Ask a federal leadership team where the controls on their AI systems live and most will point at the model — its guardrails, its evaluation scores, its responsible-AI documentation. Those controls matter. But they are not where the consequential decisions get enforced. What an AI system can actually do to a federal mission — which records it can read, which systems it can write to, which actions it can take on a citizen's case — is governed not by the model but by the identity and access layer underneath it. That layer is quietly becoming the real control plane for federal AI, and most agencies are governing it as an afterthought.
Where the control actually lives
A model is a reasoning engine. On its own it cannot touch a single federal system. It becomes consequential only when it is wired to data and to actions — when it can retrieve from a records store, query a case-management system, or trigger a workflow. Every one of those connections is an access decision. And access decisions are not made by the model; they are made by the identity and access infrastructure that grants or denies the request.
This reframes the governance question. The familiar debate — is the model safe? — is necessary but insufficient. The more operationally decisive question is: what can this AI system reach, and what can it do with what it reaches? A perfectly evaluated model wired to over-broad access is a more dangerous system than a mediocre model on a tightly scoped least-privilege footprint. The access layer dominates the risk.
"A model can only do what its access lets it do. The agency that governs the model but not the access has governed the part that reasons and left the part that acts unguarded."
From network perimeter to permission boundary
For two decades, federal security treated the network perimeter as the primary control. Zero trust began the shift toward identity as the control point.[1] AI completes it. When the actor is an AI system whose behavior is emergent rather than specified, there is no meaningful perimeter to defend — the system is inside the environment by design, reaching for data and actions across it. The only place to enforce control is at the permission boundary: the moment the system requests access to a specific resource for a specific purpose.
That moment is where governance becomes enforceable rather than aspirational. A responsible-AI policy that says 'the system shall not access records outside its mission scope' is a sentence in a document. The same policy enforced as an access rule — the system's credential is scoped so it physically cannot reach those records — is a control. The difference between a policy and a control is the access layer, and federal AI programs that confuse the two are running on stated intentions rather than enforced boundaries.
The link between retrieval quality and access
There is a second reason identity and access is the control plane, and it is one most AI conversations miss entirely: access scoping is what makes retrieval both safe and accurate. A federal AI system that retrieves from a records store to ground its answers can only be as trustworthy as the access boundary around that retrieval.
- Over-broad retrieval leaks. If the system can retrieve from records the user is not entitled to see, the model will faithfully surface information that should have been withheld. The access boundary is the privacy control, and there is no model-side fix for an access-side failure.
- Under-scoped retrieval hallucinates. If the system cannot reach the records it needs, it fills the gap with plausible invention. Retrieval quality and access scope are the same problem viewed from two sides.
- Entitlement-aware retrieval is the goal. The system should retrieve exactly what the requesting user is entitled to — no more, no less — which means the access layer has to understand the user's entitlements and propagate them into every retrieval the AI performs on that user's behalf.
This is the seam where retrieval, records governance, and identity meet. Get it right and the AI is both safe and grounded. Get it wrong on either side and the system either leaks or invents. The control that prevents both failures is access, not the model.
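The sketch below is an added example, not code from any agency system or product. It shows entitlement-aware retrieval as a filter applied before prompt assembly, with an explicit signal for the under-scoped case. The record labels, store contents and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record_id: str
    labels: frozenset  # every label here is required to read the record
    text: str

# Constructed sample store; labels and contents are illustrative only.
STORE = [
    Record("R-1", frozenset({"benefits"}), "Benefits claim status: pending review"),
    Record("R-2", frozenset({"benefits", "medical"}), "Benefits claim medical evidence"),
    Record("R-3", frozenset({"investigations"}), "Fraud investigation on benefits claim"),
]

def retrieve(query, agent_scope, user_entitlements, store=STORE):
    """Return (readable hits, count withheld) for one user's request."""
    # Effective access is the intersection: the AI identity's own scope caps
    # the request, and the requesting user's entitlements cap it again.
    allowed = frozenset(agent_scope) & frozenset(user_entitlements)
    hits, withheld = [], 0
    for rec in store:
        if query.lower() not in rec.text.lower():
            continue
        if rec.labels <= allowed:
            hits.append(rec)
        else:
            withheld += 1  # for the audit log only, never shown to the model
    return hits, withheld

def build_context(query, agent_scope, user_entitlements):
    """Filter before prompt assembly so withheld text never reaches the model."""
    hits, withheld = retrieve(query, agent_scope, user_entitlements)
    if not hits:
        # Under-scoped case: signal "no grounding" so the caller declines
        # to answer instead of letting the model fill the gap.
        return {"status": "no_grounding", "records": [], "withheld": withheld}
    return {"status": "grounded", "records": [r.record_id for r in hits],
            "withheld": withheld}
```

Passing the full label set as `user_entitlements` for every caller reproduces the over-broad failure: all three sample records come back regardless of who asked.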
Building the AI control plane
Treating identity and access as the AI control plane is a design posture, not a product. Several moves define agencies that are doing it deliberately.
- Scope every AI identity to mission, not convenience. Each AI system gets the narrowest access footprint its mission requires. The default is denial, and every grant is justified against a specific function.
- Propagate user entitlements into retrieval. When the AI acts on a user's behalf, it inherits that user's entitlements for the duration of the request, so it can never surface what the user could not have seen directly.
- Mediate action through a policy enforcement point. High-consequence actions route through a control point that applies policy, logs intent, and gives the agency one governed place to see and constrain what AI systems are doing.
- Log access as the audit trail of record. The access log — what the system reached, on whose behalf, for what purpose — becomes the primary evidence base for AI accountability, more useful in an audit than the model's internal reasoning.
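As an added illustration of the four moves above (not code from any agency or vendor), the following sketch puts a default-deny policy enforcement point in front of a write action and logs every decision. The identity names, grant table, `enforce` and `update_claim_status` are hypothetical, and the in-memory list stands in for an append-only log store.

```python
from datetime import datetime, timezone

# Constructed grant table: each AI identity lists only the (action, resource)
# pairs its mission needs. Anything absent is denied.
AI_GRANTS = {
    "claims-assistant": {("read", "claims"), ("update_status", "claims")},
}
# Constructed user entitlements, as an identity provider would supply them.
USER_ENTITLEMENTS = {
    "adjudicator.lee": {("read", "claims"), ("update_status", "claims")},
    "helpdesk.kim": {("read", "claims")},
}
AUDIT_LOG = []  # stand-in for an append-only log store

def enforce(ai_identity, on_behalf_of, action, resource, purpose):
    """Policy enforcement point: decide, log, and return the log entry."""
    request = (action, resource)
    if request not in AI_GRANTS.get(ai_identity, set()):
        decision, reason = "deny", "outside AI identity scope"
    elif request not in USER_ENTITLEMENTS.get(on_behalf_of, set()):
        decision, reason = "deny", "user not entitled"
    elif not purpose.strip():
        decision, reason = "deny", "no stated purpose"
    else:
        decision, reason = "allow", "within scope and entitlement"
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "ai_identity": ai_identity, "on_behalf_of": on_behalf_of,
        "action": action, "resource": resource, "purpose": purpose,
        "decision": decision, "reason": reason,
    }
    AUDIT_LOG.append(entry)  # denials are recorded as well as allows
    return entry

def update_claim_status(ai_identity, user, claim_id, new_status, purpose, claims):
    """Hypothetical tool the model calls; the write happens only after an allow."""
    entry = enforce(ai_identity, user, "update_status", "claims", purpose)
    if entry["decision"] != "allow":
        return False
    claims[claim_id] = new_status
    return True
```

The model never holds the write path itself: the tool wrapper is the only caller of the update, and it cannot proceed without an allow entry already in the log.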
The CIO's highest-leverage move
For a federal CIO deciding where to invest scarce governance attention, the access layer offers the most leverage. Model governance is necessary and the agency should do it — but it governs the part of the system that reasons. Access governance constrains the part that acts, and the part that acts is what reaches the mission. An agency that builds a disciplined identity-and-access control plane can deploy a wide range of AI systems on it safely, because the boundary holds regardless of which model sits on top. An agency that invests everything in model governance and leaves access loose has secured the engine and left the steering unguarded. The control plane is the durable asset. It is also the one most likely to be underfunded, because it is invisible until the day an audit asks what the AI could reach — and the agency cannot answer.[2]


