About These Publications
What We Publish and Why
ThinkCapital publications span three formats. The Government AI in Practice newsletter delivers research analysis and field observations to practitioners on a regular schedule. Short-form research articles address specific governance questions with enough depth to be useful without requiring a full working paper. The GIAG Research Series working papers and technical methods documents are the most substantive output — intended for researchers, senior practitioners, and policy audiences who need the underlying argument and evidence, not just the conclusions.
All publications are freely available. Working papers and technical methods documents may be cited with attribution for non-commercial research and professional purposes.
Subscribe to Government AI in Practice
The newsletter is published on Substack. New issues go to subscribers first, with archived issues available here. If the research questions GIAG is working on are relevant to your work, the newsletter is the fastest way to stay current.
Issue 10
When Oversight Requires a Decision: The Determinism Boundary in Practice
Government AI in Practice — June 10, 2026
Examines the structural governance gap created when agencies migrate from deterministic rule-based systems to generative and agentic AI without updating their oversight architecture. Introduces the Determinism Boundary as the threshold at which existing governance programs become insufficient, and presents the Three Governance Clocks framework — Detection, Intervention, and Accountability — as the diagnostic construct for assessing whether oversight is functioning in real time for live agentic deployments.
“A governance decision that most agencies have not made is which conditions require mandatory human intervention, and which conditions make human oversight counterproductive.”
Presents the Stream Two Five Intervention Criteria for mandatory human oversight (irreversibility, consequence transfer, distributional novelty, value conflict, and legal or regulatory accountability) alongside the inverse rule: where none of the five apply, automated governance is the correct model. Covers the Four-Pattern Typology from Stream One research — Structured Adopters, Reactive Compliers, Framework Borrowers, and Unstructured Experimenters — and the CAO authority gap in agentic contexts. Addresses the bifurcated policy environment created by the June 2026 national security AI memorandum and its deployment-level governance implications. Local section examines HHS child welfare predictive analytics funding as a case study in risk transfer without governance architecture. Closes with three practitioner oversight readiness tests and six diagnostic questions for use in governance review meetings.
Determinism Boundary
Three Governance Clocks
Agentic AI
Human Oversight
Five Intervention Criteria
Four-Pattern Typology
CAO Authority Gap
Vendor Lock-In
HALT Authority
Scope Drift
NIST AI RMF
M-25-21
National Security AI Memo
Multi-Agent Governance
Stream One
Stream Two
Issue 9
The Contract Is the Governance: M-25-22 Eight Months In
Government AI in Practice — June 3, 2026
Examines the gap between what OMB Memorandum M-25-22 requires from federal AI procurement and what contract surveillance infrastructure is actually delivering eight months after the directive took effect. M-25-22 established four specific obligations: performance-based acquisition language, pre-award testing and evaluation, ongoing monitoring after deployment, and disclosure requirements when contractors use AI beyond original contract scope. The issue documents where each obligation is most likely to have been documented at award but not operationalized in production, and provides a concrete review checklist IT and AI leadership can apply to active contracts today.
“A contract that specifies delivery of an AI tool without specifying how its performance will be measured in production provides no basis for surveillance.”
Covers the parallel state-level pressure under Colorado SB 24-205 (effective June 30, 2026), which establishes a “reasonable care” outcome standard that responsible use policies alone will not satisfy. Examines Honolulu’s citizen-facing permit AI deployment as a local governance case study in unanswered contract questions. Presents three behavioral tests for governance maturity drawn from a structured US–EU framework comparison, and a measurement note on why compliance metrics systematically undercount governance failure. Closes with five practitioner questions designed for use in a contract review meeting. Recent Intelligence section covers the NIST AISIC rebranding, USDA IG cybersecurity audit, federal data strategy warnings, House NDAA AI incident disclosure provisions, and HHS predictive child welfare funding.
M-25-22
AI Procurement
Contract Surveillance
COTR
Pre-Award Testing
CPARS
Colorado SB 24-205
Reasonable Care Standard
Scope Drift
Governance Maturity
NIST AI RMF
EU AI Act
Compliance Metrics
WP-3 Preview
Stream One
Stream Two
Issue 8
Governance Without a Fixed Anchor: What Federal Uncertainty, the NASCIO Paradox, and Downstream Risk Mean for Government AI at Every Level
Government AI in Practice — May 27, 2026
Examines three levels of a structural governance failure made visible by NASCIO’s 2025 State CIO Survey: 88% of states have AI responsible use policies in place, while 75% of state CIOs report serious concerns about deploying GenAI in direct citizen services. Both numbers are accurate. Their coexistence is the finding. At the federal level, the withdrawal of a proposed pre-deployment review mechanism leaves subnational governance frameworks calibrated to a reference that is no longer operative — while the unanimously passed SBA AI accountability legislation provides a rare stable legislative anchor. At the state level, the NASCIO data documents three specific gaps that governance documentation is not closing: unfunded CPO authority, one-time rather than maintained AI inventories, and oversight roles with no defined authority to act. At the local level, shadow AI adoption accelerates into the governance-to-architecture gap that documentation-only state frameworks create downstream.
“The documentation layer is present, but the confidence layer does not follow from it.”
Introduces the intervention-point gap as the structural mechanism connecting governance documentation to governance failure across all three tiers. Presents three specific investments required to close it for state CIOs. Recommends NIST AI RMF 1.0 as an operational baseline for local agencies whose governance cannot depend on consistent state or federal signal. Includes a five-question practitioner diagnostic covering framework independence, inventory currency, oversight role authority, citizen-facing AI policy adequacy, and the assistive-to-agentic governance distinction. Previews GIAG Working Paper 3 (Mandate Translation, releasing June 2026), which extends the mandate-to-implementation argument in full.
NASCIO Paradox
Federal Signal Uncertainty
Documentation Layer
Intervention-Point Gap
CPO Authority
Inventory Currency
Reviewer Authority
Shadow AI
Subnational Governance
SBA AI Accountability
Scope Monitoring
NIST AI RMF
WP-3 Preview
Stream One
Stream Two
Issue 7
The Intervention Point Problem: Where Oversight Must Sit in Government Agentic AI
Government AI in Practice — May 20, 2026
Addresses the central governance failure in agentic AI deployments: oversight positioned at the wrong point in the process. Every agency deploying AI has adopted one of two models by default — authorization-plus-audit at the edges, or human review gates at consequential decision nodes inside the process chain. Stream Two empirical findings indicate more than half of agencies are using the first model. Most have governance documents that describe the second. Documents four cases of scope drift across federal and state deployments — CBP’s Automated Targeting System, TSA’s facial recognition program, the Arkansas Medicaid care algorithm, and VA claims processing AI — in each of which authorized scope and actual operating scope diverged without oversight tracking the expansion.
“A reviewer looking at a summary of outputs from a system they cannot observe in operation is not performing oversight. They are performing sign-off.”
Also introduces the GIAG Agentic AI Assessment Tool, a working prototype that operationalizes the five-criterion framework from Working Paper Two. Any agentic AI task entered in plain language returns a structured Governance Assessment Card with criterion scores, rationale, and an intervention level recommendation from Autonomous to Human Only. Presents three structural requirements for oversight that functions as a genuine control: intervention points at decision nodes, operationally defined scope actively monitored, and reviewers equipped for the actual cognitive task. Includes a five-question practitioner diagnostic and three annotated process diagrams. Companion research note provides full citations for all four documented scope drift cases.
Intervention Point Architecture
Scope Drift
Agentic AI
Human Oversight
Authorization-Only Model
Operational Monitoring
Assessment Tool
Five Characteristics
CBP ATS
TSA Facial Recognition
Medicaid Algorithm
VA Claims AI
NIST AI RMF
Stream Two
WP-2
Issue 6
The CAO in Practice: Authority, Designation, and the Governance Gap
Government AI in Practice — May 12, 2026
M-25-21 required federal agencies to designate a Chief AI Officer. Most did. This issue examines the gap between designation and authority: what the directive actually specifies, what it leaves to agency discretion, and what happens when a named compliance role is given no operational decision rights. The FISMA ISSO analogy frames the structural problem. The NASCIO state CIO model illustrates what defined decision rights look like in practice. The GAO-FITARA record documents how long the authority gap persisted after the federal CIO designation was established. A review of public CAO job postings confirms where agencies have drawn the line as an organizational design choice, not a regulatory requirement.
“A CAO who can require documentation but cannot delay a deployment is an ISSO with an AI-specific title. The compliance record cannot tell them apart.”
Presents the Stream One Pattern 2 update: no practitioner interviewed to date has described a case in which the CAO delayed or modified a deployment over program office objection. Includes an authority structure comparison table mapping the CAO against the federal CIO (post-FITARA) across five governance dimensions, and a three-question practitioner diagnostic for government IT leaders assessing their own CAO authority structure. Connects to Stream Two: a CAO without operational decision rights cannot exercise the intervention authority the five-characteristic framework identifies as structurally required for high-stakes agentic deployments.
M-25-21
Chief AI Officer
CAO Authority
ISSO Analogy
NASCIO
Decision Rights
FITARA
Deployment Authority
Identical Score Problem
Stream One
Agentic AI
Issue 5
The Morning After: What M-25-21 Compliance Actually Looked Like
Government AI in Practice — May 6, 2026
The April 3 OMB M-25-21 compliance deadline passed and some 400 agencies filed. This issue asks the question the compliance record cannot answer: whether any of it changed a single AI deployment decision. Examines the structural measurement failure at the center of federal AI governance policy, the FISMA parallel, and what a measurement standard built for governance outcomes rather than activity completion would require.
“Every agency that filed looks identical in the compliance record. Governance programs that changed deployment decisions and programs that changed nothing are indistinguishable in the official record. That indistinguishability is a structural feature of how the framework was designed.”
Introduces the Identical Score Problem and the Agency A/Agency B diagnostic framework. Presents early Stream One findings on four governance patterns observed across agency intake conversations. Delivers a side-by-side EU AI Act vs. NIST AI RMF comparison with direct implications for government and multinational commercial CIOs. Includes a Goal-Question-Metric framework applied to AI governance outcomes, and a practitioner self-assessment diagnostic of three questions.
M-25-21
Implementation Fidelity
Measurement Design
Identical Score Problem
FISMA Pattern
NIST AI RMF
EU AI Act
Chief AI Officers
Governance Outcomes
GQM
Stream One
Issue 4
When AI Starts Acting: The Governance Architecture Problem
Government AI in Practice — April 28, 2026
Addresses the structural shift from advisory AI to agentic AI and what it demands of government oversight programs. When systems act rather than recommend, the governance architecture built for the previous generation becomes a liability. Most agencies have not redesigned it. This issue documents the gap and frames what redesign requires.
“The governance structures agencies built for AI recommendation systems are architecturally mismatched to AI action systems. That mismatch is where oversight fails.”
Introduces the GIAG five-characteristic diagnostic framework for distinguishing nominal oversight from substantive oversight, presents early Stream Two research findings on how agencies are managing agentic deployments in practice, and delivers a side-by-side comparison of EU AI Act and NIST AI RMF obligations with direct implications for US government practitioners. Incorporates WSJ reporting (April 24) on the federal-state regulatory tension as context for the practitioner accountability gap.
Agentic AI
Governance Architecture
Human Oversight
EU AI Act
NIST AI RMF
Five Characteristics
Oversight Officers
Federal-State Regulation
WP-2
Issue 3
Human Oversight Quality in Agentic AI: From Checklist to Judgment
Government AI in Practice — April 16, 2026
The centerpiece issue for GIAG Stream Two. Translates the findings of Working Paper WP-2 for government practitioners and CIO audiences, framing the human oversight quality problem as a deployment-level concern that risk registers and compliance frameworks do not currently address.
“Nominal oversight — human review that exists on paper but provides no genuine control — is more dangerous than its absence, because it creates documented accountability that is not backed by actual human judgment.”
Examines the five decision characteristics that require mandatory human intervention in agentic deployments, the reviewer quality problem, and what distinguishing genuine oversight from rubber-stamp compliance means operationally for government IT leaders.
Agentic AI
Human Oversight
Decision-Level Governance
OMB M-24-10
Reviewer Quality
Chief AI Officers
WP-2
Issue 2
When Policy Moves Faster Than Organizations Can Learn
Government AI in Practice — Late March 2026
Analysis of OMB Memoranda M-25-21 and M-25-22 as the high-impact AI documentation deadline arrives. Addresses the fidelity gap between compliance documentation and operational governance capability — and why the most dangerous position is checkbox compliance, not non-compliance.
“Compliance documentation and operational governance are measuring different things. Almost no one is tracking the distance between them.”
Also covers: what M-25-21 actually requires vs. what the 365-day deadline measures; the state agency dimension; the likely near-term trajectory of federal AI governance; and a research update on active GIAG interview streams.
M-25-21
M-25-22
Implementation Fidelity
Federal Compliance
State CIOs
Chief AI Officers
Agentic AI
Issue 1
What We Don’t Know About NIST AI RMF in Practice
Government AI in Practice — March 2026
Inaugural issue. Frames three empirical questions the published literature cannot currently answer about NIST AI RMF implementation: how governance varies across agency types, what separates durable governance from audit-cycle compliance, and what meaningful oversight actually looks like when it is working.
“The RMF is the architecture. What works operationally looks more like a field manual.”
Introduces the GIAG research agenda, reports early signals from practitioner conversations, and covers what to watch in state legislative activity and the pilot-to-production gap.
NIST AI RMF
Federal Agencies
Human Oversight
NASCIO
Research Agenda
Pilot-to-Production
Don’t miss an issue
Get new issues delivered to your inbox as soon as they publish.
Research Articles
4 Articles
Short-form analytical pieces on specific government IT and AI governance questions, distributed through professional networks. Each develops a focused argument grounded in the same measurement discipline as the longer GIAG working papers.
Research Article
Three Jurisdictions, Three Models: What Global AI Governance Means for US Government Leaders
June 12, 2026
US agencies evaluating AI vendor compliance claims without understanding which external governance requirements apply to that vendor are evaluating an incomplete picture. A vendor subject to EU AI Act high-risk obligations has undergone independent conformity assessment against binding technical standards. A vendor operating under China’s CAC generative AI registration regime has completed government-reviewed security assessments and is subject to active administrative enforcement. A vendor operating exclusively under voluntary US frameworks has self-attested. These are not equivalent compliance postures, and no current US instrument requires agencies to distinguish between them.
“The verification asymmetry across the three models creates a procurement evaluation gap that the proposed Great American Artificial Intelligence Act will not resolve alone, even if the bill passes in its current form.”
Examines the EU AI Act, China’s CAC enforcement regime, and the current US federal posture across six governance dimensions. Presents a structured three-jurisdiction comparison table covering legal authority, risk classification, pre-deployment requirements, enforcement body, maximum financial penalty, and verification model. Includes a procurement scenario mapping three vendor compliance postures against the evaluation gap, and five diagnostic questions CIOs and CAIOs can apply immediately without waiting for new policy authority.
EU AI Act
China CAC
GAAIA
ISO/IEC 42001
Procurement Governance
Verification Asymmetry
Vendor Compliance
Jurisdictional Analysis
CAISI
Six Governance Dimensions
CIO
CAIO
Federal Procurement
State Agencies
GIAG Series Article 2
Research Article
The Federal AI Governance Stack: What the GAAIA, the AI Action Plan, and CISA’s Forthcoming Directive Mean Together
June 11, 2026
Federal agencies now face simultaneous compliance demands from three instruments operating on independent timelines: America’s AI Action Plan (July 2025), the draft Great American Artificial Intelligence Act (introduced June 2026), and a forthcoming CISA binding operational directive on AI and cybersecurity. Each instrument is consequential individually. Together they create a governance requirement set whose interactions are not addressed by any of the three documents, and whose combined effect on agency planning is materially different from what any single instrument would produce alone.
“CISA’s forthcoming BOD operates through existing regulatory authority and does not require Congressional action. It will create binding obligations for federal civilian agencies on its own timeline, regardless of the GAAIA’s legislative trajectory.”
The article identifies six specific open questions that remain unresolved across the three instruments, assesses the organizational risk each question creates for CIOs, CAIOs, CISOs, CDOs, CTOs, and program managers, and provides a sequenced 120-day action framework calibrated to enforcement certainty: CISA BOD and IG oversight obligations are certain now; GAAIA enforcement is contingent. Grounded in GIAG Stream One research on NIST AI RMF implementation fidelity and Stream Two research on human oversight quality in agentic AI deployments.
GAAIA
AI Action Plan
CISA BOD
NIST AI RMF
CAISI
CAIO Authority
Agentic AI
Federal Governance
State Preemption
120-Day Framework
Stream One
Stream Two
Research Article
Your AI Governance Framework Won’t Save You. Your Contract Might.
March 23, 2026
The Pentagon–Anthropic–OpenAI sequence of late February and early March 2026 as a live case study in AI governance architecture. The dispute was not resolved by NIST RMF compliance, OMB memoranda, or any risk management documentation. It was resolved by contract language.
“The operational governance that actually constrains AI behavior in deployment does not live in policy frameworks. It lives in contract terms, technical configurations, and vendor relationships.”
Examines the supply chain risk designation as a governance architecture story, and draws the implication for every CIO whose AI contract language has not received the same scrutiny as their risk documentation.
Procurement
M-25-22
Contract Governance
Vendor Risk
Supply Chain
CIO Decision-Making
Research Article
The AI Threshold Problem Government IT Can’t Measure
February 6, 2026
Government IT leaders face competing mandates to modernize with AI while maintaining digital sovereignty. The problem is not lack of metrics — agencies are accumulating AI KPIs — but that measurement frameworks built for earlier technology generations cannot price what sovereignty actually costs.
“At what threshold does AI process automation become mission-critical enough to require sovereign controls? You can’t measure jurisdictional control in the same framework you use to measure server utilization.”
Develops the threshold question that matters for state CIO investment decisions and argues for measurement frameworks built around decision logic rather than activity metrics.
AI Thresholds
Digital Sovereignty
Measurement
State CIOs
ROI Frameworks
Mission-Critical AI
The GIAG Research Series documents the theoretical and empirical foundations of the initiative’s research streams. Working papers develop the core arguments. Technical methods papers document the measurement approaches applied. These are the reference documents underlying the newsletter analysis and practitioner articles.
Working Paper • WP-2
When Humans Must Intervene: A Decision-Grounded Framework for Human Oversight in Government and Commercial Agentic AI Deployments
GIAG Research Series — April 2026 · Stream Two: Human Oversight Quality
Establishes a decision-level standard for mandatory human intervention in agentic AI deployments — one that operates independently of system risk classification. Identifies five decision characteristics that consistently require a human in the execution chain before action proceeds: irreversibility, consequence transfer, distributional novelty, value conflict, and legal or regulatory significance. Any one criterion is sufficient to trigger mandatory review.
“Nominal oversight — human review that exists on paper but provides no genuine control — is more dangerous than its absence, because it creates documented accountability that is not backed by actual human judgment.”
Provides a five-phase implementation framework for building durable intervention architecture in government and commercial settings, with direct attention to the reviewer quality problem: the gap between oversight presence and oversight substance. Proposes measurement criteria for distinguishing genuine human control from rubber-stamp compliance. Designed to be operationally deployable at the decision-type level without changes to existing AI system architecture.
Agentic AI
Human Oversight
Decision-Level Governance
Irreversibility
Consequence Transfer
Distributional Novelty
NIST AI RMF
OMB M-24-10
EU AI Act
Reviewer Quality
Implementation Framework
Working Paper • WP-1
Implementation Fidelity: Why AI RMF Adoption Metrics Are Measuring the Wrong Thing
GIAG Research Series — March 2026
Defines implementation fidelity as the degree to which a governance framework changes actual decision behavior — and distinguishes it from documentation compliance, adoption rates, and reporting scores, which current practice conflates with it.
“Current AI RMF adoption metrics count governance documentation activity. They measure the governance equivalent of lines of code: technically precise, functionally uninformative about what the governance system delivers.”
Draws on the software measurement community’s resolution of the lines-of-code problem to argue that the same conceptual move is required in AI governance. Develops the measurement framework for GIAG Stream One and introduces three concepts that current practice incorrectly treats as proxies for implementation fidelity.
NIST AI RMF
Implementation Fidelity
Governance Metrics
Measurement Frameworks
Function Points
Capers Jones
M-25-21
Technical Methods • D-1
Functional Sizing as a Foundation for AI Governance Measurement
GIAG Research Series — March 2026 · Applying Function Point Analysis and COSMIC to AI System Scope and Complexity
Documents the application of Function Point Analysis and the COSMIC functional size measurement method to the problem of AI system scope characterization. Argues that governance frameworks built on adoption metrics fail at the same structural level that pre-FPA software metrics failed.
“Adoption rates, documentation scores, and compliance checklists in AI governance represent the same category of failure as lines-of-code metrics. They describe activity at the implementation layer without reaching the functional layer where governance either works or does not work.”
Applies Albrecht’s FPA methodology — validated by Capers Jones at Software Productivity Research across 250+ enterprise assessments — to AI system scope characterization, then develops COSMIC-based extensions for the internal computational behavior that FPA alone does not address.
Function Point Analysis
COSMIC
Software Measurement
AI Scope
Governance Metrics
IFPUG
SPR
Citation and use. Working papers and technical methods documents are copyright ThinkCapital LLC. They may be cited and shared for non-commercial research and professional purposes with attribution. Suggested format: Bragen, M. (2026). [Title]. ThinkCapital GIAG Research Series. ThinkCapital LLC. thinkcapital.org/publications.html — For other uses, contact via the Engage page.
Monthly compiled archives of short-form posts from the Government AI in Practice Substack and LinkedIn commentary stream. Each archive collects the prior month’s posts in a single PDF — typically 15–30 entries per month. Longer pieces and newsletter issues are cataloged separately above.
Substack & LinkedIn Posts — May 2026
Government AI in Practice — Compiled May 2026 · 19 posts · Substack and LinkedIn
Monthly compilation of short-form commentary from the Government AI in Practice Substack and LinkedIn streams. This archive covers Issues 5 through 8, spanning the M-25-21 post-compliance analysis, the CAO authority gap and FITARA precedent, the intervention point problem in agentic AI oversight, and the NASCIO paradox in state governance. 19 posts across four newsletter weeks, including LinkedIn post series and newsletter article excerpts.