SDK Quick Start — Government & Public Sector

Getting started: Government & Public Sector

This guide takes you from install to your first attributed governance record in government & public sector. You will install the SDK, configure a provider, instrument a workflow step with the real OTel attribute vocabulary from this vertical, and have a reviewable evidence record in your portal within an afternoon. There is no scaffolding project — just your API key and the three steps below.

Why this matters right now. As of March 2026, agentic AI in government and public sector is deployed across: automated benefits eligibility determination (Social Security, Medicaid, SNAP, unemployment insurance), AI-driven immigration document review and risk scoring (USCIS, CBP), predictive law enforcement tools (crime forecasting, recidivism risk scoring), AI-assisted procurement and contract vehicle management (GSA, DoD), automated FOIA request triage and redaction, AI-powered citizen services chatbots and case routing (VA, SSA, IRS), fraud detection and improper payment prevention (OMB paymentaccuracy.gov), federal cybersecurity threat detection (CISA CDM programme), AI-assisted legislative drafting and regulatory analysis, and open data portal AI (Data.gov, DOGE-related automation). OMB M-24-10 (March 2024) requires every federal agency to: designate a Chief AI Officer (CAIO), conduct annual inventories of all AI use cases, complete minimum risk practices for rights-impacting and safety-impacting AI by December 2024, and publish AI use case inventories. EO 14110 requires agencies with AI use in critical infrastructure or national security to conduct safety evaluations and report to OMB. The EU AI Act Annex III paras 5–7 explicitly classify AI used in public benefits administration, law enforcement, migration, and border control as high-risk. OMB M-24-10 Section 5 establishes minimum risk management practices for 'rights-impacting' and 'safety-impacting' AI — AI that meaningfully impacts the rights, opportunities, or access to critical resources of members of the public, or that could threaten the life or safety of individuals. These practices include: independent assessments before deployment, ongoing monitoring, testing for bias and disparate impact, providing human alternatives and timely human review, and public disclosure. Federal agencies that deploy such AI without completing these practices must pause or halt use. The EU AI Act Article 6(2) and Annex III para 5(a) make AI systems determining access to public benefits and services a high-risk category — applying from August 2, 2026 with a 12-month grace period for systems already in service. The Council of Europe AI Convention (CETS 225), which the US, EU member states, and other signatories opened for signature in September 2024, creates binding human rights obligations for AI across public and private sector applications.

How the layering works

You are not adopting a separate product surface for this vertical. You are adding a market-specific vocabulary layer on top of the same core session model used everywhere in VeriProof.

If you need the cross-industry baseline first, open the core SDK reference, Python core, or .NET core before continuing here.

Step 1 — Install

TypeScript / Node.js

npm install @veriproof/sdk-core

Python

pip install veriproof-sdk

.NET

dotnet add package Veriproof.Sdk

Step 2 — Configure

Call the configuration helper once, before any AI framework initialises. After that call, every OTel span in the process — whether emitted by your code or by a framework adapter — is exported automatically to VeriProof.

Your API key comes from the VeriProof portal. Try a live demo to see the portal before you register, or start a free Builder account and use the environment variable pattern above directly.

Need a production credential path rather than sandbox exploration? Get API access for a Builder account, or contact the team if you need an architecture or compliance review alongside implementation.

Step 3 — Instrument your workflow

The governance vocabulary for this vertical lives in the Government & Public Sector reference. Use the OTel attribute names below — they are the same names the portal uses in evidence records and the same names your policy engine will evaluate. Consistency here is the point.

TypeScript example

import { configureVeriproof, VeriproofClient, VeriproofSdkOptions, SessionMetadata } from '@veriproof/sdk-core';
import { FedRAMPAuthorizationStatus, FedRAMPAuthorizationStatusMeta, FIPSSecurityLevel, FIPSSecurityLevelMeta } from '@veriproof/sdk-core/verticals/government-public-sector';

// Call once at application startup
configureVeriproof(
  VeriproofSdkOptions.createProduction({
    apiKey: process.env.VERIPROOF_API_KEY!,
    applicationId: 'government-public-sector-app',
  }),
  { serviceName: 'government-public-sector-app', setGlobal: true },
);

// Instrument a governed workflow
const client = new VeriproofClient(
  VeriproofSdkOptions.createProduction({ apiKey: process.env.VERIPROOF_API_KEY! }),
);

const session = client
  .startSession('government.public.sector.review')
  .withSessionMetadata(SessionMetadata.forTransaction('txn-001').withEnvironment('production'))
  .addStep('evaluate', { output: { status: 'completed' } })
  .withMetadata(FedRAMPAuthorizationStatusMeta.otelAttribute, FedRAMPAuthorizationStatus.in_process)
  .withMetadata(FIPSSecurityLevelMeta.otelAttribute, FIPSSecurityLevel.level_1)

await session.complete();

Python example

import os
from opentelemetry import trace
from veriproof_sdk import VeriproofClientOptions, configure_veriproof
from veriproof_sdk.verticals import government_public_sector as gps

# Call once at application startup
configure_veriproof(
    VeriproofClientOptions(
        api_key=os.environ["VERIPROOF_API_KEY"],
        application_id="government-public-sector-app",
    ),
    service_name="government-public-sector-app",
    set_global=True,
)

tracer = trace.get_tracer(__name__)

# Instrument a governed workflow
with tracer.start_as_current_span("government_public_sector.review") as span:
    span.set_attribute(gps.FedRAMPAuthorizationStatus.__otel_attribute__, gps.FedRAMPAuthorizationStatus.in_process.value)
    span.set_attribute(gps.FIPSSecurityLevel.__otel_attribute__, gps.FIPSSecurityLevel.level_1.value)
    span.set_attribute(gps.FISMAImpactLevel.__otel_attribute__, gps.FISMAImpactLevel.low.value)
    ...

.NET example

using Veriproof.Sdk;
using Veriproof.Sdk.Core.OpenTelemetry.Verticals.GovernmentPublicSector;

// Configure once at application startup
builder.Services.AddVeriproof(options =>
{
    options.ApiKey = builder.Configuration["VERIPROOF_API_KEY"]!;
    options.ApplicationId = "government-public-sector-app";
});

// Instrument a governed workflow step
using var activity = ActivitySource.StartActivity("evaluate");
    activity?.SetTag(FedRAMPAuthorizationStatus.Metadata.OtelAttribute, FedRAMPAuthorizationStatus.in_process);
    activity?.SetTag(FIPSSecurityLevel.Metadata.OtelAttribute, FIPSSecurityLevel.level_1);
    activity?.SetTag(FISMAImpactLevel.Metadata.OtelAttribute, FISMAImpactLevel.low);

How teams use this in production

• FedRAMP & Cloud Security Authorisation: Fed RAMPAuthorization Status. OPA policy blocks any AI agentic workflow from routing federal data to a cloud-based AI service whose FedRAMP authorisation status is not 'authorized_agency', 'authorized_jab', or 'authorized_with_conditions'. 'Revoked' status triggers immediate data routing halt and CISO notification. (Fedramp Rev5: FedRAMP Rev 5 — Cloud services processing federal data at Low, Moderate, or High impact levels require FedRAMP authorisation)
• FedRAMP & Cloud Security Authorisation: FIPSSecurity Level. AI agent security posture registry records the FIPS security level of all cryptographic modules used by the agent. OPA policy enforces that AI agents processing CUI must use Level 2 or above. AI agents in physically unprotected field deployments processing classified data require Level 4. (Fips 140 3: FIPS 140-3 — Cryptographic module validation; federal agencies must use validated modules for all cryptographic operations)
• NIST SP 800-53 Control Compliance Monitoring: NISTSPControl Family. AI continuous monitoring agent generates automated evidence for each NIST SP 800-53 control it can assess. Evidence records are tagged with control family and specific control ID (e.g. AC-2, AU-6) for ingestion into eMASS or equivalent agency GRC platform.
• NIST SP 800-53 Control Compliance Monitoring: Continuous Monitoring Frequency. FedRAMP ConMon requires monthly vulnerability scanning, annual penetration testing, and continuous log monitoring. AI compliance agents schedule and execute control assessments at the required frequency and generate evidence with timestamp and frequency classification for the FedRAMP PMO.

Next steps

• Open the full Government & Public Sector governance reference for all 21 enum categories, policy patterns, and source standards.
• Review TypeScript SDK core for advanced session-builder options, batch export, and Merkle verification.
• Review Python SDK core for decorator-based annotations and framework adapter options.
• Review .NET SDK core for Semantic Kernel, AutoGen, and Activity-based instrumentation.
• Browse all vertical references to understand how the core governance vocabulary layers underneath vertical-specific attribute sets.
• Compare this guide with the public industry pages if you need the commercial and workflow framing behind the same vocabulary.