At Glance Background
AI-Safe Legacy Modernization for Government

AI-Safe Legacy Modernization for Government

AI-Safe Legacy Modernization for Government | VOLO

February 24, 2026 | Author: Levon Hovsepyan

TABLE OF CONTENTS

  • The Government Legacy Modernization Problem
  • What AI-Safe Modernization Looks Like in Practice
  • Data and Evidence: Where Public Sector AI Stands Today
  • Practical Implications for Established Public Sector Organizations
  • Frequently Asked Questions
  • Conclusion

Smart sensors monitor bridge integrity in real time. Citizen portals process benefit claims in minutes. Fraud detection systems flag suspicious payments before they clear. This is the promise of AI in government, and it is already delivering results in the agencies that did the infrastructure work first.

Underneath those wins, a compounding problem runs quietly. The IRS still processes filings on COBOL-based systems older than the Apollo program. The Social Security Administration manages tens of millions of lines of legacy code written by engineers who have since retired. According to a July 2025 GAO report, the U.S. federal government spends over $100 billion on IT annually, and roughly 80% of that budget goes toward operating and maintaining aging systems, some of which are more than 50 years old.

For CTOs, CIOs, and technology leaders in government and public sector organizations, the question is no longer whether to modernize. The challenge is how to bring AI into environments built decades before the internet existed, without disrupting the services that millions of citizens depend on every day.

This article covers what makes legacy modernization in government a different problem from the private sector, how AI works as a safe accelerant in this context, and what a phased, compliance-first approach looks like when it actually works.

KEY TAKEAWAYS

  • 80% of the U.S. federal IT budget goes toward maintaining existing systems per the GAO, leaving only 20% for new development.
  • AI-safe modernization means building the next layer while keeping the current one operational, not replacing everything at once.
  • The strangler fig approach lets agencies retire legacy components one at a time with no high-risk cutover events.
  • McKinsey found agentic AI modernization programs deliver significant developer productivity gains when human experts stay in the loop.
  • By 2029, Gartner projects 60% of government agencies globally will use AI agents to automate citizen interactions, up from less than 10% today.
  • NIST AI RMF, FedRAMP, and Section 508 compliance must be designed in from the start. Retrofitting it at the end always costs more.

The Government Legacy Modernization Problem

The scale of technical debt is unlike anything in the private sector

GAO's July 2025 review of 69 federal legacy IT systems identified 11 systems most in need of modernization across 10 agencies. Eight use outdated programming languages. Four run on unsupported hardware. Seven operate with known cybersecurity vulnerabilities that cannot be remediated without a full modernization effort. These are not internal back-office tools. They are systems processing federal benefits, managing tax compliance, and supporting national security operations.

The financial picture compounds the urgency. The 10 critical legacy systems GAO identified in its 2019 review cost approximately $337 million annually to operate and maintain. Six years later, only three of those modernization projects are complete. The rest continue consuming budget that would fund new capabilities, while the security risk grows with every year of inaction. Nextgov reported in May 2025 that agencies face a narrowing window for structured knowledge capture, with institutional expertise leaving faster than it can be documented or transferred.

The integration gap is what kills most AI pilots

Most government AI programs do not fail because of a lack of vision. They fail when a promising pilot meets real infrastructure. Government data lives in silos across legacy systems, cloud environments, and on-premises servers that were never designed to communicate. The pattern is familiar: an AI tool performs well in a controlled environment, then stalls the moment it needs data from three different legacy databases with incompatible schemas and no API layer.

McKinsey's 2025 State of AI report confirms that nearly two-thirds of organizations remain stuck in pilot mode, with fragmented data and legacy technology consistently cited as the top structural barriers to scaling AI. That finding applies with particular force in government, where data environments are older and more fragmented than in most private sector contexts.

The compliance bar is non-negotiable and getting tighter

Federal agencies must align AI deployments with the NIST AI Risk Management Framework. Systems handling federal data must operate within FedRAMP authorization scope. Section 508 accessibility standards apply to any citizen-facing interface. OMB Memoranda M-25-21 and M-25-22 require documented AI strategies, procurement guardrails, and maintained human oversight for high-stakes decisions.

NIST's AI RMF is designed to help organizations manage AI-associated risks across the full lifecycle and continues to expand with guidance covering generative AI and agentic deployments. Gartner's 2025 Hype Cycle for Government Services notes that fear of public failure and low community trust in government AI are significant brakes on citizen-facing deployment, making governance architecture a political prerequisite, not just a technical one.

What AI-Safe Modernization Looks Like in Practice

Building around legacy systems rather than tearing them out

The strangler fig pattern is the foundation. New capabilities are built around the legacy system rather than inside it. API layers wrap existing services so modern applications can consume data without the legacy system changing. Specific functions then migrate to the new architecture in controlled increments, with the legacy system running in parallel until each component is fully validated. There are no high-risk cutover events, and the agency adjusts pace based on operational conditions and budget cycles.

AI as an accelerant inside a supervised workflow

When AI is applied to legacy modernization inside a human-supervised workflow, it compresses timelines significantly. AI-powered code analysis maps a legacy codebase's dependency structure in days rather than weeks. API scaffolding that would take weeks to write manually can be generated, reviewed, and refined in a fraction of that time. McKinsey's LegacyX program found meaningful developer productivity improvements when human experts set the target state and validate AI outputs at every stage. The human role shifts from doing the volume work to setting guardrails and validating results.

Human oversight built in as a design requirement

The NIST AI Risk Management Framework is explicit: for high-stakes decisions, humans must remain in the loop across the full AI lifecycle. AI-generated code, architecture recommendations, and migration scripts all need validation by engineers who understand the policy context, data sensitivity, and operational dependencies before anything reaches production.

A phased roadmap sequenced by risk and citizen impact

Modernization starts with a complete, current inventory of what actually exists. AI-assisted code analysis produces that documentation in days, without relying on institutional knowledge that may already be heading out the door. From that assessment, the roadmap sequences work by risk level, citizen impact, and technical dependency. High-risk, deeply entangled systems get API-wrapped first. Lower-risk components get refactored or rebuilt in parallel using modern, cloud-native architectures. Security and compliance requirements are embedded in every layer from the start.

Also read: How GovTech Leaders Are Closing the Digital Service Gap

Also read: AI Compliance in the Public Sector: What CTOs Need to Know

Data and Evidence: Where Public Sector AI Stands Today

The results are visible in agencies that did the infrastructure work first. U.S. Treasury Department machine learning systems recovered over $4 billion in fraudulent payments in fiscal year 2024. The Centers for Medicare and Medicaid Services denied hundreds of thousands of fraudulent claims in 2025 using AI-enhanced review. Both outcomes share the same prerequisite: clean, accessible data and an integration layer that made AI deployment viable before AI was deployed.

Gartner's 2025 Hype Cycle for Government Services found that sovereign AI and AI agents have both reached the Peak of Inflated Expectations in the public sector, meaning expectations are running significantly ahead of actual delivery. The agencies that close that gap in the next three to four years will be the ones that resolved the legacy integration problem during this period.

Gartner's 2026 CIO Survey found that 74% of government CIOs have already deployed or plan to deploy AI within the next 12 months, with generative AI interest even higher at 78%. What separates agencies that convert that intention into operational results from those that remain in pilot mode is almost always the quality of the underlying data and integration infrastructure.

McKinsey's State of AI 2025 report found that organizations realizing the most significant AI impact shared one characteristic: they treated AI as a catalyst for organizational transformation, scaling systematically rather than running disconnected pilots. Agencies that modernize infrastructure first and deploy AI second consistently outperform those that attempt both simultaneously on aging systems.

Practical Implications for Established Public Sector Organizations

For government agencies operating with dedicated IT leadership, multi-year technology roadmaps, and real accountability for service continuity, AI-safe legacy modernization requires a partner with engineering depth and institutional understanding, not just implementation capability.

The starting point is always an objective assessment of what actually needs to change. Not every legacy system is a liability. Some are stable, well-understood, and performing their function adequately. The ones that move first are the ones creating operational risk, carrying security vulnerabilities that cannot be patched in place, and blocking AI integration that would meaningfully improve citizen services.

From that assessment, a phased roadmap sequences work by risk level, dependency, and citizen impact. High-risk systems get API-wrapped first. Lower-risk components get incrementally migrated. Security, accessibility, and compliance requirements are embedded in every layer from the start.

VOLO works with established public sector organizations at exactly this intersection. When an agency needs to extend its digital infrastructure, integrate legacy systems with modern platforms, or build the data foundation that makes AI viable, VOLO builds the custom systems, handles the integrations, modernizes the legacy components, and provides the ongoing support that allows the organization to operate and grow without building a large in-house engineering team.

If your agency is evaluating a legacy modernization roadmap, talk to VOLO's public sector engineering team. The first step is always an honest assessment of where your systems stand today.

Conclusion

Government legacy modernization has never been more urgent, and the window to approach it thoughtfully is narrowing. With 11 of the most critical federal systems still running on outdated languages and unsupported hardware, and Gartner projecting AI agent adoption in government to increase sixfold within four years, the agencies building solid infrastructure today will be the ones positioned to meet citizen expectations through the next decade.

AI-safe modernization is about moving intelligently, phasing the work to manage risk, embedding compliance from the start, keeping human oversight in every decision that matters, and building toward an architecture that can carry the AI capabilities already arriving. For public sector technology leaders facing these decisions, the right partner is one that understands both the engineering complexity and the institutional reality, and can execute without disrupting the services citizens depend on.

VOLO works alongside established public sector organizations to build the custom systems, integrations, and modernization paths that make this possible, without requiring agencies to staff up a large internal engineering team to get there.

At Glance Background
levon hovsepyan avatar

Levon is an experienced technology consultant leading the strategic direction of VOLO. His work focuses on AI enablement, digital transformation, and how organizations adopt and govern technology at scale.

With a background in engineering and product leadership, he brings a systems-level perspective to technology and business decisions. His writing explores AI adoption, engineering discipline, and leadership in building reliable digital systems in complex, regulated environments.

Levon Hovsepyan Chief Business Officer

Related Blogs

Cta Background

Subscribe to our Newsletter

Frequently Asked 
Questions

Still have a question?

Contact us We'll be happy to help you.

Levon Hovsepyan

The foundational technique is the strangler fig approach: new capabilities are built around the legacy system rather than inside it. API layers wrap existing services so modern applications can access data without the legacy system changing. Specific functions migrate to the new architecture in controlled increments, with the legacy system running in parallel until each component is fully validated. This eliminates high-risk cutover events and allows modernization to proceed at a pace the agency can absorb. GAO's research consistently shows that agencies lacking documented modernization plans with clear milestones face significantly higher rates of cost overrun and schedule failure.

Procurement readiness must be built before an opportunity arises. This means current security certifications, documented past performance in public sector environments, and the ability to clearly map a modernization approach to an agency's stated requirements and compliance obligations. VOLO engages government clients at the requirements stage where possible, so technical scope and procurement considerations are aligned from the start rather than reconciled under deadline pressure at the end.

Section 508 of the Rehabilitation Act applies to any citizen-facing interface built for or procured by a federal agency. VOLO incorporates WCAG 2.1 AA compliance as a baseline requirement for citizen-facing output, with Section 508 conformance testing embedded in the QA process rather than treated as a final delivery check. For state and local work, accessibility requirements are assessed at the outset of each engagement based on the applicable jurisdiction's standards.

In most cases, yes, and this is almost always the right first step. The integration pathway involves building a data abstraction layer that standardizes how data flows in and out of the legacy system, making it accessible to modern tools without requiring the core system to change. Legacy government systems often have poorly documented schemas, inconsistent data quality, and no native API capabilities, making this work non-trivial but achievable with the right engineering approach. McKinsey's AI research confirms that organizations scaling AI successfully almost always cite clean, integrated data access as the foundational prerequisite, and government is no exception.

For federal engagements, the baseline expectations include alignment with the NIST AI Risk Management Framework, FedRAMP authorization scope awareness, zero-trust architecture practices consistent with CISA guidance, and Section 508 accessibility compliance for any citizen-facing output. For state and local work, SOC 2 Type II and GDPR-compliant data handling are standard requirements. A capable modernization partner should map their engineering practices to these frameworks explicitly before any code is written.

A structured implementation typically follows a 90-day foundation phase covering assessment, dependency mapping, architecture design, and initial pilot deployment, followed by a 6 to 18 month implementation period depending on system complexity, data quality, and agency size. For mid-size agencies with a defined scope, meaningful progress is achievable within 90 days and full capability delivery within 12 months. GAO's 2025 findings show that agencies without documented plans that include clear milestones consistently run longer and cost more, making structured planning the most reliable predictor of whether a modernization program stays on track.

Let’s build something transformational together

Book Consultation
  • 24 hrs average response time
  • Team of Experts
  • 100% delivery rate