The Architects Are Working One Side of the Table
AI is redistributing power inside the Freedom of Information Act. The agency side has spent two years designing for itself. The requester side has not been designed at all.
Twelve papers at one academic workshop. Seven federal agencies already deploying or piloting AI in FOIA processing. One architecture proposal sitting inside the official body that recommends FOIA reform to the Archivist of the United States. The agency side of the Freedom of Information Act is being designed in public. The requester side is being designed by no one.
This is an essay about that asymmetry, and about what the next decade of public records depends on someone building.
PART I / The Agency-Side Architecture, As Designed
The AIOG 2026 workshop at ICAIL in Singapore, June 8, will publish the most concentrated single drop of FOIA-AI architectural thinking in the history of the field. The headline paper is Jason R. Baron and Devanshu Kejriwal's "An AI-Orchestrated Architecture for Responding to FOIA Requests" [1], which proposes a five-stage agency pipeline: an intake chatbot, a search and preservation layer, a sensitivity-review classifier for exempt material, a generative determination-letter author, and an audit substrate. It is the most fully specified architecture for AI-mediated FOIA processing in print, and the authors acknowledge in their related-work section that they could not find prior work on multi-stage AI orchestration in this space.
It is not alone. Larooij and Graus at the University of Amsterdam show that a Qwen3.5-9B model running air-gapped on a single consumer GPU, prompted with chain-of-thought and few-shot error examples, outperforms BERT and prior classifiers on Exemption 5 deliberative-process classification [2]. Romana Afroze at Delaware Law School proposes a deontic-logic framework that beats fine-tuned BERT by 14.4 points of precision on 847 D.C. Circuit Vaughn-index entries, arguing that current agency-side ML classifiers "are operating outside the legal framework they are supposed to instantiate" [3]. Ravi Mahajan at SUNY Buffalo lifts retrieval recall on a 512-document NARA-and-MuckRock benchmark from 51 percent to 86 percent with a multimodal RAG pipeline aimed at the 78 percent of NARA's holdings that exist only as scans [4]. Jack McKechnie at Glasgow argues that sensitivity-aware search must be implemented as a cascading pipeline where every retrieval stage, not just the final classifier, is sensitivity-aware [5].
These are not careless papers. They engage live engineering problems with real benchmarks and real deployment concerns. They will be read by every serious FOIA-AI researcher for the next several years.
Every one of them assumes the agency is the operator.
In Baron and Kejriwal's architecture, the requester appears as a dialogue partner for Stage 1's chatbot and the eventual recipient of Stage 4's determination letter. They never appear as an actor with their own tooling, intent, or strategy. The clarification loop assumes the requester arrives in good faith looking for help disambiguating their request. In 2026, that is no longer a defensible baseline. Capable requesters are drafting with large language models, mapping custodians from Office of Inspector General reports, and reverse-engineering exemption patterns from agency reading rooms and prior releases aggregated on the FOIA Project's lawsuit database [10]. A chatbot whose job is to resolve ambiguities is going to meet ambiguities that are deliberate tradecraft, not error. The architecture does not account for a move it is going to see immediately.
In Baron and Kejriwal's architecture, the requester appears at two interface points.
Five internal stages, one audit substrate, one oversight pipe. Everything between the two interface points is internal to the agency. The architecture is the system. The requester is a peripheral.
- FAIL 1: The clarification loop assumes good-faith ambiguity. Capable requesters bring deliberate tradecraft.
- FAIL 2: The classifier decides what to withhold without consulting the case law the letter then cites. The seam between decision and justification closes.
- FAIL 3: The authors concede AI cannot reliably evaluate the foreseeable-harm standard - the post-2016 legal pressure point.
Two interface points. Five internal stages. The requester is a packet that goes in and a packet that comes out.
The Stage 3 to Stage 4 chain creates a second problem. A learned classifier, in Baron and Kejriwal's specification a fine-tuned Legal-BERT model, produces the withholding decision. The Stage 4 generative model then writes the legal narrative that explains it, retrieving FOIA case law and prior agency decisions through a RAG pipeline. Today's clumsy determination letters leak. They show their seams. A RAG-narrated letter citing on-point case law will read more defensible than the underlying decision actually is, because the classifier did not consult the case law the letter cites. Requesters lose the diagnostic value that today's awkward letters quietly provide: the visible seam between the redaction call and its legal scaffolding. The append-only audit log in Baron and Kejriwal's Figure 3 gives oversight a record. It does not give the requester insight. Those are not the same accountability surface.
The third failure is the one the authors themselves flag. Section 4 item 5 of the paper concedes that AI cannot reliably evaluate the foreseeable-harm standard that Congress codified in the FOIA Improvement Act of 2016 [14]. That standard is not a small concession. The D.C. Circuit in Reporters Committee for Freedom of the Press v. FBI required "a focused and concrete demonstration" of why disclosing "the particular type of material at issue" would "actually impede" agency deliberations, "given the specific context of the agency action at issue," and held that "a perfunctory statement that disclosure of all the withheld information would jeopardize the free exchange of information will not suffice" [12]. Exemption 5 with the foreseeable-harm gate is where the post-2016 litigation lives. An architecture that automates everything except the legal pressure point has not been tested against the work that actually drives appeals.
Only Afroze, among the entire AIOG cohort, formalizes the foreseeable-harm predicate at all, and even Afroze places it inside the agency's own reasoning, not as a tool the requester can wield [3]. Larooij and Graus, with the candor that good engineers bring to public papers, write that "recall is more important than precision, as the impact of forgetting to redact sensitive information can be much larger than suggesting to redact too much" [2]. That loss function is honest. It is also a structural decision to privilege withholding. Once productionized inside an agency, it does not stop at the redaction step. It is the agency's posture, encoded.
Every one of these failures is the same failure. The architecture was designed without an adversary in the room.
PART II / The Architecture Is Also Underbuilt On Its Own Side
This is not an academic exercise.
Per the National Archives Office of Government Information Services 2024 Records Management Self-Assessment, 18.6 percent of federal agencies, 50 of 269 respondents, already use artificial intelligence or machine learning in FOIA processing [8]. The Office of Management and Budget's federal AI use case inventory lists 3,611 use cases across 56 agencies in 2025.
The federal AI-in-FOIA roster is varied in maturity. In current production: Relativity eDiscovery, Microsoft Purview, FOIAXpress AI Assist, and Veritas Clearwell at the Department of Commerce [9]; and ArkCase at DOJ INTERPOL, the Office of Personnel Management, and the Equal Employment Opportunity Commission. In formal pilot: an AI/LLM-based redaction pilot at the Centers for Medicare and Medicaid Services (built consistent with Department of Justice guidance per HHS reporting), and a separate AI/LLM-based responsiveness-and-redaction pilot inside the Department of Health and Human Services Office of the Secretary [16]. Explored or partially piloted: MITRE's FOIA Assistant at the Consumer Product Safety Commission, which flags Exemption 4 monetary figures, Exemption 5 deliberative language, and Exemption 6 personally identifiable information per MuckRock's agency-disclosure investigation.
Adjacent records-AI deployment is even further along. The State Department's Machine Learning Declassification Pilot, operational since October 2022, made correct declassification decisions on 1997 diplomatic cables 99.29 percent of the time and reduced State Department labor on cable declassification by over 60 percent [15]. Declassification is not FOIA processing, but it is the federal records-AI maturity frontier. None of this is speculative. Production, pilot, and adjacent are all happening at once.
The DOJ Office of Information Policy, the official voice for federal FOIA policy, calls AI "an emerging and promising area" while emphasizing "the importance of ensuring that there is sufficient human monitoring and that appropriate safeguards are established so that the government is operating consistent with our obligations under FOIA" [7]. OGIS, whose mandate is FOIA oversight, observes that AI and machine learning "have the potential to aid in FOIA processing" and qualifies in the next sentence that they "are not a substitute for the judgment of FOIA professionals on application of exemptions and foreseeable harm" [8]. The critical academic voice in the field, Ronald Capaldi's 2025 article in the Journal of the National Association of Administrative Law Judiciary, argues that without algorithmic audits and mandatory disclosure of deployment, agency AI converts FOIA into "an empty promise of openness" [6]. He is right about the risk. He stops one move short.
So the agency side is being deployed, the official posture says human FOIA professionals must remain in the loop on the legal layer, the academic critic warns that agency AI without audits hollows the law, and in the official materials surveyed here - DOJ OIP guidance, OGIS reporting, FOIA Advisory Committee output, and the academic-policy literature - no source addresses the question of whether the requester side gets to operate AI at all. The redistribution-of-power frame appears nowhere in the official record.
Even granting the agency-side architecture its own premises, the system being sketched is not deployable at the scale the next four years will demand. Five structural omissions sit underneath the design.
First, cost. An architecture that demands GPU-accelerated inference, managed vector databases at scale, and continuous Stage 5 oversight is not a budget-neutral migration from current human-only processing. Federal AI procurement at FedRAMP-grade authorization runs in the millions to tens of millions of dollars per agency per year, with vendor lock-in to a small number of cleared LLM and infrastructure providers. Most agencies cannot afford it. The architecture as proposed quietly assumes a Treasury, Health and Human Services, or Department of Homeland Security budget.
Second, workforce. The system requires a supervisor breed that does not exist in the federal FOIA workforce today: senior FOIA professionals who can evaluate model outputs, adversarially test classifier decisions, and rule on edge cases at speed. The trilemma is hard. That person cannot be hired at General Schedule pay grades. They cannot be substituted by contractors without budgets no agency actually has. The roughly five to seven thousand federal FOIA staff across all agencies are a niche workforce already, and the AI-FOIA-supervisor specialization is narrower still.
Third, security. A Stage 3 BERT classifier trained on classified or controlled material is itself a data-handling problem. Vector embeddings of FOIA-processed documents in managed databases can be inverted, at least partially, into their source text using techniques that are well-developed in the machine learning security literature. The append-only audit log that Stage 5 maintains is a high-value target precisely because it captures input and output snapshots of the very sensitive material the system was processing. The Stage 1 chatbot is an attack surface: prompt injection in request text, jailbreaks to extract the classification rubric, side-channel inference of exemption thresholds. None of this is addressed in the published architectures.
Fourth, what might be called meta-FOIA recursion. The pipeline generates records. The append-only audit log is a federal record. The classification decisions are federal records. The chatbot transcripts are federal records. The model versions and training data are discoverable in litigation. All of them are subject to NARA retention schedules. All of them are subject to future FOIA requests. The architecture creates its own FOIA exposure. The more comprehensive the audit, the larger the exposure surface. There is no FOIA-specific NARA schedule addressing AI intermediate state in the published guidance, and no FOIA Advisory Committee recommendation addressing what happens when a requester FOIAs the audit log of the AI that processed their original request.
Fifth, demand. The 1.5 million federal FOIA requests of fiscal year 2024 are the last figure the Baron and Kejriwal paper cites [1]. The system is being designed for that volume. Per ProPublica and Gizmodo reporting on the Heritage Foundation's Oversight Project, the campaign filed on the order of one hundred thousand AI-generated FOIA requests in roughly two months, generating intake rates that some impacted FOIA offices reported as one per second and consuming a documented share of staff days at the targeted agencies [18][18a]. Some agencies subsequently lost FOIA personnel to reductions in force in mid-2025, partly in connection with the strain. That episode is the canary. A single requester-side actor with AI forced visible structural change at federal FOIA offices in months, not years. The next actor with AI will face the question of what they should be building for, not whether the demand will arrive. The architecture being designed at AIOG is being designed for the demand environment of 2025, not the demand environment of 2029.
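One mitigation for the audit-log exposure raised under the third omission, shown as an added example rather than anything from the cited architectures: the log records keyed digests of each stage's input and output instead of snapshots, and chains entries so that edits and truncation are detectable. The class and function names, stage labels and sample content are constructed; storing the digest key in a KMS or HSM apart from the log is an assumption.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(fields):
    """Stable byte encoding so the same fields always hash the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


class DigestAuditLog:
    """Hash-chained log that stores keyed digests of stage inputs and outputs,
    never the documents themselves."""

    def __init__(self, digest_key):
        # Assumption: the key is held apart from the log store, so a stolen
        # log cannot be matched against guessed document text.
        self._key = digest_key
        self.entries = []

    def _digest(self, content):
        return hmac.new(self._key, content, hashlib.sha256).hexdigest()

    def append(self, stage, request_id, stage_input, stage_output, decision):
        body = {
            "seq": len(self.entries),
            "stage": stage,
            "request_id": request_id,
            "input_digest": self._digest(stage_input),
            "output_digest": self._digest(stage_output),
            "decision": decision,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash to anchor outside the pipeline, for example with the overseer."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def matches(self, seq, content, field="input_digest"):
        """Key holder confirms that `content` is what the stage actually saw."""
        return hmac.compare_digest(self.entries[seq][field], self._digest(content))


def first_broken_entry(entries, anchored_head=None):
    """Index of the first entry that fails verification, len(entries) if the
    chain is intact but does not end at anchored_head, else None."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("entry_hash"):
            return i
        prev = entry["entry_hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(entries)
    return None


def demo():
    # Constructed sample content standing in for sensitive records.
    memo = b"DRAFT memo: staff recommend option B (constructed sample)"
    letter = b"Forty pages are withheld under Exemption 5 (constructed sample)"
    log = DigestAuditLog(digest_key=b"\x01" * 32)  # constructed key
    log.append("stage3-classifier", "REQ-0001", memo, b"label=exempt_b5", "withhold")
    log.append("stage4-letter", "REQ-0001", b"label=exempt_b5", letter, "letter_drafted")
    head = log.head()

    stored = json.dumps(log.entries).encode("utf-8")
    edited = copy.deepcopy(log.entries)
    edited[0]["decision"] = "release"           # in-place edit of one record
    truncated = copy.deepcopy(log.entries[:1])  # last record silently dropped
    return {
        "intact": first_broken_entry(log.entries, head),
        "plaintext_in_log": memo in stored or letter in stored,
        "memo_matches": log.matches(0, memo),
        "other_doc_matches": log.matches(0, b"some other memo"),
        "edited": first_broken_entry(edited, head),
        "truncated_unanchored": first_broken_entry(truncated),
        "truncated_anchored": first_broken_entry(truncated, head),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The chain alone does not stop someone with write access from rebuilding every hash, so the head hash has to be held outside the pipeline for `anchored_head` to mean anything.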
There is one further fact that is not technical, but is the hardest fact in this essay.
The architecture, the seat, and the recommendation are held by one person.
The author of the most fully specified agency-side FOIA-AI architecture in print also co-chairs an Implementation Subcommittee whose recommendations reach the Archivist of the United States. The FOIA Advisory Committee - established by NARA, 17 members across 7 government seats and 10 non-government seats - has no comparable requester-side architectural voice.
Jason Baron is the lead author of the AIOG 2026 architecture paper. He also co-chairs the Implementation Subcommittee of the FOIA Advisory Committee - NARA's standing advisory body whose recommendations shape federal FOIA reform - in the committee's current 2024-2026 term [8b][8c]. The committee has 17 members across two structural bins: 7 government seats (representing the agencies that process FOIA requests) and 10 non-government seats (representing requesters, academics, journalists, and the commercial requester community). Audited across all 17: none of the 7 government members has published a peer-reviewed FOIA-AI architecture proposal. None of the 9 other non-government members has either. Baron is the only one, and his architecture serves the agency side from a non-government seat. The closest near-misses are Ryan Mulvey's AFPF policy essays and Nicholas Wittenberg's Armedia vendor commentary; neither is architecture-specific or peer-reviewed.
Baron's paper is not an academic exercise. The architecture being sketched at AIOG is being authored by an institutional voice on the body that recommends FOIA reform to the National Archivist. There is no equivalent requester-side architectural voice in that room.
PART III / The Other Half of the Problem Belongs to the Requester
The honest current state of the requester side is not zero. It is also not the architectural counterweight the situation demands.
MuckRock has filed 176,343 requests across 28,198 agencies, fulfilled 58,809, and released 11.9 million pages [9]. Its production platform has no AI. Its only AI build is a research prototype called Agent Moss, a retrieval system over public records retention schedules, second-stage, not productionized [9b]. The FOIA Project's lawsuit database covers 18,742 FOIA cases through March 2026, useful for litigation research and unavailable for request generation [10]. The Reporters Committee for Freedom of the Press maintains the Open Government Guide and a legal hotline; their iFOIA tool was sunset and the URL now redirects to their main site [11].
Several AI-native entrants have arrived in 2025 and 2026. FOIA Fluent, built at the NYC Data Science for Social Good civic project, is the most architecturally complete to date: corpus-search-grounded request drafting against statute and prior outcomes, a 1,600-agency federal transparency hub with success-rate/response-speed/fee/portal-availability rankings across 54 jurisdictions, per-agency exemption-pattern deep-dives, one-click appeal generation, and a daily-feed pattern engine that watches court opinions, agency enforcement actions, recalls, IG reports, and regulatory dockets over 60-day windows [19]. Open FOIA Project, built by James Scott, ships an exemption anticipator that predicts which of the nine federal exemptions an agency will invoke and offers pre-written challenge strategies, a case-law library including controlling FOIA precedent, an appeal letter generator citing case law, and 100+ agency profiles with denial rates and common exemptions across all fifty states [25]. EZFOIA offers AI document analysis on already-received releases at $75 per single request and up to $500 per month for unlimited filing [20]. FOIAflow, launched in April 2026 by a high-school student and his brother and covered respectfully by FOIA Advisor, claims autonomous filing, follow-up, appeals, and document analysis from a topic input [21]. FOIA Buddy operates a sub-fifty-cent-per-request service with a documented appellate history. Narrower legacy tools include FOIA Friend's request drafting workflow [22] and FOIA Machine's open-source IRE-lineage letter generator. AILA's FOIA Toolbox is a 735-page PDF that costs $181 and is not software [24].
These are real builds. FOIA Fluent and Open FOIA Project in particular are doing serious engineering work, between them covering partial pieces of the first four asymmetric-layer elements at marketing depth. What has not been built, by anyone at production-grade depth, is the full integrated stack - and specifically, the two elements that most precisely counter agency-side AI: per-analyst correspondence intelligence, and counter-AI vendor fingerprinting. Those remain uncontested territory.
Zero platforms cover the FULL asymmetric layer.
Five capabilities specifically counter agency-side AI deployment. The current market: one platform ships one element at production-grade depth (FOIA Fluent's agency hub). Partial coverage on three more elements is scattered across the field. Two elements have no coverage at all - exemption pattern mining and counter-AI fingerprinting.
| Platform | Agency Intel | Intake Tradecraft | Exemption Pattern Mining | Harm Rebuttal | Counter-AI | Coverage |
|---|---|---|---|---|---|---|
| FOIA Fluent | | | | | | 1 full + 3 partial |
| Open FOIA Project | | | | | | 4 / 5 partial |
| MuckRock | | | | | | 1 / 5 partial |
| FOIAflow | | | | | | 2 / 5 partial |
| FOIA Buddy | | | | | | 1 / 5 partial |
| EZFOIA | | | | | | 0 / 5 |
| FOIA Machine / FOIA Friend | | | | | | 0 / 5 |
| Column coverage | 1 full / 3 partial | 2 partial | 2 partial | 3 partial | 0 | 1 full total / 0 platforms cover all 5 |
FOIA Fluent
The most architecturally complete requester-side platform to date. Civic-tech provenance, no commercial pressure. The only platform with documented full coverage on any single element of the asymmetric layer.
- Verified: 1,600-agency federal hub with success rate / response speed / fee rate / portal availability rankings across 54 jurisdictions
- Verified: Per-agency deep-dives with exemption-pattern surfacing
- Verified: Corpus-grounded drafting against statute + eCFR + past outcomes (model constrained against fabricated citations)
- Verified: One-click appeal letters generated from the request timeline
- Verified: Statutory deadline monitoring
- Verified: Daily-feed pattern engine: court opinions, agency enforcement, recalls, IG reports, regulatory dockets, 60-day windows
- Missing: Per-analyst correspondence intelligence
- Missing: Counter-AI vendor fingerprinting
- Missing: Adversarial intake (interviewing requester before drafting)
Open FOIA Project
Personally funded by founder James Scott. The largest single direct collision with the asymmetric-layer thesis at marketing depth. Claims partial coverage on four of five columns. Verification of actual shipping depth vs. marketing copy is the open question.
- Claimed: AI request drafting with 5 U.S.C. § 552 citations
- Claimed: Exemption Anticipator: predicts which of the 9 federal exemptions agencies might invoke + pre-written challenge strategies
- Claimed: Case Law Library (named cases include NLRB v. Robbins Tire, DOJ v. Reporters Committee)
- Claimed: Appeal Letter Generator citing case law
- Claimed: 100+ agency profiles with denial rates and common exemptions, all 50 states
- Claimed: Deadline tracker, multi-agency filing, fee-waiver analyzer, 1,000+ templates
- Missing: Counter-AI vendor fingerprinting
- Missing: Per-analyst correspondence intelligence
- Missing: Production-depth verification on most modules
MuckRock
The largest requester-side platform by volume. 176,343 requests filed across 28,198 agencies, 58,809 fulfilled, 11.9M pages released. Zero AI features shipped in the consumer product. Internal Agent Moss / foia-coach RAG project exists in MuckRock's GitHub organization but is not productionized.
- Verified: 28,198-agency directory (Name + Jurisdiction visible; per-request statistics surface per request, not as structured per-office intelligence)
- Verified: Per-request response statistics aggregated across platform history
- Verified: FOIA filing workflow, document hosting, news/community layer
- Missing: AI request drafting
- Missing: Exemption prediction
- Missing: Harm rebuttal automation
- Missing: Counter-AI
- Missing: Per-analyst intelligence
FOIAflow
Built by 17-year-old Amanuel Asfaw with his brother. Launched 7 April 2026. Site is mostly imagery; capabilities are marketing claims, not verified production depth. Pricing surfaced externally: Solo $49/mo, Pro $99/mo. Respectfully covered by FOIA Advisor on launch.
- Verified: Launched April 2026 with FOIA Advisor coverage
- Claimed: Topic-to-filing autonomous agent (drafts from topic input)
- Claimed: Autonomous follow-ups
- Claimed: Appeals generation
- Claimed: Document analysis
- Missing: Per-analyst intelligence
- Missing: Counter-AI
- Missing: Production-depth verification across all modules
FOIA Buddy
Commercial service. Sub-fifty-cent-per-request after a free first request. All 50 states. Real adversarial filer with a documented appellate history (Curry and FOIA Buddy v. Sw. Sch. Dist., Pennsylvania Office of Open Records). Traditional workflow, no AI features on landing page.
- Verified: Per-request filing at sub-$0.50 / request
- Verified: All 50 states + DC coverage
- Verified: Agency contact data + state-law summaries
- Verified: Documented appellate history (Curry v. Sw. Sch. Dist., PA OOR)
- Missing: AI drafting (no AI features documented on landing page)
- Missing: Per-analyst intelligence
- Missing: Counter-AI
- Missing: Production-depth on exemption mining or harm rebuttal
EZFOIA
Document-side AI only. Search, summarization, insight extraction on releases the user has already received. Pricing: $75 per single request, $200 for a 5-pack, $500 for unlimited monthly. A different axis from the asymmetric layer entirely.
- Verified: Post-receipt document search and AI analysis
- Verified: Summarization and insight extraction from released documents
- Verified: Pricing: $75 single, $200 / 5-pack, $500 unlimited monthly
- Missing: Agency directory or intelligence
- Missing: Request drafting (AI or otherwise)
- Missing: Appeals generation
- Missing: Exemption mining
- Missing: Counter-AI or per-analyst intelligence
FOIA Machine and FOIA Friend
FOIA Machine is the original free letter generator with Investigative Reporters and Editors lineage. FOIA Friend is a single-line landing page offering drafting + tracking. Both pre-date the AI-native generation. Historically important; new entrants are partly competing to fill the void these tools left.
- Verified: FOIA Machine: open-source free letter generation, IRE lineage
- Verified: FOIA Friend: drafting + tracking workflow
- Missing: AI features of any kind (neither platform documents AI augmentation)
- Missing: Counter-AI
- Missing: Per-analyst intelligence
- Missing: Modern stack across the board
Five concrete elements of the requester-side architecture are uncontested territory.
The operator at the center. Five capabilities to reach parity with the agency side.
Each module is technically achievable today. The corpus, the legal scaffolding, and the agency intelligence already exist as public data. The build window closes as the agency-side AI stack matures toward 2028.
Agency Intel
A living per-FOIA-office knowledge graph maintained at portal depth, with per-analyst behavior signatures mined from years of agency correspondence. Updates as agencies move portals, change fee schedules, restructure sub-components, and rotate FOIA staff.
- FOIA.gov API (federal agency directory + annual performance data)
- FOIA Project (TRAC) lawsuit database
- Agency reading rooms and FOIA libraries (scheduled scraping)
- Agency FOIA portals (live state, change-detection)
- Historical request response logs (per-analyst correspondence)
- GovInfo + eCFR for regulatory citations and Privacy Act eligibility
- Postgres + JSONB per-agency knowledge graph
- Next.js scrapers on scheduled jobs (Vercel Cron / GitHub Actions)
- Claude API for unstructured agency-prose enrichment and analyst-pattern classification
- Vector embeddings (pgvector) for similar-agency matching and routing
- FOIA.gov API client with rate-limit aware backoff
- Per-agency routing card (correct office, submission method, current fee schedule)
- Per-analyst behavior fingerprint ("Analyst Y closes 73% of requests early at agency X; routinely cites Exemption 5")
- Fee waiver guidance per requester category
- Real-time portal-change alerts ("Treasury moved FOIA off portal Dec 2025")
- Sub-component routing guard for large agencies (DHS, DOJ, HHS)
Intake Tradecraft
A conversational LLM agent that interviews the requester about real intent before drafting. Decides when ambiguity is strategically valuable. Files Privacy Act in parallel where applicable. Refuses reflexive scope-narrowing - the exact opposite move from Baron's Stage 1 clarification loop.
- Requester interview transcripts (multi-turn structured)
- FOIA Improvement Act 2016 statutory framework as context
- Privacy Act eligibility decision tree
- Per-agency drafting templates (loaded from Agency Intel knowledge graph)
- Case law corpus for foundational citation
- Multi-turn Claude API session with adversarial drafting system prompt
- Statutory framework + agency-specific templates as injected context
- Privacy Act parallel-filing trigger logic
- Streaming UI for live drafting reveal
- Strategically drafted FOIA request with deliberate ambiguity preserved where it widens the search
- Parallel Privacy Act request when requester is the subject of the records
- Scope justification document (for agency challenge response)
- Expedite-justification language where applicable
Exemption Pattern Mining
Mines historical agency releases at scale. Surfaces per-office withholding patterns, exemption-claim language, and the loss-on-appeal language that signals an agency's vulnerable arguments. Predicts which exemptions a given office will invoke for a given document type and topic.
- Historical agency releases (PDF + redaction patterns + reading-room exports)
- FOIA Project lawsuit database (cases lost on appeal, with opinion text)
- Determination letters from prior requester submissions
- OGIS mediation reports for agency-specific dispute patterns
- D.C. Circuit FOIA opinions for binding precedent
- PDF/OCR pipeline for historical releases (Mistral OCR or equivalent)
- Vector DB (pgvector) of release content for similarity search
- Per-agency exemption-claim classifier fine-tuned on labeled corpus
- Loss-on-appeal language detector (D.C. Circuit corpus)
- Topic + document-type taxonomy for prediction lookup
- "Agency X invokes Exemption 5 on 80% of deliberative-process documents in topic Y"
- "This determination-letter language pattern has lost on appeal in N D.C. Circuit cases"
- Exemption-claim prediction for the requester's specific submission
- Recommended request scoping to minimize anticipated exemptions
Harm Rebuttal
Drafts appeals against the foreseeable-harm standard codified in the FOIA Improvement Act of 2016 (5 U.S.C. § 552(a)(8)(A)). Cites controlling D.C. Circuit precedents. Identifies the agency's specific failure to meet Reporters Committee v. FBI's "focused and concrete demonstration" standard. Requests in-camera review on contested redactions.
- D.C. Circuit FOIA case law (Reporters Cmte v. FBI 3 F.4th 350 + post-2016 lineage)
- Full FOIA case-law corpus (TRAC FOIA Project lawsuit database, 18,742 cases)
- The agency's specific determination letter (parsed for exemption claims)
- The agency's prior loss-on-appeal language (from Exemption Pattern Mining module)
- 5 U.S.C. § 552 statutory text + DOJ OIP guidance
- Legal-text RAG over case law corpus (vector + BM25 hybrid)
- Determination-letter parser (extracts exemption claims by paragraph)
- Appeal template generator with citation injection
- In-camera-review request boilerplate generator
- Appeal-authority lookup (from Agency Intel) for proper submission
- Appeal letter with case-citation arguments per exemption invoked
- In-camera review request for contested redactions
- Foreseeable-harm gap analysis (where the agency's letter fails the standard)
- Deadline-tracked submission package to the agency appeal authority
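A sketch of the determination-letter parser and foreseeable-harm gap analysis listed above, as an added example that is not code from any platform named in this essay. The sample letter is constructed, the function names are hypothetical, and the harm-language heuristics are assumptions meant to triage paragraphs for a human drafter, not a legal test; the boilerplate phrases come from the opinion language quoted earlier in the essay.

```python
import re

# One exemption number with an optional 7(A)-7(F) style subpart. The lookaheads
# stop "Exemption 5, 12 pages" and "Exemption 6, 5 U.S.C." from yielding a
# second, spurious number.
_NUM = r"[1-9](?!\d)(?!\s*U\.S\.C)(?:\([A-F]\))?"
WORD_FORM = re.compile(
    r"\bExemptions?\s+(" + _NUM + r"(?:\s*(?:,\s*and|,|and|&)\s*" + _NUM + r")*)",
    re.IGNORECASE,
)
ITEM = re.compile(r"([1-9])(?:\(([A-Fa-f])\))?")
CITE_FORM = re.compile(r"\(b\)\(([1-9])\)(?:\(([A-F])\))?")  # e.g. 552(b)(7)(C)

# Heuristic vocabularies (assumptions, tune against real letters).
HARM = re.compile(
    r"\b(?:harm(?:s|ed|ful|ing)?|imped(?:e|es|ed|ing)|impair\w*|chill\w*"
    r"|jeopardi[sz]\w*|inhibit\w*|foreseeabl[ey])\b",
    re.IGNORECASE,
)
BOILERPLATE = re.compile(
    r"free exchange of (?:information|ideas)"
    r"|all (?:of )?the withheld (?:information|material|records)",
    re.IGNORECASE,
)


def exemptions_in(text):
    """Exemptions cited in either 'Exemption 7(C)' or '(b)(7)(C)' form."""
    found = set()
    for match in WORD_FORM.finditer(text):
        for num, sub in ITEM.findall(match.group(1)):
            found.add(num + (f"({sub.upper()})" if sub else ""))
    for num, sub in CITE_FORM.findall(text):
        found.add(num + (f"({sub})" if sub else ""))
    return sorted(found)


def harm_status(paragraph):
    """'missing' = no harm language, 'boilerplate' = generic harm language,
    'stated' = harm language that is not one of the generic phrases."""
    if not HARM.search(paragraph):
        return "missing"
    return "boilerplate" if BOILERPLATE.search(paragraph) else "stated"


def analyze_letter(letter):
    """One finding per paragraph that invokes at least one exemption."""
    findings = []
    for index, raw in enumerate(re.split(r"\n\s*\n", letter.strip())):
        paragraph = " ".join(raw.split())
        exemptions = exemptions_in(paragraph)
        if exemptions:
            findings.append({"paragraph": index, "exemptions": exemptions,
                             "harm": harm_status(paragraph)})
    return findings


def gaps_by_exemption(findings):
    """Group the paragraphs a drafter should look at first, per exemption."""
    gaps = {}
    for finding in findings:
        if finding["harm"] != "stated":
            for exemption in finding["exemptions"]:
                gaps.setdefault(exemption, []).append(
                    (finding["paragraph"], finding["harm"]))
    return gaps


# Constructed sample letter, not taken from any agency.
SAMPLE_LETTER = """\
This responds to your request of 3 March (constructed sample letter).

We located 212 pages of responsive records. Forty pages are withheld in full
under Exemption 5, 5 U.S.C. 552(b)(5), as deliberative process material.
Disclosure of all the withheld information would jeopardize the free exchange
of information within the agency.

Names and direct phone numbers of line staff are redacted under
Exemptions 6 and 7(C).

Three draft briefing memoranda from the rulemaking team are withheld under
Exemption 5. Releasing these drafts, which contain staff recommendations the
Administrator rejected, would foreseeably harm the ongoing rulemaking by
exposing positions still under negotiation with the regulated parties.

You may appeal this determination within 90 days.
"""

if __name__ == "__main__":
    for exemption, hits in gaps_by_exemption(analyze_letter(SAMPLE_LETTER)).items():
        print(exemption, hits)
```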
Counter-AI
Identifies which agency-side AI tool processed a given FOIA response based on determination-letter fingerprints. Looks up that tool's documented failure modes. Drafts appeals tuned to the specific tool's blind spots.
- MITRE FOIA Assistant public documentation + CPSC pilot reports
- FOIAXpress AI Assist vendor documentation
- ArkCase / Armedia federal deployment disclosures
- Microsoft Purview + Relativity public technical docs
- NIST + academic literature on classifier failure modes
- Vector DB of determination-letter linguistic patterns by tool
- Determination-letter fingerprint classifier (multi-class, per-tool)
- Per-tool failure-mode database (Postgres + structured findings)
- Tuned appeal templates per tool deployment
- Vendor-tool deployment tracker (which agency uses what)
- "This response was likely processed by MITRE FOIA Assistant - known recall problems on Exemption 4"
- Appeal language calibrated to the specific tool's blind spots
- Pattern-of-error documentation (for FOIA Advisory Committee comments or litigation)
- Counter-tool deployment tracker as a public artifact (transparency by-product)
One. An agency intelligence layer with portal-depth precision and per-analyst granularity. Not just a directory of which agency holds what kind of record, but the working knowledge of how each FOIA office actually behaves: the correct submission method this month (the Treasury Department moved its requests off its portal in December 2025), the current fee schedule, the appeal authority's mailing address and deadline, the recent reading-room releases that establish what the office considers segregable, the per-component routing inside large agencies where the wrong DHS sub-component can cost a requester six months, and the per-analyst behavior signatures that emerge from years of agency correspondence: which analyst routinely closes early, which writes substantive determination letters, which loses on appeal, which makes Glomar responses on what topics. None of the existing platforms maintains this at portal depth across the fifty states, where FOIA-equivalent statutes (state public records laws) double the addressable market and triple the agency surface. None mines correspondence at the analyst level on any jurisdiction.
Two. Intake counter-tradecraft. An agent that interviews the requester about the actual records sought before composing the request, that decides when ambiguity is strategically valuable and should be preserved, that knows when a deliberately broad request forces a more honest search than a narrow one, and that knows when to file a Privacy Act request alongside the FOIA to widen the legal lever. The opposite of Baron and Kejriwal's clarification loop, which is designed to narrow the requester into the agency's preferred scope before any record gets pulled.
Three. Per-agency exemption-pattern reverse engineering. Agencies release documents under FOIA every day. Those releases reveal, over time, which exemptions a given office invokes most aggressively, which categories of material they have historically released and then later withheld, which redactions they have lost on appeal, and which language in determination letters consistently maps to which underlying decisions. None of the existing requester-side tools mines its own past releases this way at the per-agency level. The intelligence is already in the documents. It is just not being extracted.
Four. Appeal drafting and foreseeable-harm rebuttal generation. The Reporters Committee v. FBI standard requires the agency to provide a focused, concrete, particularized demonstration that disclosure would harm a protected interest. A requester-side AI that knew the case law and could draft an appeal that named the agency's failure to meet that standard, exemption by exemption, with cited cases and a request for in-camera review on contested redactions (a procedural ask for the judge to inspect the unredacted documents privately and test the withholding against the record), is not a hypothetical capability. The underlying legal corpus is public. None of the existing requester-side platforms produces this output today.
Five. Deadline orchestration plus counter-intelligence against agency AI redaction tools. The agency side is already deploying or piloting MITRE's FOIA Assistant, FOIAXpress AI Assist, ArkCase (at DOJ INTERPOL, OPM, EEOC), and various Relativity and Purview integrations at Commerce, plus the CMS and HHS Office of the Secretary AI redaction pilots [9][16]. The general machine-learning literature documents recall-vs-precision tradeoffs, classifier bias under class imbalance, and tool-specific output fingerprinting techniques. Tool-specific failure modes for the named federal AI-in-FOIA deployments are largely undocumented in the public record today - which is itself the opening. A requester-side architecture that learned each tool's behavior in the field, surfaced its failure modes, and drafted appeals tuned to those failure modes is the asymmetric layer. No one is building it at production-grade depth.
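The per-agency exemption mining described in point Three, sketched as an added example that is not part of the original essay or of any platform it names: it extracts exemption citations from determination-letter text and tallies, per office, how often each is invoked and how often it was lost on appeal. The record layout, the office names and the `lost_on_appeal` field are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Statutory form: "(b)(5)", "(b)(7)(C)", as cited from 5 U.S.C. § 552(b).
STATUTE = re.compile(r"\(b\)\(([1-9])\)(?:\(([A-F])\))?", re.I)
# Named form: "Exemption 5", "Exemptions 6 and 7(C)". (?!\d) keeps "12 pages" out.
NAMED = re.compile(
    r"\bExemptions?\s+((?:[1-9](?!\d)(?:\([A-F]\))?(?:\s*(?:,|and|&)\s*)*)+)", re.I)
ITEM = re.compile(r"([1-9])(?!\d)(?:\(([A-F])\))?", re.I)

def extract_exemptions(text):
    """Return the set of exemptions one letter cites, e.g. {"5", "7(C)"}."""
    hits = STATUTE.findall(text)
    for m in NAMED.finditer(text):
        hits += ITEM.findall(m.group(1))
    return {n + (f"({sub.upper()})" if sub else "") for n, sub in hits}

def profile_offices(records):
    """Per office: letters seen, letters citing each exemption, appeal losses."""
    prof = defaultdict(lambda: {"letters": 0, "invoked": Counter(), "lost": Counter()})
    for r in records:
        p = prof[r["office"]]
        cited = extract_exemptions(r["text"])
        p["letters"] += 1
        p["invoked"].update(cited)
        # Count a loss only for an exemption the letter actually cited.
        p["lost"].update(cited & set(r.get("lost_on_appeal", ())))
    return dict(prof)

def loss_rate(prof, office, exemption):
    """Share of an office's letters citing `exemption` that lost on appeal."""
    p = prof[office]
    n = p["invoked"][exemption]
    return p["lost"][exemption] / n if n else None

# Constructed sample records; offices, text and outcomes are illustrative only.
SAMPLE = [
    {"office": "Office A", "lost_on_appeal": ["5"],
     "text": "We withheld 12 pages under Exemptions 5 and 7(C)."},
    {"office": "Office A", "lost_on_appeal": [],
     "text": "Portions are exempt under 5 U.S.C. § 552(b)(5)."},
    {"office": "Office A", "lost_on_appeal": [],
     "text": "Redactions were made pursuant to (b)(6) and (b)(7)(C)."},
    {"office": "Office B", "lost_on_appeal": [],
     "text": "No records were withheld."},
]
```

Each exemption is counted once per letter, so the tallies read as "letters in which this office invoked the exemption" rather than raw citation counts.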
There is a bilingual layer that none of the existing platforms touches: the sixty million Spanish-primary residents of the United States who have the same legal right to public records and zero end-to-end Spanish-language workflow available to them.
And there is a knowledge-base architecture that none of the existing platforms has attempted: a demand-weighted, user-contributed map of how agencies actually behave, updated by every request, every appeal, every release, every denial, that compounds in value as more requesters use it. Each user makes the next user's request more effective. No competitor has attempted this, and the longer it stays unbuilt, the more compounded the advantage to whoever ships it first.
The framing shift that the next decade of public records depends on is small in words and very large in consequence. Artificial intelligence does not merely help the Freedom of Information Act work better. It redistributes power inside the Freedom of Information Act. The agency side has been working that redistribution to its own advantage for two years, in academic workshops, in federal procurement pilots, and inside the official body that recommends reform to the National Archivist. The requester side has been waiting for permission to do the same work. That permission was never coming. The work starts now.
FOIA Warfare
Tips · intel · counter-arguments · dialogue joel@foiawarfare.com
Project GitHub README github.com/joelsartain/joelsartain
26 Sources Cited
- Jason R. Baron and Devanshu Kejriwal, "An AI-Orchestrated Architecture for Responding to FOIA Requests," Proceedings of the AI & Open Government Workshop (AIOG 2026), ICAIL 2026, Singapore, 8 June 2026. openreview.net/pdf?id=HFogzYStIN
- Maik Larooij and David Graus, "To Redact, or not to Redact? A Local LLM Approach to Deliberative Process Privilege Classification," AIOG 2026. openreview.net/forum?id=dRuSH2zX2n
- Romana Afroze, "Formalizing FOIA Exemption Standards as Computable Legal Norms: A Framework for LLM-Assisted Sensitivity Review," AIOG 2026. openreview.net/forum?id=lEz6D2PUop
- Ravi Dnyaneshwar Mahajan, "ArchiveRAG: A Multimodal Retrieval-Augmented Generation Architecture for Legacy Government Document Disclosure," AIOG 2026. openreview.net/forum?id=OetKz8x7ni
- Jack McKechnie, "Perspectives on Cascading Pipelines for Sensitivity-Aware Search," AIOG 2026. openreview.net/forum?id=Sx1KbmK542
- Ronald L. Capaldi, "FOIA and the Use of AI in Government: Freedom of Information or an Empty Promise of Openness?" 45 J. Nat'l Ass'n Admin. L. Judiciary 25 (2025). digitalcommons.pepperdine.edu
- U.S. Department of Justice, Office of Information Policy, "Chief FOIA Officers Council Meeting Showcases Use of Advanced Technologies in FOIA," DOJ OIP Blog. justice.gov/oip/blog
- National Archives and Records Administration, Office of Government Information Services, 2024 Records Management Self-Assessment Report (September 2025). archives.gov/ogis/2024-rmsa
- FOIA Advisory Committee 2024-2026 term roster. archives.gov/ogis/foia-advisory-committee/2024-2026-term
- FOIA Advisory Committee, "FOIA Advisory Committee Votes to Approve Two Recommendations," 8 May 2026. foia.blogs.archives.gov
- MuckRock, "How federal agencies responded to our requests about AI use in FOIA," 7 May 2025. muckrock.com/news/2025/may/07
- MuckRock GitHub organization, foia-coach2 repository (Agent Moss prototype). github.com/MuckRock
- The FOIA Project (TRAC), foiaproject.org
- Reporters Committee for Freedom of the Press; iFOIA sunset notice. rcfp.org/were-seeking-input-updates-ifoia
- Reporters Committee for Freedom of the Press v. FBI, 3 F.4th 350 (D.C. Cir. 2021), Millett, J. law.justia.com/cadc/20-5091
- FOIA Improvement Act of 2016, Public Law 114-185, codified at 5 U.S.C. § 552(a)(8)(A). congress.gov/PLAW-114publ185
- Office of the Historian / SRP / Center for Analytics, U.S. Department of State, "Improving Declassification: Applying Machine Learning to Diplomatic Cable Review," American Historical Association Perspectives on History (October 2023). historians.org / perspectives / oct 2023 · corroborated at Federal News Network, "State Department declassifies diplomatic cables using AI assistant" (October 2023). federalnewsnetwork.com
- U.S. Department of Health & Human Services, 2026 Chief FOIA Officer Report, Section IV: Steps Taken to Greater Utilize Technology. Discloses CMS AI/LLM redaction pilot built consistent with DOJ guidance, and HHS Office of the Secretary AI/LLM-based automated review and redaction pilot. hhs.gov/foia/reports/chief-foia-officer-reports/2026-section-4
- ProPublica coverage of Heritage Foundation FOIA campaign. propublica.org
- Gizmodo coverage of Heritage AI-generated FOIA flood and agency response. gizmodo.com
- FOIA Fluent, foiafluent.com
- EZFOIA, ezfoia.com
- FOIAflow, foaiflow.vercel.app · FOIA Advisor coverage 7 April 2026. foiaadvisor.com/foia-blog/2026/4/7
- FOIA Friend, foia-friend.com
- American Immigration Lawyers Association, FOIA Toolbox (May 2022). aila.org/shop/ailas-foia-toolbox
- Open FOIA Project, AI-native FOIA request platform built by James Scott. openfoia.ai