 [footnotes omitted]
INTRODUCTION
1.0 PURPOSE
The purpose of the Artificial Intelligence (AI) Policy is to embrace the innovative benefits AI can
provide to increase productivity and citizen experience, while reducing risks and concerns in
using this emerging technology. This policy protects the safety, privacy, and intellectual property
rights of the State of North Dakota by ensuring all forms of AI are handled in a transparent,
consistent, responsible, ethical and secure manner.
2.0 BACKGROUND
Artificial Intelligence develops data processing systems that perform functions normally
associated with human intelligence, such as reasoning, learning, and self-improvement.
Generative AI is a prevalent example of AI and includes examples such as chatbots, virtual
assistants, and other systems based on it, including:
• Standalone systems (i.e. OpenAI – ChatGPT, DALL-E, Microsoft Copilot),
• Integrated as features within search engines (i.e. Microsoft Bing chat, Google Bard), or
• Embedded in other software tools.
Generative AI tools can enhance productivity by assisting with tasks, like drafting documents,
editing text, generating ideas, creating images, and software coding. However, these
technologies also come with potential risks that include inaccuracies, bias, and unauthorized use
of intellectual property in generated content. Content created by AI, and the public availability
of information submitted to AI, could pose security and privacy concerns.
The State of North Dakota consulted the following sources:
• National Institute of Standards and Technology (NIST) Special Publication (SP) 1270
Towards a Standard for Identifying and Managing Bias in Artificial Intelligence,
• NIST AI 100-1 Artificial Intelligence Risk Management Framework, and
• Other regulatory frameworks for AI requirements.
Cybersecurity is one of the greatest challenges facing organizations in North Dakota State
Government. Protecting information and communications technology (ICT) from threats and
vulnerabilities is critical to ensuring that the confidentiality, availability, and integrity of citizen
and organizational data remains protected.
3.0 SCOPE
This policy applies to all North Dakota executive branch state agencies including the University
Systems Office but excluding other higher education institutions, i.e., campuses and agricultural
and research centers. All other state agencies outside the scope of this policy are encouraged to
adopt this policy or use it to frame their own.
4.0 STATEMENT OF MANAGEMENT COMMITMENT
The North Dakota Chief Information Officer (CIO) directs that Information Technology (IT) Policy
be created, as defined within the North Dakota Century Code (Chapter 54-59-09). The
Governance Review Team is responsible for review and updating of this policy. Reviews and
updates to the policy and procedures will be a coordinated effort, routinely reviewed, and
updated annually, or as immediate changes are required.
North Dakota’s Chief Information Security Officer (CISO) directs that this policy is created to
provide appropriate security and privacy safeguards and countermeasures against the threats
and vulnerabilities that may impact the confidentiality, integrity, and/or availability of
information and information systems. 
5.0 GOVERNANCE AND COMPLIANCE
Violations of this policy will be handled in accordance with applicable State of ND policies,
procedures, laws, executive orders, directives, regulations, standards, and guidelines. Team
members may report non-compliance with this policy to the NDIT Security Governance, Risk,
and Compliance team for initial review. The Report for Non-Compliance is completed through
NDIT’s ServiceNow platform. NDIT will address submissions with Entity leadership.
This policy shall take effect upon publication. Compliance is expected with all State policies,
procedures, and standards. Policies, procedures, and standards may be amended at any time.
If compliance with this policy is not feasible or technically possible, or if deviation from this
policy is necessary to support business function, entities shall request an exception through
NDIT’s exception process. Exceptions to this policy shall be requested though the Policy
Exceptions request.
6.0 DEFINITIONS
Artificial Intelligence (AI) – A field in computer science that focuses on independent decisions
based on supervised and unsupervised learning.
Machine Learning (ML) – A subfield of AI that focuses on the development of algorithms and
statistical models to make independent decisions, but still needs humans to guide and correct
inaccurate information. ML is the most common type of AI.
Large Language Models (LLMs) – A type of AI that has been trained on large amounts of text
and datasets to understand existing content and generate original content.
Deep Learning – A subfield of machine learning that focuses on algorithms that adaptively
learn from data without instruction or labeling. Also referred to as "unsupervised learning."
Examples: self-driving cars, facial recognition, ChatGPT et al.
Generative AI – A type of AI that uses machine learning to generate new outputs based on
training data. Generative AI algorithms can produce brand new content in the form of images,
text, audio, code, or synthetic data.
Business Owner – an Entity’s senior or executive team member who is responsible for the
security and privacy interests of organizational systems and supporting mission and business
functions.
Data Owner – individual/individuals responsible and accountable for data assets.
Data Steward – individual/individuals with assigned responsibility for the direct operational level management of data.
7.0 POLICY
It is important for Entities and users to identify the characteristics of trustworthy AI systems so
organizations can continue innovation and growth through AI while reducing risks
7.1 VALID AND RELIABLE
AI technologies shall be reliable and consistently valid or accurate in their responses.
• Entities shall confirm the validity and reliability of output produced by AI technologies.
7.2 TRANSPARENCY1
Increased transparency increases trust in AI technology. AI technology transparency utilized
with risk management strategy, can minimize the impact of risks and negative outcomes.
Transparency on use of AI shall be clearly explained and understandable.
• Entities shall be transparent about AI technologies and their outputs, disclosing where
citizens are interacting with AI, the outcome and/or impact, if applicable, and the
business purposes where AI is used.
• When using medium to high-risk data outlined in the NDIT Data Classification Policy,
Entities shall ensure all systems and processes employing artificial intelligence (AI) for
decision-making, or output generation, be clearly marked to enhance transparency and
accountability. The decision to inform end-users about the use of AI falls under the
discretion of the business process owner or related governing body.
7.3 ACCOUNTABILITY1
• Entities shall ensure AI used within systems is securely developed, assessed for risk, and
monitored regularly.
• Entities shall ensure AI is used responsibly, operating correctly, and compliant with
applicable laws, regulations, policies, procedures, standards, guidelines, and best
practices.
• Team members shall not use state-managed passwords to log into third-party
applications that are not managed by the State’s digital identity management solution
(Single Sign-on/Active Directory). Use of a state-issued email as a user ID is permissible
if a different password is used.
7.4 SECURITY AND RISK MANAGEMENT
Entities utilizing AI system technologies shall incorporate NDIT’s Security Risk Management
Program (SRMP) into system development and operations, when applicable.
• Privacy impact assessments, third-party and security risk assessments shall be conducted
regularly to ensure that security, safety, confidentiality, civil liberties, civil rights, and
privacy are protected while continuing to promote and empower the use of AI to benefit
the State of North Dakota and its citizens.
• Users shall not input any content into public AI/ML technology services (i.e. ChatGPT)
that contains moderate-risk or high-risk data based on the NDIT Data Classification
Policy. Low-risk data, which is publicly available data, is permitted for use with AI/ML
technologies.
• The data/business owner shall establish appropriate controls and risk mitigation
strategies with advisement from NDIT to mitigate identified risks and ensure the use of
AI does not compromise the safety, soundness, or integrity of the Entity’s data and
systems.
7.4.1 Training
• NDIT shall provide AI training through the cybersecurity education and awareness
platform and provide AI workshops.
• The data/business owner shall provide role-based training to team members for
specific and unique AI technologies used for their business purposes.
7.4.2 Use of Approved Products
• All AI technologies shall be properly vetted by NDIT, including free software
services.
• An AI technology inventory list shall be maintained by NDIT.
• Entities shall use approved technologies and request an evaluation of new
technologies through the NDIT Initiative Intake request.
7.4.3 Privacy
• The data/business owner shall comply with all applicable data protection and
privacy laws, regulations, and guidelines.
• Citizen, Entity and regulated data will be collected, stored, processed, and shared in
a secure and confidential manner, with explicit consent obtained where required.
• Entities shall design and implement procedures for specific AI technologies being
used.
• Entities and users shall evaluate the accuracy and compliance of AI technologies on
a regular basis.
7.5 ETHICS, FAIRNESS, AND BIAS1
• AI technologies shall be ethical, fair, and unbiased in a manner that isn’t
discriminatory and negatively affects a specific group of people.
• Human rights, civil liberties, and dignity shall be protected, while making the
selection of AI technologies and using their output.
• Users and Entities shall ensure that AI technologies utilize an ethical and fair
representation of culture, economics, and society within their data sets, and that
benefits are accessible to all citizens.
7.6 LEGAL AND COPYRIGHT
AI uses data models to generate output, and submitted data may incorporate source materials
that are owned by individuals or organizations, especially using public AI sources. Source
material generated into output and, if used without permission, could violate copyright or
licensing terms.
• End-user licensing agreements, terms of use, privacy policies, and other legal
documents shall be reviewed in detail to determine the risks and legal parameters for
use of AI.
• The U.S. Copyright Office has determined AI-generated content is not protected by
copyright. Content must be human authored to be considered protected under
copyright laws.
• Use of AI technology is subject to open records as defined in NDCC 44-04-18. Open
records policy is not bound to any specific system, device or platform, nor by its owner.
