SUNY: Strict AI Guidelines, a Challenge for CIOs

SUNY: Strict AI Guidelines, a Challenge for CIOs

Leaders of the 64 campuses of the State University of New York (SUNY) have until the end of the year to establish or update guidelines related to artificial intelligence (AI), including standards for bias assessment, student privacy protection, and responsible AI usage.

This mandate stems from an AI governance policy adopted in May, which tasks SUNY campus IT leaders with finding ways to evaluate AI vendors, implement governance frameworks, protect institutional data, and support the responsible large-scale adoption of AI.

The framework is already having an impact beyond New York State, with CIOs and IT leaders from public university systems viewing this announcement as an early indicator of AI policy expectations in higher education.

What SUNY's AI Policy Requires

The SUNY policy sets a deadline of December 31, 2026 for new AI guidelines, with a possible one-time extension of two months.

At a minimum, campus policies must:

• Clarify roles and responsibilities related to AI for campus stakeholders
• Provide training on the safe and responsible use of AI
• Add procurement safeguards to protect SUNY data and prevent biased AI usage

Campuses must also consider the differences between educational, research, and administrative uses of AI and apply increased oversight to high-risk AI systems, while regularly revising their policies.

“One of our main concerns is ensuring that SUNY data — including students' personal information and academic records — is protected,” said Jesse Sloman, SUNY's CISO, to EdTech during the announcement of the new policy. “We don’t want a SUNY student using a SUNY AI tool and having that data used to train external models outside of contractually defined terms.”

Procurement Safeguards for AI Tools: Vendor Assessment within a Governance Framework

Without strong governance practices, AI adoption can spread across a campus faster than institutional oversight can keep up, leaving campus leaders to discover risks only after AI tools have already been integrated into teaching, research, or administrative tasks. Gartner notes that AI governance is still maturing and that AI is particularly difficult to govern because it requires organizations to evaluate tools and vendors “under conditions involving complexity, ambiguity, and rapidly evolving technology.”

Rather than taking vendor claims at face value, colleges and universities should develop detailed risk assessments and mitigation strategies as part of their AI procurement process. Institutions can also collaborate with one another to share information about specific AI tools.

Bias Assessment in Practice: How IT Teams Can Build and Document AI Review Processes

AI tools can generate biased outcomes due to biases in their training data. EDUCAUSE recommends regular audits of AI algorithms and datasets to detect potential biases, testing systems with diverse data to identify and mitigate discriminatory outcomes.

The organization also recommends training AI models with diverse and representative datasets, ensuring that AI tools comply with anti-discrimination laws, and establishing clear policies prohibiting discrimination in AI applications.

Data Privacy Protection and Student Information: The Infrastructure Implications of Responsible AI

Colleges and universities are responsible for protecting vast amounts of sensitive data, including academic records, financial aid information, payroll records, and donor data. AI raises the stakes regarding the governance and connection of this data across institutional systems. During procurement, institutions can require vendors to document how they protect user data, whether they use uploaded information to train their AI models, and how data is anonymized.

Protecting sensitive data may require campuses to modernize their data access, identity, security, and monitoring infrastructure.

Scaling AI Governance Across a Diverse Campus System

The SUNY policy emphasizes that not all universities have the same resources to dedicate to AI governance. This may mean that governance is applied unevenly across the higher education sector, but individual schools and campuses must still adhere to minimum standards to mitigate risks, eliminate biases, and address other potential issues.

Ideally, AI adoption will grow alongside governance. In practice, however, AI tools are often implemented before governance policies are in place. According to a study, less than 40% of institutions have policies that define acceptable AI usage in higher education.

The Empire AI Consortium Gives Universities More Control Over Computing and Data

Empire AI is the first state consortium of public and private research institutions aimed at advancing AI research, with members including SUNY, the City University of New York, Cornell University, Columbia University, and others. The consortium launched the first phase of its high-performance computing system on the University at Buffalo campus in October 2024, with the full Empire AI computing center planned for 2028.

Access to this type of dedicated computing power for AI can help colleges and universities reduce their reliance on commercial public cloud platforms for certain AI workloads, giving higher education leaders more control over how sensitive research, student, or institutional data is stored, processed, and governed.

Building an AI Governance Framework Without Starting from Scratch

AI does not require campuses to completely rewrite their governance policies. In fact, SUNY encourages campus leaders to consider how their AI governance framework aligns with existing policies surrounding IT governance and procurement.

“We don’t want campuses to recreate all their existing policies in a separate AI document,” Sloman said. “Instead, they should think about how AI fits into their existing policy frameworks and update those as necessary — or develop a standalone policy if needed.”

Ultimately, higher education cybersecurity teams are invited to provide many governance assurances similar to those from before. Rather than recreating their governance frameworks from scratch, they should find ways to apply their policies to the complex and rapidly evolving world of AI.