The Statewide GenAI policy is designed to support the responsible use of GenAI while safeguarding our state’s data and systems. We understand that GenAI offers significant opportunities to improve efficiency and innovation. To keep the State of Colorado at the forefront of GenAI, we’ve developed this policy to ensure security and compliance while streamlining our ability to support GenAI initiatives. Effective immediately, all efforts and use cases that include GenAI considerations must go through OIT for a risk assessment based on National Institute of Standards and Technology (NIST) guidance. This policy also applies to third-party vendor use cases and projects.
As with any technology implemented in the state:
- Our IT Directors (ITDs) serving state agencies are the front door for potential GenAI use cases.
- Risk will be assessed for all uses of GenAI technology as defined by the Information Security Office.
- Low- and medium-risk uses will be evaluated and approved by the evaluation process.
- High-risk GenAI uses will be escalated for further review, including submission to the Governor’s Office.
Implementing GenAI
- State agencies interested in implementing GenAI must undergo an OIT intake and risk assessment, including third-party vendor use cases and projects.
- Clearly indicate when a request for implementation of a new technology leverages GenAI.
Developing GenAI
- New systems and material changes to existing systems must be processed through OIT.
- Record GenAI systems in ServiceHub.
- Maintain standards relating to privacy, validity and reliability, accountability and transparency, fairness and mitigation of harmful bias.
- Maintain awareness of how the GenAI system uses personally identifiable, confidential or sensitive information to ensure such use complies with applicable laws, rules, regulations, notices and policies.
- Once OIT approves development or deployment, state agencies are responsible for ongoing monitoring and maintenance, including testing.
- Testing must be conducted based on the risk level assigned by OIT:
  - Annually for moderate-risk applications
  - Biannually for medium-risk applications
  - Quarterly for high-risk applications
OIT Responsibilities
- Review and maintain security, privacy, explainability, interpretability and transparency of GenAI used by state agencies.
- Monitor and maintain OIT GenAI systems on an ongoing basis.
- Maintain security and privacy of state data.
- Ensure alignment and compliance with applicable state technology standards.
- Administer intake, review and approval of GenAI requests.
- Conduct risk assessments of new technologies.
- Enforce compliance.