
Enterprise Generative AI Policy

DTS POLICY 4000-0008


Policy Type: Enterprise
Section/Group: IT Policies
Authority: UCA §63A-16-104; UCA §63A-16-205; Utah Administrative Code


Document History

Original Submission

Submitted On: September 2023

Submitted By: Chris Williamson

Approved By: Alan Fuller

Issue Date: September 6, 2023

Effective Date: September 6, 2023

Reviews

Last Reviewed Date: September 2023

Last Reviewed By: Chris Williamson, Chief Technology Officer

Next Review: September 2024


Purpose

The purpose of this policy is to provide guidance on the use of generative artificial intelligence (AI) for executive branch employees in Utah State government. The policy is created to promote the use of generative AI while protecting the safety, privacy, and intellectual property rights of the State of Utah.

Background

Generative AI refers to a class of artificial intelligence systems that are capable of generating content, such as text, images, video, or audio, based on a set of input data rather than simply analyzing or acting on existing data. Popular generative AI systems include GPT-3 and GPT-4/ChatGPT, Dall-E, Bard, Bing Chat, GitHub Copilot, and Lensa AI, among many others. Generative AI technology is rapidly being incorporated into common online tools as standalone systems or embedded within other applications. These systems have the potential to support many state business functions and services; however, their use also raises important questions, particularly around the sourcing of training data, proper attribution of generated content, the handling of sensitive or public data, accuracy of outputs, bias, and stability. Further research into this technology may uncover issues that require more guidance or restrictions on its use.

Scope

This policy applies to all State of Utah executive branch employees, contractors, temporary workers, volunteers, and others (collectively referred to as users throughout the rest of this policy) who utilize generative AI technologies for or on behalf of the state. 

Exceptions

None

Definitions

Generative Artificial Intelligence

A form of artificial intelligence in which algorithms automatically produce content in the form of text, images, audio and video.

Generative Pre-trained Transformer (GPT)

GPT is a type of artificial intelligence language model that was developed by OpenAI. GPT models are trained on a massive dataset of text and code, and they can be used for a variety of tasks, including text generation, translation, and summarization. GPT is a type of Large Language Model which reached popularity with the introduction of ChatGPT in November 2022.

1. Policy

1.1 Guidelines

Generative AI is a powerful tool that can be used to improve government services and operations. When making use of generative AI tools and capabilities, state agencies and users should consider the following general principles:

1.1.1. Transparency: Users and agencies must be transparent about how they are using generative AI. This shall include full attribution to which AI is used.

1.1.2. Accountability: Users and agencies are accountable for the decisions that are made and materials created using generative AI. 

1.1.3. Fairness: AI systems can reflect the cultural, economic, and social biases of the source materials used for training, and the algorithms used to parse and process that content can be a source of bias as well. Users and agencies shall ensure that generative AI is used in a fair and equitable manner. 

1.1.4. Privacy: Users and agencies must protect the privacy of individuals when using generative AI. This means that any models shall not be used to collect or store personal information without the consent of the individual. No private, controlled, confidential, or restricted data shall be added to a publicly accessible training model.

1.1.5. Security: Users and agencies shall take steps to protect the security and integrity of generative AI models. DTS cybersecurity staff are available to provide technical support in securing AI resources.

1.1.6. Training: Agencies shall mandate a minimum level of AI training for users responsible for business processes which are incorporating generative AI. 

1.1.7. Legal: There are unresolved legal issues surrounding generative AI and the data inputs used to create AI models. AI systems may be trained using copyrighted material that has been sourced without regard for copyright or licensing terms. Sources of inputs to models must be reviewed and usage risk evaluated.

1.2 Requirements

1.2.1. All software services, even if they are free or part of a pilot or proof-of-concept project, must be reviewed by agencies to ensure the software meets all necessary security and privacy requirements. This requirement applies to downloadable software, Software as a Service (SaaS), web-based services, browser plug-ins, and smartphone apps. New software requests must also be reviewed by the DTS Architecture Review Board and the Enterprise Cyber Security Team.

1.2.2. Use of generative AI technology that is incorporated into existing services and products, such as internet search engines, does not require permission to use; however, this policy’s guidelines and other requirements must be followed.

1.2.3. AI outputs must be reviewed by knowledgeable human operators for accuracy, appropriateness, privacy, and security before being acted upon or disseminated. AI outputs should not be assumed to be truthful, credible or accurate.

1.2.4. AI outputs shall not be used to impersonate individuals or organizations without their written permission.

1.2.5. Privacy: 

1.2.5.1. State agencies must comply with all GRAMA, PRMA, records management, privacy and other applicable laws, rules, and policies to ensure the appropriate and reasonable protection of data and the protection of rights of persons that may be impacted by information furnished by AI. 

1.2.5.2. No private, controlled, or confidential data shall be added to a publicly accessible AI service or training model.

1.2.5.3. Material that is inappropriate for public release shall not be entered as input to generative AI tools that have not been explicitly approved for the intended use case.

1.2.5.4. Agency contracts shall prohibit vendors from using State of Utah materials or data in generative AI queries or for building or training proprietary generative AI programs unless explicitly approved by the state.

1.2.6. DTS will provide training on proper usage of generative AI for users. Agencies shall ensure that all users of tools consisting of or incorporating generative AI complete this training before being granted access and annually thereafter.

1.2.7. All copyrightable works owned by the state that are created with the involvement of generative AI must include an accompanying annotation sufficient to meet the requirements of the U.S. Copyright Office for Works Containing Material Generated by Artificial Intelligence (88 FR 16190). The annotation should include at least the generative AI technology used and a description of how it was used to create the work.

1.2.8. Procuring agencies shall ensure vendors disclose the utilization of generative AI when producing works owned by the state and integration of generative AI in products used by the state.

1.2.9. Procuring agencies shall perform due diligence to ensure proper licensure of model training data for all generative AI services using non-state data.

1.2.10. All software code generated through the use of generative AI shall not be used in production until fully reviewed and tested for proper functionality and security. Any such use shall be properly documented.

2. Policy Compliance

State of Utah users are expected to comply with this policy. Additional policies and standards developed and implemented by State Agencies may include additional objectives or detail, but must be compatible with the objectives described in this policy document.

3. Enforcement

Violation of this policy by personnel employed by the State of Utah may be the basis for discipline including but not limited to termination. Individuals and contractors working with any State of Utah Agency found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.