 [footnotes and tables omitted]
I. Purpose
The purpose of this policy is to provide statewide planning, implementation, procurement,
security, privacy, and governance requirements forthe use of Artificial Intelligence (AI). The policy
authorizes the implementation of AI, while establishing an operational framework that will assist
in protecting Ohioans’ Data and the Integrity and Quality of the information delivered through AI
solutions. The first occurrence of a defined term in the policy is in bold, italic type, and is
hyperlinked to the definition in Section IV.
II. Scope
This policy applies to all state agencies, boards, and commissions under the authority of the
Governor (collectively referred to as Agency or Agencies).
III. Policy
While AI can deliver significant business value to the State of Ohio, responsible implementation
requires a deliberate and detailed approach. Agencies considering the implementation of AI shall
ensure that processes are in place to effectively manage the technology and achieve the desired
results. This policy details the requirements for integrating AI technologies into state solutions.
A. AI Solution Development: As part of AI planning and implementation, Agencies shall follow
the iterative activities outlined below:
1. Defining a formal process for identifying, documenting, reviewing, and approving AI use
cases. Agency use cases and solutions shall align with the core AI Principles. 
2. Submission of Agency approved use cases to the AI Council as appropriate (refer to
section F. for additional information).
3. Designing an approved use case pilot prior to a full production implementation.
4. Conducting any necessary data quality testing for pilot and full production of AI
deployments, including:
a) Reviewing and testing any AI generated output for proper functionality and security.
b) Testing the Data sets for AI Models to determine the degree of Underfitting,
Overfitting, and errors related to bias and variance.
c) Testing activities shall be properly documented.
5. Defining the hand-off criteria to determine when judgment and decisions from an AI
solution are transitioned to a human.
6. Charging human operators with reviewing AI outputs for accuracy, appropriateness,
privacy, and security before being acted upon or disseminated. AI outputs shall not be
assumed to be truthful, credible, or accurate.
7. Ensuring that a human verification process is in place for decisions made by AI that have
a legal, financial, human resources, legislative, organizational, or regulatory impact.
8. Ongoing monitoring of AI generated output to validate that errors or Data bias are not
introduced as the Model evolves.

B. Workforce Requirements: The Ohio Department of Administrative Services (DAS), in
coordination with Agencies, shall establish AI training for the state’s workforce that addresses
the implications of and appropriate use of AI, which includes:
1. Authorization for Use: The use of Generative AI for work purposes must be approved by
the Agency director or designee and must be in alignment with the requirements defined
by the AI Council (refer to section III.F. for additional details).
2. Disclosing Use: When Generative AI is used to create a deliverable for Agency use,
employees, contractors, and temporary personnel shall be required to disclose this
information to their Agency (e.g., written documentation, research, correspondence, and
software code).
3. Data Input Restrictions: If a state employee, contractor, or temporary personnel is
authorized to use a Generative AI tool for state business, they are required to only enter
data into the tool that is considered a public record.
4. Importance of Verifying Accuracy: Review, revise, and fact check via multiple sources any
output from a Generative AI solution before use. The human user is responsible for any
material created with AI support.
5. Ethical Considerations: The training shall create awareness regarding the ethical
considerations surrounding the use of AI, in particular, Generative AI
a) AI outputs shall not be used to impersonate individuals or organizations without
their written permission.
b) Material that is inappropriate for public release shall not be entered as input to AI
tools unless explicitly approved by the Agency director, chief legal counsel, chief
information officer or designee for the intended use case.
c) Generative AI can make assumptions based on past stereotypes and the information
provided may need to be corrected.
6. Secure Use: The security, privacy, and Data concerns surrounding the use of AI.

C. AI Procurements: When seeking to procure an AI solution, Agencies shall adhere to the
following requirements:
1. AI procurement solicitations offered by suppliers must align with the requirements of this
policy.
2. All AI software services, even if they are free or part of a pilot or proof-of-concept project,
shall be reviewed by the Agency to ensure the software meets all necessary security and
privacy requirements. This requirement applies to downloadable software, Software as
a Service (SaaS), web-based services, browser plug-ins, and smartphone apps.
a) The following elements shall be captured and evaluated for any AI solution during
the procurement process:
(i) Technical/design details of the AI system and algorithms
(ii) How the AI system was trained (including personnel and documentation)
(iii) How the AI system works (i.e., what are the inputs and outputs)
(iv) Data sources (documentation of all Data sources)
(v) Audit Logging
(vi) Change Management details and documentation that impact the AI system
algorithms (i.e., decisions, inputs, outputs)
(vii) Testing practices and results
(viii) Timeframe documentation (captures time periods of testing, governance
approval, deployment, and other critical milestones the of AI solution)
b) New AI software requests shall be submitted for review and possible approval to the
AI Council (refer to section F.).
3. Agency contracts shall prohibit suppliers from using State of Ohio materials or Data in
Generative AI solutions, unless such use is explicitly approved by the Agency director or
designee.
4. Procuring Agencies shall ensure suppliers disclose the utilization of Generative AI when
producing works owned by the state or the integration of Generative AI in products used
by the state.
5. Procuring Agencies shall perform due diligence to ensure proper licensure of Model
training Data for all Generative AI services using non-state Data.
6. All copyrightable works owned by the state that are created with the involvement of
Generative AI must include an accompanying annotation sufficient to meet the
requirements of the U.S. Copyright Office for Works Containing Material Generated by
Artificial Intelligence (88 FR 16190). The annotation should include at least the Generative
AI technology used and a description of how it was used to create the work.

D. Security and Privacy: Agencies shall ensure that AI solutions adhere to state IT security
and privacy laws, policies, and standards. In addition, Agencies shall comply with the
following requirements:
1. Security: Agencies shall implement the following security controls when designing AI
solutions:
a) Conduct a risk assessment of a proposed AI solution, including considerations of
exploitation by malicious actors or inadvertent uses by authorized users. Determine
appropriate security controls to mitigate against such risk.
b) Establish controls to prevent adversarial learning attacks that try to influence or
corrupt the Data Model by detecting abnormal network traffic.
c) Ensure that authentication and authorization controls align with state and Agency
policy.
d) Sensitive Data, including Personally Identifiable Information (PII) and
Confidential Personal Information, shall not be input into unconstrained
Generative AI tools and publicly accessible service or training Models.
2. Privacy: Agencies shall protect the privacy of individuals when using AI solutions. This
includes, but is not limited to, implementing the following privacy controls:
a) AI Models shall not be used to collect or store PII without the consent of the
individual.
b) AI solutions shall only collect, use, share, and store Data in accordance with federal
and state privacy and personal Data laws and policies.
c) The AI solution shall disclose to the user thatthey are interacting with a State of Ohio
AI solution and the Data sources for the information shall be provided.

E. Data Governance: The State of Ohio Chief Data Officer (CDO) Council shall be responsible for
establishing and maintaining statewide Data governance requirements, including those for AI
solutions. The requirements shall define information management controls, procedures, and
processes for Data set selection, evaluation, and preparation. The controls shall address, but
not be limited to, the following principles:
1. Data Availability, Quality, and Integrity are critical for AI systems. AI systems shall not be
trained with Data that is biased, inaccurate, incomplete, or misleading.
2. AI systems shall only have access to the Data sources they need for the specific context.
3. Data shall be regulated through established Data sharing agreements that identify the
applicable federal and state laws and policies for the AI solution use case. The
agreements shall outline the acceptable terms for Data use, storage, and transmission.
4. Data sources used with AI Models shall be properly parsed into multiple, randomized
Data sets consisting of training, cross-validation, and test Data.
5. Data validation procedures shall be in place to select, analyze, clean, and certify the
Integrity of the Data sources that will be used for AI automation solutions.
6. Data Steward, Data Owner, and Data Custodian roles shall be responsible for
maintaining the Quality and Integrity of Agency AI Data Models.
7. Every proposed Generative AI solution’s Data Model must receive Agency executive
approval followed by the AI Council (refer to section F.) prior to implementation.

F. AI Council: DAS shall establish a multi-Agency AI Council to govern the statewide use of
Generative AI solutions. The AI Council shall include representatives from the Governor’s
Office; DAS and Agency business, human resources, information technology, security, privacy,
Data analytics, and legal functional areas; and the DAS Office of Opportunity and Accessibility.
The AI Council shall provide oversight for the following:
1. Directing the establishment of and the ongoing use of a statewide sandbox environment
to safely explore the use of Generative AI to enhance the experience of the workforce and
Ohioans.
2. Examining the social, economic, and legal impacts of AI adoption on the workforce,
Ohioans, and business operations.
3. Defining the legal requirements for the use of third-party AI services, contracts, licenses,
agreements, and specific AI solution use cases.
4. Establishing the framework for evaluating and authorizing the use of AI technology (e.g.,
architecture frameworks, software, infrastructure, and relevant tools).
5. Developing and maintaining a statewide central repository that captures approved
Generative AI use cases.
6. Documenting protocols and procedures for assessing and handling inquiries or incidents
regarding AI system anomalies.
7. Auditing AI current and future solutions to ensure alignment with the requirements of
this policy.

IV. Definitions
A. Artificial Intelligence (AI). Interdisciplinary field, usually regarded as a branch of computer
science, dealing with Models and systems for the performance of functions generally
associated with human intelligence, such as reasoning and learning.1
B. AI Principles. As defined by Gartner, the core AI Principles include:
1. Fair (minimize bias)
2. Accountable (purposeful and ethical – human feedback loop)
3. Secure and Safe (Data privacy, security framework, risk management)
4. Explainable and Transparent (build trust)
5. Human-Centric and Socially Beneficial (service to the public)2
C. Availability. Ensuring timely and reliable access to and use of information.3
D. Chief Data Officer (CDO) Council. The CDO Council serves as Ohio's data governance and
analytics recommending body, providing support to the State CDO to help guide and advance
Ohio's strategic data roadmap. The CDO Council membership consists of the State CDO, who
serves as the council's chair, and agency CDOs.
E. Confidential Personal Information. Personal information that falls within the scope of Section
1347.15 of the Ohio Revised Code and that an agency is prohibited from releasing under Ohio’s
public records law.
F. Data. Coded representation of quantities, objects, and actions. The word, “Data,” is often used
interchangeably with the word, “information,” in common usage and in this policy.
G. Data Custodian. A person responsible for the safe custody, transport, and storage of state
Data, as well as the implementation of any applicable federal, state, or AgencyData protection
requirements.
H. Data Owner. A person responsible for ensuring that all Data and Data products within their
domain are protected and managed appropriately pursuant to law, policy, and procedures.
The Data Owner is also responsible for authorizing access and/or sharing of their Data, in
consultation with their designated legal and privacy representatives.
I. Data Steward. A person responsible for the day-to-day management of a dataset and serves
as the subject matter expert who understands and communicates the meaning and use of
information.
J. Generative AI. A kind of AI capable of generating new content such as code, images, music,
text, simulations, 3D objects, videos, and so on. It is considered an important part of AI
research and development, as it has the potential to revolutionize many industries, including
entertainment, art, and design.4
K. Integrity. Guarding against improper information modification or destruction and includes
ensuring information non-repudiation and authenticity.5
L. Model. For the purposes of this policy, a Model is something that is trained on a broad set of
unlabeled Data that can be used for different tasks, with additional fine-tuning.6
M. Overfitting. Overfitting occurs when a Model tries to predict a trend in Data that is too noisy.
Overfitting is the result of an overly complex Model with too many parameters. A Model that
is overfitted is inaccurate because the trend does not reflect the reality of the Data. An
overfitted Model is a Model with a trend line that reflects the errors in the Data that it is trained
with, instead of accurately predicting unseen Data.
N. Personally Identifiable Information (PII). Information that can be used directly or in
combination with other information to identify a particular individual. It includes:
1. a name, identifying number, symbol, or other identifier assigned to a person,
2. any information that describes anything about a person,
3. any information that indicates actions done by or to a person,
4. any information that indicates that a person possesses certain personal
characteristics.8
O. Quality. Degree to which the characteristics of Data satisfy stated and implied needs when
used under specified conditions.
P. Sensitive Data. Sensitive Data is any type of Data that presents a high or moderate degree of
risk if released, disclosed, modified, or deleted without authorization. There is a high degree
of risk when unauthorized release or disclosure is contrary to a legally mandated
confidentiality requirement. There may be a moderate risk and potentially a high risk in cases
of information for which an Agency has discretion under the law to release Data, particularly
when the release must be made only according to Agency policy or procedure. The Data may
be certain types of Personally Identifiable Information that is also sensitive such as medical
information, social security numbers, and financial account numbers. It includes Federal Tax
Information under IRS Special Publication 1075, Protected Health Information under the
Health Insurance Portability and Accountability Act, Criminal Justice Information under
Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Security Policy,
and the Social Security Administration Limited Access Death Master File. Sensitive Data may
also be other types of information not associated with a particular individual such as security
and infrastructure records, trade secrets and business bank account information.
Q. Underfitting. Underfitting occurs when a statistical Model cannot adequately capture the
underlying structure of the Data. 

V. Authority
ORC 125.18
VI. Resources
Document Name Location
Ohio Administrative Policy IT-13, Data
Classification https://das.ohio.gov/technology-andstrategy/policies/it-13
Ohio Administrative Policy IT-14, Data
Encryption and Securing Sensitive Data https://das.ohio.gov/technology-andstrategy/policies/it-14
Ohio IT Standard ITS-SEC-02, Enterprise Security
Controls Framework https://das.ohio.gov/technology-andstrategy/policies/its-sec-02-enterprisesecurity-controls-framework
National Institute of Standards and Technology
(NIST) Special Publication 800-53, Security and
Privacy Controls for Federal Information
Systems and Organizations
https://csrc.nist.gov/publications/sp
NIST Trustworthy & Responsible AI Resource
Center https://airc.nist.gov/home

VII. Inquiries
Direct inquiries about this policy to:
State IT Policy Manager
Office of Information Technology
Ohio Department of Administrative Services 

30 East Broad Street, 39th Floor
Columbus, Ohio 43215
1-614-466-6930 | DAS.State.ITPolicy.Manager@das.ohio.gov
State of Ohio Administrative Policies may be found online at
https://das.ohio.gov/technology-and-strategy/policies
VIII. Revision History
This policy shall be reviewed no less than every two years and updated as needed.
