Although the IRS has dozens of ongoing projects that involve the use of artificial intelligence (AI), the agency struggles to maintain a complete and accurate inventory of its active initiatives, according to the Treasury Inspector General for Tax Administration (TIGTA). (Report No. 2025-IE-R003, 11/12/2024)
AI inventory and leadership.
On November 12, TIGTA issued a special report finding that as of February 2, 2024, the IRS has 68 AI projects. These projects use analytics and automation technologies to improve customer service, enforcement efforts, and internal operations. Thirty are currently in use while the remaining 38 are in development.
The chief data and analytics officer, a position currently held by Barry Johnson, is responsible for monitoring and overseeing the IRS’ AI workstreams. Melanie Krause previously served in the role before she was named chief operating officer as part of a major leadership restructure announced in December 2023.
Federal agency guidelines.
Federal agencies were first instructed under Executive Order 13960, Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government (December 3, 2020), to adhere to nine principles for implementing AI. Updated guidance in Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (October 30, 2023), required the National Institute of Standards and Technology (NIST) to establish best practices by July.
It also directed the Office of Management and Budget (OMB) to designate a chief artificial intelligence officer and issue further guidance to strengthen the effective and appropriate use of AI. The OMB complied and released Memorandum 24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence, in March. The memo focused on how agencies should establish AI governance procedures. Specifically, the OMB guidance sought to preempt risks to security, privacy, and civil rights.
Inventory tracking.
TIGTA found that the IRS has a process to keep track of AI projects in accordance with the first executive order, but “the reporting was inconsistent due to the evolving guidance and efforts to interpret such guidance.”
For example, an initial list of AI projects provided to TIGTA included several that were not related to AI, the watchdog determined. As of July 31, 2023, 16 of the 33 identified AI projects should not have been classified as such, TIGTA reported. Further mismatches on the number of AI projects also arose in June and July of 2023 between information provided by the Treasury Department and the IRS Research, Applied Analytics and Statistics organization.
“In our opinion, the inconsistent and changing inventory of AI projects we identified can be attributed to the newness of this technology and limited guidance from a government-wide perspective,” read the report.
TIGTA recommended that the chief data and analytics officer should “accelerate” following processes established this year by the OMB and the NIST. IRS management agreed to hire more employees to monitor AI governance, expedite the “execution of organizational changes,” and update processes and procedures for the agency’s Enterprise-Level AI Governance Board.
Generative AI. Executive Order 14110 encourages agencies to restrict the use of generative AI through clear guardrails. In its report, TIGTA defined generative AI as “the class of AI models that emulate the structure and characteristics of input data to generate derived synthetic content, such as images, video, audio, text, and other digital content.”
Months prior to the issuance of the order, the Treasury chief information officer in a mass email to its bureaus (including the IRS), told employees to avoid making queries to public large language models like ChatGPT that may compromise sensitive data.
In response, the IRS Office of Information Technology’s Computer Security Incident Response Center (CSIRC) blocked 39 AI websites on the IRS network.
However, TIGTA’s review revealed that “employees are in fact attempting to access generative AI websites. For example, traffic logs provided by the CSIRC show that for the period October 31, 2023, to January 29, 2024, 531 attempts were made to access ChatGPT, a prohibited generative AI website.”
CSIRC discovered that a business rule was not created to deny access to one of the prohibited sites, which was consequently accessed by IRS employees nearly 200 times. Further, it also identified an exploit wherein employees could access ChatGPT through the IRS’ “External e-Learning and Collaborative” platform.
“When employees send queries to generative AI online tools, they might inadvertently reveal sensitive or non-public information to the generative AI tool entities, which might be available to access by other users,” the report explained.
TIGTA said these two issues have been addressed and that IRS Cybersecurity will frequently review traffic logs to ensure processes are in line with federal guidance.
Take your tax and accounting research to the next level with Checkpoint Edge and CoCounsel. Get instant access to AI-assisted research, expert-approved answers, and cutting-edge tools like Advisory Maps and State Charts. Try it today and transform the way you work! Subscribe now and discover a smarter way to find answers.
