excluded from agency AI inventories as they are commonly classified as part of “building infrastructure” rather than “information technology.”
The BAGI Federal Baseline
Our preliminary assessments using the Building AI Governance Index (BAGI) framework tailored for federal facility environments present concerning results.
Typically, federal facilities score between 10 and 20 on the 100-point BAGI scale. The most common deficiencies in governance include:
- Accountability: Lack of a defined governance structure for building AI, leading to operational silos.
- Transparency: Absence of decision logging for building AI systems, even within agencies possessing established IT governance protocols.
- Privacy: Collection of building occupancy and movement data without governance frameworks complying with federal privacy mandates, such as the Privacy Act of 1974.
For context, commercial buildings average scores of 15-25 on BAGI, while we recommend a target governance score of 70+. These findings indicate that federal facilities are at the lower end of overall governance maturity, and with EO 14110's revocation, there is likely to be diminished institutional pressure to elevate these scores.
Building the Business Case for AI Governance
In light of these developments, federal facility leaders need to construct a compelling business case for AI governance to secure budget approvals. Key points to include in your proposal may encompass:
1. Highlight Risk Management: Emphasize the necessity of managing risks associated with ungoverned AI systems to protect public safety and mitigate potential liability.
2. Cite Regulatory Compliance: Reference emerging state and local regulations that may require immediate action to avoid non-compliance and associated penalties.
3. Demonstrate Operational Efficiency: Enhanced governance can lead to more efficient facility operations, resulting in long-term cost reductions tied to maintenance and oversight.
4. Enhance Public Trust: Strong AI governance reinforces agency credibility with stakeholders and the public, showcasing a commitment to safety and transparency.
5. Prepare for Future Mandates: Proactively establishing governance now lays the groundwork for compliance with potential future federal mandates.
6. Leverage NIST AI RMF as a Framework: It costs comparatively less to implement a robust governance framework that aids in compliance with existing regulatory standards.
What Federal Facility Leaders Should Do Now
The absence of EO 14110 does not render federal facility AI governance optional. Instead, it necessitates that governance becomes a leadership decision rather than a mere compliance obligation. Agencies that take initiative will enhance their governance capabilities, while those that delay will find themselves compelled to establish governance quickly due to state regulations, liability concerns, GAO findings, or future federal mandates.
First, inventory your building AI anyway. Even with the executive order revoked, managing your agency’s AI inventory process should still be a priority. Collaborate with your facility operations team and CIO's office to ensure that AI systems—including those for HVAC optimization, predictive maintenance, occupancy analytics, and energy management—are accurately included. This practice is a sound operational strategy, irrespective of formal regulatory requirements.
Second, apply NIST AI RMF voluntarily. The updated NIST AI RMF provides valuable guidance for governance initiatives. Apply its Govern-Map-Measure-Manage structure to your building AI systems. Identify systems that meet high-risk criteria and conduct thorough, documented risk assessments for them.
Third, assess your state regulatory exposure. Identify all relevant state and local AI regulations that apply to your facility locations. Be proactive in identifying state requirements; ignoring them under the presumption of federal facility status may lead to legal risks.
Fourth, implement governance for high-risk systems first. Initiate governance practices focused on the highest risk building AI systems, such as environmental controls in patient care facilities or access control systems in secure settings. Establish decision logging and monitoring protocols, and include human override capabilities where appropriate.
Fifth, fix the acquisition pipeline. Ensure that governance requirements are integrated into procurement processes for all building AI systems bought moving forward. Given the federal government’s status as the largest building operator, acquisition decisions made today will influence the governance framework across federal facilities for years to come.
The Governance Case Is Stronger Without the Mandate
Counterintuitively, the argument for federal building AI governance is stronger in the absence of EO 14110. Previously, governance practices were seen mainly as compliance exercises driven by mandates. Now, governance is framed as essential risk management—grounded in the understanding that the operational, legal, and safety risks associated with ungoverned building AI are both real and escalating.
Federal agencies no longer have the luxury of waiting for explicit mandates to govern AI systems. State regulations are stepping into the federal void; liability exposures exist regardless of a mandate; and GAO oversight will uncover governance gaps. Meanwhile, AI systems in federal buildings continue to make autonomous decisions—with direct implications for public safety, national security, and infrastructure reliability—regardless of whether monitoring is taking place.
The executive order may be absent, but the governance gap persists. Agencies that proactively address and mitigate this gap will emerge as leaders in governance, better positioned for compliance when the next federal directive eventually arrives.
---
James C. Waddell is President of Cognitive Corp, architect of the Building Constitution framework, and author of 175+ research papers on AI governance in the built environment. Cognitive Corp's federal practice focuses on NIST AI RMF implementation for building operations and BAGI governance assessment for classified and sensitive environments.