Federal AI policy just changed again. Is your security stack ready?

Gettyimages.com/BlackJack3D

Find opportunities — and win them.

The White House's Anthropic directive shows why contractors can't build compliance around any single AI tool or ruling, writes Mark Mitchell of Netskope.

The White House order for all government contracts to eliminate use of Anthropic products in federal government solutions illustrates a precarious and volatile new reality for federal systems integrators (FSIs) and federal contractors.

It is a stark reminder that, in the federal space, the ability to pivot—based on ever-evolving AI technology, shifting geopolitical concerns, and fluctuating policy—is not just an advantage. It is a requirement for survival.

Although the government continues to accelerate adoption following last year’s White House executive order directing the elimination of policy obstacles to AI innovation, a consistent national standard for AI governance remains elusive. Requirements vary across agencies and continue to shift with evolving executive guidance, procurement rules and risk interpretations.

Recent Government Accountability Office findings on federal AI use highlight that agencies are scaling AI faster than they are establishing consistent governance, oversight and risk tracking, resulting in a fragmented operating environment. These demands will continuously change as new models and technologies are introduced and matured.

What will not change is the need for security solutions to support these technologies. For FSIs and federal contractors operating in the federal ecosystem, this creates a moving target. As agencies adopt generative and emerging AI capabilities, expectations around security, data protection and model risk continue to evolve without uniform standards.

As such, FSIs and other technology contractors must have flexible foundational security processes in place that enable them to align with differing agency requirements, support rapid AI adoption and pivot to new AI technologies as government demands evolve without rebuilding their entire security architecture.

Legacy security tools often treat "AI traffic" as a monolith, failing to distinguish between consumer AI tools or government-sanctioned controlled instances. Without this granularity, FSIs and federal contractors risk blind spots that enable "shadow AI" behavior, where sensitive data, including controlled unclassified information (CUI) may be inadvertently exposed to external models or used in unintended training contexts.

In practice, organizations can’t rely on restrictive AI policies alone. In fast moving mission environments, users will adopt AI tools to increase efficiency and get the job done. The goal as a partner to the government is therefore not to block adoption but to ensure innovation doesn't come at the expense of a data spill.

As an extension of federal agencies, FSIs and federal contractors must adhere to strict mandates such as the Department of War’s Cybersecurity Maturity Model Certification (CMMC) program. While CMMC doesn’t explicitly address AI, its focus on protecting CUI through robust DLP controls is central to AI-intensive operations – an area that will only grow more complex as AI increases the volume and velocity of data-intensive operations.

In AI enabled workflows, data loss prevention (DLP) plays a key role in ensuring sensitive data is not inadvertently introduced into external or multi-tenant AI environments. For example, an FSI or federal contractor might have a corporate account for Google Gemini that prevents anyone outside of the company from accessing the data used on the platform. On top of that, they must ensure their security solutions account for all potential pathways in which sensitive data can leak in the cloud – whether that’s from unmanaged devices, off-premises locations, unsanctioned/shadow IT cloud services and more.

To address these risks, FSIs and federal contractors should opt for cloud security platforms with comprehensive monitoring and enforcement at the user activity and content level, whether users are on-premises or remote, on a mobile device or even using mobile apps or sync clients. They must ensure their solutions cover all possible cloud traffic regardless of location, device or network.

At the core of the AI revolution is a single constant: the visibility and security of data – understanding what data exists, who has access to it, what risk levels surround it and knowing how to protect it.

For FSIs and federal contractors, adopting a flexible security foundation is essential to ensuring that every new technology investment can be adopted without introducing unmanaged risk.

If they ignore this, they risk falling out of compliance with government regulations, which translates into the possibility of losing government contracts and damaging their brand. A modern Data Protection Architecture - built on a high-performance cloud platform, with expanded visibility across the AI landscape - keeps FSIs and federal contractors ahead of the evolving risk landscape and competitive in the market.


Mark Mitchell is the federal security architect for Netskope.