GSA's Proposed AI Clause: A Deep Dive into New Requirements for Government Contractors

The General Services Administration (GSA) on March 6, 2026, released a draft of a significant new contract clause, GSAR 552.239-7001, titled "Basic Safeguarding of Artificial Intelligence Systems". This proposed clause, if adopted, will impose substantial and wide-ranging obligations on contractors providing artificial intelligence (AI) solutions to the government. This blog provides a summary of the key provisions and their practical implications for the industry. GSA is accepting public and industry input through March 20, 2026.

Executive Summary

The proposed GSAR clause seeks to create a uniform set of rules governing the acquisition and use of AI systems across GSA contracts. It introduces several consequential obligations with the potential to reshape the government AI marketplace. Notably, it grants the government expansive ownership of all data inputs, outputs, and any "Custom Developments," as well as prohibits contractors from using this government data for training or improving AI models; and requires the use of only "American AI Systems".

Furthermore, the clause imposes an aggressive 72-hour incident reporting requirement, holds prime contractors directly responsible for the compliance of their downstream commercial AI "Service Providers," and codifies a set of "Unbiased AI Principles". In addition, the government would retain authority to independently evaluate AI systems and suspend their use for non-compliance. For contractors and their commercial AI vendors, these requirements will likely necessitate significant adjustments to product offerings, compliance programs, and risk allocation.

Scope and Applicability

The new clause is slated for inclusion in all solicitations and contracts "for Artificial Intelligence capabilities". The term "AI capabilities" is not defined, leaving some ambiguity as to the clause's full scope. The draft defines several critical terms that clarify its reach:

• AI System. This adopts the definition from the Advancing American AI Act, and means AI systems developed and produced in the United States.
• Government Data. This broadly encompasses both "Data Inputs" (e.g., user prompts, source data) and "Data Outputs" (e.g., system responses, analyses, metadata and synthetic data).
• Custom Development. This covers any modifications, enhancements, or configurations made specifically for the government, including model adjustments resulting from training or fine-tuning.
• Service Provider. This refers to any entity that provides, operates, or licenses an AI system used in contract performance but is not a party to the prime contract. This explicitly includes subcontractors and commercial vendors.

A notable ambiguity arises from the term "American AI Systems," which are defined as systems "developed and produced in the United States". The clause provides no further test for what constitutes "produced," which may create compliance challenges for systems built with global data, open-source components, or international talent.

Intellectual Property (IP) and Data Rights

The proposed clause establishes an IP and data rights regime heavily favoring the government. Under its terms, the government will own all "Government Data" and "Custom Developments". Contractors and their Service Providers receive only a limited, revocable license to use this data for the sole purpose of performing the contract. Any IP rights that a contractor might otherwise obtain in Government Data or its derivatives are automatically assigned to the government upon creation. The clause specifically covers rights in "improvements" and "derivative works" a contractor may obtain from the Government Data, contemplating broad assignment of patentable inventions or copyrightable works a contractor may create from Government Data using the AI System.

Though contractors and Service Providers retain ownership of their underlying AI systems and base models, they must grant the government an irrevocable, non-exclusive, royalty-free license to use the system for the duration of the contract for any lawful government purpose. The clause explicitly prohibits the use of Government Data to train, fine-tune, or otherwise improve any AI model for any other customer or for any commercial purpose. It also prevents a contractor from refusing to generate outputs or conduct analyses based on its own discretionary corporate policies, though this does not require retraining the model.

Security, Privacy and Incident-Reporting Requirements

The draft clause mandates a comprehensive security framework. Contractors must implement and maintain "reasonable technical, administrative, physical, and organizational safeguards" to protect Government Data from unauthorized access, loss, or alteration. A key requirement is the implementation of "'eyes off' Data handling procedures," which restrict human review of Government Data to instances that are strictly necessary and logged for government visibility. The clause also requires the logical segregation of Government Data from other customer data and provides for data localization requirements to be specified by ordering agencies. Upon contract completion, all Government Data must be securely deleted and certified in writing to the Contracting Officer.

For security incidents, the clause imposes a strict 72-hour reporting deadline. Upon discovery of a confirmed or suspected incident, the contractor must notify the Cybersecurity and Infrastructure Security Agency, contracting officer and other designated points of contact. Daily updates are required until the incident is resolved, and all forensic artifacts must be preserved for at least 90 days. The clause clarifies that in cases of conflict with Federal Risk and Authorization Management Program (FedRAMP) incident response procedures, the FedRAMP rules will govern.

Contractor Responsibilities and Flowdown to Service Providers

The proposed clause reaches well beyond prime contractors, effectively regulating subcontractors, cloud providers, and commercial AI vendors. Critically, it makes prime contractors directly liable for their "Service Provider's" compliance with all its terms. Given the broad definition of "Service Provider," this flowdown responsibility extends to the commercial AI platforms and models that contractors often integrate into their solutions. This will likely require prime contractors to renegotiate terms with their commercial vendors to ensure compliance.

The clause mandates that contractors disclose all AI systems used in performance of the contract, including any modifications made to comply with foreign or commercial regulatory frameworks. It also institutes a strict "American AI Systems" requirement, prohibiting the use of "foreign AI systems in the performance of this contract, including any AI components manufactured, developed, or controlled by non-U.S. entities". To demonstrate compliance, contractors must provide extensive documentation upon government request, including system documentation consistent with the National Institute of Standards and Technology (NIST) AI Risk Management Framework, information on known biases, and other data needed for government AI impact assessments. Contractors must also provide 30 days' written notice before adding or materially changing a Service Provider.

Change Management, Portability and Interoperability

The proposed clause aims to prevent vendor lock-in and ensure government flexibility through strict change management and data portability rules. Contractors must provide the government with concurrent access to new versions of an AI model for an evaluation period of 30 days for major versions and 15 days for minor versions before discontinuing the old model. Contractors are also required to provide notice of changes that materially increase bias or decrease safety guardrails, as well as notice before adding or changing a Service Provider.

To ensure interoperability, all AI systems, data outputs, and custom developments must use open and standard formats and APIs. The clause prohibits the use of proprietary technologies that would require additional licensing or create dependencies. Furthermore, contractors must provide tools that allow the government to export all Government Data in open, machine-readable formats such as JSON or XML, ensuring the data can be fully reconstructed in an alternative system.

Performance Standards, Evaluation and Remedies

A central feature of the clause is the mandate for contractors to adhere to a set of "Unbiased AI Principles". These principles require that the AI system be "truthful," prioritize "historical accuracy, scientific inquiry, and objectivity," and operate as a "neutral, nonpartisan tool that does not manipulate responses in favor of ideological dogmas such as Diversity, Equity, Inclusion".

The government reserves the right to conduct its own automated assessments of the AI system at any time to test for bias, truthfulness, and other factors using its own benchmarks. If the government identifies non-compliance, it has the right to suspend use of the AI system until the "performance issues are satisfactorily addressed." In the event of a termination for cause due to failure to comply with the Unbiased AI Principles, the contractor will be held liable for "reasonable decommissioning costs". The ambiguity of terms such as "performance issues" and "decommissioning costs" creates uncertainty regarding the scope of contractor liability.

Practical Implications for Contractors and Industry

If implemented as drafted, the proposed GSAR clause will have profound practical implications for the government contracting industry. The expansive government ownership of data and custom developments, combined with the prohibition on using that data for model training, fundamentally challenges the business models of many commercial AI providers. Contractors will face increased risk and compliance costs, which will need to be factored into contract pricing.

The proposed clause also will impact contractors’ approach to IP rights. The broad definition of Government Data and assignment scope will prompt companies to adopt clear protocols for how data arguably constituting Government Data is used and how such use is documented. Failure to do so may place the company's broader IP rights at risk.

Additionally, the direct liability for Service Provider compliance will likely necessitate difficult negotiations with commercial vendors, who may be unwilling or unable to conform their standard terms to these government-unique requirements. Operationally, the "American AI Systems" restriction and data handling requirements may limit technology choices and require significant architectural changes. These stringent terms could create a barrier to entry for smaller, innovative companies and alter the competitive landscape for AI procurement.

Recommended Immediate Actions and Comment Topics for Stakeholders

Time is short for contractors and other stakeholders seeking to comment: The proposed clause was issued on March 6, 2026, and GSA is accepting public and industry input through March 20, 2026. In light of the significant impact of this proposed clause and the short comment period, contractors and other stakeholders should act promptly. Immediate internal actions should include conducting a gap analysis of current AI offerings and compliance frameworks against the clause's requirements and reviewing all agreements with commercial AI "Service Providers" to assess the feasibility of flowing down these new obligations.

For public comments to GSA, stakeholders should consider addressing several key areas. Seeking clarification on ambiguous terms such as "American AI Systems," "produced," and "AI capabilities" is critical. Industry feedback should also focus on the broad government data ownership provisions and the prohibition on model training, practical challenges of flowing down liability to commercial vendors, stringency of the 72-hour incident reporting window, and subjective nature of the "Unbiased AI Principles" and their enforcement.

Conclusion and Next Steps

The proposed GSAR clause represents a landmark effort by the government to regulate its procurement of AI. Its provisions on data rights, security, and performance are among the most prescriptive seen in federal contracting. Given GSA's indication that the clause could be included in a GSA Schedule refresh as early as spring 2026, the window for industry to provide feedback is narrow. Active engagement and detailed comments will be essential to help shape a final rule that balances government needs with commercial and practical realities.

This analysis is based on the draft of GSAR 552.239-7001 released by GSA on March 6, 2026. For more information on how these proposed changes may affect your business, please contact the authors.