Title page

Contents

Highlights 2

Letter 5

Background 9

SRMAs Are Directed by Federal Laws, Policies, and Guidance 11

Federal Guidance for Identifying and Mitigating AI Risks 12

SRMAs' Initial AI Risk Assessments Did Not Incorporate All Aspects of Risk Identification and Mitigation 14

Several Reasons Accounted for SRMAs' Mixed Progress 18

DHS and CISA Improved the Process for Annual AI Risk Assessments, but More Remains to Be Done 19

Conclusions 21

Recommendation for Executive Action 22

Agency Comments 22

Appendix I: Beneficial Uses for AI in Critical Infrastructure 26

Appendix II: Comments from the Department of Homeland Security 29

Appendix III: Comments from the Department of Defense 32

Appendix IV: GAO Contacts and Staff Acknowledgments 33

Table 1. Selected Activities for Assessing Potential Artificial Intelligence (AI) Risks and Mitigation Strategies in Critical Infrastructure Sectors 14

Figure 1. The 16 Critical Infrastructure Sectors and Their Respective Sector Risk Management Agencies 10

Figure 2. Extent to Which Sector Risk Management Agencies (SRMA) Have Addressed the Selected Activities for the 17 Critical Infrastructure Sector... 15

Figure 3. Implementation of the Six Artificial Intelligence Risk Assessment Activities for Each Critical Infrastructure Sector and One Subsector 18

Figure 4. Beneficial AI Use Categories Identified by the Department of Homeland Security 27