Usage of Artificial Intelligence (AI) at UHS

From day-to-day tasks to research and teaching, Artificial Intelligence (AI) is expected to be the next great change agent in how people and companies operate. The University of Houston System is committed to ensuring that all constituents can use AI tools such as Microsoft Copilot, ChatGPT, or Google Gemini in a safe and responsible manner. Please note that this security and privacy guidance may evolve as circumstances change and/or the System develops further policy regarding the use of AI.

Security & privacy guidelines regarding AI tools

UHS is developing an official AI policy.  During this process, please use these privacy and security guidelines, or contact security@uh.edu should you have any questions, comments or concerns.

Prohibited use

Do not use confidential, sensitive, or mission-critical data (Level 1 data) or protected information (Level 2 data) with unapproved AI tools. For more information on what constitutes Level 1, Level 2 or Level 3 data, please see SAM 07.A.08 – Data Classification and Protection.

Allowable use

You may use AI tools freely when using non-university or public information or creating new content through the use of the tools.

Avoid data sharing

Sharing information with AI applications such as ChatGPT could result in the data being retained and reused by the tool, or potentially exposed to unauthorized individuals.

Check accuracy

AI models can “hallucinate” (make up answers) or provide biased information, so it is critical that you verify any answers an AI tool such as ChatGPT provides. Many tools lack current context for the questions they answer.

Data privacy

Consider how you share data with others. Be mindful that any information you make available to others or to the general public could be used for AI training and content generation.

Academic use of AI tools

Please check with the provost’s office at your System university regarding specific use cases of AI tools in your curriculum.

UHS Tip

  • Consider increasing your knowledge by improving your AI literacy through online training such as courses on LinkedIn Learning
  • If you would like advanced Copilot features, contact your IT department for a Copilot Pro license (monthly recurring cost applicable).  For a list of additional features, see here.
  • UHS faculty/staff can use Microsoft 365 Copilot Chat with their UHS M365 account
  • Review your OneDrive/SharePoint files to ensure that you are not oversharing

AI Agents

AI agents are autonomous or semiautonomous software entities that utilize AI techniques to perceive, make decisions, take actions, and achieve goals in their digital or physical environments. This technology is still emerging, but please follow these guidelines when developing/deploying AI agents:

  • Agent Identity & Access Management (IAM)
    • Agents must use unique, non-human identities (service accounts) with dedicated credentials
    • Enforce least privilege across systems, data, and tools
    • Grant access only to required skills and resources
    • Default tool access to read-only unless explicitly required otherwise
  • Control Agent Scope & Autonomy
    • Clearly define the agent’s purpose and allowed operations
    • Restrict agents to operate only within their intended scope
    • Prevent execution of actions outside defined intent
    • Apply graduated autonomy based on risk level
    • Require human-in-the-loop approval for high-risk actions
  • Control Agent Tooling & Capability
    • Allow only approved tools for agent use; all agent behavior must align with university acceptable use policies
    • Review all third-party skills and extensions prior to enablement. Third-party skills may include malware
    • Validate that tools do not introduce malicious or unauthorized behavior
    • Treat all external capabilities as potentially untrusted
  • Control Multi-Agent Architecture
    • Control and govern communication between agents
    • Prevent unintended privilege escalation through agent chaining
    • Ensure combined agent workflows do not exceed intended authority
    • Carefully design deployment architecture to enforce separation of duties
  • Control Third-Party & Data Exposure Risk
    • Evaluate all integrations with external agents, APIs, and data sources
    • Ensure data sharing aligns with contractual and regulatory requirements
    • Prevent unintended data exposure or exfiltration
    • Treat all third-party integrations as inherent security risks
  • Monitoring, Logging & Detection
    • Log all agent prompts, data access, and actions performed
    • Monitor agent activity for anomalies and potential threats
    • Use logs to support incident response and forensic analysis
  • Lifecycle Management & Governance
    • Regularly review agent usage and business necessity
    • Decommission agents that are no longer required
    • Periodically reassess access, tools, and integrations
    • Ensure agents remain aligned with current risk and governance standards
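
One way to enforce several of the guidelines above in code (approved tools only, read-only by default, human approval for high-risk actions, logging of every request), as an added example that is not part of the UHS guidance. The class names, tool names and service-account name are hypothetical.

```python
import json
import time
from dataclasses import dataclass, field

@dataclass
class AgentPolicy:
    agent_id: str                                  # dedicated non-human identity
    grants: dict = field(default_factory=dict)     # tool -> set of allowed modes
    high_risk: set = field(default_factory=set)    # tools needing human approval

    def grant(self, tool, write=False, high_risk=False):
        # Read-only unless write access is explicitly requested.
        self.grants[tool] = {"read", "write"} if write else {"read"}
        if high_risk:
            self.high_risk.add(tool)

@dataclass
class ToolGate:
    policy: AgentPolicy
    audit_log: list = field(default_factory=list)

    def authorize(self, tool, mode, prompt, approved_by=None):
        modes = self.policy.grants.get(tool)
        if modes is None:
            decision, reason = "deny", "tool not approved for this agent"
        elif mode not in modes:
            decision, reason = "deny", f"{mode} access not granted"
        elif tool in self.policy.high_risk and approved_by is None:
            decision, reason = "needs_approval", "human approver required"
        else:
            decision, reason = "allow", "within defined scope"
        # Every request is logged, denials included, for incident response.
        self.audit_log.append(json.dumps({
            "ts": time.time(), "agent": self.policy.agent_id, "tool": tool,
            "mode": mode, "prompt": prompt, "decision": decision,
            "reason": reason, "approved_by": approved_by}))
        return decision

def demo():
    policy = AgentPolicy("svc-agent-helpdesk")     # constructed identity
    policy.grant("kb_search")                      # read-only by default
    policy.grant("ticket_update", write=True, high_risk=True)
    gate = ToolGate(policy)
    calls = [("kb_search", "read", None), ("kb_search", "write", None),
             ("shell_exec", "read", None), ("ticket_update", "write", None),
             ("ticket_update", "write", "analyst1")]   # constructed requests
    decisions = [gate.authorize(t, m, "constructed prompt", a) for t, m, a in calls]
    return decisions, gate.audit_log
```
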

UHS Tip

UHS faculty/staff can explore using Microsoft Copilot Agents to help them become more productive. If you use Microsoft Copilot with your UHS M365 account, enterprise data protection will protect the university's data. For more information, check out Microsoft's "Get started with agents in Microsoft 365 Copilot."


Hosting Your Own Model

If you would like to host your own LLM, there are several things to keep in mind:

  • Work with your local IT department or ISO, and review any implementation with UHS Information Security
  • Clearly define the purpose for the use of the model
  • Clearly define who has access to the model
  • Ensure that you get the correct model (verify checksums/hashes prior to installing the model) and that the model is not prohibited via the TX DIR Prohibited Technology & Covered Applications list (e.g., DeepSeek)
  • Decide if real data has to be used or if synthetic data would be sufficient
  • If reusing the model for a different purpose, reset it back to the foundational model as residual training data may remain and may lead to unintended consequences

Need help?

If you are unsure whether you are using an AI application safely, please feel free to reach out to us via security@uh.edu.


Additional Resources

Some additional resources that may be helpful as you explore the topic of AI further: