As artificial intelligence reshapes the public sector landscape, government organizations must navigate between extraordinary possibilities and serious security risks. The ways the public sector implements AI today will set the stage for future technological progress.
Software development stands at the center of this transformation. As government departments embrace AI's game-changing capabilities, they're discovering that it creates code much faster than existing security systems can review it. This speed creates a massive expansion in potential attack points across federal networks.
The cybersecurity challenge for government
Recent research reveals the magnitude of security challenges confronting federal agencies. GitLab's 2025 executive research report, “The Economics of Software Innovation: $750B+ Opportunity at a Crossroads,” found that 85% of senior leaders believe AI will bring unprecedented security risks, with 52% naming cybersecurity threats as their top concern.
The threat landscape is growing at a concerning pace. Security experts predict that researchers and organizations will identify nearly 50,000 new common vulnerabilities and exposures (CVEs) this year. AI systems create more code and add dependencies across government networks, causing these security gaps to multiply rapidly.
Outdated systems and code throughout government operations exacerbate the problem. Federal technology infrastructure depends heavily on aging frameworks and programming languages that lack modern security features. These older systems often can't work with current security scanning tools, creating dangerous gaps that criminals can target.
Perhaps most concerning for national security is the shrinking window between vulnerability disclosure and exploitation. Current data shows that hackers exploit more than 28% of security flaws within 24 hours of disclosure. Federal agencies can't continue using slow, traditional response methods.
Strengthening government software supply chains
Federal agencies face challenges that go beyond standard cybersecurity to include software supply chain protection. When AI generates code across multiple storage locations at once, basic questions about what systems exist, how they work, and where risks concentrate become much harder to answer.
This visibility problem requires a comprehensive approach that progresses from discovery to monitoring to response. To maintain clear visibility across software supply chains, agencies should implement:
- Complete asset tracking: Government departments must keep detailed records of all software components, including a comprehensive software bill of materials (SBOM) that shows exactly which third-party and open-source components they use.
- Agency-wide risk assessment: Security can't stay isolated within single programs or offices. Teams need shared dashboards to understand what's protected, find missing coverage, and respond quickly, especially with AI speeding up development across entire agencies.
- Ongoing threat surveillance: Continuous security scanning fills critical holes by automatically monitoring code repositories and checking existing SBOMs against newly published CVEs. This approach proves especially valuable in AI-accelerated environments, where automatic code creation can build large codebases that teams might neglect later.
- Targeted problem-solving: Code that gets pulled in automatically from other libraries often makes up most of an application's total code. When security flaws appear in complicated dependency chains, teams can't see how vulnerable packages were introduced through multiple layers. Dependency tracking shows the complete path from main dependencies to flawed packages, helping teams quickly find the right solutions.
These supply chain security steps provide important visibility and control, but they're only part of the answer. The biggest challenge for federal agencies remains scaling these security practices to match the velocity of AI-driven development while also addressing vulnerabilities inherited from decades of legacy systems.
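The SBOM-versus-advisory check and the dependency path tracing described in the steps above can be sketched as follows. This is an added example, not code from the article or from any GitLab product; the field names follow the CycloneDX JSON layout (`bom-ref`, `dependsOn`), while the package names, versions and advisory IDs are constructed placeholders, and versions are assumed to be dotted numbers.

```python
from collections import deque

# Constructed sample data: a minimal CycloneDX-style SBOM, not a real project.
SBOM = {
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [
        {"bom-ref": "web-fw", "name": "web-fw", "version": "4.2.0"},
        {"bom-ref": "tmpl", "name": "tmpl-engine", "version": "2.1.0"},
        {"bom-ref": "yaml", "name": "yaml-parse", "version": "1.3.1"},
        {"bom-ref": "log", "name": "log-lib", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-fw", "log"]},
        {"ref": "web-fw", "dependsOn": ["tmpl"]},
        {"ref": "tmpl", "dependsOn": ["yaml"]},
    ],
}
# Constructed advisory feed; the IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "name": "yaml-parse", "fixed_in": "1.4.0"},
    {"id": "EXAMPLE-ADVISORY-2", "name": "log-lib", "fixed_in": "0.8.0"},
]

def vtuple(version):
    return tuple(int(p) for p in version.split("."))  # "1.3.1" -> (1, 3, 1)

def dependency_path(sbom, target_ref):
    """Breadth-first search from the root component to target_ref."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:  # guards against dependency cycles
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # not reachable from the root component

def scan(sbom, advisories):
    """Return (advisory id, name, version, path) for each affected component."""
    return [
        (adv["id"], comp["name"], comp["version"], dependency_path(sbom, comp["bom-ref"]))
        for comp in sbom["components"] for adv in advisories
        if comp["name"] == adv["name"]
        and vtuple(comp["version"]) < vtuple(adv["fixed_in"])
    ]
```

Re-running `scan` whenever the advisory feed changes, without rebuilding the application, is what lets an existing SBOM surface a newly published flaw in code nobody has touched recently; the returned path names the direct dependency to upgrade.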
Secure governance for AI-powered development
Federal agencies must modernize legacy codebases while building governance frameworks that can scale with AI-driven development cycles. Traditional security governance relies on manual checking and periodic reviews that can't address either challenge. This situation requires proactive, platform-embedded governance that can address both legacy vulnerabilities and AI-accelerated development.
To ensure comprehensive protection, the core principles of secure AI development must extend across the entire software development lifecycle. These platform-native controls ensure security governance scales automatically with development speed, enabling federal agencies to build faster with AI without sacrificing enterprise security needs.
For agencies managing sensitive national security data, these governance frameworks must work entirely within agency-controlled environments, whether in classified facilities, private clouds, or highly regulated spaces. This approach allows agencies to use AI-powered development tools while maintaining complete control over their data.
By building these governance principles directly into their development platforms, federal agencies can ensure security scales automatically with AI-accelerated development, removing the traditional trade-off between speed and security.
Leading through secure innovation
Federal agencies face a critical decision point. Moving forward requires secure, compliant systems that enable organizations to harness AI's complete potential.
With 94% of organizations seeing return on investment from AI within two years, there's no time to delay. By creating secure and ethical AI deployments, government agencies can set standards and gain a lasting competitive advantage. The future of technological leadership, in both public and private sectors, depends on successfully finding this balance.
Key takeaways
- Federal agencies face expanding cyber threats as AI accelerates code development faster than traditional security frameworks can handle.
- Legacy government systems create security blind spots that multiply exponentially when combined with AI-generated code dependencies.
- Successful AI adoption requires platform-embedded governance that scales automatically with development velocity while maintaining security.