An official AI intelligence platform for public sector professionals. All content generated and verified by Astra.
analysis

AI in federal transportation FAA DOT and the race to regulate autonomous systems

Published: Mar 4, 2026 Verified 2026-05-07 LOW FAA, DOT OST, NHTSA, FMCSA, FRA; federal program offices deploying or regulating AI-enabled autonomous aviation and vehicles ⏱ 7 min read

Bottom line

FAA is using binding operational rules, exemptions, and certification pathways to control autonomy in the National Airspace, while DOT’s surface-transportation regulators are combining voluntary guidance with targeted mandatory reporting and FMVSS updates to manage automated driving risk across cameras, sensors, and AI decision stacks123456789. OMB’s AI memo and the NIST AI Risk Management Framework now create a cross-government baseline for governance, inventories, and risk controls for any AI deployed or regulated by federal transportation missions1011.

What is regulated and by whom

  • Aviation: FAA’s Part 107 governs small UAS operations, including visual line of sight, operations over people, waivers, and pilot certification; this is the baseline for most AI-enabled UAS operational approvals1. FAA’s Remote ID final rule requires most UAS to broadcast identification and location, creating an enforcement and safety data layer for autonomy at scale2. FAA’s BEYOND program continues structured integration work on BVLOS and other advanced operations with state, local, and industry partners12. The BVLOS ARC’s 2022 final report recommended risk-based frameworks and new categories to enable routine BVLOS, informing FAA’s ongoing rulemaking and waiver posture13. FAA’s Innovate28 plan outlines near-term AAM operations, airspace integration steps, and certification/operational approvals necessary for initial eVTOL services by 20283. FAA’s Safety Risk Management Order 8040.4B mandates safety risk analysis for changes affecting the NAS, including new autonomous concepts of operation4.

  • Automated driving systems: NHTSA’s “A Vision for Safety 2.0” sets voluntary guidance encouraging Safety Assessment Letters and transparency on ADS design, ODD, HMI, and validation, rather than prescriptive pre-market approvals5. DOT’s AV 3.0 and AV 4.0 broaden the federal posture, emphasizing consistent terminology, removing unintended regulatory barriers, and supporting R&D and standards while maintaining NHTSA’s defect/enforcement authorities67. NHTSA’s Standing General Order requires crash reporting for vehicles equipped with ADS and Level 2 ADAS, establishing mandatory incident data flows for analysis and enforcement8. NHTSA’s 2022 final rule updated FMVSS occupant protection to address vehicles without traditional manual controls, aligning safety requirements with potential fully automated vehicle configurations9.

  • Commercial motor vehicles: FMCSA issued an ANPRM seeking comment on the safe integration of ADS-equipped CMVs, focusing on operational design domains, minimal risk conditions, and driver/attendant roles, signaling early-stage rule development for trucking autonomy14.

  • Rail: FRA’s PTC regulations mandate interoperable safety automation for train control, including requirements for system certification, risk analysis, and fail-safe operation; while not AI-specific, they are precedent for rigorous, safety-critical automation governance in transportation15.

The race to regulate: areas of alignment and friction

  • Binding aviation controls versus voluntary ADS guidance: FAA’s Remote ID and Part 107 establish mandatory operational controls and traceability for autonomy in the NAS, while NHTSA’s ADS guidance remains voluntary, supplemented by targeted mandatory reporting via the Standing General Order1258. This creates divergent regulatory tempos: aviation relies on prescriptive rules and certificates; ADS relies on post-market oversight and data-driven enforcement1258.

  • Near-term AAM integration versus ADS FMVSS modernization: FAA’s Innovate28 sets concrete steps for eVTOL operations, infrastructure, and procedures; NHTSA’s occupant protection rule modernizes FMVSS for vehicles without manual controls but leaves broader ADS performance requirements to guidance and enforcement, not type approval395.

  • BVLOS pathway clarity: The BVLOS ARC recommended frameworks for routine BVLOS, including shielded operations, third-party service providers, and right-of-way constructs; FAA is still using waivers and exemptions for case-by-case approvals pending rulemaking, which maintains safety control but slows scale131. The surface-transport posture relies on voluntary submissions with mandatory incident reporting, enabling faster deployment but with post hoc risk management58.

  • System safety governance: FAA’s SRM Order imposes structured hazard identification and mitigations before operational change; NHTSA’s defect authority and incident reporting provide after-the-fact safety interventions. Both models aim at risk reduction but differ in when controls bind development and deployment485.

Policy drivers agencies must meet

  • Executive Order 14110: directs agencies to advance safe, secure, and trustworthy AI, including designating Chief AI Officers, strengthening AI governance, and coordinating on standards and safety approaches relevant to critical infrastructure and transportation missions16.

  • OMB M-24-10: requires agencies to establish AI governance structures, maintain AI use case inventories, implement risk management practices for AI (including specific safeguards for rights-impacting or safety-impacting applications), and align with applicable standards and frameworks10.

  • NIST AI RMF 1.0: provides a structure for mapping, measuring, and managing AI risk across the lifecycle, including governance functions, risk measurement, data and model integrity, and human factors applicable to autonomous systems development and oversight11.

These drivers apply both to agencies deploying AI internally (e.g., analytics for safety oversight) and those regulating external AI deployments (e.g., ADS crash reporting, UAS operational approvals), shaping acquisition, testing, and assurance expectations101181.

Technical and regulatory implications for autonomy programs

  • Aviation autonomy must plan for traceability and operational authorization: Remote ID is mandatory for most UAS; BVLOS remains primarily via waivers pending rulemaking; AAM operations are being staged under Innovate28 with certification and procedural readiness milestones21313.

  • ADS programs must manage dual regimes: voluntary safety self-assessments and transparency per ADS 2.0 alongside binding crash reporting and applicable FMVSS updates, with enforcement via defect authority if unsafe behavior manifests in the field589.

  • Safety risk management is non-negotiable: FAA’s SRM requires formal hazard analyses before integration changes; rail’s PTC demonstrates deep system certification and interoperability requirements for safety-critical automation—useful benchmarks for AI-enabled control systems seeking federal acceptance415.

Acquisition and cloud posture — mapping to federal AI governance

  • Agencies must align AI acquisitions and deployments with OMB M-24-10 governance, inventories, and risk practices and use NIST AI RMF to structure controls and assurance across development and operations1011.

  • For mission data and safety oversight workloads, Azure Government is authorized at FedRAMP High, providing a compliant baseline for regulated workloads requiring high-impact cloud controls; this authorization is independently verifiable via the FedRAMP Marketplace17. For defense-related transportation integrations requiring DoD CC SRG impact levels (e.g., IL5/IL6), Microsoft documents Azure Government’s support for these authorizations; agencies must confirm specific boundary and service inclusions with their authorizing officials18.

  • Responsible AI and compliance tooling: Microsoft’s Responsible AI Standard and Azure Policy’s regulatory compliance mappings can be employed to operationalize OMB/NIST requirements within agency cloud environments; agencies should validate policy mappings against their AI use case inventories and risk controls mandated by M-24-1019201011.

What to do next

  • Codify governance: Stand up AI governance per M-24-10, designate CAIO responsibilities, and publish an AI use case inventory that distinguishes rights-impacting or safety-critical autonomy from low-risk analytics; adopt NIST AI RMF for risk management and assurance planning1011.

  • Aviation programs: Ensure Remote ID compliance for UAS fleets, plan BVLOS via Part 107 waivers informed by BVLOS ARC frameworks, and align AAM efforts to Innovate28 milestones; embed SRM analyses early in concept development and before operational approvals211334.

  • ADS programs: Produce and maintain Safety Assessment Letters per ADS 2.0 guidance, implement telemetry and incident pipelines to meet Standing General Order reporting, and confirm vehicle designs against updated FMVSS occupant protection requirements for vehicles without manual controls589.

  • Cloud and tooling: Place safety-oversight and regulated data workloads on FedRAMP High-authorized environments; for defense transportation integrations requiring CC SRG IL5/IL6, validate Azure Government authorizations and service scope with AO/PAOs; implement Azure Policy and Responsible AI controls aligned to OMB and NIST frameworks171820191011.

  • Evidence generation: Use SRM artifacts, operational test data (e.g., Remote ID, incident logs), and ADS crash reports to continuously reassess risk and inform rulemaking comments, waivers, exemptions, and enforcement decisions across FAA and DOT modalities248.

1: 14 CFR Part 107 — Small Unmanned Aircraft Systems — https://www.ecfr.gov/current/title-14/chapter-I/subchapter-F/part-107 2: Remote Identification of Unmanned Aircraft Systems — Final Rule (86 FR 4390) — https://www.federalregister.gov/documents/2021/01/15/2021-00066/remote-identification-of-unmanned-aircraft 12: FAA BEYOND — UAS Integration Program — https://www.faa.gov/uas/programs_partnerships/beyond 13: UAS Beyond Visual Line of Sight (BVLOS) Aviation Rulemaking Committee — Final Report — https://www.faa.gov/sites/faa.gov/files/2022-03/UAS_BVLOS_ARC_Final_Report_508.pdf 3: FAA Innovate28 — Advanced Air Mobility operations plan — https://www.faa.gov/innovation/advanced_air_mobility/innovate28 4: FAA Order 8040.4B — Safety Risk Management Policy — https://www.faa.gov/documentLibrary/media/Order/FAA_Order_8040.4B.pdf 5: Automated Driving Systems: A Vision for Safety 2.0 — https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/13069a-ads2_0_092017_v1a_tag.pdf 6: Preparing for the Future of Transportation: Automated Vehicles 3.0 — https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf 7: Ensuring American Leadership in Automated Vehicle Technologies: AV 4.0 — https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/362136/av-40-ensuring-american-leadership-automated-vehicle-technologies.pdf 8: Standing General Order — Crash Reporting for Vehicles Equipped with ADS or Level 2 ADAS — https://www.nhtsa.gov/laws-regulations/standing-general-order-crash-reporting-level-2-adas-ads 9: Occupant Protection for Vehicles With Automated Driving Systems — Final Rule — https://www.federalregister.gov/documents/2022/03/30/2022-06235/occupant-protection-for-vehicles-with-automated-driving-systems 14: FMCSA ANPRM: Safe Integration of ADS-Equipped CMVs — https://www.regulations.gov/docket/FMCSA-2022-0004 15: 49 CFR Part 236 — Signal and Train Control (including PTC) — https://www.ecfr.gov/current/title-49/subtitle-B/chapter-II/part-236 16: Executive Order 14110 — Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence — https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence 10: OMB Memorandum M-24-10 — Advancing Governance, Innovation, and Risk Management for Agency Use of AI — https://www.whitehouse.gov/omb/memoranda/2024-m-24-10/ 11: NIST AI Risk Management Framework 1.0 — https://www.nist.gov/itl/ai-risk-management-framework 17: FedRAMP Marketplace — Microsoft Azure Government — https://marketplace.fedramp.gov/products?search=Azure%20Government 18: Microsoft Azure Government — DoD CC SRG Impact Level authorizations — https://learn.microsoft.com/azure/azure-government/documentation-government-compliance 19: Microsoft Responsible AI Standard v2 — https://aka.ms/RAIStanv2 20: Azure Policy regulatory compliance mappings (including NIST SP 800-53) — https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#regulatory-compliance

References

  1. 14 CFR Part 107 — Small Unmanned Aircraft Systems — https://www.ecfr.gov/current/title-14/chapter-I/subchapter-F/part-107
  2. Remote Identification of Unmanned Aircraft Systems — Final Rule (86 FR 4390) — https://www.federalregister.gov/documents/2021/01/15/2021-00066/remote-identification-of-unmanned-aircraft
  3. FAA Innovate28 — Advanced Air Mobility operations plan — https://www.faa.gov/innovation/advanced_air_mobility/innovate28
  4. FAA Order 8040.4B — Safety Risk Management Policy — https://www.faa.gov/documentLibrary/media/Order/FAA_Order_8040.4B.pdf
  5. Automated Driving Systems: A Vision for Safety 2.0 — https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/13069a-ads2_0_092017_v1a_tag.pdf
  6. Preparing for the Future of Transportation: Automated Vehicles 3.0 — https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf
  7. Ensuring American Leadership in Automated Vehicle Technologies: AV 4.0 — https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/362136/av-40-ensuring-american-leadership-automated-vehicle-technologies.pdf
  8. Standing General Order — Crash Reporting for Vehicles Equipped with ADS or Level 2 ADAS — https://www.nhtsa.gov/laws-regulations/standing-general-order-crash-reporting-level-2-adas-ads
  9. Occupant Protection for Vehicles With Automated Driving Systems — Final Rule — https://www.federalregister.gov/documents/2022/03/30/2022-06235/occupant-protection-for-vehicles-with-automated-driving-systems
  10. OMB Memorandum M-24-10 — Advancing Governance, Innovation, and Risk Management for Agency Use of AI — https://www.whitehouse.gov/omb/memoranda/2024-m-24-10/
  11. NIST AI Risk Management Framework 1.0 — https://www.nist.gov/itl/ai-risk-management-framework
  12. FAA BEYOND — UAS Integration Program — https://www.faa.gov/uas/programs_partnerships/beyond
  13. UAS Beyond Visual Line of Sight (BVLOS) Aviation Rulemaking Committee — Final Report — https://www.faa.gov/sites/faa.gov/files/2022-03/UAS_BVLOS_ARC_Final_Report_508.pdf
  14. FMCSA ANPRM: Safe Integration of ADS-Equipped CMVs — https://www.regulations.gov/docket/FMCSA-2022-0004
  15. 49 CFR Part 236 — Signal and Train Control (including PTC) — https://www.ecfr.gov/current/title-49/subtitle-B/chapter-II/part-236
  16. Executive Order 14110 — Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence — https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence
  17. FedRAMP Marketplace — Microsoft Azure Government — https://marketplace.fedramp.gov/products?search=Azure%20Government
  18. Microsoft Azure Government — DoD CC SRG Impact Level authorizations — https://learn.microsoft.com/azure/azure-government/documentation-government-compliance
  19. Microsoft Responsible AI Standard v2 — https://aka.ms/RAIStanv2
  20. Azure Policy regulatory compliance mappings (including NIST SP 800-53) — https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#regulatory-compliance

Was this helpful?

Related Articles

analysis Status of Microsoft 365 Copilot Researcher and Analyst in US Government clouds 2026-05-07 analysis Status of model sharing with NIST for AI cybersecurity testing 2026-05-07 analysis Federal AI policy framework status May 2026 2026-05-07
Citations verified by Astra All content generated by Astra — PubSecAI's AI research system