New ISOO Notice 2026-01 Addresses AI and Sensitive Information Handling

BLUF

In furtherance of the Administration’s objectives to rapidly and responsibly utilize the immense potential of AI, ISOO has issued ISOO Notice 2026-01 to provide guidance regarding agency handling of classified national security information (classified information) and controlled unclassified information (CUI) with the use of various AI systems and tools.

The Notice’s guidance covers requirements that must be adhered to and considerations for AI systems with respect to classified information and CUI.

ISOO Notice 2026-01 – CUI and AI

As artificial intelligence continues to rapidly evolve, federal agencies are being urged to balance innovation with responsibility, especially when it comes to sensitive data. ISOO Notice 2026-01 reinforces a clear message: existing rules for handling classified national security information and CUI fully apply to AI use.

While agencies are encouraged to adopt AI to enhance mission effectiveness and competitiveness, they must do so within established security frameworks. One of the most critical directives is straightforward: classified information and CUI must never be entered into AI systems that are internet-connected or not accredited to handle such data. This includes many commercial and generative AI tools.

The guidance also emphasizes the importance of risk-based decision-making. Agencies are advised to involve key stakeholders, including: CIOs, CISOs, and classification and CUI program officials when evaluating AI systems. Open, closed, and generative systems each introduce unique risks related to data exposure, adaptability, and control. This makes it imperative to understanding how different types of AI affect your network architecture.

In the future, agencies may be expected to update internal policies and allocate resources to ensure compliance with evolving AI use. This includes aligning with federal mandates and frameworks, like NIST and OMB.

Ultimately, ISOO’s guidance highlights a dual priority: leverage AI’s transformative potential while maintaining strict safeguards around sensitive information. Responsible adoption will define success in this next phase of federal technology modernization.

SecureStrux and ISOO Notice 2026-01

At SecureStrux, we help organizations navigate this exact intersection of innovation and compliance. As agencies evaluate how to responsibly integrate AI, it’s critical to ensure alignment with existing frameworks like CMMC, NIST 800-53, and Zero Trust principles. Our team supports the design and accreditation of secure environments where emerging technologies can be tested and deployed without introducing unnecessary risk to classified or CUI data.

Key Questions This Article Answers

• What is ISOO Notice 2026-01?
• Will ISOO Notice 2026-01 affect me?
• What ISOO Notices utilize CUI and AI?