IT Policy Development

In the past few months, we've worked with partners who've run into the same challenge with AI adoption. They rolled out policies or guidelines without bringing people into the conversation first—no workshop, no consensus building, just documents that needed signatures or implementation. Unsurprisingly, the result was frustrated staff expected to enforce or follow rules they had no part in creating, and leaders facing resistance instead of adoption. Both AI policies and guidelines are critical for responsible AI adoption, but they have to be built intentionally, with stakeholders driving consensus, or they most likely won't work. After working with hundreds of districts, we've created the resource below. Here are the best practices we recommend. Policies are your compliance layer and are designed to protect your district. We suggest adaptations to existing: ✔️ Acceptable use policies ✔️ Data privacy/FERPA protections ✔️ Academic integrity standards ✔️ Cyberbullying policies (to add deepfakes) Guidelines are your change management layer. They are the "why" that brings people along. We recommend including the following in your AI guidelines: 💡 Vision for GenAI adoption across your district 💡 GenAI misuse/academic integrity response protocols 💡 GenAI chatbot and EdTech tool vetting processes 💡 Digital wellbeing, data privacy, and student safety practices 💡 Implementation tips and instructional supports 💡 AI Literacy training opportunities and expectations What matters most is that both policies and guidelines should be built with stakeholders, not handed down to them. They should evolve with feedback, evidence of impact, and technical advancements. In all of our guideline and policy development work, we always start with AI literacy. It's important to build foundational understanding across stakeholders so that when policies and guidelines are developed, people can contribute meaningfully to the process and understand the "why" behind what they're being asked to implement. Intentional stakeholder engagement isn't a nice-to-have. It's what we've seen drive adoption. #AIforEducation #GenAI #ChangeManagement #AI

Policy Writing And Policy Development Are Not The Same Thing You can write a policy in a few hours (or even minutes with GenAI tools), but developing a policy that will work for your organization and employees can take months. Policy writing and policy development are two different things in my mind. The writing part is often not that hard or time consuming, but the development stage is. This is where you need to spend time learning about and speaking with the people your policy will cover, understand how they will be impacted and what friction your policy might create for them, and how much change management (and potentially resistance) you can expect and need to work through. This means talking to your employees and getting their input, feedback and ideas - you cannot do this in a day; this takes a lot of time, but it is time well spent. So policy development takes time, but what are some of the benefits of doing this? 1. Ask anyone who has ever gone through the lengthy process of getting a tailor made suit and they will likely say it is the best suit they have ever bought. The time consuming process and attention to detail mean you have a product that is uniquely customized to you. It’s the same with policies - you need to customize them and perhaps in ways you might not otherwise expect. 2. You can reduce the gap between the policy on paper and the policy in practice. A policy that might look great on paper might not be the policy in practice. Start by finding out how the policy can work in practice and then write the policy to get to that desired outcome (not the other way round as is often the case). To understand how it will work in practice, you need to speak with employees who will be impacted by the policy or who can otherwise influence the policy in practice. 3. As mentioned above, policies often involve change management. Sometimes that can mean more or less change management than we might anticipate. This matters for both what your policy ends up saying and also how you roll it out and communicate it. It also helps with change management when you involve the people who are likely to experience the change - if you can help them understand the “why” behind your policy and make them feel part of the process, then you are already helping with the change management before the policy is even drafted. 4. Finally, taking the time to speak to your employees and get their input on program elements that will impact them demonstrates to your employees that they are a key stakeholder in your program. It’s a good way to design and build your program with people in mind. _____ #SundayMorningComplianceTip #EthicsAndComplianceForHumans 📚 Want to get more compliance ideas and suggestions like this? Connect with me here on LinkedIn or get your copy of my book called Ethics & Compliance For Humans (published by CCI Press available in print and kindle format on Amazon and various other online book stores)

Let me set the record straight: there is no RIGHT way to create an AI policy. But you cannot afford to miss these 6 steps: 1/ 𝗔𝘂𝗱𝗶𝘁 𝘆𝗼𝘂𝗿 𝗔𝗜 ➥Start by tracking down every AI tool and use case in your org. ➥The audit should cover usage, data sources, security measures, and any previous legal or ethical issues tied to these tools. 2/ 𝗥𝗮𝗹𝗹𝘆 𝘁𝗵𝗲 𝗿𝗶𝗴𝗵𝘁 𝗽𝗲𝗼𝗽𝗹𝗲 ➥Gather the folks who matter - legal, IT, InfoSec, HR, and those teams on the ground using AI every day. ➥Present the business case, highlight real-world risks and rewards, and make it clear this policy is there to protect everyone, not just tick a box. 3/ 𝗖𝗼𝘃𝗲𝗿 𝗲𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴 ➥Draft clear, practical rules: what’s allowed, what’s not, who signs off, and how data is handled. ➥Don’t forget sections on ethics (like bias), legal requirements, and what to do if things go wrong. 4/ 𝗧𝗲𝘀𝘁 𝗮𝗻𝗱 𝗿𝗲𝘃𝗶𝗲𝘄 ➥Make sure you consult both federal and state laws where applicable, as well as international regulations if your company operates across borders. ➥Test how the policy stands up to real scenarios, and address the gaps. 5/ 𝗟𝗮𝘂𝗻𝗰𝗵 & 𝘁𝗿𝗮𝗶𝗻 ➥Roll out the policy with real world examples and tailored training. ➥Get people involved and keep the feedback loop open. 6/ 𝗥𝗶𝗻𝘀𝗲 & 𝗿𝗲𝗽𝗲𝗮𝘁 ➥AI moves fast. Check in on your policy regularly, update as needed, and stay plugged into new laws, regulations and tech trends. Building a GenAI policy isn’t a one and done checklist. It’s an ongoing group project. What’s the hardest step you’ve faced when creating an AI policy? #LegalOps #GenAI #AIPolicy #LegalTech #ScalingLegal

The AI Policy Guide and Template, published by the Australian Government (industry.gov.au/NAIC), provides a practical framework for organizations to design, implement, and maintain effective AI governance. It serves as both a policy model and an operational guide to ensure that AI systems are developed and deployed responsibly, transparently, and in alignment with ethical and legal expectations. What the guide outlines • Every organization using AI should have a clear, written AI policy that defines how AI is adopted, managed, and governed. • It aligns with Australia’s AI Ethics Principles and the Voluntary AI Safety Standard to ensure responsible, human-centered use of AI across all sectors. • The policy template includes model statements that organizations can adapt to their own values, risks, and operating structures. Why this matters • AI is becoming central to business and public sector operations, but without policy, even well-intentioned systems can cause unintended harm. • A documented AI policy protects stakeholders, supports ethical decision-making, and demonstrates readiness for emerging regulation. • Building trust in AI requires consistent governance, transparency, and accountability at every stage of the AI lifecycle. There’s a saying in governance: “Policy before practice.” In AI, this means setting expectations and accountability before algorithms start making decisions. Key principles and practices • Risk and impact assessment: Systems must undergo structured risk and impact evaluations before deployment, especially where they may affect vulnerable groups. • Quality, reliability, and security: AI must be rigorously tested before release and continuously monitored for performance, bias, and emerging risks. • Fairness and inclusion: Systems should reinforce diversity and inclusion, avoiding bias or discrimination in decision-making. • Transparency and contestability: AI use must be transparent, with mechanisms allowing individuals to understand or challenge outcomes. All deployed systems should be logged in an AI register. • Human oversight and control: Humans must always have the ability to intervene, pause, or deactivate systems. Manual fallback processes should be maintained for critical operations. Who should act • AI policy owner: A senior leader responsible for championing responsible AI use and ensuring ongoing compliance. • Policy approvers: Executives or boards formally approving and updating the AI policy. • Compliance monitors: Teams that audit AI documentation, verify risk assessments, and report on policy adherence. Action items • Maintain a comprehensive AI register to track deployed systems and their oversight requirements. • Review and update the AI policy annually, or after any significant incident, regulatory change, or new AI capability. • Provide regular staff training on responsible AI use, transparency, and risk reporting.