Important: Read first
This state government AI policy resource is a planning and governance framework for Mississippi state agencies, not a final policy, not legal advice, and not a mandatory model. Adapt it to your agency’s mission, legal environment, data, and risk posture, and review it with your leadership, IT, legal counsel, and records officials before adoption.
2. What this template covers
3. Introduction: purpose of this state government AI policy framework
4. What this state government AI policy template is, and what it is not
5. Foundational principles agencies may adopt
6. Governance, roles, and authority
7. Acceptable use and prohibited use
8. Data classification, privacy, and security
9. Public records and records retention
10. Procurement and vendor review
11. Human resources and employment uses
12. High-risk and consequential decisions
13. Transparency and public communication
14. Accessibility and inclusion
15. Training and workforce readiness
16. Risk management and incident response
17. Governance review and continuous improvement
18. Key authoritative resources to monitor
19. Implementation checklist
20. Closing statement agencies may adapt
Start here: the Mississippi ITS AI Acceptable Use Policy
For Mississippi state agencies, the first stop is not this page. It is the Mississippi Department of Information Technology Services (ITS) AI Acceptable Use Policy. Under Executive Order 1584, ITS leads statewide AI strategy, guidelines, and governance, so the ITS policy is the authoritative baseline for executive-branch agencies.
Align your agency policy with the ITS framework first, then use this template to fill in agency-specific detail. The ITS policy is built on principles of fairness, innovation, privacy, security and safety, transparency, accountability, accessibility, validity, and reliability, and it requires that employees keep human control over AI systems and remain responsible for final decisions. ITS also maintains a restricted-technologies list.
- ITS AI Acceptable Use Policy (overview)
- ITS Enterprise Policies (security, acceptable use, data)
- State Personnel Board AI Use Policy for HR
What this template covers
This state government AI policy framework follows a consistent pattern for each topic: purpose, key questions, sample guidance language, implementation considerations, common pitfalls, and stakeholders to involve. Sections include foundational principles, governance and roles, acceptable and prohibited use, data and security, public records and retention, procurement, human resources, high-risk decisions, transparency, accessibility, training, risk management, and ongoing review.
Introduction: purpose of this state government AI policy framework
This document helps a state agency develop, review, and maintain its own approach to artificial intelligence and generative AI in a way that complements the ITS policy. A sound agency approach does three things at once: it enables legitimate efficiency and innovation, it protects people and public data, and it preserves human judgment wherever legal, financial, or safety stakes are high. Most agencies are best served by a short framework plus targeted procedures by function, rather than one master document that tries to cover every scenario.
What this state government AI policy template is, and what it is not
Policy sets mandatory rules, authorities, and consequences. Guidance explains how to apply policy in practice. Procedures define operational steps, approvals, and controls. Best practices are recommended approaches that change faster than policy. Assign each topic to the right level so durable rules stay stable while tool-specific direction can evolve. Where a rule is already set by ITS or state law, your agency policy should point to it rather than restate or contradict it.
Foundational principles agencies may adopt
Purpose of this section
Establish the core values that anchor every downstream AI decision the agency makes.
Key questions
What values should anchor agency AI use, and how will each value translate into a concrete control?
Sample guidance language
“The agency grounds its use of AI in human oversight and accountability, lawful and mission-aligned use, privacy and security of state data, transparency appropriate to context, fairness and non-discrimination, accessibility, validity and reliability of outputs, and proportionality, so that controls match the level of risk.”
Implementation Considerations
Tie each principle to an operational control rather than leaving it as a slogan, for example mapping human oversight to a documented review step for consequential uses.
Common Pitfalls
Principles with no owner or measurable control.
Stakeholders to Involve
Agency head, CIO or IT director, information security officer, legal, privacy, records officer, HR.
Governance, roles, and authority
Purpose of this section
Define who decides, who reviews, and who is accountable for AI use across the agency.
Key questions
Who decides, who reviews, and who is accountable for AI use across the agency? How are enterprise decisions, approved tools, and exceptions authorized and recorded?
Sample guidance language
“The agency designates an accountable owner for AI governance and establishes a cross-functional review group including IT, information security, legal, privacy, records management, and program leadership. Enterprise decisions, approved tools, and exceptions require designated approval consistent with ITS requirements.”
Implementation Considerations
Keep a central inventory of approved tools, restricted uses, exceptions, and incidents. Require periodic reporting to agency leadership on adoption, training, and compliance.
Common Pitfalls
Shadow AI use, fragmented adoption, and unclear accountability.
Stakeholders to Involve
Agency head, CIO, ISO, general counsel, division directors.
Acceptable use and prohibited use
Purpose of this section
Make clear which AI uses are encouraged, which require review, and which are prohibited.
Key questions
Which uses are encouraged, which require review, and which are prohibited outright? How will employees know the difference before they act?
Sample guidance language
“Employees may use agency-approved AI tools for authorized public-business purposes, consistent with ITS policy and state law. Employees must not enter confidential, regulated, or otherwise restricted state data into AI systems that are not approved for that data category, and must not use AI products on the ITS restricted-technologies list. Human review is required before AI output is used in any decision, record, communication, or public service.”
Implementation Considerations
Publish a short, plain-language list of approved, restricted, and prohibited uses, and route new or unusual uses through the review group before they spread informally.
Common Pitfalls
Treating all AI as banned or all AI as acceptable, and informal automation of decisions that affect the public.
Stakeholders to Involve
IT, ISO, legal, program leaders, HR.
Local and self-hosted models
“Agency IT and technical staff may run open-source or self-hosted AI models on agency-controlled hardware for evaluation, experimentation, and learning without tool-by-tool approval, as long as the model runs entirely on local hardware and no state data is sent to any external service. This lane applies only while the work is exploratory. Using a locally hosted model to drive real decisions, official records, or public-facing services, or running it in production, returns to normal governance and review.”
Conditions for this lane
- The environment is offline or configured so that no prompts, data, or outputs leave it, with telemetry, cloud sync, and auto-update features disabled, and it meets the agency’s baseline endpoint-security standards and the ITS security model.
- Model weights and datasets come from reputable sources and are treated as executable code, since a downloaded model is a supply-chain item, not just a file.
- The user is already authorized to access and use any data involved, and data minimization applies.
- Regulated or restricted data, including personal data, CJIS criminal-justice data, and other confidential state data, follows its own rules regardless of where the model runs.
- Fine-tuning or training on confidential or restricted state data may trigger data-use, records, and security review, so check first.
- Human review is required before any output informs a consequential decision, official record, or public service, and model and dataset licenses are respected.
Avoid
Assuming a tool is “local” when it still sends telemetry or syncs to the cloud, running unverified downloaded model weights, or moving a local prototype into production without review.
Data classification, privacy, and security
Purpose of this section
Protect state, personal, and regulated data in AI use.
Key questions
What data may be entered into which AI tools, and what must never be? How are privacy, security, and confidentiality protected at each data-classification level?
Sample guidance language
“No employee may input restricted, confidential, or regulated state data into an AI system unless that system is approved for the data category and the appropriate contractual, technical, and administrative controls are in place. The agency applies data minimization, access control, logging, and retention controls, and reviews vendor model-training and data-use terms before approval.”
Implementation Considerations
Map AI use to the ITS Enterprise Security Policy and your data-classification scheme. Require enhanced review for personal data, health data, financial data, and any law-enforcement or criminal-justice data subject to CJIS rules.
Common Pitfalls
Uploading sensitive data to public tools and assuming vendor defaults are safe.
Stakeholders to Involve
ISO, CIO, privacy officer, legal, records management.
Public records and records retention
Purpose of this section
Keep AI use consistent with the Mississippi Public Records Act and state records-retention requirements.
Key questions
How do AI prompts and outputs fit the agency’s public-records and retention obligations? What must be captured, retained, or produced on request?
Sample guidance language
“AI prompts, outputs, and related communications may be public records subject to disclosure and to applicable retention schedules. Employees must manage AI-related records in accordance with the Mississippi Public Records Act and the agency’s approved retention schedule, and must not use AI tools in ways that circumvent records-retention or open-government obligations.”
Implementation Considerations
Coordinate with your records officer and the Mississippi Department of Archives and History on retention of AI-related records.
Common Pitfalls
Storing official communications in tools that are outside records capture.
Stakeholders to Involve
Records officer, legal, IT.
Procurement and vendor review
Purpose of this section
Ensure AI tools are contractually and technically suitable and properly acquired.
Key questions
How are AI tools and vendors reviewed before purchase or deployment? What security, data-handling, and contractual requirements must a vendor meet?
Sample guidance language
“All AI-enabled products and services follow applicable state procurement requirements and ITS acquisition processes, and undergo review for privacy, security, accessibility, data ownership, retention, model-training rights, and the ITS restricted-technologies list before acquisition or deployment.”
Implementation Considerations
Add AI-specific procurement questions: Is agency data used to train vendor models? Can that be disabled by contract and in practice? What logs and audit trails exist? Where is data stored?
Common Pitfalls
Acquiring AI features embedded in ordinary software without reviewing data and security implications.
Stakeholders to Involve
Procurement, CIO, ISO, legal, privacy officer.
Human resources and employment uses
Purpose of this section
Guide AI use in employment processes with heightened caution.
Key questions
Where may AI support hiring, evaluation, or workplace decisions, and where is human judgment required? How are fairness, notice, and employee rights protected?
Sample guidance language
“The agency exercises heightened caution where AI may influence hiring, screening, evaluation, discipline, or workplace monitoring. Such uses require human review, legal review, and bias evaluation before deployment, consistent with State Personnel Board requirements.” Link this section to the State Personnel Board AI Use Policy for HR.
Implementation Considerations
Require human review, legal review, and documented bias evaluation before any AI use in employment processes, and give applicants and employees appropriate notice.
Common Pitfalls
Using AI in hiring or evaluation without validation or notice.
Stakeholders to Involve
HR, legal, ISO.
High-risk and consequential decisions
Purpose of this section
Keep human judgment and accountability in decisions with significant legal, financial, or safety stakes.
Key questions
Which decisions are consequential enough to require human control? What review, documentation, and fallback steps apply before AI informs an outcome?
Sample guidance language
“AI must not make final decisions that affect benefits, eligibility, licensing, enforcement, employment, safety, or legal rights. Such decisions require authorized human review, documented controls, and clear accountability, with a manual fallback process maintained.” Use a simple risk-tier model (low, moderate, high) and require enhanced review for high-risk uses.
Implementation Considerations
Classify uses into low, moderate, and high risk, and require enhanced review plus a documented manual fallback for anything in the high tier.
Common Pitfalls
Letting AI quietly drive consequential outcomes without review, documentation, or a manual fallback.
Stakeholders to Involve
Program leaders, legal, ISO, agency head.
Transparency and public communication
Purpose of this section
Be clear with the public about where AI shapes information or services, and keep a person reachable.
Key questions
When and how should the agency disclose AI use to the public? How can a resident reach a human for questions or review?
Sample guidance language
“Where AI materially shapes information or services provided to the public, the agency provides appropriate disclosure and ensures a person can reach a human for questions or review.”
Implementation Considerations
Keep public-facing AI accurate and reviewable, and avoid presenting unverified AI output as official guidance.
Common Pitfalls
Presenting unverified AI output as official guidance, or offering no human point of contact.
Stakeholders to Involve
Communications, program leaders, legal.
Accessibility and inclusion
Purpose of this section
Ensure AI tools, content, and services are accessible to all residents and employees.
Key questions
How will AI-related tools and content meet Section 508 and ADA expectations? Who validates accessibility before deployment?
Sample guidance language
“AI-related technologies, content, and services must meet the agency’s accessibility obligations, including Section 508 and ADA expectations. Accessibility review is part of AI procurement and content workflows.”
Implementation Considerations
Make accessibility review part of AI procurement and content workflows, and verify rather than assume that AI-generated captions, alt text, and translations are sufficient.
Common Pitfalls
Assuming AI-generated captions, alt text, or translations are automatically sufficient.
Stakeholders to Involve
Accessibility lead, IT, communications, procurement.
Training and workforce readiness
Purpose of this section
Build the AI literacy and role-based skills employees need to use approved tools responsibly.
Key questions
What training does each role need to use AI responsibly and recognize risk? How will training stay current as tools change?
Sample guidance language
“The agency provides role-based AI training so employees can use approved tools responsibly, protect state data, and recognize the limits of AI output.”
Implementation Considerations
Use the Mississippi Artificial Intelligence Network (MAIN) free AI training to build foundational literacy and responsible-use skills across teams, and refresh training as tools and policy evolve.
Common Pitfalls
One-time training that is never refreshed as tools and risks change.
Stakeholders to Involve
HR, IT, program leaders, training coordinators.
Risk management and incident response
Purpose of this section
Manage AI risk in proportion to impact, data sensitivity, and system autonomy, and respond to incidents.
Key questions
How are AI risks identified, monitored, and escalated? What happens when an AI tool fails or causes an incident?
Sample guidance language
“The agency manages AI risk using a documented, risk-based approach proportionate to impact, data sensitivity, and system autonomy. AI-related incidents are reported and handled through the agency’s existing incident-response process in coordination with ITS.”
Implementation Considerations
Route AI-related incidents through the agency’s existing incident-response process in coordination with ITS, and revisit risk classifications as tools change.
Common Pitfalls
Treating ethics and risk as optional, and not revisiting risk classifications as tools change.
Stakeholders to Involve
ISO, legal, privacy officer, internal audit.
Governance review and continuous improvement
Purpose of this section
Keep the framework current as law, technology, and practice evolve.
Key questions
How often is the AI policy reviewed, and what triggers an earlier update?
Sample guidance language
“The agency reviews this framework and related AI policies and procedures at least annually, and sooner when there are significant legal, regulatory, technological, or operational changes, or after an incident.”
Implementation Considerations
Keep policy stable and update procedures and guidance more often. Watch for updates to the ITS policy, since the statewide baseline may change.
Common Pitfalls
Letting the framework go stale while tools and the ITS baseline move on.
Stakeholders to Involve
CIO, ISO, legal, records officer, program leaders.
Key authoritative resources to monitor
- Mississippi ITS AI Acceptable Use Policy and ITS emerging-technology resources
- NIST AI Risk Management Framework and the NIST Generative AI Profile
- Mississippi AI Regulation Task Force (PEER) report
- Mississippi Public Records Act and Department of Archives and History retention schedules
Implementation checklist
- ✓ Have we aligned with the ITS AI Acceptable Use Policy first?
- ✓ Have we named an accountable owner and a cross-functional review group?
- ✓ Have we defined approved, restricted, and prohibited uses?
- ✓ Have we tied AI use to data classification and the ITS security policy?
- ✓ Have we addressed public records and retention of AI-related records?
- ✓ Have we built AI questions into procurement and vendor review?
- ✓ Have we set heightened review for HR and other high-risk uses?
- ✓ Have we addressed accessibility, transparency, and human oversight?
- ✓ Have we provided role-based training?
- ✓ Have we set a review cycle and incident-response path?
Closing statement agencies may adapt
“This framework supports responsible, effective, and human-centered use of AI in public service. Because AI, law, and practice continue to evolve, the agency treats it as a living resource and adapts it in consultation with ITS, legal counsel, security and privacy leaders, and program experts.”
Sources and references
This template is MAIN’s own synthesis, informed by the following authoritative sources. It is a planning resource, not legal advice.
- Mississippi ITS AI Acceptable Use Policy and ITS Enterprise Policies
- Executive Order 1584 (statewide AI governance through ITS)
- Mississippi State Personnel Board AI Use Policy for HR
- Mississippi AI Regulation Task Force (PEER) report
- NIST AI Risk Management Framework and the NIST Generative AI Profile
- Mississippi Public Records Act and Mississippi Department of Archives and History retention schedules
- FBI Criminal Justice Information Services (CJIS) Security Policy, for any law-enforcement data