Your faculty and staff are already using ChatGPT, whether you know it or not. This guide gives you a practical framework for using AI without putting student data or your institution at risk.
This guide is for higher-ed administrators and faculty whose students and staff are already using ChatGPT, whether the institution has a policy or not. It starts with the AI family tree — what's actually behind ChatGPT and the models like it — then walks through real cautionary case studies (Amazon's hiring algorithm, Clearview AI's facial recognition rollout, higher-ed-specific data exposures), prompt injection explained in 30 seconds, and the full OWASP Top 10 for LLM Applications. Ends with a printable security checklist and a Traffic Light Framework for green, yellow, and red AI uses. Written for the person who actually has to decide institutional policy, not for the vendor selling them the model.
This guide is for the people who actually decide how AI gets used on campus: higher-ed IT and security staff, administrators, and faculty, especially at smaller colleges and universities in Oklahoma and beyond. If students and instructors are already using ChatGPT and you are responsible for student data and policy, it is for you. It is practical, not a vendor pitch.
What FERPA actually requires before a language model touches student data, and where faculty most often cross the line without realizing it.
Source: FERPA, 20 U.S.C. 1232g
Real cautionary cases, from hiring algorithms to facial recognition rollouts, and the higher-ed-specific risks they point to.
Prompt injection explained in 30 seconds, plus the full OWASP Top 10 for LLM Applications in plain language.
Source: OWASP GenAI Security Project
A Traffic Light Framework (green, yellow, red) for AI in coursework, so faculty know what is allowed without a three-hour training.
A printable security checklist you can hand to a department or put in front of a committee.
The two easy answers are both wrong. 'Use whatever you want' exposes student data; 'AI is banned' just pushes it underground. The workable middle is clear, specific guardrails.
Logan Shimmer, Shimmer Labs
It can be. Student records and personally identifiable information are protected under FERPA, and pasting them into a consumer AI tool may count as an unauthorized disclosure. De-identifying the work or using an approved, contracted tool are safer paths. The guide explains where the lines are.
Carefully. Running identifiable student work through a consumer AI tool raises FERPA concerns. Feedback workflows can be done safely by removing identifying details or using institution-approved tools with the right agreements in place. The guide walks through both.
With clear, specific rules rather than a blanket yes or no. The guide's Traffic Light Framework spells out green (fine), yellow (be careful), and red (off-limits) uses, and gives a checklist departments can adopt quickly.
Yes. Faculty and students are already using these tools. A short, specific institutional policy, plus a few approved tools, protects student data far better than leaving every instructor to decide on their own.
It is the security community's list of the top ten risks in AI language-model apps, from prompt injection to data leakage. The guide translates it from engineer-speak into risks and safeguards that make sense for a campus.