ITEC Policy 6200 - AI Acceptable Use Policy
1.0 TITLE: Artificial Intelligence (AI) Acceptable Use Policy
1.1 Effective Date:5/19/26
1.2 Type of Action: New
2.0 PURPOSE: The purpose of this policy is to provide a consistent and thoughtful approach to the acceptable use of artificial intelligence (AI). It aims to foster innovation while protecting the safety, privacy, and intellectual property rights of the State of Kansas, ensuring legal compliance, safeguarding data privacy, and promoting accuracy and efficiency in public service.
3.0 BACKGROUND: Artificial intelligence technologies, including chatbots, virtual assistants, generative content tools, and embedded AI features, are increasingly integrated into everyday software platforms and business processes. These systems may exist as standalone tools, be embedded within enterprise applications, or operate transparently as part of broader digital services. AI tools can provide meaningful benefits when used appropriately, however, AI technologies also introduce material risks, particularly when used without proper governance or when exposed directly to the public. These risks include inaccuracies, bias, unauthorized use of intellectual property, inappropriate reliance on automated outputs, and unintended disclosure of sensitive information.
Importantly, AI systems used internally by employees differ fundamentally from AI systems deployed externally or used to influence public-facing decisions, which may directly affect individuals’ rights, access to services, or trust in government. This policy reflects that distinction.
4.0 ORGANIZATIONS AFFECTED: All Executive Branch Boards, Commissions, Departments, Divisions, and Agencies of state government, hereafter referred to as entities.
5.0 REFERENCES:
5.1 K.S.A. 1998 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state entities.
5.2 ITEC Standard 7230A
5.3 State of Kansas Social Media Policy
5.4 ITEC 6000, 7000 series
6.0 DEFINITIONS:
6.1 Accountability and Oversight – AI systems developed, procured, deployed, or used by an entity shall require knowledgeable human review processes to promote proper auditing, monitoring, and risk management.
6.2 Adaptability and Continuous Improvement – AI policies and practices must be collaborative, flexible, regularly updated, and support continuous learning to keep pace with technological advancements and emerging risks.
6.3 Agentic artificial intelligence (Agentic AI) – AI systems designed to independently perform tasks or achieve goals on behalf of a user by making decisions, taking actions, and interacting with digital systems or data sources, often with minimal ongoing human input.
6.4 Artificial intelligence (AI) – Refers broadly to computer-based systems that mimic human intelligence and human cognitive functions like problem-solving and learning.
6.5 Autonomy – the degree to which an AI system can act or make decisions independently without human direction. This spectrum generally consists of the following, listed from least autonomous to most-autonomous:
- Assistive (Reactive / Limited Memory)
- Conversational / Generative
- Agentic (goal-seeking, tool-using)
- Autonomous decision-support
6.6 Bot – An autonomous program that can interact with users or systems. A bot can be a straightforward rule-based system or an advanced, AI-driven program capable of understanding natural language and learning from interactions.
6.7 CITO – Refers to the Executive, Legislative or Judicial Chief Information Technology Officer, with duties as defined in K.S.A 1998 Supp. 75-7205, 75-7206 and 75-7207
6.8 Entity – Any agency, board, or commission under the direction of the Governor, or any agent or contractor acting on behalf of any of those agencies, boards or commissions.
6.9 External or Customer-Facing AI – AI systems that:
6.9.1 Interact directly with members of the public, or
6.9.2 Generate outputs used to inform, influence, or automate decisions affecting public services, eligibility, rights, enforcement, or regulatory actions.
6.10 Generative artificial intelligence (GenAI) – AI that uses advanced technologies such as predictive algorithms, machine learning, and large language models to process natural language and produce content in the form of text, images, or other types of media.
6.11 Input – Information provided to an AI system that is used to perform tasks, make decisions or generate new information. This can include but is not limited to prompts and queries, structured or unstructured data, and data generated from other systems.
6.12 Internal AI Use – AI systems or capabilities used exclusively by State employees or contractors to support internal operations, administrative tasks, research, drafting, analysis, or productivity, where outputs do not directly interact with or make determinations affecting the public.
6.13 ITEC – Refers to the Information Technology Executive Council
6.14 Large language models (LLMs) – A category of models, common in AI, that are trained on immense amounts of data, making them capable of understanding and generating the kind of natural-appearing content that typifies AI.
6.15 Model – A term commonly applied to the core technology component that underlies AI and other AI tools, implementing the production of outputs from given inputs.
6.16 Output – The responses generated by an AI system based on the input it receives and the processing it performs.
6.17 Public AI – AI that is openly accessible to the general public directly through various cloud platforms as well as via application programming interfaces (APIs). Such tools are typically hosted and maintained by external providers and can be used by anyone with an internet connection.
6.18 Restricted use information (RUI) – is as defined in ITEC Standard 7230A.
6.19 Training (of AI models) – Incorporation of exemplifying data into models that they draw from to produce their outputs. Pre-training occurs as part of the model’s development. Some AI systems are also capable of ongoing training, continuously evolving their models over the course of their use, such as by including information from user inputs in the training data set.
7.0 POLICY: This policy shall serve as the primary governing document for usage of AI technology or related activities by the entities. While any entity may impose additional restrictions through their own policy, such policies must not conflict with the provisions outlined in this policy.
7.1 Definition and use of sensitive data for AI-use purposes: The following information types are considered “sensitive” and may only be entered as input when interacting with AI when all of the conditions of Section 7.1.1 are met.
- Material that is inappropriate for public release – (Refer to State Social Media Policy)
- Restricted Use Information (RUI) – (Refer to ITEC Standard 7230A Section 5.5 Restricted-Use Information)
- Data classified by entities, law or contractual agreement as Confidential
- Data classified by entities as Sensitive
7.1.1 Conditions:
7.1.1.1 Input and Output are not retained by, or used to, train the AI
7.1.1.2 Input or Output is not disseminated without explicit permission by agency appointing authority
7.1.1.3 Input and Output can be deleted or removed
7.1.1.4 Interactions with AI are logged and such logs are accessible by the entity
7.1.1.5 Runtime interactions shall not be used to modify or retrain models unless explicitly permitted by agency appointing authority
7.1.1.6 Inputs submitted by external users to agency-owned AI systems may be processed solely to perform the intended function, shall not be retained, reused, or used for training, and shall be automatically deleted upon completion of that function
7.2 External AI Use (Public/customer-facing)
7.2.1 Sensitive AI use is permitted as outlined in 7.1
7.2.2 Non-sensitive External AI use is permitted, provided that:
7.2.2.1 AI outputs are disseminated under defined guardrails with designated human accountability and the ability for timely human intervention.
7.2.2.2 Logging, monitoring, and escalation controls shall be implemented at the platform or system level where technically feasible. For AI capabilities embedded within end-user tools (e.g., chatbots or productivity assistants), entities shall implement alternative controls, including human review, usage guidance, and risk-based oversight as appropriate.
7.2.2.3 AI systems shall be designed to recognize uncertainty and escalate to human review when appropriate.
7.2.3 Responses generated from AI that are made available to others, in whole or in part, in a public-facing context or as part of an official communication generated substantially by AI, shall be clearly attributed to the AI application that created them through a footnote or other means perceptible to the user.
7.3 Internal AI Use (Employee facing)
7.3.1 Sensitive AI use is permitted as outlined in 7.1
7.3.2 Non-sensitive Internal AI use is permitted, provided that:
7.3.2.1 Inputs and outputs are not retained or used for training unless explicitly permitted by agency appointing authority;
7.3.2.2 AI outputs shall be reviewed by knowledgeable human operators for accuracy, appropriateness, privacy, neutrality, and security prior to use or dissemination, or through periodic evaluation and monitoring where real-time review is not feasible.
7.3.2.3 AI is not relied upon as a sole source for decisions;
7.3.2.4 Outputs are not presented as official State positions without appropriate validation.
7.3.2.5 Attribution: Internal use of AI does not require public disclosure; however, AI-generated content incorporated into official work products must be reviewed and approved as if authored by a human.
7.4 General AI Use
7.4.1 Any AI use must comply with relevant ITEC policies.
7.4.2 Copyrighted or proprietary materials shall not be entered into AI unless the entity has:
7.4.2.1 the legal right and contractual authority to do so, or
7.4.2.2 documented permission of the owner
7.4.3 Responses generated from AI shall not:
7.4.3.1 be assumed to be truthful, credible, or accurate,
7.4.3.2 be treated as a sole source of reference,
7.4.3.3 be solely relied upon for making final decisions, or
7.4.3.4 be used to impersonate individuals or organizations.
7.4.4 AI shall not be used for any activities that are harmful, illegal, or in violation of state policy or entity acceptable use policy.
7.4.5 Code Generation
7.4.5.1 All AI generated code that processes sensitive data, executes unattended, integrates with external services, or performs transactional/system actions must be reviewed by a qualified human developer or analyzed by application testing tools as appropriate.
7.4.5.2 All AI generated code shall only be implemented after the entity has identified and mitigated all business and security risks related to its use.
7.4.5.3 All usage of software code generated by AI shall be annotated.
7.4.6 Procurement
7.4.6.1 Entities shall ensure contractors disclose in their net new, amendment, and renewal contracts the utilization of AI or integrations with AI platforms.
7.4.6.2 Entity contracts shall prohibit contractors and their products or services from using State of Kansas RUI or other confidential data in AI unless all conditions in 7.1.1 are met.
7.4.6.3 Entities shall perform due diligence to ensure proper licensure of model training data for all AI services.
7.4.6.4 Entities shall conduct due diligence and vendor assessments regarding anomaly detection and security controls.
7.4.6.5 Entities shall ensure contractors attest in their net new, amendment, and renewal contracts that prompt and output data from AI systems used under State of Kansas contracts are not retained, shared, or used to train external models unless explicitly permitted by the entity appointing authority.
7.4.7 Deployment of AI Systems
7.4.7.1 Agentic or autonomous AI systems shall operate within explicitly defined scopes of authority, with safeguards to prevent unsupervised action or escalation.
7.4.7.2 Entities shall maintain the ability to suspend, restrict, or disable AI systems when risks exceed acceptable thresholds.
7.4.7.3 Prior to any AI implementation, entities are responsible for providing user training that covers appropriate usage and associated risks.
7.4.7.4 Bots provided by or on behalf of the State must clearly identify themselves as such prior to each use.
7.4.7.5 Entities shall document significant AI use cases through the OITS AI Inventory or an existing entity-maintained inventory. Entities with local inventories shall share summary-level information with OITS to support enterprise governance, oversight, and risk management objectives.
7.4.7.6 When AI capabilities are embedded within applications, agencies shall leverage available vendor-supported safeguards and configuration options to reduce unnecessary access to sensitive, confidential, or restricted data by AI functionalities.
7.4.7.7 Entities shall conduct regular reviews, at least annually, of current and future use cases to ensure compliance to all related policies.
7.4.7.8 The entity shall perform quality assurance on self-built or custom instances of AI to ensure accurate output.
7.4.7.9 Policy review shall be triggered when AI systems demonstrate materially new capabilities, autonomy, or risk profiles.
8.0 RESPONSIBILITIES:
8.1 Heads of entities are responsible for establishing procedures and controls for their organization's compliance with the requirements of this policy.
8.2 The Chief Data Officer is responsible for the maintenance of this policy.
9.0 CANCELLATION: This policy cancels and supersedes OITS Policy 8200 - Generative Artificial Intelligence Policy.