For Schools
Schools are responsible for the environments in which students learn and interact.
When schools issue devices that are required for student use - whether on campus or off - those devices and the digital environments they enable fall within the school’s scope of responsibility.
Governance Clarifications for Generative AI in Schools
AUP ≠ Control
Student Acceptable Use Policies do not give schools control over generative AI outputs.
Once a student submits a prompt, the system generates responses independently. Policies govern student behavior, not system behavior.
The system’s outputs can shape subsequent interactions, including influencing follow-up prompts and responses, without institutional review or control at the point of generation.
Responsibility may therefore be placed on the student even when system-generated outputs materially influence the direction of the interaction.
Supervision ≠ Authority Over Output
Teacher supervision does not provide authority over what the system generates.
Unless outputs can be reviewed, approved, or prevented before delivery, supervision does not extend to content generation.
Policy-compliant inputs ≠ policy-compliant outputs.
Monitoring ≠ Constraint
Logging and monitoring identify issues after they occur.
They do not provide a mechanism to prevent similar outputs from being generated again.
Absence of Exclusion ≠ Binding Coverage
The absence of an insurance exclusion does not mean coverage applies.
Coverage exists only if the insurer has affirmatively evaluated and confirmed the specific use case.
Are you aware of ISO Exclusions CG 40 47 and CG 40 48 for Generative AI? New Generative AI Insurance Exclusions: What Businesses Need to Know in 2026
Trends in the insurance market show that insurers are not covering harm from GenAI outputs. Assuming coverage is not reasonable; schools need to get explicit coverage details in writing.
Berkshire Hathaway, Chubb Win Approval to Drop AI Insurance Coverage — The Information
Insurers carve out gen AI liability, startups see opportunity
Summary Position
A school can only be said to exercise authority over system outputs if it has a mechanism to control or reliably constrain what the system delivers before it reaches the student.
A simple way to define that condition is a hypothetical: a teacher reviews each system response and can approve, reject, or modify it prior to delivery to the student. That model is clearly impractical at scale, but it is analytically useful precisely because it identifies the point at which institutional control would actually operate (during content formation), before exposure. It also defines what is being asked: not perfection, but the presence of a control function operating prior to delivery.
Current deployments do not provide a mechanism that performs an equivalent pre-delivery control function. This is not a criticism of the controls that are present. Acceptable use policies are designed to govern independently generated student inputs, but in stateful systems, student inputs are not reliably independent of system-generated context after the first input is given. From the first system suggestion, outputs begin shaping subsequent prompts, producing mixed-origin inputs that an AUP has no mechanism to classify or evaluate. A policy that governs student inputs cannot function as a complete governance mechanism in an environment where the boundary between student input and system-shaped input is structurally indeterminate.
Content filters operate at the delivery perimeter.
Post-hoc review occurs after the student has already received the output.
Each of these controls operates on a variable other than content formation. None extends institutional authority into the phase where content is produced. The function the hypothetical defines, a pre-delivery institutional review, is simply absent.
That absence would be governable if a responsible party had evaluated it, accepted it, and stood accountable for the assumption that pre-delivery control is not required. There is no evidence that this absence has been formally evaluated. No party has confirmed that the function is unnecessary, that an alternative mechanism performs an equivalent role, or that responsibility for outputs produced without institutional oversight at formation has been formally assigned.
The school is operating under an unverified assumption: that the absence of pre-delivery control is acceptable, without any accountable party having formally confirmed that it is.
Why is Generative AI different?
Traditional educational tools:
The same input reliably produced the same or similar output
Content remained under institutional authority
Vendors stood behind defined materials
Institutions could supervise both the student and the tool in use
Student-facing generative systems:
Outputs are probabilistic rather than fixed
Content formation occurs outside the boundary of institutional authority, as no mechanism enforces that system outputs remain within instructional constraints prior to delivery
Behavior may vary across identical or similar inputs
Outputs may not be reliably attributable or reconstructable in practice
Structural Condition
Schools may be responsible for outcomes arising from systems that:
They do not fully control
They cannot meaningfully constrain
They may not be able to reconstruct after use
They cannot ensure that identified system failures are corrected in a way that prevents recurrence
This creates a governance gap between:
Institutional responsibility
Institutional authority
The framework demonstrates in detail that “Supervision” and “Student Acceptable Use Policies” do not resolve this gap.
Generative AI functions like an “Instructional Actor” but is being governed like a “tool”.
What the Framework Asks
Attribution
Can the institution reconstruct interaction sequences and distinguish between student-originated and system-generated inputs for purposes of attribution?
Authority at Generation
Does the institution have the ability to review, approve, or prevent system-generated outputs before they are delivered to students in real time?
Constraint
Does the institution maintain enforceable technical controls that meaningfully limit what the system can generate during student interactions, rather than relying on post hoc monitoring or policy enforcement?
Liability / Binding
Has the institution obtained affirmative written confirmation that liability for student-facing system outputs (arising during normal, policy-compliant use) is covered by an identifiable and bound entity (insurer, vendor, or the institution itself)?
Coverage Clarity (Insurance Specific)
Have applicable policy terms and exclusions (including ISO CG 40 47 and CG 40 48 or functional equivalents) been reviewed for their application to student-facing generative AI use, and has the resulting coverage position been confirmed in writing?
Review the full IAF here
Review the Executive Summary here