The U.S. Office of Personnel Management (OPM) has flipped the switch on generative AI for its employees, granting immediate access to Microsoft 365 Copilot Chat and preparing to roll out an enterprise-grade ChatGPT within days. The move, confirmed by OPM officials and internal emails obtained by FedScoop, marks the latest expansion of the General Services Administration’s (GSA) OneGov procurement program, which offers federal agencies cut-rate agreements with top AI vendors. For the federal workforce, it’s a sharp pivot from cautious AI experimentation to mainstream deployment — and it comes with a thick bundle of practical questions about data handling, training, and compliance.
What Actually Changed
Starting this week, OPM staff can use Microsoft 365 Copilot Chat’s conversational AI features embedded in Word, Excel, Outlook, and Teams. A broader deployment of OpenAI’s ChatGPT, described internally as “ChatGPT-5” according to emails obtained by FedScoop, is set to become available agency-wide within days, though neither Microsoft nor OpenAI have publicly confirmed that version designation. OPM Director Scott Kupor told employees the tools are designed to help them “work faster, think bigger, and collaborate better.” The agency also plans to unlock access to GSA’s USAi platform — a multi-model AI sandbox — in the near term. Free training courses, including one on creating custom AI assistants via OpenAI’s GPTs, are being offered through the Office of the Chief Information Officer (OCIO).
What It Means for Federal Workers and IT Teams
For Everyday Employees
Generative AI is now a standing resource on your desktop. You can ask Copilot to draft a memo, summarize a hundred-page PDF, generate a spreadsheet formula, or triage an overflowing inbox. The productivity promise is real, but Kupor’s caution — “AI is a great assistant, but you’re still the expert” — is the crucial fine print. Hallucinations are a known risk: models can invent facts, misstate policies, or confidently produce legal-sounding nonsense. Every AI-generated output must be verified against authoritative sources before it lands in a final work product.
Data sensitivity is the other immediate concern. Until your agency explicitly clears a specific AI service for handling Controlled Unclassified Information (CUI) or personally identifiable information (PII), treat everything you type into a prompt as if it were being read by the public. The vendors promise that federal enterprise tenants won’t use your data to train their models, but the contractual fine print and actual telemetry practices vary. When in doubt, stick to public data or pre-cleared, non-sensitive material.
For IT Administrators and Security Teams
The rollout lands a new operational surface squarely in your lap. Confirm immediately whether your agency’s Microsoft 365 tenant is provisioned on a commercial cloud instance (typically FedRAMP Moderate) or a higher-assurance environment. Data loss prevention (DLP) rules, e‑discovery holds, and audit logging must extend to Copilot interactions. For ChatGPT, push your procurement and legal teams to nail down the exact model version, service boundary, and FedRAMP authorization level before official use. The “ChatGPT‑5” label is unverified; treat it as provisional until OpenAI provides documented specifications.
OneGov procurement — GSA’s fast-lane contracting engine — lowers the acquisition bar but doesn’t replace agency-level governance. Promotional pricing (including the much-discussed $1-per-agency OpenAI deal) may only cover a base tier that isn’t suitable for sensitive workloads. Validate whether the offering is single‑tenant or multi‑tenant and how logs, telemetry, and prompt histories are retained. If your agency processes ITAR-controlled or export-restricted data, the baseline promotional offering almost certainly won’t suffice without additional contractual controls or a dedicated environment.
How We Got Here: OneGov and the New Procurement Landscape
GSA’s OneGov initiative rewrote the rulebook for federal AI buying. Starting earlier this year with a headline-grabbing $1-per-agency OpenAI offer, it rapidly expanded to cover Anthropic, Google (Gemini), Microsoft, and several other providers. The deals collapse the usual multi‑year contracting cycle into a streamlined acquisition path, letting agencies provision enterprise AI services without negotiating from scratch. In March, the Department of Health and Human Services became the first agency to publicly adopt ChatGPT under OneGov. OPM’s move follows quickly on its heels, signaling that the floodgates are opening.
Meanwhile, GSA’s USAi platform — launched last month — gives agencies a common sandbox for side‑by‑side model evaluation. Instead of each agency duplicating test harnesses, USAi offers dashboards, shared infrastructure, and secure tenancy options. It’s designed to let teams answer the “which model for which mission” question rigorously before committing budget and data. OPM’s plan to enable USAi access soon shows a recognition that responsible deployment requires more than just flipping a switch.
What to Do Now: Practical Steps
If You’re an OPM Employee
- Start small. Use Copilot Chat for low‑risk tasks: drafting routine emails, summarizing public documents, or generating meeting notes.
- Sign up for training. The OCIO’s brown‑bag sessions and the “OpenAI GPTs” course are voluntary, but treat them as mandatory for your professional safety. Understand model limitations, bias, and the importance of verification.
- Never assume compliance. Even if your colleague uses ChatGPT for a task, check your agency’s current acceptable‑use policy. If a policy doesn’t exist yet, default to treating all inputs as non‑sensitive and non‑controlled.
If You’re an IT Leader at Any Federal Agency
- Audit your Microsoft tenant. Confirm Copilot DLP policies are active. Ensure sensitivity labels carry through to AI prompts and that retention rules capture Copilot interactions.
- Demand FedRAMP precision. Ask vendors for the exact authorization package, not a marketing summary. Match that to your data classification matrix (public, CUI‑Basic, CUI‑Specified, etc.).
- Set up a USAi pilot. Before wide ChatGPT deployment, test multiple models head‑to‑head with your actual mission prompts inside the USAi sandbox. Measure accuracy, latency, and compliance against your requirements.
- Draft or update your AI acceptable‑use policy. Mandate role‑based training with certification for staff who will use AI on anything beyond public information. Define prohibited use cases (e.g., feeding legal case files into a model without a data‑sharing agreement).
Data Security Checklist for AI Deployments
| Area | Action | Priority |
|---|---|---|
| FedRAMP | Confirm authorization level and service boundary for each AI tool | Critical |
| Tenant Isolation | Verify single‑tenant vs. multi‑tenant; isolate government data | High |
| Telemetry & Logs | Review retention periods; ensure alignment with NARA records schedules | High |
| DLP | Extend endpoint and cloud DLP rules to cover AI prompt inputs and outputs | Critical |
| CUI/ITAR | Validate whether the provisioned tier is cleared for controlled data | Critical (if applicable) |
| Training | Implement mandatory role‑based AI training with verification exercises | High |
The Workforce Readiness Gap
The OPM employee quoted by FedScoop flagged a real tension: the tools are pushed to laptops, but the training is voluntary. Early adopters report tangible time‑savings on mundane tasks, yet the same early users have stumbled on hallucinated citations, garbled policy paraphrases, and a creeping over‑reliance that dulls critical review. Voluntary training is a good start, but it won’t scale safely. A robust readiness plan needs mandatory modules that link AI use cases to data classification rules, practical labs that simulate common blunders, and clear guidance on what to do when an AI output looks plausible but wrong.
Outlook: The Federal AI Era Is Accelerating
OPM’s rollout is a bellwether. More agencies will follow, drawn by the low‑cost, fast‑track OneGov deals. The next wave will bring pressure to onboard ever more advanced models, fold AI into case management systems, and embed it into public‑facing services. But the gap between vendor promises and operational discipline remains wide. Procurement protests over OneGov compliance and reseller channels have already surfaced, and the liability questions around AI‑assisted decisions are far from settled. The practical test for OPM and its peers will be whether they can channel this momentum into documented use cases, enforced guardrails, and an upskilled workforce that treats AI outputs as assisted — never authoritative.