Development using AI tools

Overview

General Guidance 

Guidance on risk classification:

University policy (APM 30.11) classifies data by risk as "Low," "Moderate," or "High" to help the university remain compliant and to prioritize security controls on the data that presents the most significant risk. Data uploaded to or downloaded from AI, including prompts, is subject to APM 30.11.

In general, data given to any AI, even approved AIs, should be anonymized, generalized, or otherwise rendered non-impactful to the extent possible.

High risk data includes any data for which a loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets. Examples include SSNs, personal health data, regulated research data, and credentials to UI systems and applications (!DO NOT PROVIDE API KEYS IN PROMPTS!). It also includes information sufficient to breach high risk data, such as potential methods of bypassing controls.

Moderate risk data includes data for which a loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets. This includes non-public information related to University infrastructure, including the vendors we utilize, IP addresses or hostnames of non-public UI systems, and database content.

Low risk data would include questions about general programming concepts. A general rule of thumb is that if you wouldn't ask Stack Overflow, you shouldn't ask an unapproved AI.

Guidance on handling output:

Any response from AI tools, even approved tools, should be treated as non-expert opinion. Responses should be reviewed for accuracy prior to any usage and tested through standard mechanisms to ensure they execute as expected. While AI and algorithmic review tools can be helpful, it is recommended that a human directly review the AI-generated content in addition to any automated review methods.

Guidance on intellectual property issues:

Please read the terms of service of AI tools. Any code developed on behalf of the university is likely considered U of I property (see FSH 5300). If the terms of service of a tool claim ownership of its output, that would be a conflict that must be avoided.

Approved AI Services

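| Service                                            | Low Risk | Moderate Risk | High Risk      |
|----------------------------------------------------|----------|---------------|----------------|
| Microsoft Copilot                                  | yes      | yes*+         |                |
| Snyk                                               | yes      | yes*          | yes#           |
| Google Gemini                                      | yes      | yes*          |                |
| GitHub Copilot (Free, Pro, Pro+)                   | yes      |               |                |
| GitHub Copilot (Business, Enterprise)              | yes      | yes*          | yes#           |
| Anthropic Claude (Free, Pro) ^                     | yes      |               |                |
| Anthropic Claude /Code (Enterprise through UI SSO) | yes      | yes           | Review Pending |
| Meta AI                                            | yes      |               |                |
| OpenAI ChatGPT ^                                   | yes      |               |                |
| Zoom AI Companion                                  | yes      |               |                |
| Locally hosted model with an approved SSP          | yes1     | yes1          | yes1           |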

*While using the services through an @uidaho account.

^Only low risk, unless used within GitHub Copilot

#Only when used with an OIT-approved repository, and managed to OIT standards

+Please note that for Microsoft Copilot, moderate risk data is only approved within an instance that is covered by our Enterprise data protection, which should result in a green shield in the top corner of the window.

1 Only approved to the risk level defined within the SSP. If you are unsure if a system has an approved SSP, please feel free to reach out to OIT Security.

Non-approved AI Services

 

DeepSeek use should be limited, outside of specific research contexts approved by the OIT Security Office. It is not actively blocked at this time.

Any AI services from banned vendors

If you have questions about AI usage options, data classifications, or responsible use of AI, please submit a request to the OIT Security Office.

All other AI services

Any unapproved, non-banned AI provider may be used if:

  • Our usage of it would not violate any terms of service or license requirements
  • Our usage of it is low risk data that is not specific to the University of Idaho
  • Output is adequately reviewed prior to usage