AI Disclosure in Federal Contracts: What GovCon Firms Should Prepare For
Key Takeaways
AI adoption has to move fast and stay controlled.
- Start With Mission Value: Prioritize use cases tied to measurable business, delivery, or mission outcomes.
- Protect the Data Boundary: Define what data AI tools can touch before selecting vendors or architectures.
- Keep Humans Accountable: Use AI to support workflows while retaining trained review and escalation paths.
- Document the Controls: Maintain inventories, testing evidence, monitoring plans, and risk decisions.
Federal contractors should not wait for an RFP to ask whether their AI use needs to be disclosed. By then, the hard work should already be done.
The real question is not whether AI is useful. It is whether your company can explain where AI touches contract performance, what data it processes, who approved it, how outputs are reviewed, and what evidence exists when the customer asks.
Federal contractors should not treat AI disclosure as a future paperwork problem. It is becoming an operating problem.
AI is already showing up in ordinary contractor work: proposal drafting, document summaries, compliance reviews, help desk triage, data analysis, program reporting, software development, and back office workflows. That is not the problem. The problem is when nobody can say which uses are approved, what data the tool touched, whether the output affected a deliverable, or whether a subcontractor used AI in the background.
In commercial work, that might be an internal management issue. In federal contracting, it can become a customer trust issue.
The question will not simply be, "Do you use AI?" The harder questions will be: where is AI used, what contract work does it support, what data does it touch, who approved it, how is it tested, who reviews the output, and what happens when the model is wrong?
Contractors that can answer those questions calmly will look prepared. Contractors that wait until the RFP asks will be building governance, disclosure language, and evidence under deadline pressure.
The blunt version
Do not let the first serious AI disclosure conversation happen during proposal week. Map the tools, data, approvals, review steps, subcontractor use, and evidence trail now. That is what makes the eventual disclosure credible.
Why AI Disclosure Matters in Federal Contracting
In commercial business, AI can look like a productivity choice. In federal contracting, that is too simple.
The same tool that cleans up a draft, summarizes a file, or triages a request can create contract risk if it touches government data, influences a deliverable, supports a mission workflow, or sits inside a subcontractor's process. AI disclosure matters because customers need to know where the tool ends and accountable contract performance begins.
That is why the OMB acquisition guidance matters. It pushes agencies to think beyond contracts where the government is deliberately buying an AI system. It also points to the practical reality that vendors may use AI while performing ordinary service, IT, advisory, engineering, administrative, or mission support contracts.
The same OMB guidance recognizes that not every contractor use of AI is in scope. It excludes AI used incidentally by a contractor during contract performance when AI is used at the contractor's option and is not directed or required to fulfill contract requirements. It also states that the memo does not apply to AI acquired for use as a component of a National Security System.
What AI Disclosure Means
AI disclosure is not a confession. It is an operating record.
A useful disclosure tells the government what AI is being used, where it fits into contract performance, what data it processes, whether outputs affect deliverables or decisions, who reviews the work, and how the contractor monitors performance over time.
That does not always mean disclosing every employee productivity shortcut. A contractor using AI to clean up internal meeting notes for a company meeting that does not involve sensitive information is different from a contractor using AI to analyze data furnished by the government, generate contract deliverables, summarize CUI, operate a chatbot for agency users, or support a mission decision workflow.
A strong AI disclosure should answer what AI system is being used, who provides or hosts it, what task it supports, whether it is required for performance, what data it processes, whether it touches restricted information, whether output becomes part of a contract deliverable, whether humans review the output, how performance is monitored, and whether subcontractors are using AI too.
The goal is not to overwhelm the government with irrelevant technical detail. The goal is to provide enough information for the customer to understand risk, approve appropriate use, and maintain confidence in contract performance.
AI Disclosure Is Not Just for AI Product Vendors
This is where many contractors get it wrong.
AI disclosure is not only an issue for companies selling AI platforms. It can matter when a contractor uses AI to perform the work, analyze government data, generate deliverables, support a mission workflow, embed functionality in software, or rely on a subcontractor that uses AI.
OMB guidance directs agencies to test proposed AI systems or services where practicable, understand their capabilities and limitations, and use acquisition techniques based on performance that allow agencies to assess vendor claims before award and monitor performance after award.
That means contractors should expect AI questions to show up in technical proposals, oral presentations, product demonstrations, quality plans, data management plans, cybersecurity volumes, and governance meetings after award.
The Emerging Direction: More AI Transparency
The direction is not mysterious: agencies want more visibility into AI use, not less.
Contractors should not read that as a reason to panic. They should read it as a reason to get organized. The companies that know their AI use, data boundaries, review process, and evidence trail will be easier for agencies to trust.
GSA has circulated proposed Government AI System Terms and Conditions that would require contractors to disclose all AI systems used in contract performance to the ordering contracting officer within 30 days after award, unless requested earlier. The draft terms would also include expectations around human oversight, traceability, incident reporting, service provider change notification, and government evaluation rights. Because this is proposed language, contractors should treat it as a strong signal of where acquisition expectations may go, not as a universal final rule.
OMB guidance also adds procurement expectations for LLMs. When agencies procure large language models, they must obtain enough information from vendors to determine whether the LLM complies with applicable principles, while generally avoiding requests that force disclosure of sensitive technical data such as model weights.
For contractors, this points to a major preparation need: documentation.
Original Research: Where AI Disclosure Pressure May Rise First
The federal AI use case inventories are not a crystal ball. They are a signal.
They do not show every federal AI activity, and they do not replace acquisition guidance from each agency. But they do show where agencies are reporting AI use, where high impact use cases are concentrated, and where contractors should expect more concrete questions about data, controls, oversight, and evidence.
GS Consulting analyzed the 2024 and 2025 Federal Agency AI Use Case Inventories to identify where AI disclosure pressure may mature first. The resulting AI Disclosure Pressure Index combines reported AI use case volume, high impact AI counts, deployed or piloted share, and momentum from 2024 to 2025. The index is not an official government score. It is a directional planning tool for contractors that need to prioritize AI inventory, data boundary work, testing, monitoring, and subcontractor disclosure readiness.
Open source inventory data shows why AI disclosure readiness is becoming urgent. In the 2025 Federal Agency AI Use Case Inventory, agencies reported 3,611 individually reported AI use cases and 445 high impact AI use cases. Compared with the 2024 inventory's 2,133 reported use cases, that represents a 69% increase in one year.
What this means for contractors
Contractors supporting benefits, health, law enforcement, homeland security, cybersecurity, safety, mission support, or other high impact workflows should treat AI disclosure readiness as an operating need for the near term. That means maintaining an AI inventory, defining data boundaries, documenting human oversight, preparing testing and monitoring evidence, and asking subcontractors how AI is used in contract performance.
Methodology and caveat
Sources: GS Consulting analysis of the OMB 2024 Federal AI Use Case Inventory and OMB 2025 Federal Agency AI Use Case Inventory. The 2025 inventory uses the "high impact AI" category; the 2024 inventory used rights impacting and safety impacting categories, so risk category comparisons across years should be treated as directional. Public inventories are self reported and exclude some categories, including certain National Security System, Intelligence Community, research, and use cases that are not public.
What Agencies May Ask Contractors to Disclose
Agencies may not all ask the same questions. But the questions will rhyme.
Contractors should prepare for practical, boring questions with serious consequences: What tool are you using? What data does it touch? Who owns the environment? Does the output affect a deliverable? Who reviews it? How do you know it works? What happens when it fails? Are your subcontractors doing the same thing?
AI system identity and ownership
Agencies may want to know the name of the AI tool, model, platform, API, service provider, cloud environment, reseller, integrator, and any third party components involved. This is especially important when a contractor is not the original AI developer but is using a commercial model through an intermediary, platform, or software product.
Intended use case
Contractors should be able to describe the AI use case in plain English: capture research from public sources, help desk triage before human assignment, first draft internal status report language, retrieval augmented search over approved internal documents, or AI embedded in software delivered to the agency.
Data categories
This is one of the most important disclosure areas. Contractors should identify whether the AI will touch public data, company proprietary data, Federal Contract Information, Controlled Unclassified Information, Covered Defense Information, PII, export controlled information, law enforcement sensitive information, intelligence related information, classified information, or restricted data from the customer.
Government data and model training
Agencies will want confidence that government data is not being used improperly to train or improve public or commercial AI models. Contractors should be prepared to disclose vendor data retention, model training, human review, logging, deletion, and customer data segregation practices.
Human oversight
A strong AI disclosure should explain where humans remain accountable. This is especially important when AI output influences deliverables, recommendations, eligibility determinations, cybersecurity triage, program reporting, mission support, or services facing the customer.
Testing and monitoring
Agencies may ask how the AI was tested before use, how accuracy is measured, how hallucinations or errors are handled, how model changes are tracked, how outputs are validated, and how the contractor will monitor performance after deployment.
Subcontractor and service provider use
Prime contractors should expect more scrutiny of subcontractor AI use. If a subcontractor uses AI to support contract performance, the prime may need to know what tool is used, what data it touches, whether it affects deliverables, and whether subcontract terms restrict unapproved AI use.
When Contractors Should Assume AI Disclosure May Be Needed
Use a simple rule: if AI touches contract work, government data, deliverables, high impact workflows, restricted information, or subcontractor performance, slow down and run a disclosure review.
That does not mean every use requires the same response. It means leadership, contracts, security, legal, and program management should not be guessing after the fact.
Contractors should treat the following scenarios as AI disclosure triggers:
- AI is required to perform part of the statement of work.
- AI is embedded in a system, application, dashboard, chatbot, model, workflow, or deliverable provided to the government.
- AI processes, stores, transmits, summarizes, indexes, or generates output from government data.
- AI output is included in reports, recommendations, analysis, software, briefings, or other contract deliverables.
- AI supports cybersecurity, personnel, benefits, law enforcement, intelligence, healthcare, infrastructure, financial, or other high impact workflows.
- AI touches FCI, CUI, Covered Defense Information, PII, export controlled data, classified data, or other restricted information.
- AI is used by a subcontractor, consultant, or third party service provider in support of the contract.
- The solicitation, task order, data rights clause, security plan, quality plan, or customer direction asks about AI use.
- The AI provider changes, the model changes materially, or new AI functionality is added during performance.
This does not mean every scenario requires the same level of detail. It means these are the situations where leadership, contracts, security, and program management should review whether disclosure is required or prudent.
A Practical AI Disclosure Framework
Do not wait for an RFP to force a template into existence.
A useful AI disclosure template should be simple enough for proposal and program teams to use quickly, but complete enough for contracts, legal, security, and technical leaders to trust. The point is not to create a binder. The point is to create a repeatable operating process.
Capture contract number, customer, task order, tool name, vendor, model or platform, hosting environment, version, reseller, and service provider.
Describe data categories, storage, retention, model training, FedRAMP status, CMMC boundary considerations, access controls, human review, testing, and monitoring.
A complete template should also address subcontractor use and change management so the company can notify the customer if AI use materially changes after award.
Proposal Language Contractors Can Adapt
Do not paste this blindly.
This language should be treated as a starting point for counsel, contracts, security, and program leadership to tailor by customer, contract, data type, tool, environment, and use case.
GS Consulting uses AI enabled tools only within approved workflows, approved accounts, and approved data boundaries. AI is not used to process, store, transmit, or generate output from FCI, CUI, Covered Defense Information, PII, classified information, export controlled information, or other restricted customer data unless the tool, environment, contract terms, and security controls have been reviewed and approved for that specific use. Outputs generated by AI and used in contract performance are subject to human review, validation, and approval by accountable personnel.
For direct AI delivery, the proposed solution should describe the AI function, data categories, approved environment, restrictions on government data that is not public, human oversight, performance testing, monitoring, logs, review cadence, and issue resolution process.
Common Mistakes to Avoid
Most AI disclosure problems will not start with a bad model. They will start with a bad assumption.
These are the mistakes that create avoidable risk.
Mistake 1: Assuming disclosure only matters when you sell an AI product. If AI supports contract performance, affects deliverables, or touches government data, it may be relevant even when the contractor is not selling AI.
Mistake 2: Treating "human review" as a magic phrase. Human review matters. It does not replace data controls, testing, monitoring, documentation, escalation paths, or customer transparency.
Mistake 3: Ignoring shadow AI. If employees use unapproved AI tools with contract information, leadership may not be able to answer basic customer questions accurately.
Mistake 4: Forgetting subcontractors. Prime contractors should not learn after award that a subcontractor used an unapproved AI tool to process customer data or draft deliverables.
Mistake 5: Assuming FedRAMP equals permission. FedRAMP status can support the review. It does not automatically approve a tool for every contract, every agency, every data type, or every workflow.
Mistake 6: Starting from a blank page when the RFP arrives. By the time a solicitation asks for AI disclosure, the inventory, data boundary decisions, approval process, and draft language should already exist.
What GovCon Firms Should Build Now
The readiness package does not need to be elegant. It needs to be usable.
A contractor should be able to sit down with contracts, security, legal, program leadership, and proposal teams and answer the same questions the customer is likely to ask. Where is AI used? What data does it touch? Who approved it? What evidence do we have? What would we disclose? What are subcontractors doing?
The package should include an AI use policy, approved tool list, prohibited use rules, AI inventory, data handling matrix, vendor review checklist, model and system documentation, human oversight procedures, testing and evaluation evidence, subcontractor AI questionnaire, contract disclosure template, incident response procedure, and change management process.
CMMC should also be considered where AI touches defense contract information. NIST requirements for CUI apply to components of nonfederal systems that process, store, or transmit CUI, or that protect those components. For AI in cloud environments, FedRAMP considerations should be part of the review.
A 90 Day AI Disclosure Action Plan
Ninety days is enough time to move from guessing to answering.
The goal is not to solve every AI governance issue in one quarter. The goal is to know where AI is being used, stop the riskiest unapproved behavior, build the basic evidence trail, and create a repeatable review process before the next RFP or customer meeting.
- Days 1 to 30: Find the AI. Survey employees, review licenses, check browser extensions, examine proposal and program workflows, and restrict unapproved AI use with contract data.
- Days 31 to 60: Build the evidence. Create an AI inventory, data handling matrix, approved tool list, vendor checklist, subcontractor attestation, and disclosure template.
- Days 61 to 90: Make it operational. Train employees, update subcontractor onboarding, add AI review to proposal kickoff, and run controlled pilots with documented value and risk.
By the end of 90 days, leadership should be able to answer five questions without scrambling: Where are we using AI? What contract data does it touch? Which uses are approved? What would we disclose to the government? How do we know subcontractors are following the same rules?
The Bottom Line
AI disclosure is not just paperwork. It is trust infrastructure.
Government customers want the benefits of AI, but they need contractors that understand data boundaries, cybersecurity, documentation, accountability, testing, monitoring, and mission risk.
The firms that wait until an RFP asks about AI will be forced to build answers under pressure. The firms that prepare now will be able to say, with confidence, where AI is used, why it is used, how it is controlled, and how the customer's data and mission are protected.
That is the advantage: not louder AI claims, but cleaner answers.