Ensuring AI Is Used Responsibly

In Directive 139-08, DHS establishes the following Key principles:

• Lawful and Mission-Appropriate: AI use must comply with the Constitution, laws, and policies, protecting privacy, civil rights, and civil liberties.
• Mission-Enhancing: AI use must be purposeful to improve DHS’s operational, administrative, and support functions.
• Safe, Secure, and Responsible: AI use must address risks and benefits, protects privacy and civil rights, and is rigorously tested to avoid biases and ensure effectiveness, accuracy, and security.
• Trustworthy: AI use must be transparent and explainable, with public disclosures and traceable, auditable outputs.
• Human-Centered: AI design and deployment must consider the impact on users and those affected, incorporating feedback from communities and stakeholders.

These principles are based on DHS’s first set of principles established in 2023 in Policy Statement 139-06: Acquisition and Use of Artificial Intelligence and Machine Learning by DHS Components. They are a comprehensive set with guidance and requirements for how to meet those principles.

DHS’s guidance and requirements for fulfilling the key principles emphasize:

• Dynamic Governance: Led by the DHS Chief AI Officer, governance involves proactively identifying challenges and opportunities, establishing clear policies, and including and integrating interdisciplinary stakeholders and viewpoints.
• Human Oversight: AI use cases that impact safety, rights, or significant agency decisions or actions must have appropriate human oversight.
• Enterprise AI Risk Management: The design, development, deployment, and operation of the AI at DHS must comply with enterprise risk management practices. These include documenting AI use cases, categorizing and classifying risks, testing and evaluation, and ongoing monitoring.
• Testing and Evaluation: AI at DHS must undergo rigorous testing throughout its lifecycle to validate performance, reliability, and bias mitigation.
• Data Management: AI use must comply with laws and policies on data protection that ensure security, privacy, and interoperability.
• Responsible and Authorized Acquisition: AI acquisition must align with legal and policy requirements and address technical specifications, risk management, transparency, and sustainability.
• Workforce Training: DHS personnel must receive periodic training on AI, with the goal of improving the AI literacy of the DHS workforce and ensuring that personnel understand the benefits and risks of AI use.

In Directive 139-08, DHS prohibits the following uses of AI and AI-related data at DHS:

• Relying on AI outputs as the sole basis for law enforcement actions (like arrests, searches, seizures, or issuing citations), civil enforcement actions (such as fines or injunctions), or denial of government benefits.
• Using AI and/or AI-related data to make or support decisions based on unlawful or improper factors like race, ethnicity, gender, national origin, religion, sexual orientation, gender identity, age, nationality, medical condition, disability, emotional state, or future behavior predictions.
• Improperly profiling, targeting, or discriminating against individuals or entities based on the characteristics mentioned above, or in retaliation for exercising Constitutional rights.
• Using AI for unlawful or improper large-scale monitoring, surveillance, or tracking of individuals.
• Sharing DHS data or AI outputs with third parties for uses that are prohibited by law or DHS policy.
• Any other uses of AI or related data that are prohibited by applicable laws and policies.

Directive 139-08 (January 2025) sets forth requirements to promote AI innovation and governance while managing risks associated with AI use, especially those impacting individual safety or rights. This Directive applies to all aspects of AI use at DHS, including the planning, design, development, deployment, and operation of AI systems, services, techniques, software, and hardware. It also covers the acquisition of AI as part of AI use within DHS.

This Directive requires that DHS’s use of AI must be safe, secure, responsible, trustworthy, and human-centered.

Directive 026-11 (September) requires that all uses of face recognition and face capture technologies are thoroughly tested to ensure there is no unintended bias or disparate impact in accordance with national standards. DHS will review all existing uses of this technology and conduct periodic testing and evaluation of all systems to meet performance goals.

Policy Statement 139-07 (October 2023) establishes guidelines for the use of GenAI tools by DHS employees. The policy provides specific requirements for safeguarding data and protecting privacy. It also lays out a process for obtaining approval to use GenAI tools that includes the completion of training on the responsible use of AI.

The Responsible Use Group, led by the Officer for Civil Rights and Civil Liberties, provides guidance, risk assessment, mitigation strategies, and oversight for the protection of individual rights in specific AI projects.

The Group also:

• works to advance the use of AI by DHS through implementing policy,
• building a community of practice, and
• strengthening the DHS AI workforce through trainings and other learning opportunities focused on responsible use, trustworthiness, accountability, and strong governance practices.

The AI Policy Working Group (AIPWG) coordinates with the DHS AI Council to affect policy change and apply oversight to all DHS AI activities. The AIPWG collaborates across the Department, including the Office of the Chief Information Officer, Science and Technology Directorate, Office of the Chief Procurement Officer, Office for Civil Rights and Civil Liberties, the Privacy Office, and the Office of Strategy, Policy, and Plans.

The DHS GenAI Public Sector Playbook encapsulates the lessons learned from DHS’s pilot programs and offers a series of actionable steps for the responsible adoption of GenAI technologies in the public sector.

The DHS 2024 Report on Use of Face Recognition and Face Capture Technologies explains implementation of Directive 026-11 and includes information and requirements about DHS use of FR/FC in eight different instances. This report shares information on FR/FC testing, review, opt-out options, and oversight for each of the highlighted FR/FC uses. We chose the eight FR/FC uses highlighted in the report based on frequency of use and public interest.

The DHS AI Roadmap outlined priorities, goals, and opportunities for DHS’s AI efforts and activities throughout 2024. DHS delivered on this vision through milestones such as:

• Completing DHS generative AI pilots
• Recruiting AI experts through the AI Corps recruiting sprint
• Delivering DHS’s internal generative AI chatbot pilot DHSChat
• Releasing the AI Safety and Security Board’s Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure
• Publishing DHS’s Report on Reducing the Risk at the Intersection of AI and Chemical, Biological, Radiological, and Nuclear Threats
• Releasing DHS’s Safety and Security Guidelines for Critical Infrastructure Owners and Operators

DHS's Compliance Plan for the 2024 Office of Management and Budget Memorandum M-24-10 outlined DHS’s commitment and efforts to fully implement requirements in M-24-10. DHS fulfilled this commitment by:

• Establishing the DHS AI Governance Board;
• Publishing DHS’s 2024 AI use case inventory, which is a broader inventory DHS AI use cases with additional details; and
• Satisfying M-24-10 risk management practices for DHS’s 39 rights- and/or safety-impacting AI uses and releasing information about these use cases and risk management practices in DHS’s 2024 AI use case inventory.

DHS established the DHS Artificial Intelligence Task Force (AITF) in April 2023 to advance specific mission applications of AI for the following four mission objectives:

• Combating fentanyl trafficking
• Strengthening supply chain security
• Countering child exploitation
• Protecting critical infrastructure

The AITF reported its progress in regular updates, with a final, close-out report published in August 2024.