States nationwide are developing "sandboxes" and encouraging experimentation with AI to enable more effective and efficient operations—perhaps best described as AI with a purpose. However, promoting innovation within government carries inherent risks. In Colorado, CIO David Edinger reported that his office has reviewed approximately 120 AI-related proposals for potential state government applications. He detailed their process for vetting agency submissions. Among ideas deemed "high" risk according to the NIST framework, most rejections share a common issue: data practices failing to meet the state’s data privacy standards. Colorado is not unique in prioritizing data practices when assessing potential AI partners. During a discussion with Government Technology at last month’s National Association of State Chief Information Officers (NASCIO) Midyear Conference, California Chief Technology Officer Jonathan Porat outlined three key factors guiding the state’s evaluation of AI use cases. Beyond evaluating whether the use case is appropriate for state government, officials review the technology’s track record and closely examine the data involved in the proposal. “Are the data that we’re using appropriate for a GenAI system?” Porat asked. “Are they being properly governed and secured?” Video transcript: “I would say we’ve reviewed maybe 120 proposals so far across every agency for all possible uses, following the NIST framework—categorizing as medium, high, or prohibited risk. Prohibited uses we ban outright; medium-risk uses we deploy directly; and high-risk uses undergo more thorough evaluation.

When we reject proposals, it’s almost always not because of the intended use but due to data sharing concerns. Specifically, data shared with providers under standard contracts that are prohibited by state law, such as PII, HIPAA, or CJIS data. We have to deny these not because of how the tool is intended to be used, but because the data sharing arrangements are unacceptable. That is really the core issue—and one that surprised us—the problem lies not in the use itself, but in how the data privacy is handled. ” Noelle Knell is the executive editor at e. Republic, overseeing the overall editorial strategy for e. Republic’s platforms, including Government Technology, Governing, Industry Insider, Emergency Management, and the Center for Digital Education. She has been with e. Republic since 2011 and brings decades of experience in writing, editing, and leadership. A California native, Noelle has worked in both state and local government and holds degrees in political science and American history from the University of California, Davis.