
The Department of Energy (DOE) lacks an enterprise-wide framework to govern artificial intelligence (AI) and cybersecurity, according to a report from the agency’s Office of Inspector General (OIG).
In a fiscal year 2026 management challenges report published Dec. 22, the watchdog warned that the department needs better oversight, more consistent data practices, and clearer lines of authority to keep pace with the evolving technology landscape.
The OIG said it identified challenges facing the department based on audits, inspections, investigations, prior management challenges reporting, and ongoing national and congressional oversight priorities. Additional priority areas covered in the report include program and human capital management, national security, domestic challenges, and financial assistance.
For AI, the OIG said the department should implement a comprehensive governance framework, ensuring it reflects how the DOE and its national laboratories develop and deploy AI.
“The development of common standards, promotion of best practices, and mitigation of potential risks may encourage consistent and effective AI implementation,” OIG officials stated.
The report also called for an enterprise data management system that includes a catalog, shared taxonomy, and metadata management processes and standards. With that system in place, OIG officials said, accessible, authoritative, and organized data will “form a solid foundation” for AI and “lead to the most accurate insights.”
Meanwhile, the report said the DOE’s current cybersecurity governance structure “impacts its ability to respond to cybersecurity evolving risks and mandates,” due to its lack of centralization.
“The governance structure is exacerbated by a general lack of correlating authoritative data and using performance metrics to enhance cybersecurity oversight,” OIG officials said.
The OIG also found that DOE is falling behind changing cybersecurity requirements and enhancements, despite department directives requiring the implementation of the most recent cybersecurity guidance. The report pointed to contractors who instead implement and assess their cybersecurity environments against outdated requirements.
Officials told the OIG that cybersecurity requirements are often underfunded, authority between sites and the Office of the Chief Information Officer is unclear, and resistance to what sites view as “unfunded mandates” has driven the adoption of local solutions rather than enterprise-wide approaches.
“Cybersecurity is a critical aspect of the Department’s overall security posture and one of the Department’s highest risks,” OIG officials stated. “Protecting and enhancing the security of the Department’s information technology and operational technology assets, including critical infrastructure and high-value assets, is crucial to fulfilling the Department’s unique mission set.”