Body
Safely Using Artificial Intelligence
Artificial Intelligence is a rapidly evolving field with numerous considerations depending on who is using it, and how it is being used. NIC IT strives for enabling novel and creative use of AI, while also ensuring adequate data protection and compliance. This memo is intended to be interim security guidance while our college continues to define and implement our AI strategy.
General Guidance for using any other AI tool:
- Prioritize data privacy. Always be cautious with the type of data you are using in a non NIC licensed AI tool. If you have questions regarding the type of data you are wanting to use, please contact the NIC IT Help Desk for guidance and we will review your request.
- Understand AI Limitations: Be aware that AI may generate false information. You should double check any facts and verify all code generated output. If you are generating code or any type of data processing agents, you should have a test plan in place and executed. Once tested, any AI generated code should also be peer reviewed before being put into a production environment.
- Using AI in communications: If you are using AI in a communication or document that you are perceived to be the author of, any misinformation of false facts remain as if you were to generate the content yourself. Either indicate that the information was generated by AI, or be sure to double check any information before sending or publishing.
- Cite your sources: If using AI for research, verify that any citations used are real and reputable if possible.
- Maintain critical thinking: AI is a wonderful tool that can greatly assist your day to day tasks. Use AI to foster -not replace - critical thinking skills. Outputs should be evaluated critically at all times.
- Public Record: Employees should be aware that AI prompts and outputs performed as NIC related work may be subject to public records law and may be requested as such, even if IT does not have direct access to the tools (i.e. non NIC Enterprise licensed software).
Data Classification
NIC Policy 3.08.03 (Data Stewardship, Security, and Protection) protects the use of NIC data based on it’s classification as “restricted", “sensitive”, or “public” to assist the college in remaining compliant and to focus security controls on the data that presents the most significant risk to the institution if it were exposed. Data uploaded to or downloaded from AI, including prompts, are subject to policy 3.08.03.
Restricted Data: Restricted data may only be used in an AI tool where a contractual relationship exists between NIC and the vendor and a full security review has been conducted by NIC.
If a tool is not in the Allowed AI service list and the Restricted column does not have a note in it then the use of restricted data is NOT authorized.
Predefined types of restricted data:
The following types of data have been predefined as restricted data at NIC:
- Authentication Information: passwords, shared secrets, security certificates, etc.
- Electronic Health Protected Information: Health records.
- Export Controlled Materials: Any data subject to US Export controls.
- Federal Tax Information: Tax returns or tax form information.
- Payment Card Information: Credit card numbers, CVC codes, Pins, etc.
- Personally Identifiable Education Records: Any student record.
- Personally Identifiable Information: Any first or last name combined with identifying information such as a social security number, driver’s license, etc.
- Protected Health Information: Like Personally Identifiable Information but linked to additional health information.
For more information, please see our knowledge base article on Data Stewardship, Security and Protection Guidelines.
Non-Approved AI Services
Deepseek AI Services are not allowed at NIC. Several states and agencies of the United States have already banned this service and NIC IT is also not allowing the use of this service currently.
As new federal and state laws and guidance are provided, this section will be updated accordingly.
Allowed AI Services (Contracted Protection)
The following list of AI tools have contractual data protection standards applied to them and approved to interact with NIC classified data where indicated by a X.
|
Service
|
Public
|
Sensitive
|
Restricted
|
|
Microsoft Copilot
|
X
|
X |
Not Allowed
|
| Microsoft Copilot Chat |
X |
X |
Not Allowed |
|
Zoom AI Companion
|
x
|
x
|
Not Allowed
|
|
Element451 Bolt
|
x
|
x
|
*IT Administrative controls used.
|
|
Voyatek
|
x
|
x
|
*IT Administrative controls used.
|
|
IT Licensed Security Products
|
X
|
X
|
*IT administrative controls used.
|
|
Yuja Panorama
|
X
|
X
|
Not Allowed
|
|
AI Captioning tools
|
X
|
X
|
Not Allowed
|
|
|
|
|
|
*IT Administrative controls used: Information Technology has reviewed individual data elements classified as restricted, and manages the access to specific data administratively within different systems.
Prohibited use of AI at NIC
| Prohibited Use |
Explanation |
|
Unless you have specific authorization and the data has been properly de-identified, you may not enter any restricted, or otherwise protected data into any generative AI tool or service. This information includes, but is not limited to:
1. FERPA-protected information, such as:
– Student ID photos
– NIC non-directory data such as student ID numbers
– Work produced by students to satisfy course requirements
– Student names and grades
– Student disability-related information
2. Health information protected by HIPAA
3. Information related to employees and their performance
4. Intellectual property not publicly available unless you are the owner of that intellectual property and fully understand the licensing agreement of the AI tool being used.
5. Material under confidential review, including research papers and funding proposals
6. Information subject to export control
|
NIC is obligated to protect sensitive information to comply with applicable state and federal privacy and security laws and regulations. Access to protected institutional data (Restricted Data and some Sensitive data) must be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use. |
| Using an AI Tool for work related purposes using a personal account. |
Employees should refrain from using any personally licensed tool when conducting NIC related business. All AI tools used by an employee should be used under their NIC email account. If the tool being used is not an enterprise tool using single sign on and set up by the IT department. Users should access those tools using a different password than their NIC password. |
| You may not upload any data that could be used to help create or carry out malware, spam and phishing campaigns or other cyber scams |
NIC resources may not be used to disseminate unauthorized information or aid in the generation of unauthorized emails. |
| You may not direct AI tools or services to generate or enable content that facilitates sexual harassment, stalking or sexual exploitation or that enables harassment, threats, defamation, hostile environments, stalking or illegal discrimination. |
NIC policies prohibit discrimination or harassment on the basis of protected class, sexual harassment, stalking, dating violence, domestic violence and discrimination on the basis of disability. |
| You may not use AI tools or services to generate content that helps others break federal, state or local laws; institutional policies, rules or guidelines; or licensing agreements or contracts. |
NIC resources may not be used to violate laws, policies, or contracts. |
| You may not use AI tools or services to infringe copyright or other intellectual property rights. |
NIC resources may not be used to violate copyright or other intellectual property laws. Entering copyrighted material into a generative AI tool or service may effectively result in the creation of a digital copy, which is a copyright violation. Feeding copyrighted material into a generative AI tool or service could “train” the AI to output works that violate the intellectual property rights of the original creator. In addition, entering research results into a generative AI tool or service could constitute premature disclosure, compromising invention patentability. |
| You may not use AI tools to engage in illegal activity in violation of federal, state, or local law, including but not limited to Idaho Code § 67-6628A (Electioneering Communications – Use of Synthetic Media), Idaho Code § 18-6606 (Disclosing Explicit Synthetic Media), and Idaho Code § 18-1507C (Visual Representations of the Sexual Abuse of Children). |
System IT resources may not be used to violate laws such as distributing certain deepfakes (realistic AI-generated videos or audio) without consent if it causes harm or is used for fraud; deceptively representing through synthetic media a political candidate’s action or speech in an electioneering communication; and using generative AI to produce, distribute, receive, or possess visual depictions of a child engaging in explicit sexual conduct. |
| Students may not present the work or ideas produced from the use of generative AI as their own without specific and proper acknowledgment and/or citation. |
Failure to properly acknowledge and/or cite work or ideas produced through generative AI is considered plagiarism under the Student Code of Conduct and students found responsible may be sanctioned up to and including expulsion from NIC. |
| Intentionally using AI resources to attempt to circumvent NIC IT security policies. |
The NIC acceptable use policy prohibits using NIC resources to directly or indirectly bypass NIC security rules. This includes attempting to use AI to discover documents or materials that would normally not be available to an employee in his/her normal duties or to gain access to systems they are not authorized to. |