How to build AI governance your school or university can actually use

Ninety-four percent of higher education workers used AI tools in the last six months. Only 54 percent know whether their institution has a policy governing that use. More than half are using tools their institution did not provide, which means sensitive student data is flowing through systems nobody in the compliance office has evaluated, approved, or even heard of.

That is not a projection. Those are January 2026 numbers from EDUCAUSE, based on a survey of 1,960 staff, administrators, and faculty across more than 1,800 institutions.

In K-12, the picture is moving even faster. New York City just expanded its AI governance requirements for every edtech vendor selling into its 1.1-million-student system, with a full AI governance playbook set to land this month. Ohio became the first state to convert AI guidance into a statutory mandate: every public school district must adopt a formal AI policy by July 1, 2026. That deadline is days away, and most of Ohio's 600-plus districts still do not have one. Maryland, Idaho, Utah, Georgia, and at least 27 other states have active AI education legislation moving through their legislatures right now.

The governance gap is no longer theoretical. It is operational, regulatory, and accelerating.

This is a practical guide to closing it. Not a think piece about why governance matters (you already know that), but a working architecture for building an AI governance framework that holds up under the scrutiny of a school board, a university compliance office, or a district procurement review.

Why most AI policies fail before they start

The instinct when a deadline hits is to find a template, adapt it, and get it to the board. That impulse is understandable. It is also the reason most AI policies become shelf documents within six months.

A policy is a statement of rules. A governance framework is an operating system: it tells you who makes decisions, how risks are classified, what monitoring looks like, and what happens when something goes wrong. Ohio's own analysis of House Bill 96 makes this distinction explicitly: adopting the state model policy makes a district compliant, but it does not, by itself, make the district safe.

EDUCAUSE's procurement research confirms the structural problem. When asked about their biggest challenges with AI tools, institutions ranked insufficient institutional governance as a top-two concern (40 percent of respondents), right behind the inability to keep pace with the rate of change in AI products (45 percent). And algorithmic bias assessment? Dead last at 30 percent, not because bias does not matter, but because most institutions do not yet have the infrastructure to evaluate it.

The pattern is consistent across K-12 and higher ed: organizations are adopting AI tools faster than they are building the governance infrastructure to manage them. The tools arrive through procurement, through faculty experimentation, through student use, and through vendor-embedded features in existing platforms. The governance catches up later, if it catches up at all.

The backbone: NIST AI RMF for education

Every serious governance framework needs an anchor. The one that universities, school districts, and federal agencies recognize is the NIST AI Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology. It is voluntary, it is comprehensive, and it is the framework that procurement reviewers will look for when evaluating your institution or your edtech vendor.

The NIST AI RMF is built around four functions that form a continuous cycle, not a checklist.

  • Govern establishes who makes AI decisions in your organization. This means naming an AI governance lead, defining the authority of different roles over AI tool adoption, and setting the review cadence. In education, this is where shared governance structures (faculty senates, department chairs, school boards) intersect with operational decision-making. The governance function answers the question: when someone at our institution wants to deploy a new AI tool, who says yes, who says no, and what criteria do they use?
  • Map is the inventory. Every AI system currently in use gets cataloged: what it does, what data it touches, who it affects, and what risk tier it falls into. This is the step most organizations skip, and it is the reason they cannot answer basic questions during an audit. You cannot govern what you have not mapped. For higher ed, the shadow AI problem (56 percent of workers using unapproved tools) means the mapping exercise will surface systems nobody in IT knew about. That is the point.
  • Measure defines how you evaluate an AI system's performance and fairness over time. This includes bias monitoring (are student grouping or recommendation systems producing equitable outcomes across demographics?), accuracy tracking (is the AI doing what it claims?), and data governance checks (is student PII being handled according to FERPA, COPPA, and your data agreements?). Measurement is what turns a policy from a document into an auditable practice.
  • Manage is what happens when something goes wrong. Incident classification. Escalation paths. Human override protocols. Post-incident review. For education organizations, this function is especially critical because the consequences of AI failure can affect minors, educational placement, and protected student records. Your incident response plan needs to exist before the incident, not after.

When we built the governance framework for our own organization, 24/7 Teach, we anchored every section to these four functions. The same structure held when we designed the AI governance strategy for a national curriculum organization whose materials reach 1.3 million students across 47 states. The NIST backbone is universal. The education-specific provisions are what you layer on top.

Note: This article was researched and written by Justice Jones with AI assistance, then reviewed and edited by our team. External studies and sources are credited to their original authors. Examples from our own work reflect our organizational practice.

What governance looks like for K-12 schools

K-12 schools operate under centralized authority (superintendent and board) with heavy regulatory guardrails: FERPA, COPPA, state student privacy laws, and now emerging state mandates like Ohio's HB 96 and New York City's expanded procurement requirements. The governance problem in K-12 is primarily about compliance, vendor management, and protecting minors.

Three structural elements matter most.

First, the risk classification system. Not all AI tools carry the same risk. An AI-powered scheduling tool for bus routes is a different category than an AI system that dynamically groups students by skill level. The first processes operational data. The second makes decisions that affect a child's educational experience. Your governance framework needs a tiered system that applies different levels of oversight based on who the AI affects and what data it touches.

At 24/7 Teach, we use four tiers. Tier 1 (Critical) is any system that directly affects minors, processes student education records, or influences educational placement. Tier 2 (High) covers trust-critical interactions with adults. Tier 3 (Moderate) is brand-facing content and routine communications. Tier 4 (Low) is internal productivity tools. Each tier carries different oversight requirements, from continuous monitoring and mandatory human override at Tier 1 down to documented acceptable use at Tier 4.

Second, the automation boundary. There are decisions AI should accelerate and decisions AI should not make. We formalized this through what we call the two-gate test. Gate 1 (the liability gate): Does this workflow touch a guarantee, a minor, a legal document, or protected student data? If yes, a human stays in the decision loop. Gate 2 (the trust gate): Would a parent feel betrayed if they learned an AI handled this with no human involved? If yes, keep the human. Both gates must clear before a workflow is fully automated.

This is not a theoretical exercise. When New York City's guidance states that AI cannot be used to assign grades, make disciplinary decisions, or collect biometric data without strict oversight, they are drawing the same line. The question is whether your institution has formalized where that line sits for your specific context.

Third, the vendor assessment process. Every AI tool entering a school must undergo a review before student data flows through it. At a minimum, the review should evaluate: Does the vendor use student data to train AI models? Can data be deleted on request? What encryption and access controls are in place? Does the vendor have a data processing agreement that meets the FERPA school-official exception requirements? Is there a breach notification commitment? Districts already do this for major platforms. The governance framework makes it systematic for every AI tool, including the ones that arrive as features embedded in software your school already uses.

What governance looks like for universities

Universities face a structurally different governance challenge than K-12 schools. The authority is distributed. Academic freedom is a legitimate institutional value. Faculty, researchers, administrators, and students all adopt AI tools independently, often without institutional coordination.

The result is what EDUCAUSE's research describes: a massive gap between adoption and governance. Eighty percent of faculty and staff use AI tools. Fewer than one in four are aware of a formal institutional policy. The shadow AI problem in higher ed is not a future risk. It is already happening.

University governance frameworks need to address three problems that K-12 frameworks do not.

The coordination problem. AI governance in higher ed spans data privacy, academic integrity, procurement, and research ethics. Those domains typically report to different offices. The CIO owns data and security. The provost owns academic policy. The research office owns IRB and ethics review. Procurement owns vendor contracts. A governance framework that lives in only one of these offices will miss the others. The NIST AI RMF's Govern function addresses this directly: name the governance body, define its cross-functional membership, and give it actual decision authority, not just advisory status.

The academic integrity question. This is where universities diverge most sharply from K-12. The question is not whether students use AI (94 percent of UK undergraduates already do, according to the 2026 HEPI/Kortext survey). The question is what disclosure and attribution standards apply, how assessment design adapts, and where the institution draws the line between AI-augmented learning and academic dishonesty. Your governance framework needs an acceptable use policy for students that is specific enough to enforce but flexible enough to evolve as the technology changes. A blanket ban is not governance. It is denial with a policy label.

The research data risk. Universities process research data that may be subject to IRB protocols, export controls, or federal grant requirements. AI tools that process this data need to be evaluated against a different set of criteria than tools used in administrative workflows. The governance framework should distinguish between AI used in instruction, AI used in research, and AI used in administration, because the compliance requirements for each are different.

The EU AI Act adds another layer. Education AI is classified as high-risk under Annex III, and the Act has extraterritorial reach: universities outside the EU that process data from EU-based students or partner with EU institutions may fall within scope. Even for US-based institutions, alignment with EU AI Act principles strengthens the governance posture and prepares for future regulatory convergence.

What governance looks like for curriculum developers

Curriculum developers and education service organizations sit between K-12 and higher ed. They build the materials, platforms, and training programs that schools and universities adopt. Their governance framework has to satisfy both regulatory environments and, increasingly, has to be demonstrable to the institutions purchasing their products.

When we designed the AI governance strategy for a national curriculum organization, the core challenge was not writing the policy. It was building governance infrastructure that could be adopted by a network of schools spread across 47 states, each with its own regulatory context. The framework had to be specific enough to be operational and flexible enough that a school in Ohio (operating under HB 96) and a school in New York (operating under Education Law 2-d and the new NYC AI procurement requirements) could both implement it without contradiction.

The solution was the same NIST AI RMF backbone with state-level addenda. The four functions (Govern, Map, Measure, and Manage) are universal. The specific compliance provisions layer on top based on jurisdiction.

For curriculum developers specifically, three governance elements are non-negotiable. First, the vendor assessment documentation you provide to school partners: your data processing practices, your model training policies (does your AI system learn from student data?), your security certifications, and your incident response commitments. Second, the teacher override mechanisms in any AI-powered instructional tool: if your product makes recommendations about student grouping, content delivery, or assessment, the teacher must have documented, tested authority to override those recommendations at any time. Third, the bias monitoring commitment: if your AI system produces outcomes that vary by demographic group, how do you detect that, and what do you do about it?

Where to start: the first three things to build

If you are starting from zero, here is the build order that works whether you are a school district, a university, or a curriculum organization.

Build the AI System Registry first. Before you write a single policy sentence, inventory every AI tool currently in use across your organization. What is it? What data does it touch? Who uses it? Who approved it? If you cannot answer those questions, you cannot govern the tools. This exercise will surface shadow AI, which is the point. The registry becomes the foundation that everything else hangs from.

Build the governance policy second. Anchor it to the NIST AI RMF four functions. Name the governance lead. Define the risk classification tiers. Set the review cadence. This does not have to be a 50-page document. It has to be specific enough to be auditable and clear enough for someone new to the organization to read and understand how AI decisions are made.

Build the acceptable use policies third. One for staff. One for students (in schools and universities). One for institutional deployments (if you are a vendor selling into schools). Each policy should be written in plain language, specific to its audience, and enforceable. A policy that reads like a legal brief will not be followed. A policy that reads like a set of clear expectations will.

The honest limitation

Governance frameworks are necessary. They are not sufficient. A perfectly documented policy does not prevent a teacher from pasting student names into ChatGPT. A comprehensive vendor assessment does not prevent a faculty member from using an unapproved AI tool for research. Governance infrastructure reduces risk and creates accountability. It does not eliminate the human element.

The organizations that succeed at AI governance are the ones that pair the framework with training. Not a one-time workshop, but an ongoing commitment to AI literacy that helps staff understand why the governance exists, not just what it requires. When people understand the reasoning behind a policy, compliance becomes a practice rather than a burden.

This is also a moving target. AI capabilities, regulations, and institutional needs change faster than policy review cycles. Any governance framework that does not include a defined process for updating itself will be outdated within 12 months. Build the review cadence into the framework from day one.

About 24/7 Teach

24/7 Teach works with schools, universities, and education organizations to build AI governance frameworks, train staff on AI fluency, and design AI-integrated programs that hold up under institutional scrutiny. We built our own NIST-anchored governance framework because we operate AI systems that serve students, and we needed the same infrastructure we now help our partners build.

Our AI Fluency for Educators program delivers a FERPA-aware governance framework as a core program artifact, alongside three role-specific AI workflows that educators ship from their actual jobs. For organizations that need a custom governance build, our consulting team scopes, co-designs, and delivers the full framework in a nine-week engagement model.

If your institution needs help building its AI governance infrastructure, we can scope what you need.

About the author

Justice Jones is an instructional designer, AI strategist, and former K-12 principal, and the co-founder and CSO of 24/7 Teach. He built the company to close the gap between what schools teach and what teens and professionals need to succeed, and he leads AI strategy at its sister company, Naomi-AI, a K-8 classroom platform. Through 24/7 Teach, he and his team have supported more than 50 organizations and placed more than 600 adults in new careers.