Blocking AI tools without a written policy is a temporary fix. This guide walks district technology directors from the first board presentation through annual review.
Most districts responded to ChatGPT by adding domains to their content filter. That approach fails within weeks.
Teachers who find useful AI tools blocked will escalate to principals. Without a policy, IT fields endless one-off unblock requests.
CIPA requires a documented Internet safety policy, not just a content filter. E-Rate auditors want the policy, the protection measure, and enforcement evidence.
New AI tools launch daily. A policy that just says "ChatGPT is blocked" is outdated before the ink dries.
An AI policy from IT alone will face resistance. Successful policies are built collaboratively with every affected group.
Board members care about risk, liability, and community perception. Present the policy as a risk-mitigation measure aligned with CIPA.
Teachers are most directly affected. Some want AI for lesson planning; others worry about academic dishonesty.
Parents range from "block everything" to "my child needs AI skills for college." Acknowledge both perspectives.
Secondary students should have a voice. Include student government representatives on the policy committee.
This Apps Script processes Google Form survey responses into a structured report for the policy committee.
// Google Apps Script — AI Policy Stakeholder Survey Processor // Attach to your Google Form responses spreadsheet function processAIPolicySurvey() { const sheet = SpreadsheetApp.getActiveSpreadsheet().getSheetByName("Form Responses 1"); const data = sheet.getDataRange().getValues(); const headers = data[0]; const summary = { total: data.length - 1, byRole: {}, blockAll: 0, selective: 0, allowAll: 0, topConcerns: {}, toolsInUse: {} }; for (let i = 1; i < data.length; i++) { const role = data[i][1]; // Column B: Role const stance = data[i][2]; // Column C: Block preference const concerns = data[i][3]; // Column D: Top concerns const tools = data[i][4]; // Column E: AI tools currently used summary.byRole[role] = (summary.byRole[role] || 0) + 1; if (stance === "Block all AI tools") summary.blockAll++; else if (stance === "Selective blocking") summary.selective++; else summary.allowAll++; concerns.split(",").forEach(c => { c = c.trim(); summary.topConcerns[c] = (summary.topConcerns[c] || 0) + 1; }); tools.split(",").forEach(t => { t = t.trim(); if (t) summary.toolsInUse[t] = (summary.toolsInUse[t] || 0) + 1; }); } // Generate report const report = SpreadsheetApp.getActiveSpreadsheet() .insertSheet("Policy Survey Report"); report.appendRow(["AI Policy Stakeholder Survey Summary"]); report.appendRow(["Total Responses", summary.total]); report.appendRow(["Block All", summary.blockAll, "Selective", summary.selective, "Allow All", summary.allowAll]); Logger.log("Survey processed: " + summary.total + " responses"); }
Before you write a policy, you need to know which AI tools are already in use. A discovery audit reveals the current state.
Pull DNS query logs and content-filter reports for the past 90 days. Cross-reference against the 16,024+ classified AI domains.
If 60% of teachers already use an AI lesson-planning tool, banning it outright generates resistance. The policy should acknowledge current usage and provide a path forward.
Compare post-policy traffic to the baseline audit. This is the only way to measure whether technical controls actually reduce unauthorized AI tool usage.
Take-home Chromebooks with endpoint filtering generate off-network logs worth including. Students access AI tools from home, and patterns differ from on-campus usage.
Tools like the student device chatbot blocklist help you map this landscape before drafting.
Cross-references DNS logs against the AI Tools Blocklist and outputs a ranked CSV report.
# AI Tools Discovery Audit Script # Cross-references DNS logs against the AI Tools Blocklist # Run on your DNS server or export logs to a central location #!/bin/bash # /opt/scripts/ai-tools-audit.sh BLOCKLIST="/var/lib/ai-blocklist/domains.txt" DNS_LOG="/var/log/dns/query.log" REPORT="/var/reports/ai-audit-$(date +%Y%m%d).csv" echo "domain,query_count,first_seen,last_seen,category" > "$REPORT" # Extract unique domains from DNS logs awk '{print $5}' "$DNS_LOG" | sort -u > /tmp/queried_domains.txt # Cross-reference with AI blocklist while IFS= read -r domain; do if grep -qFx "$domain" "$BLOCKLIST"; then COUNT=$(grep -c "$domain" "$DNS_LOG") FIRST=$(grep "$domain" "$DNS_LOG" | head -1 | awk '{print $1}') LAST=$(grep "$domain" "$DNS_LOG" | tail -1 | awk '{print $1}') echo "$domain,$COUNT,$FIRST,$LAST" >> "$REPORT" fi done < /tmp/queried_domains.txt # Summary statistics TOTAL_AI=$(wc -l < "$REPORT") echo "[$(date)] Audit complete: $((TOTAL_AI - 1)) AI tools detected" echo "[$(date)] Report saved to: $REPORT" # Top 20 most-accessed AI tools echo "" echo "=== TOP 20 AI TOOLS BY QUERY COUNT ===" sort -t, -k2 -nr "$REPORT" | head -20
A complete AI policy is a framework with interconnected components. Each one addresses a different audience and aspect of governance.
Define exactly what constitutes acceptable AI use for each role in the district.
Be specific about what is prohibited and why. Vague prohibitions are unenforceable.
Every policy needs a clear exception mechanism. This prevents IT from becoming the sole gatekeeper.
Specify both technical enforcement mechanisms and human consequences tied to existing frameworks.
Machine-readable YAML companion to the board-approved PDF. Enables automated enforcement, reporting, and review tracking.
# district-ai-policy.yaml # Machine-readable AI policy definition # Version-controlled in the district's IT documentation repo policy: name: "District Generative AI Acceptable Use Policy" version: "2.1" effective_date: "2025-08-01" review_date: "2026-06-30" approved_by: "Board of Education — Resolution #2025-047" owner: "Director of Technology" scope: applies_to: - "All students (K-12)" - "All certified and classified staff" - "All district-owned and managed devices" - "All network connections (on-campus and take-home)" exceptions: - group: "IT Security Staff" reason: "Requires access for threat assessment and tool evaluation" - group: "Approved Teacher Pilot Participants" reason: "Participating in Phase 2 controlled rollout" categories: blocked: - "Text & Language" - "Image & Visual" - "Code & Development" - "Agents & Automation" - "Audio, Voice & Music" - "Video" - "Data, Analytics & Research" - "Search, Knowledge & Docs" permitted_with_approval: - "Education & Learning" always_permitted: - "Security & Detection" enforcement: technical: blocklist_source: "AI Tools Blocklist — 16,024+ domains" update_frequency: "daily" content_filter: "GoGuardian / Lightspeed / Securly" dns_filter: "Cisco Umbrella" consequences: student_first: "Digital citizenship module completion" student_second: "Parent conference + temporary device restriction" student_subsequent: "Academic integrity procedure per student handbook" staff: "Professional conduct framework per collective agreement"
District-wide deployment on day one causes confusion. A phased approach lets you test, adjust, and build support.
Weeks 1-4. Conduct audit, form committee, survey stakeholders, draft policy, review with legal.
Weeks 5-10. Deploy to 2-3 pilot schools across grade bands. Train staff and collect weekly feedback.
Weeks 11-16. Expand to all schools in one grade band. Begin parent communication and monitor bypass attempts.
Weeks 17-20. Full deployment: all student OUs, all staff trained, parent notification, exception process live.
Ongoing. Quarterly reports, annual review, policy updates. The blocklist updates daily; governance keeps pace.
Applies blocklist rules to organizational units on their scheduled deployment date automatically.
#!/bin/bash # /opt/scripts/phased-rollout.sh # Applies AI blocklist rules per the rollout schedule CONFIG="/etc/ai-policy/rollout-schedule.json" API_KEY="$AI_BLOCKLIST_API_KEY" TODAY=$(date +%Y-%m-%d) # rollout-schedule.json structure: # [ # {"phase": 1, "start": "2025-09-01", "ous": ["Pilot-Elementary", "Pilot-Middle"]}, # {"phase": 2, "start": "2025-10-15", "ous": ["All-Elementary"]}, # {"phase": 3, "start": "2025-11-15", "ous": ["All-Middle", "All-High"]}, # {"phase": 4, "start": "2026-01-06", "ous": ["All-Students", "All-Staff"]} # ] echo "[$(date)] Checking rollout schedule for $TODAY" # Parse JSON config and determine active phases ACTIVE_OUS=$(python3 -c " import json, sys from datetime import date schedule = json.load(open('$CONFIG')) today = date.fromisoformat('$TODAY') active = [] for phase in schedule: if date.fromisoformat(phase['start']) <= today: active.extend(phase['ous']) print(f'Phase {phase[\"phase\"]}: ACTIVE ({phase[\"start\"]})', file=sys.stderr) else: print(f'Phase {phase[\"phase\"]}: PENDING ({phase[\"start\"]})', file=sys.stderr) for ou in active: print(ou) ") # Apply blocklist feed to each active OU for OU in $ACTIVE_OUS; do echo "[$(date)] Applying AI blocklist to OU: $OU" curl -s -H "Authorization: Bearer $API_KEY" \ "https://feeds.aitoolsblocklist.com/v1/domains/education.txt" \ -o "/var/lib/content-filter/blocklists/$OU-ai-tools.txt" echo "[$(date)] OU $OU: $(wc -l < /var/lib/content-filter/blocklists/$OU-ai-tools.txt) domains applied" done echo "[$(date)] Rollout check complete"
A policy is only as effective as the people who implement it. Design your training program in three tiers.
Required for all staff. 60-minute asynchronous LMS module.
For teachers using approved AI. 3-hour synchronous workshop.
Teacher leaders (2 per building). Semester-long cohort, monthly meetings.
Many teachers fear replacement by AI or worry strict blocking will disadvantage students. Acknowledge these concerns honestly.
Principals should know which staff completed each tier. High violation rates with low training completion means more training is needed, not more punishment.
LMS module structure for all three training tiers. Integrates with Google Classroom or Canvas.
# Teacher Training Portal Configuration # LMS module structure for AI policy training # Integrates with Google Classroom or Canvas training_program: name: "District AI Policy Professional Development" academic_year: "2025-2026" tier_1_awareness: required: true audience: "All certified and classified staff" delivery: "Asynchronous — LMS module" duration: "60 minutes" deadline: "2025-09-30" modules: - title: "What Are Generative AI Tools?" duration: "10 min" content: "Overview of AI landscape, 16,024+ tools in 18 categories" - title: "Our District AI Policy — Key Points" duration: "15 min" content: "Acceptable use, prohibited use, exceptions, consequences" - title: "How Technical Controls Work" duration: "10 min" content: "Blocklist integration, content filter, on/off network" - title: "Spotting AI-Generated Student Work" duration: "15 min" content: "Red flags, detection tools, conversation starters" - title: "Exception Process & Reporting" duration: "10 min" content: "How to request tool approval, how to report incidents" assessment: type: "Quiz — 10 questions, 80% passing score" attempts: 3 tier_2_integration: required: false audience: "Teachers requesting AI tool access" delivery: "Synchronous — workshop" duration: "3 hours" sessions: "Monthly — October through March" prerequisite: "Tier 1 completion" topics: - "Designing AI-resistant assessments" - "Pedagogical frameworks for AI in the classroom" - "Data privacy when using approved AI tools" - "Submitting and managing tool exception requests" tier_3_champions: required: false audience: "Teacher leaders — 2 per building" delivery: "Cohort — monthly meetings" duration: "Full academic year" stipend: "$500 / year" responsibilities: - "Peer support for Tier 1 and Tier 2 staff" - "Evaluate new AI tools for potential exception approval" - "Serve on annual policy review committee" - "Present at building staff meetings quarterly"
Send the first communication at least two weeks before the policy takes effect. Avoid jargon.
Tip: Host a parent info night (virtual + in-person). Demo ChatGPT writing an essay in seconds. Show the block page students will see. This visual demo is more persuasive than any written explanation.
Integrate AI topics into your existing digital citizenship curriculum at every grade band.
AUP update: Add an AI-specific section to the annual acceptable-use agreement. Keep language grade-appropriate.
Blocking on the school network does not block students' personal phones. You need a multi-layered approach.
AI policy is an ongoing governance function, not a one-time project. Build an annual review with quarterly check-ins.
Has unauthorized AI usage decreased? Compare post-policy DNS logs to the baseline audit.
Are students reaching tools the blocklist misses? Review bypass attempts and student-reported tools.
Are teachers using approved tools productively? Survey the exception process and integration experience.
Has state or federal guidance changed? Check DOE, state agencies, and CoSN for updated requirements.
When the E-Rate auditor asks about AI filtering, point to the policy, technical controls, and review process in one place.
Generates a quarterly compliance report covering blocklist coverage, block events, and training completion.
# Policy Enforcement Audit Script # Generates quarterly compliance report # Run at the end of each quarter #!/bin/bash # /opt/scripts/policy-audit.sh QUARTER="Q$(( ($(date +%-m) - 1) / 3 + 1 ))" YEAR=$(date +%Y) REPORT_DIR="/var/reports/ai-policy/$YEAR" mkdir -p "$REPORT_DIR" echo "=== AI POLICY COMPLIANCE REPORT ===" > "$REPORT_DIR/${QUARTER}-report.txt" echo "Period: $QUARTER $YEAR" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "Generated: $(date)" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "" >> "$REPORT_DIR/${QUARTER}-report.txt" # 1. Blocklist coverage TOTAL_BLOCKED=$(wc -l < /var/lib/ai-blocklist/domains.txt) echo "Blocklist Coverage: $TOTAL_BLOCKED domains" >> "$REPORT_DIR/${QUARTER}-report.txt" # 2. Block events this quarter BLOCK_EVENTS=$(grep -c "BLOCKED.*ai-tools" /var/log/content-filter/access.log) echo "Block Events: $BLOCK_EVENTS" >> "$REPORT_DIR/${QUARTER}-report.txt" # 3. Unique students who triggered a block UNIQUE_STUDENTS=$(grep "BLOCKED.*ai-tools" /var/log/content-filter/access.log \ | awk '{print $3}' | sort -u | wc -l) echo "Unique Students Blocked: $UNIQUE_STUDENTS" >> "$REPORT_DIR/${QUARTER}-report.txt" # 4. Top 10 most-blocked AI domains echo "" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "=== TOP 10 BLOCKED AI DOMAINS ===" >> "$REPORT_DIR/${QUARTER}-report.txt" grep "BLOCKED.*ai-tools" /var/log/content-filter/access.log \ | awk '{print $5}' | sort | uniq -c | sort -rn | head -10 \ >> "$REPORT_DIR/${QUARTER}-report.txt" # 5. Exception requests this quarter EXCEPTIONS=$(find /var/lib/ai-policy/exceptions/ -name "*.json" \ -newer "$REPORT_DIR/../last-quarter-marker" | wc -l) echo "" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "Exception Requests: $EXCEPTIONS" >> "$REPORT_DIR/${QUARTER}-report.txt" # 6. Training completion echo "" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "=== TRAINING COMPLETION ===" >> "$REPORT_DIR/${QUARTER}-report.txt" echo "See LMS report for Tier 1/2/3 completion rates" >> "$REPORT_DIR/${QUARTER}-report.txt" touch "$REPORT_DIR/../last-quarter-marker" echo "[$(date)] Quarterly audit report saved: $REPORT_DIR/${QUARTER}-report.txt"
A policy without measurement is a document, not a program. Define success metrics before deployment and present them to the board quarterly.
The drafting committee should evolve into a standing AI governance committee that meets quarterly.
The AI policy should reference -- not duplicate -- existing district policies.
The AI Tools Blocklist (16,024+ daily-updated domains across 18 categories) is the enforcement arm. The committee governs; the IT team operates.
Start with the technical foundation. Download the free sample to see the data your policy will enforce, or tell us about your district and we will help you scope the right feed for your rollout plan.
Tell us about your district — enrollment size, current content filter, policy stage — and we will help you scope the technical controls for your AI policy.