Teaching & Learning
- The guidance also limits what data may be used with most AI tools to public or internal information (excluding restricted/HIPAA in most cases)
- The university provides examples of student-facing generative AI uses (e.g., brainstorming and summarization) and emphasizes that AI output does not replace human judgment; users remain responsible for accuracy and compliance
Student: Turn a rough paragraph into a clean, readable summary.
Student: Brainstorm thesis statements or research questions.
Students: Summarize key themes from multiple readings and get citations to quote properly.
Data: Use public or internal data only (no restricted or HIPAA).
Data: Use public or internal information only.
Do these tools replace human review?
A: No. Treat AI suggestions like a first draft. You are responsible for accuracy, policy compliance, and tone.
- The university allows limited code-related assistance as an example use (e.g., generating simple code snippets) but requires human review before using AI-generated code within institutional IT systems or services to ensure it does not contain malicious elements
Generate simple code snippets or formulas.
You may not use AI-generated code within institutional IT systems or services without having it reviewed by a human to verify it doesn’t have malicious elements.
Research
- Separately, the IRB guidance requires that confidentiality protections and applicable terms of use be communicated to the IRB and participants if AI tools have access to study data, including disclosure when confidentiality cannot be guaranteed
- The university prohibits entering protected/sensitive/restricted data into generative AI tools unless the tool has undergone appropriate internal review; it explicitly includes “material under confidential review, including research papers and funding proposals” as protected information
You may not enter any sensitive, restricted or otherwise protected data into any generative AI tool or service unless it has undergone appropriate internal review (see the UW–Madison CISO Statement on Use of Generative AI for more information).
This information includes, but is not limited to:
Material under confidential review, including research papers and funding proposals
How the confidentiality of the data to which the AI technology has access to will be protected. Communicate to the IRB and to participants via the consent form the terms of use of the AI technology related to confidentiality. If there is no guarantee that the information provided will remain confidential, the IRB and participants must be told.
- The university prohibits entering sensitive/restricted/protected data into generative AI tools unless the tool has undergone appropriate internal review, and it provides examples of protected data types
- For IRB-reviewed studies involving AI, the IRB guidance specifies that the IRB application/protocol should include details on the data the AI will collect, limits/parameters for data collection and analysis (if applicable), and plans to monitor participant and data safety; it also requires disclosure to the IRB and participants when confidentiality cannot be guaranteed
You may not enter any sensitive, restricted or otherwise protected data into any generative AI tool or service unless it has undergone appropriate internal review (see the UW–Madison CISO Statement on Use of Generative AI for more information).
This information includes, but is not limited to:
FERPA-protected information, such as:
Work produced by students to satisfy course requirements
Health information protected by HIPAA
Information subject to export control
If the study involves interaction or intervention with AI, describe AI’s role in the interaction or intervention along with the following:
A description of the data that the AI technology will be designed to collect;
Documentation of the parameters or limits placed on the AI tool for the interaction or intervention, data collection, and (if applicable) data analysis;
A plan to monitor the safety of participants and their data during and after the interaction or intervention.
How the confidentiality of the data to which the AI technology has access to will be protected. Communicate to the IRB and to participants via the consent form the terms of use of the AI technology related to confidentiality. If there is no guarantee that the information provided will remain confidential, the IRB and participants must be told.
- The generative AI use & policies page also requires reporting potential breaches of data protection or confidentiality, including those involving generative AI
- For human subjects research where IRB review is required, the university’s IRB guidance states that essential information must be included in the IRB application/protocol (with a reference to additional resources) and requires transparency about AI’s purpose and stage of development, plans for participant/data safety monitoring, and disclosure obligations regarding confidentiality
If the study requires IRB review, there is essential information the IRB requires to conduct its review.
The following information should be included in the IRB application or protocol. This is not an exhaustive list. Refer to HRP-337 – Artificial Intelligence (AI) / Machine Learning (ML) Technologies for additional information to include in the IRB application or protocol.
The purpose of the technology. This should be explained in an understandable and transparent manner.
The CURRENT stage of the technology as used in the study under review.
A plan to monitor the safety of participants and their data during and after the interaction or intervention.
How the confidentiality of the data to which the AI technology has access to will be protected. Communicate to the IRB and to participants via the consent form the terms of use of the AI technology related to confidentiality. If there is no guarantee that the information provided will remain confidential, the IRB and participants must be told.
Any member of the UW–Madison community who learns of a potential breach of data protection or confidentiality—including through the use of generative AI—must report the incident.
Academic Integrity
Institutional & Administrative
- It also states that AI output does not replace human review and that the user remains responsible for accuracy, policy compliance, and tone
- The university’s IT guidance applies to faculty and staff and provides examples of permitted administrative/productivity uses (e.g., drafting emails/memos and summarizing content)
This page outlines existing policies governing what you may and may not do when using generative artificial intelligence (AI) tools and services.
All university faculty, staff, students and affiliates must follow these policies.
What you can do easily:
Draft emails, memos, and announcements in a chosen tone.
Summarize an article or web page into key points.
Do these tools replace human review?
A: No. Treat AI suggestions like a first draft. You are responsible for accuracy, policy compliance, and tone.
- The university states that all faculty, staff, students, and affiliates must follow existing policies when using generative AI tools to safeguard institutional data
- It also requires incident reporting for potential breaches of data protection or confidentiality involving generative AI, and notes that most campus-listed tools are intended for public or internal data only (with limited exceptions noted for Secure Zoom when allowed/configured)
- It prohibits entering sensitive/restricted/protected data into any generative AI tool unless it has undergone appropriate internal review, and provides examples including FERPA-protected information, HIPAA-protected health information, employee performance information, non-public IP, confidential-review materials (research papers and funding proposals), and export-controlled information
This page outlines existing policies governing what you may and may not do when using generative artificial intelligence (AI) tools and services. These policies safeguard institutional data, which everyone in the university is legally and ethically obligated to protect. All university faculty, staff, students and affiliates must follow these policies.
You may not enter any sensitive, restricted or otherwise protected data into any generative AI tool or service unless it has undergone appropriate internal review (see the UW–Madison CISO Statement on Use of Generative AI for more information).
This information includes, but is not limited to:
FERPA-protected information, such as:
Work produced by students to satisfy course requirements
Student names and grades
Health information protected by HIPAA
Information related to employees and their performance
Intellectual property not publicly available
Material under confidential review, including research papers and funding proposals
Information subject to export control
Any member of the UW–Madison community who learns of a potential breach of data protection or confidentiality—including through the use of generative AI—must report the incident.
Data: Use public or internal data only (no restricted or HIPAA).
A: Usually no. Most tools here are for public/internal data only. Secure Zoom may be used with restricted/HIPAA when allowed and configured.
- It also encourages selection of AI tools that align with NIST’s characteristics of trustworthy AI for uses that are not prohibited
- The university frames its generative AI guidance as being governed by existing UW–Madison, UW System Administration, and Board of Regents policies, and it positions these policies as safeguarding institutional data that the university community is legally and ethically obligated to protect
This page outlines existing policies governing what you may and may not do when using generative artificial intelligence (AI) tools and services. These policies safeguard institutional data, which everyone in the university is legally and ethically obligated to protect.
As with everything you do at the university, you must follow UW–Madison, UW System Administration (UWSA) and UW System Board of Regents policies when using generative AI tools and services.
For uses of generative AI that are not prohibited, UW–Madison faculty, staff, students and affiliates can help protect themselves and others by choosing tools and services that exhibit the National Institute of Standards and Technology’s (NIST’s) characteristics of trustworthy AI.
DocuMark: Responsible AI Use for Academic Integrity
Knowing your institution's AI policy is step one. DocuMark helps enforce it fairly by empowering universities to manage AI-generated content, prevent cheating, and support student writing through responsible AI use.
Common Questions About University of Wisconsin-Madison's AI Policies
University of Wisconsin-Madison has defined AI policies in 8 of 12 categories, with an overall coverage score of 67%.
No explicit disclosure requirement is currently defined in the available policy sources.
No explicit detection or enforcement process is currently defined in the available policy sources.
The university states that all faculty, staff, students, and affiliates must follow existing policies when using generative AI tools to safeguard institutional data. It prohibits entering sensitive/restricted/protected data into any generative AI tool unless it has undergone appropriate internal review, and provides examples including FERPA-protected information, HIPAA-protected health information, employee performance information, non-public IP, confidential-review materials (research papers and funding proposals), and export-controlled information. It also requires incident reporting for potential breaches of data protection or confidentiality involving generative AI, and notes that most campus-listed tools are intended for public or internal data only (with limited exceptions noted for Secure Zoom when allowed/configured).