What Publication 1075 is
IRS Publication 1075 (Tax Information Security Guidelines for Federal, State and Local Agencies) is the IRS's controlling publication for protecting Federal Tax Information (FTI). It applies to any federal agency receiving FTI from the IRS, any state or local tax agency, and any contractor operating systems that process FTI. It is rooted in Internal Revenue Code Section 6103 (confidentiality of returns and return information) and overlaid with NIST 800-53 controls tailored for the FTI context.
IRS Publication 1075 governs federal tax information (FTI). AI systems handling FTI face additional controls beyond 800-53: mandatory employee background investigations, physical security requirements, and incident reporting to IRS within 24 hours.
For an AI system, "touches FTI" means the system ingests, processes, stores, or transmits tax-return or return information — including derivative data that could identify a taxpayer's return. Publication 1075's obligations attach to that system.
The core obligations

| Area | Requirement |
|---|---|
| Authorization | Safeguard Security Report (SSR) documenting how the agency or contractor protects FTI. Safeguard Procedures Report (SPR) documenting operational procedures. |
| Review | IRS Safeguard Review (on-site or remote) on approximately a triennial cycle. |
| Personnel | Background investigation for every person with access to FTI, re-investigated on schedule. Annual awareness training with documented acknowledgment. |
| Access control | FTI access strictly need-to-know. Two-factor authentication. Session timeouts. |
| Encryption | FIPS 140-3 validated crypto for FTI at rest and in transit. Key management procedures documented. |
| Logging | Audit every access to FTI. Retention per publication guidance. Review cadence documented. |
| Disclosure accounting | Track who accessed what FTI. On request, produce an accounting. |
| Incident reporting | Report to the IRS via the prescribed channel within 24 hours of suspected FTI breach. |
| Sanitization | FTI media sanitized per NIST 800-88 before disposal or reuse. |
[Figure: Publication 1075 compliance areas and their implementation burden for AI systems]
Disclosure accounting is the most AI-specific burden: every RAG retrieval and inference that uses FTI is an access event requiring logging and accounting. Plan for this in your system design; it cannot be bolted on after the fact.
How FTI complicates AI systems
FTI is CUI Specified. The Pub 1075 overlay is more stringent than NIST 800-171 or 800-53 Moderate. For AI specifically, these obligations bite:
- Model training on FTI. The trained model inherits FTI sensitivity. Storage, access, and inference all run under Pub 1075. You cannot "just deploy" the weights in a less-controlled environment.
- Prompt handling. Users will paste FTI into prompts. Your prompt log is an FTI store. Encryption, access control, retention, and disclosure accounting all apply.
- RAG retrieval. If the retrieval corpus includes FTI, each inference is an FTI access event subject to the disclosure-accounting obligation.
- Model outputs. If outputs include FTI, they are FTI. Downstream storage and access must match.
- Vendor endpoints. FedRAMP High is necessary but may not be sufficient for FTI — the CSP needs Pub 1075-specific attestation in many cases.
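To make the disclosure-accounting point concrete for the RAG case described above and in the compliance table, here is an added example (not code from the page or from any IRS guidance) of a retrieval wrapper that records every inference touching FTI-tagged records in an append-only ledger and can produce an accounting per record or per actor on request. The corpus, record identifiers, actor names and the keyword retrieval are all constructed for illustration; the ledger class and function names are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

@dataclass(frozen=True)
class FtiAccessEvent:
    """One disclosure-accounting entry: who used which FTI records, when, and why."""
    timestamp: str
    actor: str            # authenticated user or service identity performing the inference
    purpose: str          # need-to-know justification recorded at access time
    inference_id: str     # correlates the access with the prompt/response that used it
    record_ids: tuple     # FTI record identifiers retrieved for this inference

class FtiAccessLedger:
    """Append-only in-memory ledger (hypothetical); a deployment would write to protected, retained storage."""
    def __init__(self):
        self._events = []

    def record(self, actor, purpose, inference_id, record_ids):
        if not actor or not purpose:
            raise ValueError("FTI access requires an identified actor and a stated purpose")
        event = FtiAccessEvent(datetime.now(timezone.utc).isoformat(), actor, purpose,
                               inference_id, tuple(sorted(record_ids)))
        self._events.append(event)
        return event

    def accounting_for_record(self, record_id):
        """Answer 'who accessed this record, when, and why?' (the accounting produced on request)."""
        return [asdict(e) for e in self._events if record_id in e.record_ids]

    def accounting_for_actor(self, actor):
        return [asdict(e) for e in self._events if e.actor == actor]

    def export_jsonl(self):
        return "\n".join(json.dumps(asdict(e)) for e in self._events)

def retrieve_with_accounting(ledger, corpus, actor, purpose, inference_id, query):
    """Toy keyword retrieval; every FTI-tagged hit is logged before any text is returned."""
    hits = [rid for rid, (text, _) in corpus.items() if query.lower() in text.lower()]
    fti_hits = [rid for rid in hits if corpus[rid][1]]
    if fti_hits:                      # an inference that touches FTI is an access event
        ledger.record(actor, purpose, inference_id, fti_hits)
    return [corpus[rid][0] for rid in hits]

# Constructed sample corpus: record id -> (text, is_fti). Identifiers and contents are made up.
SAMPLE_CORPUS = {
    "FTI-0001": ("Return for taxpayer A, tax year 2023, refund claimed", True),
    "FTI-0002": ("Return for taxpayer B, tax year 2022, balance due", True),
    "PUB-0001": ("IRS Publication 1075 general guidance text", False),
}

if __name__ == "__main__":
    ledger = FtiAccessLedger()
    retrieve_with_accounting(ledger, SAMPLE_CORPUS, "analyst1", "fraud review case 42", "inf-1", "tax year 2023")
    print(ledger.export_jsonl())
```

Note that a query hitting only non-FTI documents produces no ledger entry, while a query that pulls in two taxpayer records produces one event naming both, so the per-record accounting for either record returns it.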
Cloud eligibility for FTI
The IRS publishes guidance on which FedRAMP-authorized environments are acceptable for FTI. In practice, the accepted-with-controls list has included AWS GovCloud and Azure Government with specific configurations. Not every FedRAMP High region is FTI-eligible. Check current IRS Office of Safeguards guidance before architecting.
Personnel and background investigations
Every person with access to FTI — including developers with access to training data or prompt logs — must hold a current background investigation at the appropriate level, typically moderate-risk public trust. Re-investigation occurs on a defined cycle. Annual FTI awareness training must be completed, with a signed acknowledgment on file. A contractor running an FTI AI system must track, enforce, and document all of this.
State and local agency implications
State and local tax agencies receive FTI from the IRS for joint tax administration. Those agencies, and any contractor delivering to them, fall under Publication 1075 just as federal agencies do. An AI vendor selling a fraud-detection product to a state department of revenue that handles FTI inherits Pub 1075 obligations.
Safeguard Review preparation
The triennial IRS Safeguard Review is not a check-the-box audit. Reviewers read the SSR, walk the facility or virtual environment, interview staff, examine logs, and test controls. Typical preparation:
- SSR current and signed.
- SPR current and operationally accurate.
- Background-investigation status current for every person in scope.
- Awareness-training records on file, signed and current.
- Disclosure accounting logs producible on request.
- Incident-response exercise conducted in the review period.
- Encryption key management documented and demonstrable.
- Media sanitization log up to date.
Common mistakes
- Treating Pub 1075 as "like FedRAMP High but stricter." It overlaps but adds specific reporting, personnel, and disclosure-accounting obligations that are not automatic from FedRAMP.
- Sending FTI through a general-purpose log aggregator not configured for FTI handling.
- Fine-tuning a model on FTI, then attempting to export the weights to a non-FTI environment for inference.
- Underestimating the personnel overhead — background investigations take time and cost money.
- Missing the 24-hour incident-reporting obligation, which is tighter than DFARS 7012's 72-hour window.
Bottom line
IRS Publication 1075 governs federal tax information with an overlay stricter than FedRAMP High. For AI systems it extends to training data, model weights, prompt logs, RAG stores, and outputs. State and local tax agencies are in scope when they handle FTI. Plan for the SSR/SPR artifacts, personnel investigations, 24-hour incident reporting, and the triennial IRS Safeguard Review. Pub 1075 work is affordable when scoped into a dedicated FTI enclave and expensive when spread across a general-purpose AI platform.
Frequently asked questions
The IRS's controlling publication for protecting Federal Tax Information (FTI). It applies to federal agencies, state and local tax agencies, and contractors handling FTI, and is rooted in IRC Section 6103, overlaid with tailored NIST 800-53 controls.
No. FedRAMP authorizes a cloud service. Pub 1075 is a separate authorization regime for FTI handling with its own SSR/SPR artifacts, personnel investigations, and 24-hour incident reporting. FedRAMP High is often a prerequisite but not sufficient.
With specific configurations and subject to current IRS Office of Safeguards guidance, yes. Not every FedRAMP High environment is FTI-eligible — check current guidance.
24 hours to the IRS via the prescribed channel for suspected FTI breach. Tighter than DFARS 7012's 72-hour window.
Yes. The trained model is an FTI artifact. Storage, access, and inference run under Pub 1075, and the weights cannot be exported to less-controlled environments.
Yes, when they handle FTI received from the IRS. Contractors delivering to state departments of revenue that handle FTI are in scope.