Many district leaders we talk to have done the responsible thing. They've written an AI policy. Some have been through board approval. A few have parent communication to go with it. That work matters. But there is a version of "done" that creates more risk than it resolves, and it sounds like this: "We have a policy that says staff can't use unapproved AI tools with student data."
That sentence is a statement of intent. It is not a control.
This issue is about the difference between governing AI on paper and governing it in practice. And it comes at a moment when state legislators across the country are starting to write that distinction into law.
Some folks have reached out to us asking how to subscribe themselves or their colleagues to this newsletter. Click here to do so. We send a newsletter every two weeks about the latest happenings with K-12 and AI.
IN THIS ISSUE:
Why a written AI policy creates compliance theater if there's nothing technical behind it
Why 53 state bills in 25 states is actually good news for districts that are ready
78%
Educators using AI tools beyond their school's security policies [Source]
89,000
Students enrolled in Denver Public Schools when the district acknowledged in January 2026 that it had never explicitly approved ChatGPT for student use — despite widespread use. [Source]
53
AI-in-education bills are moving through state legislatures in 2026, across 25 states [Source]
28%
Teachers in high-AI-use schools who report a large-scale data breach, compared to 18% in low-AI-use schools [Source]
The pattern these numbers describe is consistent: AI use is widespread, oversight is thin, and the exposure grows with adoption. The districts most at risk right now are not the ones that banned AI. They are the ones that wrote a policy and moved on.
In January 2026, Denver Public Schools blocked student access to ChatGPT. The reason buried in Chalkbeat's coverage deserves more attention than it got: the district acknowledged it had never explicitly approved ChatGPT for its 89,000 students in the first place. It had simply never addressed it. Use had been happening at scale, unmonitored, and the district only acted when a new feature prompted a review.
Denver is not an outlier. It is a mirror.
When a teacher opens a free AI tool and pastes in a student's name, IEP goals, behavioral history, or assessment data, that information is transmitted to a third-party server. It may be used to train a model. It almost certainly cannot be retrieved or deleted. And under FERPA, that transmission is an unauthorized disclosure of an education record unless that vendor has a formal data processing agreement with the district, signed and in place, designating them as a school official with a legitimate educational interest.
Consumer AI tools do not come with that agreement. Free tiers of ChatGPT, Gemini, and similar tools are designed for general public use. Their terms of service were not written with FERPA in mind. A policy that says "staff may not use unapproved tools with student data" does not create a technical barrier to that transmission. It creates a paper trail for after-the-fact.
There is also the question of what "approved" actually means. As one policy alone, one director of technology at a Texas district put it in a February 2026 interview with Tech & Learning: "Once a data leak gets into AI, you can't remove it. OpenAI doesn't have a way to pull that data back out." That is the structural problem with relying. Unauthorized data sharing with a misfiled physical document has a remedy. Unauthorized data sharing that feeds a training dataset does not.
The practical implication for district leaders is straightforward: if you do not have a district-managed AI platform with access controls, you do not know which tools your staff is using or what data those tools are receiving. A policy prohibiting unapproved use does not give you visibility. It gives you grounds for a conversation after something surfaces.
OUR TWO CENTS
We want to be honest about something: this is not a problem that policies are designed to solve. Policies govern intent. Technical controls govern behavior.
If a teacher is using a free AI tool at 7pm on a personal laptop to draft IEP accommodations, your acceptable use policy is invisible to that interaction. The only things that actually change what data leaves your district are managed platforms with role-based access, network monitoring that surfaces unapproved tools, and vendor agreements that carry real contractual obligations about data use.
Districts that have not yet moved to a managed AI environment are not failing their teachers out of negligence. They are usually waiting for the right budget cycle, the right product evaluation, or cleaner guidance from the state. That caution is reasonable. But "we have a policy" cannot be the interim answer while the district decides, because the data is not waiting.
The question every technology director should be able to answer right now is simple: if a staff member entered student information into an AI tool this morning, would you know about it? If the answer is no, the policy is not doing the work it appears to be doing.
Ask your IT team one direct question: can we detect when a staff member uses an unapproved AI tool on district devices or networks? If the answer is no, that is the gap to close before the policy matters.
Review every AI vendor contract currently in place and confirm it includes explicit language prohibiting the use of student data for model training. If that language is not present, it should be added at renewal or renegotiation.
Separate your approved-tool review into two tiers: tools approved for general staff use, and tools approved for use with student data. These carry different liability profiles and should be evaluated differently.
If you are not yet running a managed AI platform, consider what interim visibility looks like. Network-level monitoring and regular staff surveys about tool usage are not substitutes for a managed environment, but they are better than nothing while procurement moves forward.
Georgetown University's FutureEd team is tracking 53 AI-in-education bills across 25 states in 2026. That is not a wave. That is a rewrite of the operating environment for K-12 AI adoption, and it is happening faster than most district leaders realize.
Some of the legislation is narrow. Some of it is sweeping. But the direction is consistent: states are moving toward requiring districts to have formal AI governance structures, not just written policies, and toward extending meaningful protections to students and families around how AI data is collected and used.
Ohio is the furthest along. The state now legally requires every public school district to adopt a comprehensive AI policy by July 1, 2026. That deadline is months away. Ohio's model policy, released in early 2026, requires districts to address data privacy, vendor oversight, staff training, and student access standards. It is a floor, not a ceiling, but it is the first binding state-level mandate of its kind in the country.
South Carolina's bill sets a higher bar. It would require written parental opt-in consent before student data can be used in AI systems, annual public disclosure of every AI tool in use and what data it collects, strict data minimization requirements, mandatory data deletion timelines, and an explicit prohibition on commercial use of student data. Parents would have enforcement rights. Washington state's legislation, which passed the Senate in February, would ban AI-only disciplinary decisions, prohibit facial recognition surveillance in schools, and bar predictive "risk scores" from being used to flag students for behavioral intervention.
These bills are significant not just for the states where they pass. They signal where the national conversation is headed. The districts that are building governance infrastructure now, vendor vetting processes, data inventories, parental transparency frameworks, will be positioned when those requirements arrive. The districts waiting for their state to mandate action will be building those systems under a deadline.
OUR TWO CENTS
There is a version of this story that feels like a burden: more compliance requirements, more documentation, more things to explain to a school board.
We want to offer a different frame.
For district leaders who have been trying to make the case internally for taking AI governance seriously, this legislative moment is actually useful. The conversation is no longer "should we think about this." It is "how much of this do we want to do proactively versus reactively."
The districts we see getting this right are not waiting for their state legislature to hand them a checklist. They are building the pieces that every strong framework has in common: a clear data inventory, vendor contracts with real teeth, a managed platform with visibility and controls, and a parent communication strategy that explains what tools are in use and why. Those pieces take time to build. They are much easier to build deliberately than to retrofit under a compliance deadline.
The legislative wave is not a threat to well-governed districts. It is a description of what well-governed districts are already doing.
Check FutureEd's tracker and identify what is moving in your state. If your state has a bill in committee, your policy and governance work this year may be directly relevant to what becomes law next year.
If you are in Ohio, the July 1 deadline is real. The state has released a model policy worth reviewing even if you are not in Ohio, because it identifies the elements any comprehensive framework needs to address.
Build a simple data inventory of every AI tool in use across your district, who uses it, what student data it touches, and what your current contract says about data use. That inventory is the foundation for every governance conversation that follows, and it is the first thing any state audit or parental inquiry will ask for.
Identify one person in your district, whether a CIO, a privacy officer, or a designated administrator, who is accountable for AI vendor oversight. Governance without ownership is a plan, not a practice.
The Coming Wave: AI, Power, and Our Future by Mustafa Suleyman (Crown, 2023)
Suleyman co-founded DeepMind and now leads Microsoft AI, which makes him one of the few people who has spent a decade both building powerful AI systems and thinking seriously about how to contain them. His central argument is that the challenge of our era is not whether to adopt AI, but whether the institutions responsible for governing it can move fast enough to maintain meaningful control.
Chat with ClassCloud
We’re listening. Let’s Talk!
This newsletter works best when it’s a conversation, not a broadcast. If you want to talk through how any of this applies to your district specifically—or if you have feedback on what would make this more helpful—just hit reply. We read and respond to everything.
Schedule a Virtual Meeting
Thanks for reading,
Russ Davis, Founder & CEO, ClassCloud ([email protected])
Sarah Gardner, VP of Partnerships, ClassCloud ([email protected])
ClassCloud is an AI company, so naturally, we use AI to polish up our content.
