VA inventory report reveals 367 AI systems operating in healthcare, benefits and services

TL;DR

The VA disclosed an internal inventory showing 367 AI systems operating across the agency, including 215 classified as high-impact systems. The inventory tracks governance requirements, impact assessments, and compliance measures, and signals a transparency initiative aligned with federal AI governance frameworks. This sets a precedent for how agencies will oversee and procure AI technologies and raises the bar for operational controls, testing, monitoring, training, and risk mitigation. Contractors supplying AI solutions to the VA must ensure their systems meet the documented requirements or face potential discontinuation. Expect increased scrutiny on system documentation, evidence of testing/monitoring, personnel training, and risk controls. Immediate action is required to inventory contracts, verify compliance artifacts, and prepare for potential re-certification or decommissioning requests.

Key Points

• What happened: The VA disclosed an inventory showing 367 AI systems in use, including 215 high-impact systems, and is tracking governance requirements, impact assessments, and compliance measures as a transparency initiative.
• Who is affected: Contractors in Artificial Intelligence / Machine Learning, Healthcare IT, IT Services, Data Analytics, Software Development, AI Governance, Veterans Services Technology, Benefits Administration Systems; NAICS codes: 541512, 541511, 541715, 541990, 518210, 541519, 611430, 621111, 621399; agencies: VA, OMB, GSA (General Services Administration); contract vehicles: T4NG, OASIS+, 8(a) STARS III, Alliant 3, CIO-SP4, SEWP.
• Timeline: Timeline TBD pending source review.
• What contractors should do NOW: Immediately inventory AI systems you provide to VA, compile governance and compliance artifacts (testing, monitoring logs, training records, risk mitigations), validate alignment with stated compliance regimes, and prepare remediation plans for any gaps.

Who Is Affected

• Specific NAICS codes, agencies, and contract vehicles pending source review.
• Market segments called out in segmentation: Artificial Intelligence, Machine Learning, Healthcare IT, IT Services, Data Analytics, Software Development, AI Governance, Veterans Services Technology, Benefits Administration Systems.
• Compliance surfaces cited in segmentation: OMB M-24-10, Executive Order 14110, NIST AI Risk Management Framework, FedRAMP (Federal Risk and Authorization Management Program), FISMA, Section 508, HIPAA, VA Directive 6004.

Frequently Asked Questions

Q: Will the VA discontinue non-compliant AI systems?

A: The VA's disclosure states non-compliant systems are subject to discontinuation. Specific discontinuation processes and timelines are TBD pending source review.

Q: What evidence will contractors need to show to remain operational?

A: Contractors must ensure systems meet documented testing, monitoring, training, and risk mitigation requirements. Exact documentation formats and thresholds are TBD pending source review.

Q: Does this VA inventory affect other agencies or procurement programs?

A: The disclosure is described as a transparency initiative that reflects federal AI governance frameworks and establishes precedent for agency oversight and procurement. How other agencies implement similar inventories or enforcement is TBD pending source review. Segmentation lists OMB and GSA as relevant agencies.

Definitions

• AI systems: Software or systems that employ artificial intelligence methods to perform tasks or provide decision support.
• High-impact systems: AI systems classified as having significant potential to affect outcomes, operations, or individuals, as identified in the VA inventory.
• Impact assessments: Evaluations of the consequences, risks, and effects associated with an AI system’s deployment and operation.
• Governance requirements: Policies, controls, and procedures used to manage AI system risk, compliance, and oversight.
• Compliance measures: Documented actions, tests, monitoring, and controls demonstrating adherence to applicable policies and regulations.

Intelligence Response

• Cabrillo Signals War Room — Already detected this event and delivered this briefing. Continuously monitors regulatory changes, contract vehicles, and policy shifts.
• Cabrillo Signals Match Engine — Automatically rescors opportunity pipelines when events like this shift the competitive landscape.
• Cabrillo Signals Intelligence Hub — Tracks affected agencies, NAICS codes, and contract vehicles. Saved searches alert when follow-on solicitations appear on SAM.gov (System for Award Management).
• Proposal Studio (Proposal OS) — Use for AI-powered proposal automation with compliance matrices, win theme library, and bid/no-bid decision engine to assemble remediation evidence and proposals.
• Proposal Studio Workflow Tracker — Use capture management to route compliance reviews, track approvals through a 9-gate capture workflow, and maintain audit-ready documentation.

Who to notify

• Capture/Business Development Lead — to assess impacted opportunities and bid strategy.
• Proposal Manager — to assemble compliance artifacts and update proposals.
• Security & Privacy Officer / Compliance Lead — to validate testing, monitoring, training, and risk mitigation evidence.
• Product Manager / Engineering Lead — to remediate technical gaps and implement monitoring/training controls.

First 48-hour playbook

• Hour 0–4: Convene a rapid response team (BD, Proposal, Security, Product). Pull a list of all current VA engagements and AI-related contracts. Flag contracts on listed vehicles (T4NG, OASIS+, 8(a) STARS III, Alliant 3, CIO-SP4, SEWP).
• Hour 4–12: Inventory and collect available artifacts: testing reports, monitoring logs, training records, risk assessments, and any VA-submitted documentation. Triage systems identified as high-impact.
• Hour 12–24: Use Proposal Studio (Proposal OS) to map compliance gaps against required governance and prepare remediation plans. Route tasks in Proposal Studio Workflow Tracker for approvals and evidence collection.
• Hour 24–48: Produce an executive remediation brief for stakeholders, notify contracting officers as appropriate, and prepare bid/no-bid recommendations with the Match Engine’s rescored opportunity pipeline.

Relevant Cabrillo resources and guides

• Primary hub: Secure Operations Guide (/insights/secure-operations-guide)
• Related guides:
• CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide)
• CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)