Skip to main content
← Back to Insights
ComplianceApril 2026

The ATO Timeline Survival Guide for AI Teams

The number one reason government AI projects stall has nothing to do with the technology. It is the ATO.

Authorization to Operate. The process that determines whether your system can actually run in a government environment. It typically takes 6 to 12 months. And if you don't plan for it from the start, it will kill your project.

We have built AI systems that passed ATO on multiple federal programs. Here is what we have learned.

Start with the security architecture, not the model

Most AI teams start with the model. They pick a framework, train on sample data, and build a prototype. Then they hand it to the security team and say “how do we get this authorized?”

By that point, the architecture decisions have already been made. And most of them are wrong for a compliance environment.

Start the other direction. What is the target environment? What authorization boundary will this system live in? What data classification levels are involved? What NIST controls apply? Answer these questions before writing a line of code.

Build your SSP as you build your system

The System Security Plan is the document that describes how your system meets each security control. Most teams write it after the system is built. That is a mistake.

If you document your security controls in parallel with development, two things happen. First, you catch compliance gaps early, when they are cheap to fix. Second, your SSP is ready when the system is ready, not 6 months later.

We keep a running SSP document from week one of every government engagement. Engineering decisions get documented against the relevant controls as they are made. By deployment, the SSP is 80% complete.

Know the difference between an ATO and a pilot authorization

Many programs use interim authorizations, limited ATOs, or pilot approvals to get systems running faster. These are useful, but they are not the same thing as a full ATO.

A pilot authorization typically has a time limit, a restricted user base, and a limited data scope. It lets you prove value while the full ATO is in progress. But you need to plan for the full authorization from day one, or the pilot becomes a dead end.

We scope engagements to deliver within pilot authorization timelines while building toward full ATO. The system is running and useful while the paperwork catches up.

Pick your deployment environment early

Cloud, on-premise, air-gapped, hybrid. The answer determines everything from infrastructure costs to data handling procedures to the specific control set you need to implement.

We have seen teams build for commercial cloud and then learn the program requires IL5 or air-gapped deployment. That is a full rebuild. Six months lost. Budget gone.

Confirm the deployment environment in the first week. Not the first month. The first week.

Treat the ISSO as a team member, not a gatekeeper

The Information System Security Officer is not there to block your project. They are there to make sure it can actually run. Bring them in early. Show them the architecture. Walk them through the data flow. Ask what they need.

Teams that treat the ISSO as an obstacle spend months going back and forth on remediation items. Teams that treat the ISSO as a collaborator get their controls documented correctly the first time.

The bottom line

The ATO process does not have to add a year to your timeline. But it will if you treat it as an afterthought.

Build for compliance from day one. Document as you go. Pick the environment early. Work with security, not around it.

We have done this on multiple federal programs. We build AI systems that pass ATO because we plan for it before we write the first line of code.

Building AI for a government environment?

We will tell you exactly what the compliance path looks like for your use case. 30-minute call.