AI Disclosure in Federal Contracts: What GovCon Firms Should Prepare For
Key Takeaways
AI adoption has to move fast and stay controlled.
- Start With Mission Value: Prioritize use cases tied to measurable business, delivery, or mission outcomes.
- Protect the Data Boundary: Define what data AI tools can touch before selecting vendors or architectures.
- Keep Humans Accountable: Use AI to support workflows while retaining trained review and escalation paths.
- Document the Controls: Maintain inventories, testing evidence, monitoring plans, and risk decisions.
Artificial intelligence is becoming a normal part of how government contractors work. Teams are using AI to summarize documents, support proposals, draft internal content, review compliance requirements, triage data, automate help desk workflows, analyze program information, and improve back-office efficiency.
But in federal contracting, the fact that a tool is useful does not mean its use is invisible.
Government contractors should prepare for a future where AI use becomes more visible in solicitations, proposals, contract terms, security reviews, quality assurance surveillance, and post-award performance oversight. The question will not simply be, "Do you use AI?" The more important questions will be where AI is used, what contract work it supports, what data it touches, whether it affects deliverables or decisions, who approved it, how it is tested and controlled, and whether subcontractors use it too.
For GovCon firms serving DoD, Intelligence Community, and federal civilian customers, AI disclosure is quickly becoming a trust issue. Contractors that can explain their AI use clearly, accurately, and responsibly will be better positioned than contractors that wait until an RFP forces the conversation.
Why AI Disclosure Matters in Federal Contracting
In commercial business, AI use is often treated as an internal productivity decision. In federal contracting, AI can affect contract performance, data protection, cybersecurity boundaries, intellectual property rights, privacy, civil liberties, mission assurance, and customer confidence.
OMB Memorandum M-25-22 tells agencies to determine whether solicitations should include provisions requiring disclosure of AI use in contract performance, especially where vendors may use AI in situations the government does not anticipate. That language moves the issue beyond contracts where the government is deliberately buying an AI system. It also covers the practical reality that vendors may use AI while performing ordinary service, IT, advisory, engineering, administrative, or mission support contracts.
The same OMB guidance recognizes that not every contractor use of AI is in scope. It excludes AI used incidentally by a contractor during contract performance when AI is used at the contractor's option and is not directed or required to fulfill contract requirements. It also states that the memo does not apply to AI acquired for use as a component of a National Security System.
What AI Disclosure Means
AI disclosure is the process of telling the government when, where, and how AI is being used in connection with contract performance.
That does not always mean disclosing every employee productivity shortcut. A contractor using AI to clean up internal meeting notes for a non-sensitive company-only meeting is different from a contractor using AI to analyze government-furnished data, generate contract deliverables, summarize CUI, operate a chatbot for agency users, or support a mission decision workflow.
A strong AI disclosure should answer what AI system is being used, who provides or hosts it, what task it supports, whether it is required for performance, what data it processes, whether it touches restricted information, whether output becomes part of a contract deliverable, whether humans review the output, how performance is monitored, and whether subcontractors are using AI too.
The goal is not to overwhelm the government with irrelevant technical detail. The goal is to provide enough information for the customer to understand risk, approve appropriate use, and maintain confidence in contract performance.
AI Disclosure Is Not Just for AI Product Vendors
Many contractors think AI disclosure only matters if they are selling an AI platform. That is too narrow.
Disclosure may be relevant when a company is delivering an AI system, integrating AI into a government workflow, using AI to generate contract deliverables, applying AI to government data, using AI in a cloud environment, relying on AI-enabled subcontractors, or embedding AI into software provided to the government.
OMB M-25-22 directs agencies to test proposed AI systems or services where practicable, understand their capabilities and limitations, and use performance-based acquisition techniques that allow agencies to assess vendor claims before award and monitor performance after award.
That means contractors should expect AI-related questions to show up in technical proposals, oral presentations, product demonstrations, quality plans, data management plans, cybersecurity volumes, and post-award governance meetings.
The Emerging Direction: More AI Transparency
The direction of federal acquisition is clear: agencies want more visibility into AI use, not less.
GSA has circulated proposed Government AI System Terms and Conditions that would require contractors to disclose all AI systems used in contract performance to the ordering contracting officer within 30 days after award, unless requested earlier. The draft terms would also include expectations around human oversight, traceability, incident reporting, service provider change notification, and government evaluation rights. Because this is proposed language, contractors should treat it as a strong signal of where acquisition expectations may go, not as a universal final rule.
OMB M-26-04 also adds LLM-specific procurement expectations. When agencies procure large language models, they must obtain enough information from vendors to determine whether the LLM complies with applicable principles, while generally avoiding requests that force disclosure of sensitive technical data such as model weights.
For contractors, this points to a major preparation need: documentation.
What Agencies May Ask Contractors to Disclose
Federal customers may not all ask the same questions, but contractors should prepare for recurring themes.
AI system identity and ownership
Agencies may want to know the name of the AI tool, model, platform, API, service provider, cloud environment, reseller, integrator, and any third-party components involved. This is especially important when a contractor is not the original AI developer but is using a commercial model through an intermediary, platform, or software product.
Intended use case
Contractors should be able to describe the AI use case in plain English: public-source capture research, help desk triage before human assignment, first-draft internal status report language, retrieval-augmented search over approved internal documents, or AI embedded in software delivered to the agency.
Data categories
This is one of the most important disclosure areas. Contractors should identify whether the AI will touch public data, company proprietary data, Federal Contract Information, Controlled Unclassified Information, Covered Defense Information, PII, export-controlled information, law enforcement sensitive information, intelligence-related information, classified information, or customer-specific restricted data.
Government data and model training
Agencies will want confidence that government data is not being used improperly to train or improve public or commercial AI models. Contractors should be prepared to disclose vendor data retention, model training, human review, logging, deletion, and customer data segregation practices.
Human oversight
A strong AI disclosure should explain where humans remain accountable. This is especially important when AI output influences deliverables, recommendations, eligibility determinations, cybersecurity triage, program reporting, mission support, or customer-facing services.
Testing and monitoring
Agencies may ask how the AI was tested before use, how accuracy is measured, how hallucinations or errors are handled, how model changes are tracked, how outputs are validated, and how the contractor will monitor performance after deployment.
Subcontractor and service provider use
Prime contractors should expect more scrutiny of subcontractor AI use. If a subcontractor uses AI to support contract performance, the prime may need to know what tool is used, what data it touches, whether it affects deliverables, and whether subcontract terms restrict unapproved AI use.
When Contractors Should Assume AI Disclosure May Be Needed
Contractors should treat the following scenarios as AI disclosure triggers:
- AI is required to perform part of the statement of work.
- AI is embedded in a system, application, dashboard, chatbot, model, workflow, or deliverable provided to the government.
- AI processes, stores, transmits, summarizes, indexes, or generates output from government data.
- AI output is included in reports, recommendations, analysis, software, briefings, or other contract deliverables.
- AI supports cybersecurity, personnel, benefits, law enforcement, intelligence, healthcare, infrastructure, financial, or other high-impact workflows.
- AI touches FCI, CUI, Covered Defense Information, PII, export-controlled data, classified data, or other restricted information.
- AI is used by a subcontractor, consultant, or third-party service provider in support of the contract.
- The solicitation, task order, data rights clause, security plan, quality plan, or customer direction asks about AI use.
- The AI provider changes, the model changes materially, or new AI functionality is added during performance.
This does not mean every scenario requires the same level of detail. It means these are the situations where leadership, contracts, security, and program management should review whether disclosure is required or prudent.
A Practical AI Disclosure Framework
Contractors should create a standard AI disclosure template before the next RFP asks for it. The template should be simple enough to use quickly but complete enough to support contracting, security, legal, and technical review.
Capture contract number, customer, task order, tool name, vendor, model or platform, hosting environment, version, reseller, and service provider.
Describe data categories, storage, retention, model training, FedRAMP status, CMMC boundary considerations, access controls, human review, testing, and monitoring.
A complete template should also address subcontractor use and change management so the company can notify the customer if AI use materially changes after award.
Proposal Language Contractors Can Adapt
Below is sample language that can be adapted for proposals or internal review. It should be tailored by counsel, contracts, and security leadership before use.
GS Consulting uses AI-enabled tools only within approved workflows, approved accounts, and approved data boundaries. AI is not used to process, store, transmit, or generate output from FCI, CUI, Covered Defense Information, PII, classified information, export-controlled information, or other restricted customer data unless the tool, environment, contract terms, and security controls have been reviewed and approved for that specific use. AI-generated outputs used in contract performance are subject to human review, validation, and approval by accountable personnel.
For direct AI delivery, the proposed solution should describe the AI function, data categories, approved environment, restrictions on non-public government data, human oversight, performance testing, monitoring, logs, review cadence, and issue resolution process.
Common Mistakes to Avoid
The first mistake is assuming AI does not need disclosure because the contractor is not selling an AI product. If AI supports contract performance, affects deliverables, or touches government data, it may be relevant.
The second mistake is relying on "human review" as a blanket answer. Human review matters, but it does not eliminate the need for data controls, testing, documentation, or customer transparency.
The third mistake is failing to track shadow AI. If employees use unapproved AI tools with contract information, leadership may be unable to answer basic customer questions accurately.
The fourth mistake is forgetting subcontractors. Prime contractors should not learn after award that a subcontractor has been using an unapproved AI tool to process customer data or draft deliverables.
The fifth mistake is assuming FedRAMP status equals permission to use a tool for every contract and data type. Authorization materials support an agency's use decision, but they are not the same as an agency Authorization to Operate and do not eliminate agency-specific oversight.
The sixth mistake is failing to document AI use before the proposal. When the RFP asks for an AI disclosure, a contractor should not be starting from a blank page.
What GovCon Firms Should Build Now
To prepare for AI disclosure, contractors should build an internal AI readiness package. This should not be an academic exercise. It should be a practical set of documents and workflows that support proposal writing, contract compliance, security review, and customer conversations.
The package should include an AI use policy, approved tool list, prohibited use rules, AI inventory, data handling matrix, vendor review checklist, model and system documentation, human oversight procedures, testing and evaluation evidence, subcontractor AI questionnaire, contract disclosure template, incident response procedure, and change management process.
CMMC should also be considered where AI touches defense contract information. NIST SP 800-171 applies to components of nonfederal systems that process, store, or transmit CUI, or that protect those components. For cloud-based AI, FedRAMP considerations should be part of the review.
A 90-Day AI Disclosure Action Plan
Survey employees, review licenses, check browser extensions, examine proposal and program workflows, and restrict unapproved AI use with contract data.
Create an AI inventory, data handling matrix, approved tool list, vendor checklist, subcontractor attestation, and disclosure template.
Train employees, update subcontractor onboarding, add AI review to proposal kickoff, and run controlled pilots with documented value and risk.
By the end of 90 days, leadership should be able to answer five questions: Where are we using AI? What contract data does it touch? Which uses are approved? What would we disclose to the government? How do we know our subcontractors are following the same rules?
The Bottom Line
AI disclosure is not just a compliance burden. It is a competitive advantage.
Government customers want the benefits of AI, but they need contractors that understand risk, data boundaries, cybersecurity, documentation, accountability, and mission trust. Contractors that can clearly explain their AI use will be better prepared for solicitations, customer conversations, audits, and post-award performance reviews.
The firms that wait until an RFP asks about AI may find themselves scrambling to answer basic questions. The firms that prepare now will be able to say, with confidence, where AI is used, why it is used, how it is controlled, and how the customer's data and mission are protected.
GS Consulting helps DoD, IC, and federal contractors assess AI readiness, develop AI disclosure packages, build practical AI governance and cybersecurity policies, evaluate contract and data risk, prepare proposal language, and implement AI workflows that support growth without putting customer trust at risk.
Ready to prepare your company for AI disclosure requirements?
Contact GS Consulting for a GovCon AI Disclosure and Readiness Assessment.