Title page
Contents
Highlights 2
Letter 5
Background 9
SRMAs Are Directed by Federal Laws, Policies, and Guidance 11
Federal Guidance for Identifying and Mitigating AI Risks 12
SRMAs' Initial AI Risk Assessments Did Not Incorporate All Aspects of Risk Identification and Mitigation 14
Several Reasons Accounted for SRMAs' Mixed Progress 18
DHS and CISA Improved the Process for Annual AI Risk Assessments, but More Remains to Be Done 19
Conclusions 21
Recommendation for Executive Action 22
Agency Comments 22
Appendix I: Beneficial Uses for AI in Critical Infrastructure 26
Appendix II: Comments from the Department of Homeland Security 29
Appendix III: Comments from the Department of Defense 32
Appendix IV: GAO Contacts and Staff Acknowledgments 33
Table 1. Selected Activities for Assessing Potential Artificial Intelligence (AI) Risks and Mitigation Strategies in Critical Infrastructure Sectors 14
Figure 1. The 16 Critical Infrastructure Sectors and Their Respective Sector Risk Management Agencies 10
Figure 2. Extent to Which Sector Risk Management Agencies (SRMA) Have Addressed the Selected Activities for the 17 Critical Infrastructure Sector... 15
Figure 3. Implementation of the Six Artificial Intelligence Risk Assessment Activities for Each Critical Infrastructure Sector and One Subsector 18
Figure 4. Beneficial AI Use Categories Identified by the Department of Homeland Security 27