Federal Facial Recognition Use Grows — and So Does the Accountability Gap

Federal law enforcement agencies rely on facial recognition technology as an active investigative tool, according to GAO report GAO-24-107372, published in March 2024 — the most recent in a series of oversight reports the Government Accountability Office has produced on the subject over the past several years. The finding is not a surprise, but the continuity of GAO scrutiny across multiple report cycles tells its own story: this is a capability that has embedded itself into federal law enforcement practice faster than governance has followed.
What the GAO Has Been Tracking
The GAO's engagement with facial recognition in federal agencies spans at least three years of structured inquiry. In June 2021, the office surveyed 42 federal agencies that employ law enforcement officers about their use of the technology — the first systematic federal-level audit of its kind. That same report documented that U.S. Immigration and Customs Enforcement had assessed the privacy risks associated with its own facial recognition use, a finding notable as much for what it implied about agencies that had not conducted such assessments as for what it said about ICE.
By June 2022, GAO testified before Congress on federal agency use of facial recognition technologies and the associated privacy issues; that testimony noted 18 of the 24 agencies mentioned in the review. A year after that, in September 2023, GAO published GAO-23-105607, which examined the risks federal law enforcement agencies faced in deploying the technology — framing the audit squarely around risk management rather than simple capability inventory. The March 2024 report is the most recent data point in that arc.
Taken together, the sequence is methodical: survey the landscape, examine privacy implications, document risks, then confirm operational use. Each report has built on the prior, and the cumulative picture is of a technology now woven into federal investigative practice without a corresponding federal statutory framework to govern it.
The Technology in Practice
Facial recognition as used by federal law enforcement operates primarily as an investigative lead-generation tool — a probe image is run against one or more enrolled databases, and candidate matches are returned for human review. It is not, in operational best practice, used as standalone evidence of identity or guilt. The GAO's consistent focus on risk management reflects the known failure modes: false positive rates that vary significantly by demographic group (documented extensively in NIST FRVT evaluations), the distinction between cooperative and non-cooperative image matching, and the provenance and accuracy of the reference databases being queried.
The concern is not theoretical. A facial recognition match generated in an uncontrolled environment — a surveillance frame, a cell phone photograph — carries materially different reliability characteristics than a match against a controlled booking photograph. The risk profile changes again depending on whether the agency is querying its own database or accessing a commercial system with its own data-ingestion and algorithmic characteristics. The 2021 GAO survey of 42 agencies revealed that some were using commercial systems, including tools that scrape publicly available images — a data sourcing approach that raises distinct questions about consent, accuracy, and audit trail.
The Municipal Counter-Movement
While federal agencies have expanded operational use, a parallel regulatory movement has run in the opposite direction at the local level. San Francisco became the first U.S. city to ban facial recognition use by city agencies in May 2019, a prohibition that extended to information derived from external systems employing the technology — a clause designed to prevent circumvention via third-party data. According to reporting from the Electronic Frontier Foundation, at least 16 additional municipalities had enacted similar bans in the three years following San Francisco's move.
The divergence between the federal trajectory and the municipal one is structurally significant. Cities and counties have enacted hard prohibitions; federal agencies have continued operational deployment while subject to oversight recommendations that, by GAO's own design, are not legally binding. Federal agencies receive recommendations; they are not compelled by statute.
Worth flagging here: this is not a new dynamic in the relationship between technology capability and governance. The history of federal surveillance tool adoption — wire intercepts, pen registers, cell-site simulators — follows a consistent pattern in which operational use precedes statutory authorization by years, sometimes decades. Facial recognition appears to be tracking that same curve.
The Accountability Architecture Problem
The core issue surfaced by the multi-year GAO inquiry is not simply whether agencies use facial recognition, but whether they have documented policies, risk assessments, training standards, and audit trails in place. The 2023 risk-focused report and the 2024 confirmation of operational use together suggest that some agencies have made progress on governance — and that gaps remain.
For practitioners familiar with zero-trust security architecture, the analogy is instructive: logging and auditability are not constraints on operational capability, they are prerequisites for operating at scale without systemic risk accumulation. An agency that deploys facial recognition without documented query logs, without analyst training standards, and without a privacy impact assessment is operating a high-stakes identification system with no audit surface — exactly the condition that makes errors undetectable and accountability impossible.
ICE's documented privacy risk assessment, noted in the 2021 GAO report, is a data point on the right side of that ledger. The implicit question raised by the same report is how many of the other surveyed agencies had done equivalent work.
No Federal Statute, No Federal Standard
As of the date of the most recent GAO report, March 2024, no comprehensive federal statute specifically governs law enforcement use of facial recognition technology. Proposals have circulated — the Facial Recognition and Biometric Technology Moratorium Act was introduced in Congress, and various appropriations riders have restricted specific uses — but nothing has passed into law. The result is a patchwork: some agencies with internal policies, some without; commercial systems in use alongside government-operated ones; and a GAO that can recommend but cannot mandate.
The regulatory gap is not unique to facial recognition. Broader federal AI governance frameworks, including the Biden administration's 2023 Executive Order on AI and NIST's AI Risk Management Framework, provide guidance architecture that agencies can voluntarily adopt. Whether facial recognition deployments are being evaluated against those frameworks in practice is, at this point, not publicly documented at the level of specificity the GAO's technology-specific audits have provided.
Looking at what this means for the near term: the GAO's audit cadence — a new report roughly every twelve to eighteen months — functions, in the absence of statutory oversight, as the closest thing to a federal accountability mechanism in this space. That is a reasonable stopgap, but audits are retrospective by nature. They document what has happened; they do not set prospective conditions on deployment. The gap between those two functions is where risk accumulates.
What Comes Next
The presence of facial recognition as a confirmed, active investigative tool in federal law enforcement is now an established fact across multiple independent audit cycles. The governance question — who authorizes use, under what documented standard, with what logging and accountability mechanisms — remains formally unresolved at the federal statutory level.
For technology professionals working on identity systems, biometric infrastructure, or public-sector AI deployments, the GAO's multi-year record here is worth reading as primary source material. The reports are unusually specific about which agency types were surveyed, what documentation standards were or were not met, and what risk categories were identified. That granularity is rare in federal oversight documents and provides a clearer picture of where the accountability architecture actually stands than most secondary accounts convey.
The technology is deployed, it is operational, and it is working alongside human analysts to generate investigative leads in federal criminal cases. The infrastructure to govern it at a federal level remains, as of March 2024, incomplete.


