Artificial Intelligence Use Rule
This IT Rule is currently under review by the University Policy Committee and is being considered for future implementation as a Board-delegated policy.
| Responsible office | Office of Information Technology |
|---|---|
| Enforcement official | Office of Legal Affairs, Risk, and Compliance, General Counsel |
1. Overview
Generative artificial intelligence (“Gen-AI”) is a type of artificial intelligence tool or technology that can learn from and mimic large amounts of data to create content such as text, images, music, videos, code, and more, based on inputs or prompts. The University supports responsible use of Gen-AI by Users of University’s IT Resources and Data (“Users”), provided such use is consistent with the law and University policy. Users must keep important considerations in mind when using Gen-AI, including considerations related to information security, data privacy, compliance, intellectual property rights, and academic integrity.
2. Purpose of Rule
The use of Gen-AI is becoming increasingly prevalent in the University community and worldwide. While Gen-AI offers Users opportunities for increased productivity, innovation, and creativity, it also introduces serious risks, such as the potential for data leaks, misuse of data, and use of incorrect or false information. Gen-AI must be used responsibly to minimize its risks to security, safety, and ethical considerations. This rule establishes a framework to help ensure the secure, safe, and responsible use of Gen-AI across the University and to limit the risks that Gen-AI poses.
This rule is intended to: (1) establish high level University-wide rules and expectations regarding appropriate and responsible use of Gen-AI, consistent with the law and University’s Policies, Mission, and Vision; (2) support Users in navigating the appropriate use of Gen-AI, enabling them to benefit from the unique opportunities Gen-AI offers; (3) ensure transparency in Users’ use of Gen-AI; and (4) minimize the risks Gen-AI poses, including but not limited to risks to privacy, security, copyright and intellectual property concerns, bias, equity, safety, and ethical conduct.
3. Stakeholders Most Impacted by the Rule
All members of the University community and all Users of University’s IT Resources (including students, faculty, staff, researchers, guests, and other Affiliate Users) must follow this rule and work to minimize any and all risks associated with Gen-AI use that could impact the University.
4. Scope
This rule governs the use of any Gen-AI programs, tools or technology (collectively, “Gen-AI”) by Users and other members of the University Community, whether the Gen-AI is used in performing functions for or on behalf of University or in any other use of IT Resources and/or Data. The Office of Information Technology (“OIT”) may publish more detailed guidelines regarding Gen-AI use (“OIT Guidelines”) in compliance with this rule. This rule and related OIT Guidelines shall be construed in a manner consistent with and supplemental to applicable Federal and State law and applicable University Policies.
Gen-AI is a rapidly and constantly evolving technology. The University will continue to monitor developments in Gen-AI technology, its use at the University and elsewhere, and responses received from the University community. This rule and any OIT Guidelines will necessarily evolve and be updated regularly. Users must review this rule and any OIT Guidelines frequently to check for updates. Users should contact OIT with any questions or concerns regarding the appropriate use of Gen-AI.
5. Rule
Users and all members of the University community are expected and required to be good stewards of University Data and IT Resources and to use them in a safe, responsible, ethical, and legal manner. Users’ must utilize Gen-AI in a manner that complies with all University rules and policies, OIT’s published guidelines, the Student Code of Conduct (which requires academic honesty, integrity, and ethical conduct), University contracts, employee handbooks, collective bargaining agreements, and State and Federal law. Users must also comply with Gen-AI guidelines established by their respective University departments and units, provided that those guidelines do not contradict this rule or OIT Guidelines.
An individual’s continuing ability to use University IT Resources is contingent upon their appropriate and responsible use of this and other University policies. Failure to adhere to this rule or other relevant policies and guidelines may result in disciplinary action, up to and including termination of employment (employee) or a dismissal from the University (student).
5.1 APPROVED GEN-AI TECHNOLOGIES
Users must only use Gen-AI technologies that have been vetted and approved through OIT’s Technology Planning and Compliance Review Process, per the University’s Information Technology Acquisition Policy. Only Gen-AI technologies that provide sufficient enterprise or commercial data protection controls will be considered for approval. OIT shall maintain an updated inventory or list of all University-approved Gen-AI technologies (“Approved Gen-AI”). This Approved Gen-AI inventory may be found at go.wmich.edu.
5.1.1 Procuring AI Technologies (including free software or tools): Users must adhere to the Information Technology Acquisition Policy when acquiring software or tools that include, reference, or otherwise utilize Gen-AI technologies regardless of cost.
5.1.2 Contract Required. No Gen-AI shall be approved unless and until it has been reviewed and approved by OIT and is subject to a written agreement between University and the Gen-AI vendor, approved through University’s established contract review procedures.
5.2 RISKS OF GEN-AI USE
The University supports the responsible use of Gen-AI, but recognizes that all Gen-AI technologies pose significant limitations and risks. The fact that Gen-AI is based on algorithms that “learn” from all data and information that any user inputs, introduces significant risks related to information security, data privacy, copyright, and academic integrity, and the risk that the output may be biased, misleading, or inaccurate. Thus, use of Gen-AI by faculty, staff and students could pose serious risks and legal liabilities to those individuals and to the University, including but not limited to, increased potential for data leaks and the dissemination of confidential data, misuse of data, and transmission of incorrect or false information.
This rule describes some known risks of Gen-AI use, but does not cover every potential risk. Users must educate themselves about the potential risks of Gen-AI, take precautions to avoid them, and make sure their Gen-AI use does not violate any law or University rule/policy.
5.3 AUTHORIZED USES
Users must only use and engage with Gen-AI in a responsible, legal manner. Users must use Gen-AI in a manner reflective of its inherent limitations, being careful to avoid those limitations and other risks.
5.3.1 Limited Use Only. Users must only use Gen-AI for approved academic and/or research activities that align with the University’s objectives, values, and policies, and Users must comply with University ethical standards when using Gen-AI. Users must use Gen-AI only for low-risk purposes, such as to begin research or assist with editing non-confidential information. Users must use their University accounts, not personal accounts, when using approved Gen-AI to perform activities for or on behalf of the University.
5.3.2 Citation Required. Gen-AI-generated content is not original content. When using Gen-AI output as a source or resource, Users must always cite (1) the Gen-AI model used, (2) the date and time they used it, and (3) the query or prompt the User(s) entered into the Gen-AI.
5.3.3 Check Output Accuracy. Each User is responsible for the content of their work product. Users are responsible for checking Gen-AI output before using it for any purpose related in any way to University, to verify that information is unbiased, authorized for use, accurate and complete.
5.4 MAINTAIN DATA PRIVACY AND SECURITY
5.4.1 Users must limit the types of data and information which they input into Gen-AI and must not enter confidential, sensitive, restricted or otherwise protected data or information into any Gen-AI tool or service. The University is required by State and Federal laws and regulations to protect sensitive information in its possession.1 University requires all Users to protect sensitive and/or confidential information in University’s possession.
5.4.2 Users are required to carefully review the University’s Data Classification Policy before entering information into Gen-AI and to ensure their familiarity with University’s current classifications of information and/or data. Users must NEVER input information classified as Restricted, Confidential, or Internal into any Gen-AI platform.
5.4.3 Gen-AI is based on algorithms that “learn” from data and information that users input. If a User inputs private, confidential, sensitive, or personal information, that input could become public. The Gen-AI may distribute that information to others who have no right to that information and may use it for inappropriate or illegal reasons.
5.4.3.1 The sole exception to this rule is where the data or information the User proposes to enter has undergone appropriate internal review and User has received written authority from the head of the respective University Department or Unit to enter the data or information into the specified Gen-AI tool or service.
5.4.3.2 Do not input any Personal Information related to University employees, students, faculty, or other stakeholders into a Gen-AI tool except when specifically approved in writing by OIT and Human Resources and security controls are in place.
5.4.4 Redact (Delete) or Anonymize Information, As Necessary. Before entering any information or document into Gen-AI that contains or might be expected to contain Personally Identifiable Information, Personally Identifiable Health Information, or any other sensitive or confidential information, Users must review the information or document carefully and redact (delete) or anonymize any portion that contains sensitive or confidential information.
5.4.5 Opt-Out of Gen-AI’s Use of Input. Many Gen-AI systems have settings that allow Users to limit the sharing of their input data, to “opt out” of Gen-AI’s use of the input data to train future iterations of the Gen-AI system. Wherever that option is available, Users must choose the opt out settings, asking the Gen-AI system not to use the User’s input for training the Gen-AI system.
5.5 RESPECT COPYRIGHT AND INTELLECTUAL PROPERTY RIGHTS
When using Gen-AI, Users must comply with laws regarding copyright and intellectual property (“IP”) rights, exercising caution to avoid infringement of copyright or IP rights held by the University or third parties. Users must independently verify their rights to data and information before inputting it into Gen-AI and must also verify any output received from Gen-AI.
5.5.1 Input. Before inputting any information, document, or data into Gen-AI, Users must ensure they have the necessary rights and permissions to do so. If a User gives Gen-AI access to confidential information or trade secrets, the User may forfeit any IP rights they had in that input information and/or incur legal liability for violating the IP rights of the University and third parties.
5.5.2 Output. Gen-AI outputs may violate the intellectual property rights of others, and might not themselves be protected by intellectual property laws. Any content generated by Gen-AI models may constitute an unauthorized derivative work of copyrighted material that was previously used in training the underlying Gen-AI model. This creates a risk of infringement liability; Users and/or the University may be held liable for unintentionally violating third-party copyrights by reproducing copyrighted material without authorization or permission.
Users must not represent or claim any output generated by Gen-AI as the User’s own work. Any content generated by Gen-AI models may constitute an unauthorized derivative work of copyrighted material that was previously used in training the underlying Gen-AI model. This creates a risk of infringement liability; the User and/or University may be held liable for violating third-party copyrights by reproducing copyrighted material without authorization or permission. Users wishing to quote, paraphrase or borrow ideas from Gen-AI output, must first verify that the output is accurate and use proper citations to avoid plagiarizing another party’s work or otherwise violating another party’s IP rights. Users unable to determine the licensing of or rights to use content generated by a Gen-AI tool must either not use that content or consult with an attorney specializing in IP Rights.
5.6 GEN-AI OUTPUT MAY BE INACCURATE, MISLEADING, OR FALSE
Users must confirm the accuracy of Gen-AI output before using it. Gen-AI output often contains errors, cites to inappropriate or nonexistent sources, or is otherwise inaccurate, misleading, or false. Gen-AI output, while responsive to input prompts, necessarily reflects a combination of a myriad of unverifiable, unattributed sample data points found in the training data set. Gen-AI uses predictive models to create sentences and paragraphs. These predictions are not always accurate, occasionally causing factual errors and nonexistent citations.
Ensure you are familiar with the below-documented limitations of generative AI and avoid overreliance on the models. When using generative AI, approach output with skepticism and use a range of other quality assurance methods.
Users must check the accuracy of information generated by Gen-AI tools prior to relying on such information. Gen-AI tools should not be relied upon without confirmation of accuracy from additional sources. It is possible for AI-generated content to be inaccurate, biased, or entirely fabricated (sometimes called “hallucinations”). Note that such AI-generated content may contain copyrighted material. are responsible for any content that Users publish that includes AI-generated material.
5.7 BIAS, FAIRNESS, AND OVERSIGHT
Gen-AI may produce outputs and decisions that are biased, discriminatory, inconsistent with University rules, regulations, and policies, and/or in violation of applicable law. Gen-AI “learning” algorithms necessarily mean that Gen-AI output has both explicit and implicit biases baked into it, including stereotypes. Users must not rely on any Gen-AI output that is indicative of or poses a risk of potential bias.
Before utilizing Gen-AI output to create content for any use related to University, Users must review the output carefully to ensure that it does not perpetuate or amplify stereotypes, discrimination, or other harmful content. When in doubt, Users must contact the Office of Diversity and Inclusion (ODI) for help reviewing and evaluation the output for fairness, inclusivity, errors, biases, and inappropriate content and to recommend adjustments required to mitigate these risks.
5.8 PROHIBITED USES.
The University expects Users to use and engage with Gen-AI technologies in a responsible, legal manner.
5.8.1 Contracts. Users must not input information that violates any University contract, including but not limited to the terms and conditions of the University contracts under which the Users are using Gen-AI tools. Vendor license agreements govern many of the digital resources maintained by the University Library, and some publishers’ licenses prohibit their digital resource’s content being used in or with AI tools. Users must contact the Library for assistance in defining acceptable uses for licensed content with Gen-AI.
5.8.2 Users must not input data into Gen-AI (or use any Gen-AI output) to Perform or facilitate dangerous, illegal, or malicious activities, including but not limited to (A) facilitation or promotion of illegal activities or violations of law; (B) abuse, harm, interference, or disruption of any University, utility, or government services (or to enable others to do the same); (C) to Generate and distribute content intended to misinform, misrepresent or mislead, including but not limited to help create or carry out malware, spam and phishing campaigns or other cyber scams; (D) attempts to override or circumvent safety filters or intentionally drive the model to act in a manner that contravenes University policies; (E) Generation of content that may harm or promote the harm of individuals or a group; (F) Misrepresentation of the provenance of generated content by claiming content was created by a human, or represent generated content as original works, in order to deceive; (G) to Generate sexually explicit content, (does not include content created for scientific, educational, documentary, or artistic purposes); to produce malicious content, such as malware, viruses, worms, and trojan horses that may have the ability to circumvent access control measures put in place by University or any third-party to prevent unauthorized access to their respective networks.
5.8.3 Users must not use AI-generated code within institutional IT systems or services.
5.9 TRANSPARENCY AND DISCLOSURE
All members of the University community have a shared responsibility to promote intellectual honesty and scholarly integrity and a duty to protect those values from being undermined by Gen-AI-generated content. Users must be transparent when relying on the output of a Gen-AI tool. Users who utilize Gen-AI to produce any written materials or other work product must include clear labels and disclaimers, stating that their work product is based on or derives from the use of Gen-AI output which might be factually inaccurate.
5.10 TRAINING AND AWARENESS
Employees will be provided training opportunities and are expected to complete assigned training on the safe and effective usage of Gen-AI.
5.11 REQUIRED REPORTING
5.11.1 Users must report any actual or suspected legal or ethical issues or concerns they encounter while using Gen-AI to the Office of Legal Affairs, Risk, and Compliance.
5.11.2 Any User who has provided or has a legitimate business reason to provide any sensitive or confidential information to a Gen-AI application must report it to OIT via oit-security@wmich.edu.
5.11.13Any member of the University community who learns of or has reason to suspect a Gen-AI related concern, including but not limited to unauthorized access, disclosure, or misuse of data, must report it to OIT via oit-security@wmich.edu.
5.12 ACCOUNTABILITY
5.12.1 University students who fail to follow this rule and associated procedures will be subject to disciplinary action, up to and including dismissal from the University, consistent with applicable procedures under the Student Code of Conduct.
5.12.2 University employees who fail to follow this rule and associated procedures will be subject to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements.
5.12.3 Any User(s) who fails to follow this rule and associated procedures or guidelines may also be subject to legal and/or criminal liability.
6 Related Documents:
6.1 When using Gen-AI tools, Users should always keep in mind the usual rules and policies concerning privacy, honor code, academic integrity, research conduct, information security and other such rules.