State of Indiana Artificial Intelligence Policy and Guidance

• Exceptions to the policy may be granted as a result of the AI Readiness Assessment process as prescribed by AI policy. This process includes a risk assessment and review by the Chief Privacy Officer and a team of subject matter experts within the Management Performance Hub (reference as the MPH AI Team).
• Exceptions are reevaluated annually in a manner prescribed by the OCDO and CPO.

• The OCDO reviews readiness and maturity assessment submissions, provides advice on the efficient and ethical use of data, and works with the Indiana Office of Technology (IOT) to enforce appropriate web filtering rules and make approved AI Systems available to State Agencies.
• The OCDO also ensures appropriate contractual controls are imposed on External Partners related to AI Implementation Activities and AI Systems, and may promulgate and audit conformance to standards, procedures, and guidance in furtherance of the AI policy.
• Please reach out to ResponsibleData@mph.in.gov with any questions, concerns, or suggestions!

Under this policy and in accordance with the NIST AI Risk Management Framework, an AI System is defined as an engineered or machine-based system that can generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments for a given set of objectives. AI Systems are designed to operate with varying levels of autonomy.

If you're unsure whether a system qualifies as AI under this policy, you should consult with your designated Agency Privacy Officer (APO) or the OCDO via ResponsibleData@mph.in.gov. They can provide guidance on whether the system falls under the policy's definition of an AI System and what steps need to be taken.

• AI Readiness Assessment Questionnaires are reviewed by the MPH AI Team, which includes reviewers from Legal & Privacy, Data Science, Data Governance, and Enterprise Solutions teams. Each reviewer considers the objectives, efficacy, and risks of the proposed AI Implementation Activities from their professional perspective.
• The agency wishing to utilize an AI system must submit an AI Readiness Questionnaire for consideration by the MPH AI Team. The Questionnaire provides information for an initial triage of risk level which assists in prioritizing the submissions. Please see the AI Readiness Assessment Process Flow diagram. Most low and moderate risk submissions are automatically approved/ granted an exception, but the MPH AI Team reserves the right to apply more scrutiny at any time. High risk submissions are fully reviewed by the team.

If an agency does not intend to utilize AI features or capabilities of a specific system or software, they should complete an Out of Scope Affirmation form . This form serves as documentation and fulfills the requirement to consult with the OCDO/Management Performance Hub (MPH) by IOT’s Software Authorization Request.

• Note: Completing this form and submitting it to IOT indicates that the agency is willing to take necessary measures to disable or block the AI features in the method(s) prescribed by IOT.

The Agency Privacy Officer is responsible for ensuring compliance with the AI policy in your agency. This individual is designated under the State of Indiana Policy: Information Privacy and is responsible for submitting readiness and maturity assessment documentation.

For state employees, it may lead to removal from relevant AI Implementation Activities and a review of their access. It can also constitute employee misconduct. For external partners, violations may result in removal from AI Implementation Activities and a review of their access, potentially leading to contractual remedies. State agencies violating the policy may face termination of relevant AI Implementation Activities or other remedial actions as determined by the OCDO or IOT.

The NIST AI Risk Management Framework (AI RMF) is a widely-used framework adopted by the State of Indiana for managing risks associated with AI systems. It is important because it provides a structured approach to identify, assess and mitigate risks related to AI implementation. The framework emphasizes the need for responsible AI practices. It helps organizations think critically about the context and potential impacts of AI systems, enhancing trustworthiness and cultivating public trust.

The policy applies to all AI Systems, including those that have already been implemented. For existing systems, the agency should submit an AI Readiness Questionnaire and receive an AI Policy exception, in order to be in compliance.

Yes, notice must be provided to individuals when using some AI systems. The policy requires a 'just-in-time' (JIT) notice to adequately inform users of processes associated with their interaction with the AI system. This notice should be posted or presented at the point of information collection or interaction, making it clear that AI is involved and detailing relevant data processing that might otherwise be unclear. These notices must be reviewed and approved by the State Chief Privacy Officer.

AI Policy exceptions need to be reviewed when significant changes are made to the system, or annually, whichever occurs first. Significant changes include new policies or procedures affecting the AI system, merging with other systems, changes in stakeholder management or ownership, modifications to accessibility or processing, alterations to the character of information in the system, or significant modifications in the content or scope of AI system outputs. It is the responsibility of the agency using the AI system to identify and report significant changes. MPH initiates the annual review process which includes a self-report form for the agency using the AI system to complete.

AI systems are classified into three risk levels: High-Risk, Moderate-Risk, and Low-Risk. The classification is based on the system's potential impact and scope of application.

• High-Risk systems generally have broad-context applicability or may impact fundamental rights, safety, or critical sectors.
  • “Broad-context” means a system that operates across diverse domains and/or impacts individuals in unpredictable ways.
• Moderate-Risk systems typically have narrow-context applicability or are deployed in less sensitive contexts.
  • “Narrow-context” means a system that operates in a specific domain and/or conducts well-defined tasks with limited scope.
• Low-Risk systems have very limited ability to cause harm and the risks are easily mitigated.

Required documentation for the AI Readiness Questionnaire includes (but is not limited to): executed contract(s) for the requested system(s) and/or system Terms & Conditions, data flow documentation/ diagram(s), and executed Data Sharing Agreement(s) (if applicable).

• No. The only AI tools that are allowable for use by state employees are those covered under AI Policy Exceptions granted via the AI Readiness Questionnaire process. If you wish to use the AI tool, you should work with your Agency Privacy Officer to submit an AI Readiness Questionnaire to have an AI Policy Exception granted for the AI tool.
• No. If a vendor pushes an update that includes an AI tool, the agency should report it to IOT immediately.

At present, a “whitelist”/ list of approved tools is not available. However, there is a joint effort by MPH and IOT to create one for State of Indiana agency reference.

This is situational as data sources and data use can vary from use case to use case, even in the same AI tool.

Any type of AI use, tool, or system is required to be reviewed through the OCDO AI Readiness Questionnaire process, and use is only permitted once an AI Policy Exception is granted.

The OCDO/ MPH AI Review Team is looking at the use case for the AI tool/ system including the type of data to be used as input and scope of use. Risk is assessed based on the responses to the AI Readiness Questionnaire. See “How does MPH classify risk-level?” above.

It is at the discretion of the Agency as to who is able to submit the AI Readiness Questionnaire. The questionnaire requires the name and email address of the Agency Privacy Officer (APO) as they are responsible for ensuring the agency is compliant with the State of Indiana AI Policy, and a copy of the submission is sent to the email address provided. MPH has provided a roster of designated APOs for reference of those completing the Questionnaire.

An AI Readiness Questionnaire should be submitted as soon as an AI system/ tool is identified as a resource to be used by the agency. Ideally, this occurs prior to procurement and installation of the tool (IOT will not approve the Software Authorization request for systems with AI included without either an AI Policy Exception or Out of Scope Affirmation form). However, if AI is identified in a system/ tool that is already in use, it is important to submit a Questionnaire as soon as possible.

The agency completing the AI work should be the one to submit the AI Readiness Questionnaire. Please always feel free to reach out to ResponsibleData@mph.in.gov with any questions or for assistance in determining the responsible party for the AI Readiness Review.