AI Use Without Institutional Guidelines: It’s Up to Us to Protect Data and Privacy
AI is officially “everywhere” in higher ed work, and that’s not a future-tense statement.
A new EDUCAUSE report (Jan. 12, 2026) found that 94% of respondents have used AI tools for work in the past six months, and 81% feel enthusiastic or a mix of caution and enthusiasm about AI. But here’s the gap that should make every administrator, faculty member, and staff professional pause: only 54% say they’re aware of institutional policies or guidelines meant to guide that use.
That’s the “Wild West” moment we’re living in. High adoption, uneven guardrails, and constant new tools. In that environment, protecting privacy and institutional data can’t wait for the perfect policy. Until clear guidance is in place (and widely communicated), the day-to-day protection of data is often happening at the individual level.
So what do we do while policies catch up?
Here are five practical, role-agnostic guardrails you can share with your campus (and actually implement tomorrow):
1) Use a simple rule: “If it’s not public, don’t paste it.”
Treat most public AI chat tools like a public-facing space unless your institution has explicitly approved the tool and account configuration.
Do not input:
Student identifiers or case details (even “just context”)
HR/personnel info (performance, salaries, disputes)
Donor information, budgets not meant for release, contract language
Research data you wouldn’t email broadly
Anything covered by confidentiality norms or policy
This aligns with EDUCAUSE’s emphasis on privacy/data protection and risk minimization.
2) Default to institution-approved tools (or enterprise versions) whenever possible
If your institution provides an approved AI tool, use it. If not, push for one. The goal is a version that supports:
clearer data-handling terms
admin controls
reduced training-on-your-data risk (varies by vendor/account)
auditability
3) Practice “prompt hygiene”: redact, generalize, and summarize
When you do use AI:
Remove names and identifiers (“Student A,” “Staff Member B,” “Course X”)
Abstract the scenario (focus on the pattern, not the person)
Summarize instead of uploading (paste a de-identified excerpt or your own paraphrase)
Avoid attachments unless you’re certain the environment is approved and protected
This is the difference between “help me draft a rubric” and “here’s a student’s full submission and accommodations letter.”
4) Keep a human in the loop for anything that impacts people
AI can help draft, brainstorm, summarize, and generate options. It should not be the final decision-maker for:
advising or student-support interventions
performance evaluations
disciplinary actions
official policy language
anything that materially affects a person’s standing
EDUCAUSE’s ethical guidelines explicitly call for accountability and a designated human responsible for AI outputs.
5) Make “risk review” a habit, not a one-time training
Until your institution’s policies are mature, create a lightweight routine:
Ask: “What data am I about to share?”
Check: “Is this tool approved or configured for privacy?”
Decide: “Can I achieve the same outcome with less data?”
Document (for sensitive workflows): what tool was used, what data class was involved, and what human verified the result
If you want a framework for this mindset, NIST’s AI Risk Management Framework is built around making risk management repeatable and operational.
A closing push (because this is the moment)
The EDUCAUSE findings aren’t an indictment of AI use, they’re a signal flare: adoption has outpaced governance.
If you’re a leader, the takeaway is clear: speed up guidance, training, and vetted tool access. If you’re a faculty or staff member, the immediate move is just as clear: treat privacy as part of AI literacy.
Until the rules are written and shared, the safest assumption is simple: you are the guardrail.