Artificial intelligence is no longer an experimental feature in federal procurement. It is rapidly becoming essential digital infrastructure used to analyze data, support decision‑making, automate workflows, and power mission‑critical systems across civilian agencies (non-military federal agencies such as the DHS, HHS, and Treasury) to analyze data, support decision-making, and automate workflows.

Against that backdrop, the General Services Administration (GSA) has issued for public comment a proposed GSAR deviation clause, GSAR 552.239‑7001, “Basic Safeguarding of Artificial Intelligence Systems” (the “Proposed AI Clause”). If finalized, the Proposed AI Clause would apply broadly to GSA solicitations and contracts involving “artificial intelligence capabilities” and would impose a comprehensive framework governing data rights, system transparency, data handling, and performance oversight (While AI is also widely used in the defense context, the Proposed AI Clause is limited to the civilian acquisition system, which is governed by the Federal Acquisition Regulation (FAR) and agency-specific supplements such as the GSAR.)

For companies that develop, license, integrate, or rely on AI systems in federal programs, this is not merely another cybersecurity clause. It would extend, and in some respects recalibrate, long-standing government contracts principles in ways that could materially affect:

• Data ownership and monetization models
• Proposal and pricing strategies
• Use of subcontractors and cloud/AI vendors
• Compliance risk allocation

If finalized, the Proposed AI Clause would apply broadly to GSA solicitations and contracts involving “artificial intelligence capabilities” and would impose a comprehensive, government‑wide framework governing data rights, AI system transparency, data handling, and performance oversight.

Overview

The Proposed AI Clause is best understood as an effort to translate familiar federal priorities — data ownership, security, sovereignty, and accountability — into the AI context. However, it does so using expansive definitions and operational mandates that appear to reach beyond traditional FAR data-rights constructs.

At a high level, the Proposed AI Clause would:

• Extend government ownership concepts to AI inputs, outputs, and derivative data
• Prohibit use of government data for model training or enhancement outside the contract
• Require controlled (“eyes-off”) data access frameworks
• Impose data segregation, localization, and deletion obligations
• Mandate detailed AI system disclosures and documentation
• Restrict use to “American AI Systems”
• Authorize government benchmarking and enforcement based on bias or performance concerns

While many of these requirements reflect legitimate government concerns, their breadth and ambiguity raise significant implementation questions for businesses.

Scope and Applicability: Who Is Covered?

One of the most significant open issues is the Proposed AI Clause’s scope. The Proposed AI Clause applies to contracts involving “artificial intelligence capabilities,” a term that is notably undefined. As a result, the clause could reasonably be interpreted to cover:

• Contractors providing AI systems directly
• Contractors using AI tools in performance, even if AI is incidental
• Third-party AI service providers, even without contractual privity with the government

This would be a significant expansion beyond traditional government contract parameters, which typically have regulated deliverables rather than tools used in performance.

The clause also places primary compliance responsibility on the prime contractor, effectively requiring primes to flow down obligations to vendors and technology providers that may not be accustomed to these kinds of federal compliance regimes.

This creates substantial interpretive risk, particularly for:

• Commercial SaaS platforms with embedded AI
• Productivity and analytics tools
• Cybersecurity and monitoring solutions

Key Provisions Explained

1. Government Data Ownership and Custom Developments

One of the most consequential features of the Proposed AI Clause is its treatment of data and intellectual property. The Proposed AI Clause builds on existing federal data-rights principles but extends them significantly in scope.

What Is “Government Data”?

“Government Data” is defined to include:

• Inputs: prompts, queries, uploaded data, documents
• Outputs: AI-generated responses, analyses, reports
• Metadata and logs
• Derivative or anonymized data

This definition is intentionally expansive and appears designed to capture the entire lifecycle of AI interaction, not just traditional deliverables. Unlike existing FAR clauses, which distinguish between technical data and software, this formulation collapses those distinctions and asserts government ownership over interaction-level data.

Is This New?

Conceptually, the Proposed AI Clause’s definition of government data is not new. The government has long required broad rights in data generated under its contracts. Operationally, however, the definition of government data represents a significant expansion because it:

• Reaches ephemeral data (prompts and outputs)
• Captures derivative and anonymized forms
• Applies in real time, not just to delivered work products

Custom Developments

The government also claims ownership of “Custom Developments,” including:

• Model configurations
• Fine-tuning outputs
• Enhancements created for the contract

This raises a critical practical issue. Contractors risk unintentionally transferring valuable IP (such as tuned models or configurations) unless they carefully segregate baseline systems from contract-specific adaptations.

2. License‑Back and Prohibited Uses of Government Data

Consistent with government‑ownership principles, contractors receive only a limited, revocable license to use Government Data:

• Solely to perform the contract
• For system support and maintenance
• For other uses expressly authorized by the contracting officer

The Proposed AI Clause expressly prohibits using Government Data for:

• Model training or fine-tuning (internal or third-party)
• Product development for other customers
• Commercial analytics or monetization
• Retention beyond contract scope

This is a significant departure from commercial AI norms, where continuous model improvement is foundational.

3. “Eyes‑Off” Data Handling: What Does It Actually Mean?

The Proposed AI Clause does not prohibit all human interaction with Government Data, nor does it require AI systems to operate without human intervention. Rather, the “eyes-off” data handling restriction limits discretionary or ad hoc access to Government Data.

Permitted Access Includes:

• Incident response
• Debugging and system maintenance
• Cybersecurity investigations
• Required audits
• Government-requested support

Prohibited or Restricted Access:

• Casual browsing of data
• Exploratory or convenience-based review
• Use outside defined, auditable roles

The key distinction is whether the access is purpose-limited, role-restricted, and auditable, rather than optional or exploratory.

4. Data Segregation, Localization, and Deletion

The Proposed AI Clause requires logical segregation of Government Data, limits storage and access to approved locations, and mandates secure deletion and written certification upon contract end, requirements that may necessitate significant architectural changes for many providers. Some of these requirements resemble existing FAR obligations. Indeed, these concepts are not entirely new — they echo:

• FedRAMP and cloud security frameworks
• Controlled Unclassified Information (CUI) handling
• Data segregation requirements in multi-tenant systems

However, the Proposed AI Clause differs in that it:

• Applies these requirements specifically to AI interaction data
• May require architectural redesign of commercial AI platforms
• Incorporates certification and deletion mandates tied to model data flows, not just stored data

Thus, this is best understood as an extension of existing principles into AI system design, rather than a wholly new framework.

5. Disclosure, Documentation, and Incident Reporting

Contractors must disclose the AI systems used in performance within thirty days of award, identify non‑U.S. regulatory configurations, maintain documentation aligned with the NIST AI Risk Management Framework, support government AI impact assessments, and report incidents involving Government Data within seventy-two hours through the Cybersecurity and Infrastructure Security Agency with daily updates until resolution.

6. Bias and Government Oversight

The Proposed AI Clause establishes “Unbiased AI Principles” requiring AI systems to be truthful, neutral, and non‑partisan. The government may conduct automated benchmarking using undisclosed methodologies and may suspend use or terminate for cause, potentially imposing decommissioning costs on the contractor. AI bias is a particular focus of Department of Justice’s interest right now. Look for a separate blog addressing this issue soon.

Practical Takeaways for Contractors

The Proposed AI Clause signals that AI governance is becoming a contractual obligation, not an aspirational policy. Contractors should:

• Map Data and IP Flows Early – Identify:
  • What constitutes Government Data
  • Where it resides
  • How it interacts with proprietary systems
• Segregate Systems Thoughtfully
  • Ensure clear separation between:
    • Baseline models
    • Customer-specific configurations
    • Training datasets
• Re-evaluate Vendor Relationships — Flow-down obligations may affect:
  • Cloud providers
  • AI vendors
  • SaaS platforms
• Align Contracts with Operations
  • As always, practice must match paper. Government-facing representations about AI systems must be operationally accurate.
• Price for Compliance
  • The architectural, governance, and monitoring requirements will carry real cost

Bean, Kinney & Korman’s business contracts and employment law practice groups work proactively with employers of all sizes, in Virginia, Maryland, and the District of Columbia, and can help your business strengthen its federal contract and grants compliance efforts and to meet the compliance challenges of all federal, state, and local anti-discrimination laws. For more information or assistance, please feel free to reach out to Timothy Hughes at (703) 526-5592, thughes@beankinney.com, or Doug Taylor at (703) 526-5586, rdougtaylor@beankinney.com. 

This article is for informational purposes only and does not contain or convey legal advice. Consult an attorney. Any views or opinions expressed herein are those of the author and are not necessarily the views of the firm or any client of the firm.