The Complete Guide to Using AI in the Government Industry in Mexico in 2025

Mexico's public sector in 2025 sits at a turning point: there's no single AI law yet but dozens of bills, a new Agency for Digital Transformation and a Department of Science shaping policy, while agencies from SAT (using AI for tax risk) to city traffic planners test systems that promise real efficiency gains - picture AI‑tuned traffic lights cutting commute time - even as privacy, IP and transparency concerns mount; for a legal roadmap see White & Case's Mexico practice guide and for fast‑moving constitutional and legislative proposals see coverage of the March 2025 bill to vest Congress with AI law powers, and for practical workforce upskilling Nucamp AI Essentials for Work bootcamp teaches prompts, tooling and governance so government teams can responsibly adopt AI rather than be surprised by it.

“[T]he flow of traffic will be reduced, as will air pollution, and time will be saved. We will be the first city in the country to have such a system.”

Mexico's legal framework for AI in 2024–2025 is a patchwork in motion: reforms have elevated tech governance - notably the creation of the Agency for Digital Transformation (an outcome of November 2024 organic‑law changes) and a new Department of Science - while Congress juggles dozens of AI bills that borrow EU‑style, risk‑based concepts such as high‑risk classifications, authorisation and registries; for a practitioner's overview see the Chambers/White & Case Mexico guide.

At the same time data privacy was overhauled when the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) was enacted on 20 March 2025, tightening consent, international transfer rules and penalties and moving enforcement powers away from INAI - details and practical compliance steps are usefully summarised in the 2025 LFPDPPP guide.

The draft federal AI bills range from proposals to create a National AI Commission and pre‑market audits to strict‑liability schemes that could impose heavy burdens on developers and deployers, so government teams planning procurement or pilots should treat registries, transparency obligations and potential ex ante authorisations as likely near‑term realities.

Picture AI‑tuned traffic lights turning stop‑and‑go into green waves - policy now needs to balance that promise with sharper privacy, IP and liability rules before scaling nationwide.

“[T]he flow of traffic will be reduced, as will air pollution, and time will be saved. We will be the first city in the country to have such a system.”

Central to Mexico's 2025 AI and digital governance picture is the newly elevated Agencia de Transformación Digital y Telecomunicaciones (ATDT), a secretaría de Estado charged with unifying government tech capacity, steering telecoms and radiodifusión policy, running government digital services and a public “fábrica de software,” and coordinating national ciberseguridad and data‑interoperability efforts; led by José Antonio Peña Merino, the agency absorbed many functions that had rested with the IFT and was tasked with practical programs such as the Llave MX identity initiative, a unified 079 contact number and even a planned satellite program.

For teams planning AI pilots or procurement, the ATDT is becoming the gatekeeper for technical dictámenes, data architectures and standards while also operating a national agenda on inclusion, simplified trámites and a public code school - so aligning projects with ATDT's timelines and technical lineamientos is now as important as meeting legal requirements.

For a clear sense of its mandate and ambitions see the ATDT's official overview and a detailed organigrama and functions summary at Wikipedia.

“Hay muchos lugares que no tienen cobertura, queremos que en esos lugares haya cobertura. ¿Cómo? […] la otra es que CFE‑Internet, Internet para Todos, pueda tener más facilidad para su cobertura.”

Legislative activity in 2025 has shifted from experiment to sprint: with over 60 AI bills filed since 2020, Congress now faces a high‑stakes push - led by Congressman Ricardo Monreal's February 19, 2025 constitutional amendment - to vest the federal legislature with explicit authority to pass a General Law on AI and then adopt secondary rules within 180 days, a timetable that could accelerate enactment of registries, ex‑ante audits and risk‑based obligations; the proposed architecture mirrors global conversations about tiered frameworks (minimal to “high” or “unacceptable” risk), centralised oversight and even strict‑liability schemes that industry warns could saddle developers and deployers with disproportionate exposure.

Key policy directions to watch: mandatory transparency and potential technical disclosure orders for high‑risk systems, requirements for national registries and pre‑market validation, and sectoral carve‑outs that would leave some domains subject to existing regulators while others fall under a new federal regime.

Standard‑setting is advancing in parallel - expect references to international tools (for example, ISO management standards) to appear in regulatory text as a way to operationalise impact assessments and audits - and the regional tide toward EU‑style, risk‑based rules means Mexican procurement and pilot teams should code compliance into projects from day one (imagine a public registry that lists every “high‑risk” traffic AI before it's switched on).

“[T]he flow of traffic will be reduced, as will air pollution, and time will be saved. We will be the first city in the country to have such a system.”

Data protection and automated‑decision risks are now front and center for Mexican government teams: the LFPDPPP that entered into force on 20–21 March 2025 expands ARCO rights and explicitly lets individuals oppose automated processing that produces adverse legal effects or significantly affects their rights, shifts enforcement from INAI to the Ministry of Anti‑Corruption and Good Governance, and broadens liability by treating processors within the scope of controllers (see the LFPDPPP explainer at Hogan Lovells).

Practically, this means any public pilot that scores citizens - for benefits, licensing, or traffic enforcement - must bake in explainability, human‑review pathways and updated privacy notices so a person can contest an AI‑driven decision and request intervention; White & Case's alert on the new regime highlights those rectification and objection rights and flags remaining regulatory gaps such as cross‑border transfer guidance.

For public bodies, sectoral guidance stresses mandatory impact assessments, tighter security controls and documentation of training data and monitoring workflows before deployment, underlining that non‑compliance risks fines and disciplinary measures while eroding public trust (see EBL Consulting on implications for the public sector).

The upshot: map every data flow, assume automated decisions will require auditable explanations and opt‑out or remediation routes, and align procurement and governance to the new oversight model before switching any “high‑risk” system live - because a single unexplained denial can undo months of efficiency gains and public confidence.

Mexico's government AI story in 2025 is as much about practical procurement and vendor oversight as it is about promising use cases: the SAT's increasingly sophisticated stack - now described as including machine learning and graph analytics that helped push tax credits up by an eye‑catching 522 billion pesos year‑over‑year - shows how automated risk‑scoring accelerates enforcement, yet also raises transparency and contestability questions that procurement teams must solve contractually and operationally (see the SAT's AI‑driven tax audits coverage).

Procurement playbooks now need clear clauses on explainability, audit trails, liability allocation, SLAs and cross‑border data flows, plus rigorous due diligence of developers and monitoring plans so an automated flag doesn't become an unexplained taxpayer sanction; the chambers practice guide on Mexico's AI landscape flags those supplier‑management and procurement challenges and stresses alignment with emerging registries and standards.

Parallel pressures - SAT's roll‑out of guidance letters to thousands of vulnerable‑activity taxpayers and a booming fraud‑detection market backed by rising AML/KYC scrutiny - mean procurement teams should build human‑in‑the‑loop checkpoints, mandatory impact assessments and transparent documentation of training data into RFPs; treating procurement as the point where governance meets technology turns theoretical rules into defensible, auditable systems that protect both revenue and rights.

“There is no magic formula. The formula is that the government has decided to be much more energetic and efficient in handling audits through the use of technology. They spent several years building a very sophisticated system, which today even includes artificial intelligence.”

Across finance, health, mobility and employment the 2025 picture in Mexico is pragmatic: fintechs and banks face tighter supervision from CNBV and Banxico even as more than 1,100 fintechs pursue cross‑border services and open‑banking opportunities, so regulators and vendors must bake compliance and AML/KYC into product design; meanwhile healthtech is leaping forward - COFEPRIS is already approving Software as a Medical Device (SaMD), and Medsi AI's platform that turns a 70‑second video selfie into a “treasure chest” of some 20 vital signs shows how rapidly clinical screening can scale if regulators, procurement teams and privacy officers align (see the Medsi AI approval).

Mobility pilots - from AI‑tuned traffic lights to citywide signal coordination - promise real time savings and cleaner air, but they hinge on transparency, data governance and public trust (for an overview of sectoral trends and legal context, see Global Legal Insights' Mexico chapter).

The common thread is workforce readiness: targeted retraining and contractual guardrails (on explainability, data rights and liability) will decide whether these sectoral gains translate into durable public value or regulatory friction; government teams that invest in skills and procurement that enforces governance will capture the win.

“[T]he flow of traffic will be reduced, as will air pollution, and time will be saved. We will be the first city in the country to have such a system.”

Mexico's emerging IP landscape now draws a clear line: the Second Chamber of the Supreme Court (SCJN) has held that works generated exclusively by AI do not meet the LFDA's human‑authorship and originality requirements, a finding crystallised in the denial of registration for the “Virtual Avatar” created via the Leonardo platform; for a concise report on the ruling see the Mexico News Daily coverage of the SCJN ruling and a Lexology practitioner summary of the SCJN ruling.

The practical upshot for government teams and vendors is immediate and concrete: where copyright protection is essential, document and preserve demonstrable human creative contribution - prompt engineering, editing, curatorial choices or substantial post‑generation transformation - and assume pure model output will not be protected.

That pushes organisations toward contracts, trade‑secret regimes and explicit ownership clauses for model outputs, and it raises due‑diligence questions for procurement, M&A and IP valuation: audit existing assets, tag which items relied on human authorship, and embed ownership and confidentiality terms into vendor agreements.

The ruling also sharpens training‑data concerns - if human direction matters for protection, procurement and governance must require provenance records, curation logs and retention of prompt/version history so authorship can be demonstrated; otherwise, valuable AI‑generated content risks remaining unprotected and freely reusable under Mexican practice.

Expect continued debate about where “enough” human input sits on the creativity spectrum, but for now the safest play is paperwork: capture human decisions as evidence, and protect models and outputs contractually rather than rely on copyright alone.

“The SCJN resolved that copyright is a human right exclusive to humans derived from their creativity, intellect, feelings and experiences.”

Liability in Mexico's 2025 AI landscape is anchored in traditional civil‑law rules even as novel tech tests those limits: Article 1910 of the Federal Civil Code supplies the baseline for repairing damage caused by unlawful acts and - together with Article 1913 on dangerous devices - frames civil exposure for AI‑driven harm, while consumer, administrative and even criminal routes remain possible for discrimination, unsafe systems or data misuse; for a practitioner overview see the White & Case: Mexico AI Guide 2025 - AI regulation and liability overview.

Crucially, no settled statutory allocation of responsibility exists for AI supply chains, so deployers often face the practical burden of compliance while developers may sit offshore - making robust contracting, insurance, SLAs and clear jurisdiction clauses essential in procurement.

Enforcement is also shifting: INAI's AI guidance still influences practice even as privacy powers move under the restructured anti‑corruption authority, and mishandling sensitive biometrics can carry steep sanctions (fines cited up to about US$1.8m), underlining the real cost of mistakes.

With proposed federal AI bills largely silent on neat liability formulas, government teams should bake fault‑allocation, audit rights and remediation processes into RFPs now - because a single unexplained automated denial or biased score can erase months of operational gains and trigger costly, multipronged legal exposure (civil, administrative and reputational); for practical negligence context see the Hogan Lovells: Professional duty rules and negligence in Mexico (practical summary).

Practical next steps for government teams in Mexico in 2025 boil down to three concrete habits: treat governance as operational (map every data flow, run privacy‑by‑design impact assessments and lock explainability and human‑in‑the‑loop checkpoints into procurement), build contracting and audit readiness (clear IP, liability and audit rights, cross‑border data clauses and regular third‑party reviews), and invest in people and standards so the organisation can manage AI day‑to‑day rather than be surprised by it; guidance on those legal and procurement priorities is usefully summarised in the White & Case Artificial Intelligence 2025 Mexico guide (White & Case Artificial Intelligence 2025 Mexico guide), while upskilling practical teams - prompts, tooling, impact assessment execution and vendor oversight - is an immediate win that programmes like the Nucamp AI Essentials for Work bootcamp are designed to deliver.

Assume stricter privacy rules (the LFPDPPP reforms), expect registries and pre‑market checks, adopt ISO/IEC 42001‑style management practices where possible, pilot in sandboxes, and document every human decision and dataset - because a single unexplained automated denial can erase months of efficiency gains and public trust.

“[T]he flow of traffic will be reduced, as will air pollution, and time will be saved. We will be the first city in the country to have such a system.”