The New Chief Artificial Intelligence Officer Role Balances AI Champion And Risk Manager
On March 28, 2024, the US Office of Management and Budget (OMB) released a memorandum, M-24-10 (basically a regulatory requirement for federal agencies), creating the new role responsible for operationalizing the Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, issued last fall. Per the OMB memo, agencies named in the CFO Act will have 60 days to appoint a chief artificial intelligence officer (CAIO) with a remit to: 1) strengthen AI governance; 2) advance responsible AI innovation; and 3) manage risks from the use of AI.
While new role creation to introduce accountability for advancing the federal agenda isn’t new — in 2019, the OMB did the same in establishing the chief data officer (CDO) role to lead agency digital transformation efforts — what’s unique about the CAIO is the role’s level of authority, seniority, skill set, and broad risk management responsibilities.
We believe that the requirement for federal agencies will accelerate this role in the private sector. Tech execs can use the OMB memo as a starting point for the skills and requirements of a CAIO role, although the specific responsibilities for CAIOs will be unique to each organization’s AI goals, business strategies, and risk appetite. For a deeper understanding of risk management’s role in supporting AI, read Generative AI: What It Means For Governance, Risk, And Compliance.
The CAIO Has Broad Authority For Transformational Change
The OMB memo states that the CAIO role “must be a position at the Senior Executive Service [SES], Scientific and Professional, or Senior Leader level.” This unusually high rank is justified by noting that the CAIO must have the “necessary authority to perform the responsibilities in this section and must be positioned highly enough to engage regularly with other agency leadership, to include the Deputy Secretary or equivalent.” If the agency already has someone appointed to the role, the memo urges agencies to evaluate whether that individual needs additional authority to do their job at this level.
- What To Know: The EO gives CAIOs broad responsibility over the coordination, innovation, and risk management for their agency’s use of AI. This position is more than just influencing policy and managing data calls (internal questionnaires) — instead, it requires development of partnerships and strategy, as well as direct operational involvement to bring about change. In other words, this role isn’t reactive. It’s not about simply mitigating AI’s downside risk (often a compliance initiative disguised as “risk management”). Rather, it’s about promoting use of AI, which implies that orgs need a strategy and mature understanding of AI use aligned with mission objectives.
- What To Avoid: Transformational change happens neither overnight nor in a vacuum. That the OMB requires this position to be at the SES level speaks to the caliber of results expected from agency performance. Agencies can better plan for success by taking advantage of the existing process maturity across their CIO, CISO, CDO, and CFO teams by partnering to build a cohesive strategy for AI inventorying, risk management, and innovation. Those same processes are often a barrier to change initiatives, however, so leverage internal partnerships and set clear internal roles and responsibilities to clear operational hurdles early on.
This Ain’t Your Average Lateral Hire
The CAIO must have the skills, knowledge, and expertise to do the job, since the primary role of the CAIO is “coordination, innovation, and risk management for their agency’s use of AI specifically, as opposed to data or IT issues in general.” Internal hires are allowed, so long as they have “significant expertise in AI.” This is not a “hire now, learn on the job” position.
- What To Know: When federal mandates require a new SES position, you know that the directive is more than just a compliance exercise. For example, in 2019, the OMB required agencies to appoint a chief data officer but without the SES seniority, which meant that the position would function inconsistently across agencies. The CAIO requirement marks a shift in expectations by placing accountability and authority within the senior leadership team. It also means the position must be equally adept in technology, operations, and strategy.
- What To Avoid: Don’t rush to appoint someone with an existing SES title and take external hires off the table. Given the scope, complexity, and guaranteed changes that this position will have to navigate, treat this directive as an opportunity to look for unique skills and long-term leadership. AI skills and knowledge are new, and few will have direct experience today. But equally important is the role’s focus on risk management and innovation. Make these attributes key requirements for the position, then determine the best hiring strategy.
A CAIO’s Responsibilities Mirror Those Of A Chief Risk Officer
The role may have AI in the title, but risk management shouldn’t be overlooked. The responsibilities detailed in the memo section “Managing Risks from the Use of AI” read like a job description for what Forrester describes as a transformational chief risk officer (CRO) who understands that risk is necessary for growth and innovation and that risk management is an accelerator to go faster, not slower.
- What To Know: AI inventories are a start. The CAIO, like a CRO, will need tools that help them identify AI risk, conduct risk assessments, and measure and monitor the agency’s ongoing performance and effectiveness toward AI. To be successful, this role requires an equivalent governance, risk, and compliance technology stack, not a single tool.
- What To Avoid: The gut reaction for most OMB mandates is a request for information, but, as is often the case with manual collection methods, by the time the data is aggregated into a pretty dashboard, it’s already stale. Data calls alone will make this role neither successful nor sustainable. CAIOs will also need to master the five competencies of the Forrester Enterprise Risk Management (ERM) Success Cycle — identify, evaluate, respond, monitor, and communicate — to keep pace with innovation and the potential pitfalls that it creates.