Policy for the Use of Artificial Intelligence (AI) Tools and Confidential Information
Activeoperationalongoingversion history ↗The Board adopts a policy establishing guidelines for Village employees and elected officials regarding responsible use of AI tools, verification of AI-generated content, and prohibition of sharing sensitive or confidential information with AI systems.
First seen
2026-03-23
Latest event
2026-03-23
adopted
Expires
—
Resolution text
RESOLVED
- The Policy for the Use of Artificial Intelligence (AI) Tools and Confidential Information is hereby adopted, establishing that employees may use AI tools to assist with tasks such as drafting content, summarizing information, or generating ideas, but must verify all AI-generated content, must not input confidential or personally identifiable information into AI tools, must cite any AI use in documents, and must use AI tools as supportive aids rather than replacements for professional judgment
Legal analysisissues for consideration
Computer-generated analysis using NY State statutes and OSC guidance. Not legal advice. Frames concerns as questions, not pronouncements. Trustees and counsel make the call.
The most important considerations for this resolution are: (1) whether the policy adequately addresses FOIL obligations for AI-assisted records and whether the Board has authority to bind elected officials alongside employees (counsel review recommended); (2) whether the prohibition on inputting PII is sufficiently defined and paired with an incident-response protocol consistent with New York's breach-notification requirements; and (3) whether OSC's IT Governance guidance expectation of training, enforcement mechanisms, and periodic policy review has been met. Procedural concerns are minor — the mover and seconder are recorded and a quorum clearly acted — but the minutes should identify the dissenting trustee and confirm the policy text is attached to or incorporated by reference in the resolution.
mediumStatute
Does the Board have clear statutory authority to adopt an AI-use policy that binds both employees and elected officials, and does the policy adequately address obligations under New York's Freedom of Information Law (FOIL) and Public Officers Law regarding records generated or used with AI tools?
Village Law Articles 3–6 grant the Board of Trustees broad operational authority, but the policy purports to bind elected officials as well as employees, which may raise separation-of-powers or home-rule questions worth counsel review. Additionally, AI-generated or AI-assisted records used in official Village business may constitute public records subject to FOIL (Public Officers Law [FOIL] §84 et seq., cited in the corpus as PBO §85). The policy does not appear to address retention, disclosure, or FOIL-response obligations for such records. Counsel should consider whether the policy needs a FOIL-compliance provision and whether the Board's authority to restrict elected officials' use of AI tools is coextensive with its authority over employees.
PBO §85 · source ↗
“§ 85. Short title. This article shall be known and may be cited as the 'Freedom of Information Law.'”
VIL §4-412
mediumStatute
Does the prohibition on inputting personally identifiable information (PII) into AI tools adequately account for New York's data security and breach-notification obligations under General Business Law §899-aa and any applicable state or federal privacy frameworks?
The RESOLVED clause prohibits inputting 'confidential or personally identifiable information' into AI tools but does not define those terms or cross-reference New York's breach-notification statute (GBL §899-aa) or applicable federal frameworks (e.g., HIPAA if health data is involved). Without defined terms and a clear remediation or breach-reporting procedure, the policy may leave employees without actionable guidance in the event of an inadvertent disclosure. Consider whether counsel should add definitions and an incident-response protocol to the policy text.
mediumOSC Guidance
The policy appears to align with OSC's IT Governance guidance on the need for written IT policies, but consider whether the Board has addressed the full 12-area IT security framework OSC recommends, particularly IT security training and awareness (Area #2) and written procedures for policy enforcement.
OSC's Information Technology Governance LGMG identifies 'IT Policy' (Area #1) and 'IT Security Training and Awareness' (Area #2) as key areas of concern. The guidance notes that 'the best policies ever written are just paper unless they are clearly conveyed to staff, and then enforced.' The adopted policy requires AI citation and verification but does not specify a training program, a designated enforcement officer, or a periodic review cycle. OSC guidance suggests that policies should be accompanied by training protocols and monitoring mechanisms. The Board may wish to direct the CEO or department head to develop an implementation and training plan.
OSC LGMG: Information Technology Governance (LGMG) · source ↗
“The governing board's internal control responsibilities primarily involve authorization, oversight and ethical leadership. Generally, governing boards do not design internal controls or develop the written policies they adopt. The governing board instead relies upon management, primarily the chief executive officer (CEO), to create the policies needed to help ensure that operations are performed effectively and assets are safeguarded.”
OSC LGMG: Information Technology Governance (LGMG) · source ↗
“Although no single practice or policy on its own can adequately safeguard your IT investments, a number of internal controls appropriately implemented and monitored, collectively increase the odds that systems and data will remain safe.”
lowOSC Guidance
OSC IT Governance guidance recommends that governing boards periodically review IT policies; consider whether the adopted resolution includes a scheduled review cycle.
OSC's IT Governance LGMG emphasizes ongoing monitoring and review of IT internal controls, not merely one-time adoption. The RESOLVED clause as recorded does not establish a review period or assign responsibility for policy updates as AI technology evolves. A low-cost best practice would be to direct the CEO or IT manager to present an annual policy review to the Board, particularly given the rapid pace of change in AI tools.
OSC LGMG: Information Technology Governance (LGMG) · source ↗
“Management, including the governing board, is responsible for ensuring that the right IT internal controls are in place and performing as intended. This can be a challenging task, given the rapid pace of technological innovation, the ever-increasing sophistication and number of cybersecurity threats and the fact that IT is integral in nearly all aspects of local government and school operations.”
lowProcedure
The vote was 4-1; consider whether the minutes identify which trustee voted in the negative and whether any dissenting reasoning was recorded.
A 4-1 vote on a substantive policy resolution is not procedurally defective, but best practice under Robert's Rules and sound municipal record-keeping suggests that the dissenting trustee's identity and, if offered, their stated reason for dissent be documented in the minutes. This protects the record in the event of a future challenge and reflects the deliberative process. If the minutes do not identify the dissenting voter, the clerk should be asked to clarify the record.
VIL §4-414
lowProcedure
The RESOLVED clause as summarized does not indicate whether the full policy text was attached to the resolution or incorporated by reference; consider whether the record adequately identifies the policy document being adopted.
When a Board adopts a written policy by resolution, best practice is to either attach the policy as an exhibit to the resolution or reference a specific dated document so the public record unambiguously identifies what was adopted. If the policy text exists only as a separate document without clear linkage to this resolution, future questions about the policy's content or amendment history may be difficult to resolve. The clerk should confirm that the policy document is appended to or cross-referenced in the official resolution record.
Analysis provenance
- Prompt
- legal_analysis_v1
- Model
- claude-sonnet-4-6
- Generated
- 2026-04-29T10:17:57+00:00
- Prompt hash
- 44de9258e1d54c05
- Corpus hash
- add22d4dd34c41d2 (950 entries)
Document references
Cites or incorporates
- 2026-03-09Resolution Establishing a Policy on the Use of Artificial Intelligence Tools in Village GovernanceDocument A is a working policy draft and Document B is the adopted resolution form of the same singular policy decision, both dated same day.
Cited by
- 2026-03-09Resolution Establishing a Policy on the Use of Artificial Intelligence Tools in Village GovernanceDocument B is a revised and condensed version of Document A's AI policy, adopted 14 days later by the same board on the same singular artifact (the village AI governance policy), with substantive edits to scope, emphasis, and structure but addressing the identical decision slot.
Lifecycle (1 event)
2026-03-23adoptedvote: 4-1
Adopt the Policy for the Use of Artificial Intelligence (AI) Tools and Confidential Information.
moved by Smith · seconded by Maccarini
Show text snapshot for this event
Resolved
- The Policy for the Use of Artificial Intelligence (AI) Tools and Confidential Information is hereby adopted, establishing that employees may use AI tools to assist with tasks such as drafting content, summarizing information, or generating ideas, but must verify all AI-generated content, must not input confidential or personally identifiable information into AI tools, must cite any AI use in documents, and must use AI tools as supportive aids rather than replacements for professional judgment
Subject key:
ai_policy