HHS Watchdog Advises CIOs to Secure Data Before AI Implementation
Federal agencies must move to operational AI governance, focusing on data protection, audits and continuous monitoring.
Federal IT leaders must first establish clear guidelines to keep data secure before leveraging AI systems, Department of Health and Human Services Assistant Inspector General for Cybersecurity and IT Audits Tamara Lilly said during GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit last week.
“We’re allowing these systems onto the network. We’re empowering them to do things — rightfully so. But unfortunately, the swiftness by which they operate is faster than our current traditional controls are effective,” Lilly said.
Establishing Governance
As agencies adopt agentic AI systems, governance is becoming a central concern, Lilly said. Autonomous tools can both protect and expose data at rest and in motion, shifting compliance from static guidance to real-time operational enforcement.
Agency leaders should move beyond high-level policies and implement durable governance frameworks, she said, pointing to guidance from the National Institute of Standards and Technology for managing AI and autonomous systems.
C-suite alignment is also critical. Leaders must identify governance gaps and document remediation strategies. While agencies have traditionally focused on securing data at rest, Lilly emphasized the growing urgency of protecting data in transit, which presents a more complex challenge as AI systems ingest and process large volumes of information to generate outputs.
Agencies must also define clear boundaries before deploying AI systems, including what actions systems can take, who can access them and how frequently they can operate.
“What can it do? Who can do that? How often should it be done? You need to establish and be very clear what that is,” she said.
Data protection should extend to anonymization practices, particularly for agencies handling sensitive citizen data. These safeguards can help reduce risk in the event of a breach, especially as AI systems increasingly share information across environments.
Managing AI Systems and Cybersecurity Debt
Lilly urged CIOs and CISOs to shift from treating audits as one-time, pass-fail events to continuous processes. This approach enables agencies to collect ongoing evidence that systems are functioning as intended.
Auditors are already moving in this direction, she said, adding that HHS has moved beyond traditional paper policy and documentation reviews to aggressive penetration testing to evaluate network security.
“We’re moving from verifying that a policy exists to requiring observable proof that controls are functioning in real time,” she said.
Security must be built in and integrated into planning, not bolted on at the end, she said. This is especially important with AI systems. “It’s imperative that these devices, these tools and mechanisms be planned for and purchased and included and integrated in the beginning. Not as an afterthought,” Lilly said.
Part of this process is managing “cybersecurity debt,” which is the burden of unpatched software. “It’s something we owe, that we need to do to fix our environment and account for. It does take money [to resolve],” she said.