· ai regulation · 5 min read

Maryland Made Its Own Government Audit Itself for AI — Here's What That Looks Like

The Maryland AI Governance Act of 2024 is less about regulating private companies and more about making state government inventory and assess every AI system it uses. That's actually interesting.

Photo by Marvin Meyer on Unsplash

Most AI legislation is about telling private companies what they can’t do. Maryland took a different approach: before regulating the private sector, make the government audit itself.

The Maryland Artificial Intelligence Governance Act of 2024 — signed by Governor Wes Moore and effective July 1, 2024 — requires every unit of state government to inventory their AI systems, conduct impact assessments, and submit to a new Governor’s AI Subcabinet that’s supposed to set coherent policy for how the state deploys AI. It’s not perfect, but it’s a more honest approach than most states have taken.

The Inventory Requirement

Here’s the core obligation: each Maryland state agency has to conduct an annual inventory of every system they use that employs artificial intelligence. This runs alongside an annual data inventory — what data do you have, where is it, what’s it being used for.

Why does this matter? Because most government agencies deploying AI right now genuinely don’t know the full scope of what they’re using. Software vendors embed ML components into enterprise tools all the time. A state benefits agency might be running a fraud detection model embedded in their case management software without anyone in the agency knowing the model exists, much less understanding its error rates.

The inventory requirement forces a basic accounting that should have been standard practice years ago.

Impact Assessments

The law requires agencies to conduct impact assessments for their AI systems — specifically before a new deployment and then on a regular basis afterward.

The impact assessment has to evaluate:

  • The intended purpose of the AI system
  • The potential for adverse impacts on protected classes
  • The accuracy and reliability of the system
  • How the system’s outputs are being used in actual decisions

This isn’t new territory — the NIST AI Risk Management Framework covers this kind of evaluation. But making it a legal requirement for state government, with a political accountability mechanism attached, is different from a vendor recommendation.

The law exempts the Office of the Attorney General, the Comptroller, the Treasurer, and certain universities from some provisions. That’s a real carve-out and it’s worth scrutinizing whether those exemptions are principled or convenient.

The Governor’s AI Subcabinet

The Act establishes a Governor’s Artificial Intelligence Subcabinet within the Governor’s Executive Council. The Subcabinet is tasked with developing a roadmap for AI use across state government and advising on policy.

This is the coordinating body the law needs to actually function. Without it, you’d have 80-something state agencies each doing their own inventory in incompatible formats with no shared standards. With it, you at least have a fighting chance at coherent governance.

The Department of Information Technology is required, in consultation with the Subcabinet, to adopt policies and procedures governing how state agencies develop, procure, implement, and assess AI systems. No state agency can deploy an AI system after a certain date without going through that process. That’s a real gate.

The Competitive Proof of Concept Procurement

This is the provision that actually interests me from a procurement law standpoint.

The Act creates a new formal procurement method called “competitive proof of concept” procurement. This is a way for agencies to test and evaluate emerging technologies — including AI — before committing to a full procurement contract. It’s expressly exempted from Board of Public Works oversight, which normally applies to large state contracts.

That exemption is notable. It means agencies can run AI pilots with reduced bureaucratic overhead. The policy logic is that you can’t evaluate novel technology through a traditional RFP process where you have to specify requirements in advance — you need to be able to experiment. The practical risk is that “proof of concept” becomes a way to backdoor procurement of tools that wouldn’t survive normal scrutiny.

The Department of General Services has to develop policies and procedures for implementing competitive proof-of-concept procurements, so there are supposed to be guardrails. Whether those guardrails are meaningful will depend entirely on how seriously DoGS takes the implementation.

What This Means If You’re a Vendor

If you sell AI software to Maryland state agencies, this law changes your sales cycle. Your state agency customers now have to assess the AI components of your product as part of their annual inventory and impact assessment obligations. You should be prepared to provide documentation about what your model does, how it was trained, its known limitations, and its performance on protected-class populations.

Agencies that haven’t asked you these questions before will start asking them. Either because the law requires them to, or because a contract renewal is now contingent on being able to complete an impact assessment. Get ahead of it.

The Maryland law doesn’t generate the plaintiff-friendly civil cause of action that some state AI laws do — there’s no private right of action for an individual affected by a bad government AI system. Enforcement is internal and political. That’s a weakness. But as a model for how state governments should manage their own AI use, it’s more sophisticated than most of what’s been passed anywhere.

If you want to understand what responsible government AI governance looks like in practice, Maryland’s framework is worth reading — even if implementation will inevitably lag the legislative intent.

You can find the original text of Maryland SB 818 on LegiScan.

Share:
Back to Blog