Agencies Shift From Fragmented IT Systems to Unified Platforms

Federal agencies are shifting from isolated modernization projects to broader operational transformation efforts, using AI governance frameworks, consolidated platforms and DevSecOps pipelines to improve efficiency and speed mission delivery, officials said Wednesday at GovCIO Media & Research’s Federal IT Efficiency Summit in Reston, Virginia.

Standardizing AI Governance Through NIST

National Institute of Standards and Technology Principal Researcher for AI and Cybersecurity Martin Stanley said improving efficiency starts with standardized frameworks that integrate into existing organizational functions.

“We’re seeing an uneven application of AI in federal agencies,” Stanley said. “We want to ensure that we’re promoting conversations around use of AI, even if we don’t have tools.”

Stanley, who leads the AI Risk Management Framework project at NIST, said the framework has been operationalized across commercial, academic and federal sectors over the past three years to establish governance aligned with organizational values. To improve efficiency, agencies should encourage internal dialogue and experimentation around AI capabilities before procurement decisions are finalized, he added.

Beyond internal planning, Stanley highlighted the need for transparent vendor partnerships to maximize return on investment. Agencies must understand how their data is handled and how secure the underlying AI models are, he said. Operationalizing AI governance is less about avoiding regulations and more about integrating requirements into existing workflows to avoid duplicative processes.

Overcoming ‘Accidental Architectures’ in IT Operations

Government agencies also need to rethink tool consolidation strategies, said Cody Bell, federal sales leader at NinjaOne. Many agencies currently suffer from what he called an “accidental architecture” — fragmented environments created through decades of disconnected procurement cycles, where separate tools manage patching, asset inventories and ticketing independently.

“It’s a platform that nobody really designed, no one owns it end to end and no one can see all the way across, and so the problem isn’t that any one of these tools is bad,” Bell said. “The gaps in between all these different tools are where risk and inefficiencies live.”

When new vulnerabilities emerge and compliance requirements demand immediate remediation, analysts are forced to act as “human middleware,” Bell said. He argued that tool consolidation should not be viewed solely as a cost-cutting measure, but as a critical path to operational efficiency.

“A dashboard is what gives you visibility, but a consolidated platform is what’s going to give you velocity,” Bell said.

By using a unified platform built on a single code base and agent, agencies can layer AI capabilities directly onto endpoints, he added. He said that “patch intelligence” can automatically cross-reference vulnerabilities against community sentiment and installation failure rates to identify stable patches for deployment.

“Every agency here is under pressure to do more with less, that’s really not new. But the scrutiny on how you spend, how many tools you maintain and how fast you can respond is at a level that we’ve never seen before,” Bell said.

Digital Transformation as a Human Endeavor

Beyond broad modernization mandates, Marine Corps Service Data Officer Colin Crosby said the service is focused on deliberate execution strategies that embed technology directly into operational workflows.

“It’s not as simple as IT upgrades. It’s the fundamental rewiring of how we operate, how we make decisions and how we fight,” Crosby said. “Transformation is not a mandate. It happens through deliberate execution.”

The Marine Corps uses digital transformation teams as “operational muscle” to help commanders integrate modernization initiatives into daily operations.

“We know their frustrations in having new technology going out to command,” Crosby said. “What if we had a capability that could help commanders understand the technology, understand how to use and integrate that technology into their everyday experience?”

By embedding directly with operational units, digital transformation teams ensure new technologies align with existing workflows rather than disrupting them.

“They get into the trenches with these units,” Crosby said. “The digital transformation teams ensure that the new capability that arrives actually connects to workflows instead of disrupting them.”

Crosby also highlighted the Marine Corps’ use of Cooperative Research and Development Agreements (CRADAs) to safely test emerging commercial technologies within operational environments. Rather than relying on isolated pilot programs, CRADAs create structured environments for collaborative experimentation, he said.

“Under a CRADA, we bring you inside our environment, you use our data, you get to use our get on our network,” Crosby said. “We get to actually test how that technology works within the service within the day-to-day operation that we do, and so that is a very important capability.”

Crosby added that modernization efforts are only as effective as the personnel operating the technology.

“Digital transformation is ultimately a human endeavor,” Crosby concluded.

Tech and Efficient Edge AI

HP Federal COO Matt Barry expanded on Crosby’s point, arguing that successful digital transformation efforts remain rooted in trust and human relationships.

“This is a human sport,” Barry said. “None of it happens without trust, and we can only move at the speed of trust when we invest in human relationship.”

Barry said edge devices are becoming increasingly important as government organizations look to run complex AI workloads locally instead of relying entirely on cloud-based environments.

“We see incredible opportunities with clients looking at workstation-class devices where they can have compute workflows AI at the edge in ways that are more secure at times, depending on the use case, less latency, higher performance,” Barry said. “The economics are quite compelling when you look at operational cost of operating workloads at scale at the edge versus transporting a lot through tokens and cloud consumption.”

For operators working in disconnected or contested environments, localized compute capabilities can provide significant operational advantages, Barry added.

“If I’m in a contested place in the world … and on my laptop, not connected to anything, I’ve got billions of parameters of information that I can query, like ChatGPT,” Barry said.

Shifting Security Outcomes to Accelerate Delivery

In software development, the authority to operate (ATO) process can be notoriously slow, said David Raley, chief digital business officer for Operation StormBreaker in the Marine Corps. Raley said that traditional, paper-based compliance acts as a massive bottleneck, actively blocking the delivery of vital capabilities to the warfighter.

“[The ATO process] is blocking implementation and getting capability to deliver it to the warfighter in the context of the Marine Corps and the Department of War,” Raley said.

Raley said both vendors and mission owners frequently focus too narrowly on applications while overlooking the broader operational environment and infrastructure layer. Because as much as 85% of risk management framework controls exist outside the application itself, Operation StormBreaker centralizes infrastructure services to simplify compliance requirements.

“We’re able to push container workloads into production with an authorization in 15 minutes,” Raley said, “We put all the guardrails, and we’ve got the platform set up properly. We put the guardrails and everything else in the DevSecOps pipeline that apply the RMF steps through an automated process and puts the control in the hands of the developer.”

By shifting security outcomes “left” and leveraging a certified DevSecOps pipeline, developers can run efficient, automated compliance scans and receive real-time feedback, Raley said. This approach replaces massive, multi-year deployment batches with containerized, incremental releases, he said.

“[We can move] to that model and that gets us aligned with industry’s best practice of being able to agilely develop and build an internal release capability at that seat of the mission requirements, as opposed to a four- or five-year deployment cycle,” Raley said.