What the SUNY AI Policy Requires
The SUNY policy sets a Dec. 31, 2026, deadline for new AI guidelines, with a possible one-time, two-month extension.
At minimum, campus policies must:
- Clarify AI roles and responsibilities for campus stakeholders
- Provide training on safe and responsible AI use
- Add procurement safeguards to protect SUNY data and prevent biased use of AI
Campuses must also account for differences across teaching, research and administrative uses of AI and apply greater oversight to higher-risk AI systems and regularly review their policies.
“One of our major concerns is making sure that SUNY data — including students’ personal information and academic records — is protected,” said SUNY CISO Jesse Sloman told EdTech when the new policy was announced. “We don’t want a SUNY student using a SUNY AI tool and have that data used to train external models outside of narrow, contractually defined terms.”
DISCOVER: How to build an AI Center of Excellence on your campus
Procurement Safeguards for AI tools: Vetting Vendors Under a Governance Framework
Without strong governance practices, AI adoption can spread throughout a campus faster than institutional oversight can keep up, leaving campus leaders to discover risks only after AI tools have already embedded themselves into teaching, research or administrative tasks. Gartner notes that AI governance is still maturing, and that AI is particularly difficult to govern because it requires organizations to evaluate tools and vendors “under conditions that involve complexity, ambiguity and rapid technology evolution.”
Rather than accepting vendor assertions at face value, colleges and universities should develop detailed risk assessments and mitigation strategies as part of their AI procurement process. Schools may also collaborate with one another to share insights about AI-specific tools.
Bias Evaluation in Practice: How IT Teams Can Build and Document AI Review Processes
AI tools can generate biased outputs due to biases in their training data. EDUCAUSE recommends regular audits of AI algorithms and data sets for potential biases, testing systems with diverse data to identify and mitigate discriminatory outcomes.
The organization also recommends training AI models with diverse and representative data sets, ensuring that AI tools comply with antidiscrimination laws and establishing clear policies that prohibit discrimination in AI applications.
LEARN MORE: Why should IT leaders start their AI plans with data readiness?
Data Privacy and Student Information: The Infrastructure Implications of Responsible AI
Colleges and universities are responsible for safeguarding enormous volumes of sensitive data, including academic records, financial aid information, payroll records and donor data. AI raises the stakes around how this data is governed and connected across institutional systems. During procurement, institutions can require vendors to document how they protect user data, whether they use uploaded information to train their AI models and how data is anonymized.
Protecting sensitive data may require campuses to modernize their data access, identity, security and monitoring infrastructure.
Scaling AI Governance Across a Diverse Campus System
The SUNY policy highlights the reality that not all universities have the same resources to devote to AI governance. This may mean that governance is applied unevenly across the higher education sector, but individual schools and campuses must still meet minimum standards to mitigate risk, eliminate bias and address other potential problems.
Ideally, AI adoption will scale alongside governance. In practice, however, AI tools are often implemented before governance policies are in place. According to one study, fewer than 40% of institutions have policies that outline acceptable use for AI in higher education.
The Empire AI Consortium Gives Universities More Control Over Compute and Data
Empire AI is the first statewide consortium of public and private research institutions aimed at advancing AI research, with members including SUNY, the City University of New York, Cornell University, Columbia University and others. The consortium launched the first stage of its high-performance computing system on the University at Buffalo campus in October 2024, and the full Empire AI computing center is scheduled for completion in 2028.
Access to this sort of dedicated compute power for AI can help colleges and universities reduce their reliance on commercial public cloud platforms for certain AI workloads, giving higher education leaders more control over how sensitive research, student or institutional data is stored, processed and governed.
Building an AI Governance Framework Without Starting From Scratch
AI does not require campuses to entirely rewrite their governance policies. In fact, SUNY is encouraging campus leaders to consider how their AI governance framework aligns with existing policies surrounding IT governance and procurement.
“We don’t want campuses to re-create all of their existing policies in a separate AI document,” Sloman said. “Instead, they should think about how AI fits into their existing policy frameworks and update those where necessary — or develop a standalone policy if needed.”
Ultimately, higher education cybersecurity teams are being asked to provide many of the same governance assurances now as before. Rather than re-creating their governance frameworks from scratch, they must find ways to apply their policies to the fast-moving, complex world of AI.
