NIST’s Role in Building Trusted AI

Presented by Carahsoft

As artificial intelligence becomes more embedded in government operations, agencies need a way to manage risk, protect data and build confidence in the systems they adopt. Vicky Pillitteri, Manager of the Security Engineering and Risk Management Group at NIST, says NIST’s work helps provide that shared foundation.

In this Innovation in Government segment from the GovExperience Summit, Pillitteri explains that NIST advances measurement science, standards and technology. In the AI and IT security space, that work is focused on building trust. NIST develops standards, guidelines and best practices that can be used by federal agencies, industry and international partners. She describes NIST’s role as providing a “Rosetta Stone” for good security outcomes and practices that translate across IT systems, including AI systems.

That shared language is important because AI is evolving quickly and agencies are adopting it in different ways. Without common outcomes and guidance, it becomes harder for leaders, developers, security teams and mission owners to understand what “secure” and “trustworthy” should mean in practice.

Pillitteri also emphasizes the people side of trusted AI. Agencies need to use the workforce they have and retrain employees to use AI tools effectively. AI should help people do their jobs more efficiently and move into higher-value responsibilities. That means trusted AI is not only about technical controls. It is also about workforce development, culture and helping employees understand how to use new tools responsibly.

Data protection is another critical issue. Pillitteri says data is essential to training AI models and producing outputs that are useful, reliable and trustworthy. But that data must be secure throughout the AI lifecycle. Agencies need to think about what happens when data goes into an AI system, how the system uses it and what comes out the other side.

NIST is developing resources for different users and organizations to help answer those questions. Pillitteri points to work on security controls for predictive AI, generative AI and agentic AI, as well as resources for AI software developers. NIST is also working on ways to explain AI risk management to different audiences, from C-suite leaders to implementers.

That range of audiences matters. Senior executives need to understand the strategic risk and governance implications of AI. Developers need practical guidance on how to secure the systems they are building. Acquisition teams need to understand what questions to ask when buying AI-enabled products. Mission leaders need confidence that the tools they use will support their goals without exposing data or operations to unacceptable risk.

Pillitteri also notes a key challenge: AI is not one single thing. Predictive AI, generative AI and agentic AI have different functions and different risks, and those categories can overlap. AI may also be embedded in products that are not primarily described as AI products. That means organizations must learn to recognize AI risk even when it is not obvious.

The segment makes clear that AI is becoming mission technology, not just another IT tool. Agencies want to use it to improve processes, support analysis, develop materials and deliver services more efficiently. But if AI is mission technology, then securing it is mission work.

Pillitteri’s message is practical and important: trusted AI requires standards, security controls, workforce readiness and a clear understanding of the data lifecycle. NIST’s role is to help agencies and industry work from common guidance as the technology continues to evolve.

Key Takeaways

  • NIST provides standards and guidance that help agencies build trust in AI and IT systems.
  • AI adoption requires workforce development, not just technical implementation.
  • Securing data throughout the AI lifecycle is essential to producing trustworthy AI outcomes.