GSA Seeks Comment on Updated AI Contract Clause

June 29, 2026

WHAT: The U.S. General Services Administration (GSA) has published a second draft of the proposed GSAR 552.239-7001 clause that is aimed at establishing comprehensive requirements for safeguarding government data within large language model (LLM) artificial intelligence (AI) systems that process such data. According to GSA, this latest draft reflects substantial revisions to the initial draft released in January 2026, based on comments and concerns raised in response to the initial draft. Our coverage of the initial draft can be found here.

WHEN: The proposed clause was published in the Federal Register on June 17, 2026. GSA intends to hold a public listening session on the proposed clause on July 14, 2026 (registration closes July 3, 2026). Comments on the proposed clause, submitted via https://www.regulations.gov/, are due by August 3, 2026.

WHAT IT MEANS FOR INDUSTRY: The new draft clause will apply when LLMs process “Government Data” (which is defined in the proposed clause as discussed below). While the proposed clause carves out exceptions for certain LLM use cases (e.g., LLM functionality embedded in common commercial products or LLM functionality that is incidental), it will still result in significant requirements on contractors that directly provide LLM AI systems, as well as those that use LLM AI systems for the primary purpose of performance of a government contract. 

For example, where the clause applies, the contractor will be responsible for a service provider’s adherence to the clause and, under the second draft, must also obtain an attestation from the LLM’s developer, system operator, system integrator, and service provider that the requirements of the clause have been implemented. Additionally, prohibited uses of Government Data now include processing or storing data with, or transferring Government Data to, any party not authorized under the contract or without the proper flowdowns. GSA has removed the licensing requirement from the prior draft of the clause, however, which provided that an AI system could not refuse to produce data outputs or conduct analyses based on the contractor’s or service provider’s discretionary policies.

In the publication, GSA highlights the following key changes to the proposed clause:

• Changing the name of the clause to “Basic Safeguarding of Data Within Large Language Model Artificial Intelligence Systems (LLMs)” and clarifying that it applies only when Government Data will be processed by an LLM;
• Adding exceptions to application of the clause if the LLM is embedded in a common commercial product (i.e., a word processor or navigation system) or the LLM functionality is incidental to the primary purpose of the requirement being procured;
• Defining common roles involved with various functions within the LLM supply chain (LLM Developers, LLM System Operators, LLM System Integrators, and LLM Service Providers) and mandating the flowdown of specific requirements to any subcontractor or service provider functioning within applicable common roles;
• Updating the definitions of Contractor, Data, Data Inputs, Data Outputs, and Government Data, and establishing definitions for Background Data and Material Change;
• Clarifying contractor responsibilities, government data use and handling, licensing requirements, and compliance requirements;
• Identifying contractor and flowdown roles regarding compliance, reporting, and documentation;
• Replacing the term “change management” with “Change Notification” and clarifying what, when, and how to notify GSA of changes to the LLM; and
• Providing additional context to the application of “unbiased AI principles.”

In addition to the key changes highlighted by GSA, there are several other relevant changes of which contractors should be aware:

• Defining “Government Data” as data inputs, which include all data, information, personally identifiable information (PII), or content submitted ot the LLM by, or created for, the Government, and data outputs, which include all data, information, PII, any improvements, enhancements, corrections, annotations, or other modifications made to data inputs, or content generated by the LLM in the performance of the contract;
• The requirement for contractors and service providers to use only American AI systems has been removed and replaced with a requirement to maximize the use of LLMs developed, managed, and operated by an entity incorporated in the U.S. and subject to U.S. law and jurisdiction;
• The definition of LLM has been expanded to include “the integrated technical and operational environment in which the model is configured, deployed, operated, monitored, or made available for the processing of Government Data”;
• The requirement that only LLM Developers, System Operators, System Integrators, and Services Providers receive and process Government Data was added;
• An order of precedence provision has been added stating that the GSAR clause “establishes specific requirements that take precedence over conflicting provision in the Contractor’s policies, requirements, terms, conditions, or commercial agreements” has been added;
• The license to the Government has been revised to be limited to the specific purpose and scope of work of the contract and restricted to commercially available features, background data, and functionality of the LLM necessary to fulfill the contract;
• Prohibited uses related to use, processing, storage, and selling or licensing of Government Data have been added;
• The requirement for data handling procedures that restrict human access to Government Data has been expanded to include a list of automated processing systems and operational controls to prevent human access;
• A requirement that Government Data may be stored or processed only when reasonably necessary for performance of the contract has been added; and
• Provisions restricting foreign control and compulsion related to performance and operation of the LLM have been added.

NEXT STEPS: GSA is seeking public comment on the proposed draft clause through August 3, 2026. While stakeholders may comment on any aspect of the proposal, GSA is specifically seeking comments on the following questions:

1. Does the change in clause prescription adequately address previous concerns about the clause’s scope?
2. Are the requirements such as Government Data ownership and protection and contractor accountability clearly defined?
3. Are the roles and responsibilities of the contractor, LLM Developer, LLM System Operator, LLM System Integrator, and LLM Service Provider clearly defined, and are the flowdown paragraphs accurately presented?
4. Is implementation of flowdown clauses understandable?
5. Does the clause adequately address risks related to foreign ownership of LLMs, where changes to the LLM could covertly affect Government Data, outputs, or decisions without changing the contracting entity?

Although GSA has narrowed the clause’s applicability to instances in which Government Data is being processed by an LLM and removed other requirements that could be contentious, the clause will still impose significant compliance obligations. Therefore, contractors that intend to offer LLM systems or services to the Government and contractors that intend to use LLM systems in the performance of contracts should review GSA’s proposed clause and consider attending the public listening session and submitting comments.

Wiley’s Government Contracts and Privacy, Cyber, and Data Governance practices will continue to monitor and report on these issues. We counsel clients on AI compliance, risk management, and regulatory and policy approaches, and we engage with key government stakeholders in this quickly moving area. If you have any questions, please contact one of the authors listed on this alert.