Method: every claim tracked, reviewed every 30–90 days, marked Holding, Partial, or Not holding. Drafted by Claude; signed off by Peter.
AM-054 · published 26 Apr 2026 · revised 26 Apr 2026 · 8 min read · in Risk & Governance

Public sector agentic AI: the 2026 procurement constraints

Five constraints that materially narrow public-sector agentic AI procurement in 2026: FedRAMP authorisation, sovereign data residency, procurement transparency, administrative-law accountability, FOIA-equivalent audit-log disclosure. The NYC MyCity case is the canonical failure.

Holding · reviewed 26 Apr 2026 · next +90d

The OMB M-24-10 federal AI use guidance, the post-Executive-Order-14110 successor framework, the FedRAMP authorisation regime, the state-level AI procurement laws, and FOIA-equivalent disclosure obligations together produce a procurement environment for public-sector agentic AI that is materially more constrained than the private-sector equivalent. The 2026 deployment record is sparse but illustrative: the NYC MyCity case (claim AM-044) is the canonical failure, and the absence of large-scale federal agentic AI deployments through Q1 2026 reflects the genuine difficulty rather than insufficient interest.

What follows is a working playbook for public-sector agentic AI procurement in 2026: the five constraints that narrow the option space, the vendor and architectural choices that satisfy them, and the operational requirements that distinguish public-sector deployments from their private-sector equivalents.

The five constraints

Constraint 1: FedRAMP authorisation

Federal deployments touching anything beyond public information require FedRAMP Moderate authorisation; deployments touching sensitive but unclassified data require FedRAMP High; deployments touching classified data require IL5 or IL6 (Impact Level 5 or 6 authorisation under the DoD Cloud Computing Security Requirements Guide).

State-level deployments increasingly require StateRAMP authorisation, which overlaps with FedRAMP but is run through a separate process. Some states accept FedRAMP authorisation as evidence; others require state-specific authorisation.

The 2026 vendor implications: Microsoft, Anthropic (via AWS GovCloud through Bedrock), Google, and a small number of specialist government-AI vendors have FedRAMP High authorisation for their public-sector cloud SKUs. Other vendors are typically authorised only at FedRAMP Moderate, which limits them to lower-sensitivity deployments. Most consumer-facing AI services are not FedRAMP authorised at all and cannot be used for federal deployments.

Constraint 2: Sovereign data residency

Data and model inference must remain within the relevant sovereign boundary. For U.S. federal deployments, this typically means continental U.S. (CONUS) or specifically U.S. government cloud regions. For state deployments, this typically means within the U.S.; some states require data to stay within the state. For non-U.S. governments, the requirement is country-specific and often specific to a sub-region (e.g., German federal deployments may require within-Germany).

The agentic AI implication is that the vendor’s inference infrastructure for the deployment must be in the relevant region. Vendors that offer multi-region inference for cost optimisation or latency reasons cannot do so for sovereign-restricted deployments. The cost difference is real (typically 15-30% premium for sovereign-restricted inference) and is part of the deployment’s TCO.

Constraint 3: Procurement transparency

Public-sector procurement decisions are subject to disclosure obligations under various legal frameworks: federal FOIA, state public records laws, GAO bid protest processes, contract-award publication requirements. The vendor selection rationale, the evaluation criteria, the comparison against alternatives, and the contract terms are typically discoverable.

The implication for procurement playbook execution: every step in the enterprise agentic AI procurement playbook (claim AM-041) needs to produce documentation suitable for public disclosure. Stage 4 GAUGE governance scoring needs to record reasoning at a level of detail that survives FOIA review. Stage 5 RFP responses need to be retained in a form that supports public-record requests. The transparency requirement adds approximately 20-30% to the procurement effort.

Constraint 4: Administrative-law accountability

Decisions affecting individuals are subject to due-process frameworks: notice, opportunity to be heard, written reasons, right of appeal, judicial review. An agentic AI deployment that participates in such decisions must operationally support each element of due process.

The architectural implication: agents do not make consequential decisions about individuals. Agents recommend; humans decide; the audit substrate captures the full decision chain to support appeal and judicial review. The action-class approval gates from the seven-control surface (claim AM-043) implement the constraint at the technical level. The deployment’s documented decision policy (per the 14-field audit template’s policy version field) is the substrate for the written-reasons requirement.

The constraint applies most strongly to benefit determinations (Social Security, unemployment insurance, Medicaid eligibility), license decisions (professional licensing, business licensing), enforcement actions (regulatory enforcement, civil penalties), and eligibility decisions (procurement awards, public-housing access, public-program enrolment).
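
The recommend/decide split and the approval gate described above, as an added sketch that is not taken from the article's control surface or audit template. The action-class names, the `policy_version` placeholder and the hash-chained `DecisionChain` are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical action classes; which ones need a human decision is an assumption.
CONSEQUENTIAL = {"benefit_determination", "license_decision",
                 "enforcement_action", "eligibility_decision"}
POLICY_VERSION = "decision-policy-v1 (placeholder)"


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionChain:
    """Append-only, hash-chained record of one case's decision chain."""
    def __init__(self):
        self.entries = []

    def append(self, actor, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "event": event, "detail": detail,
                "policy_version": POLICY_VERSION, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True


def gate(chain, action_class, recommendation, human_decision=None):
    """Return the outcome to act on, or None while a human decision is pending."""
    chain.append("agent", "recommendation",
                 {"class": action_class, "text": recommendation})
    if action_class not in CONSEQUENTIAL:
        chain.append("agent", "executed", {"class": action_class})
        return recommendation
    if human_decision is None:
        chain.append("gate", "held_for_human", {"class": action_class})
        return None
    # Written reasons are mandatory: they back the notice and any appeal.
    if not human_decision.get("reasons", "").strip():
        raise ValueError("human decision requires written reasons")
    chain.append(human_decision["officer"], "decision", dict(human_decision))
    return human_decision["outcome"]
```

Because every entry carries the policy version and the hash of its predecessor, a later edit to any recorded step makes `verify()` fail, which is the property an appeal or judicial review relies on.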

Constraint 5: FOIA-equivalent audit-log disclosure

Audit logs of agentic AI deployments are typically subject to public-disclosure requests under FOIA (federal) or state public records laws. The disclosure is subject to standard exemptions (personal privacy, deliberative process, law-enforcement investigation, classified information, attorney-client privilege) but the default is disclosure with redaction.

The audit substrate (per the 14-field Article 12 template, claim AM-046) needs to support FOIA-style workflows: per-individual queries answerable in 4-business-hour evidence-assembly windows, bulk redaction with consistent policy application, review-and-release workflow with legal sign-off prior to disclosure.

Most vendor-native audit logs do not natively support these workflows. Deployment-layer tooling (typically a FOIA-specific query and redaction layer above the audit substrate) is required. The tooling’s correctness is itself subject to public scrutiny; quarterly drill exercises with FOIA-style requests catch operational gaps before they become disclosure failures.
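
A deployment-layer query and redaction step of the kind described above, added here as an illustration rather than any vendor's or the article's tooling. The record fields, the two redaction patterns, the policy version string and the HMAC-based tokens are assumptions; the sample log is constructed.

```python
import hashlib
import hmac
import re

# Constructed sample audit records; field names are hypothetical, not the
# article's 14-field template.
AUDIT_LOG = [
    {"id": 1, "subject_id": "P-1001", "actor": "agent",
     "text": "Drafted notice; SSN 123-45-6789, contact jane.roe@example.org."},
    {"id": 2, "subject_id": "P-2002", "actor": "agent",
     "text": "Researched filing for another applicant."},
    {"id": 3, "subject_id": "P-1001", "actor": "officer-17",
     "text": "Approved draft; notify jane.roe@example.org of appeal rights."},
]

# One versioned policy applied to every record keeps redaction consistent.
POLICY = {
    "version": "redaction-policy-v1 (placeholder)",
    "rules": [("personal privacy", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
              ("personal privacy", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"))],
}


def redact(text, policy, key):
    """Replace each match with a keyed token: same value, same token."""
    for exemption, pattern in policy["rules"]:
        def token(m):
            tag = hmac.new(key, m.group().encode(), hashlib.sha256).hexdigest()[:8]
            return f"[REDACTED {exemption} #{tag}]"
        text = pattern.sub(token, text)
    return text


def assemble(subject_id, log, policy, key):
    """Per-individual query: redacted records for one subject, unreleased."""
    records = [{"id": r["id"], "actor": r["actor"],
                "text": redact(r["text"], policy, key)}
               for r in log if r["subject_id"] == subject_id]
    return {"subject_id": subject_id, "policy_version": policy["version"],
            "records": records, "legal_signoff": None}


def release(package, reviewer=None):
    """Review-and-release: nothing is disclosed without a named reviewer."""
    if not reviewer:
        raise PermissionError("release blocked: legal sign-off missing")
    return {**package, "legal_signoff": reviewer}
```

Pattern rules only catch values with a recognisable shape; names and free-text identifiers need a separate review pass, which is one of the gaps a quarterly drill should probe.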

The realistic vendor options

| Cloud / vendor | FedRAMP authorisation | Sovereign coverage | 2026 maturity for agentic AI |
| --- | --- | --- | --- |
| Microsoft Azure Government | High (and IL5 in DoD) | CONUS and sovereign cloud regions | Microsoft 365 Copilot for Government, Azure OpenAI Government — production-ready |
| AWS GovCloud (with Anthropic via Bedrock) | High (and IL5 with Top Secret regions) | CONUS GovCloud regions | Anthropic Claude via Bedrock GovCloud — production-ready, expanding |
| Google Cloud Public Sector | High | CONUS and sovereign cloud regions | Gemini for Government — production-ready, narrower deployment surface than competitors |
| Specialist government-AI vendors | High where applicable | Varies | Use-case-specific (Palantir AIP for analytical workflows, Scale AI Donovan for defence-specific, others for narrower domains) |

The April 2026 federal-deployment landscape has four credible options. Microsoft is the broadest in terms of deployment surface and integration with existing federal IT (M365 ubiquity). AWS GovCloud with Anthropic is the strongest for purely API-driven deployments where cloud-native portability matters. Google Cloud Public Sector is competitive for specific use cases but has narrower public-sector adoption than Microsoft and AWS as of April 2026. Specialist vendors are appropriate for use cases where their domain expertise is structurally important.

State-level procurement typically uses the same four vendor groups plus state-specific options that have completed StateRAMP authorisation.

Public-sector deployment patterns that work

Three deployment patterns have produced credible public-sector agentic AI outcomes through Q1 2026.

Internal employee productivity. Federal and state employees using agentic AI to draft documents, research issues, and process paperwork. The pattern stays within sovereign boundaries, does not directly affect external individuals (so administrative-law accountability is lower), and has internal accountability mechanisms. The Microsoft 365 Copilot for Government deployments at multiple federal agencies represent this pattern.

Public-information access. Agents that answer public questions about public information (regulatory text, agency policies, procedural guidance) without making determinations about specific individuals. The pattern is high-value for citizen access but requires conservative scoping (the agent answers what is documented; it does not interpret beyond the documented record). The NYC MyCity case (claim AM-044) is the failure mode of this pattern when scoping is inadequate.

Backend administrative automation. Agents that process administrative workflows where the consequential decisions are made by humans and the agent supports the human work (drafting, research, document assembly). The pattern is structurally similar to internal productivity but for administrative-decision workflows; it requires the action-class approval gates to ensure the agent’s contribution remains advisory.

Public-sector deployment patterns to avoid

Three patterns have produced documented failures or carry sufficient structural risk that they should be avoided in 2026.

Direct benefit determinations. Agents that make eligibility decisions for benefits (Social Security determinations, Medicaid eligibility, unemployment insurance approvals). The administrative-law accountability requirements are stringent, the audit substrate requirements are heightened, and the consequence of error is direct individual harm. The pattern is operationally tractable in principle but has not produced credible 2026 deployments and the risk-adjusted procurement case is currently weak.

Enforcement-decision automation. Agents that make or recommend enforcement actions (citations, fines, regulatory penalties). The administrative-law due-process requirements are at maximum strength here, and the bias-and-discrimination risk is concentrated. The pattern is structurally hostile to current agentic AI capabilities; the risk-reward case is unfavourable through at least 2027.

Public-facing autonomous agents. Agents that interact directly with the public on consequential topics (regulatory guidance, eligibility advice, complaint handling) without conservative scoping. The NYC MyCity case is the failure mode. The pattern can work with extreme scope conservatism but typically does not deliver the value proposition that motivated the deployment.

What this playbook does NOT cover

The playbook addresses U.S. federal and state public-sector procurement for agentic AI in 2026. It does not cover:

  • Classified deployments. Deployments at IL5/IL6 with Top Secret data have additional requirements beyond FedRAMP High; the procurement and operational frameworks are separately regulated.
  • Defence-specific procurement. DoD-specific frameworks (DoD Cloud Computing Security Requirements Guide, Joint Warfighter Cloud Capability vehicles) overlay onto the FedRAMP baseline with mission-specific provisions.
  • Non-U.S. government procurement. Each national government has its own procurement framework. The constraint pattern (sovereign data, public transparency, administrative-law accountability) generalises but the specific vendor and authorisation regime varies.
  • Public-private partnership models. Many emerging public-sector AI deployments use PPP structures where the procurement, deployment, and operational accountability are split between government and contractor in non-standard ways. These models warrant separate treatment.

The full state of enterprise agentic AI is at /state-of-enterprise-agentic-ai/ (claim AM-040). The OWASP threat-class walkthrough applicable to public-sector deployments is at /owasp-agentic-ai-top-10-walkthrough/ (claim AM-043). The Article 12 audit substrate that overlaps with FOIA-equivalent disclosure obligations is at /eu-ai-act-article-12-audit-evidence/ (claim AM-046).

Public-sector agentic AI is operationally harder than the private-sector equivalent, not because public agencies are less competent but because the constraint envelope is genuinely narrower and the accountability standard is genuinely higher. The procurement track must respect both. The deployments that succeed do so by accepting the narrower scope and operating within it; the deployments that fail typically do so by attempting to bring private-sector deployment patterns into a regulatory environment that does not accept them.
