eleved.ai Get the free framework
The Field Guide

Issue 3 · Governance, Risk & Compliance

The Policy Nobody Read

A policy that lives in a PDF and covers only the classroom is not enough. The real question is whether faculty, staff, and students know what they can and cannot do, and whether those rules are usable in daily work.

June 24, 2026 D2 Policy & Acceptable Use 5 min read

Most institutions now have an AI policy. Far fewer have one their people have actually read, understood, or could follow tomorrow morning.

The AI policy went out last spring as a PDF attached to an all-campus email. It was thorough. Counsel reviewed it. It covered the things a policy is supposed to cover, and by every measure that gets reported upward, it was complete.

It is also, eight months later, a document most of the people it governs have never opened. Ask three of them what it says and you will get three different answers, or more often a shrug and an honest “I think there’s something about ChatGPT and academic integrity?” The policy exists. Whether it functions is a separate question, and it is the one that matters.

The institutional question

Does a policy do anything if the people bound by it do not know what it says?

We tend to treat publication as the finish line. The committee debated, the language got approved, the document went out. But a policy is not a deliverable. It is an attempt to shape behavior, and behavior does not change because a PDF was attached to an email. The real test of an AI policy is not whether it exists. It is whether a faculty member, an advisor, or a financial aid counselor could act on it without going to look it up.

What this looks like in practice

The most common gap is scope. A great many “AI policies” in higher education are really academic integrity statements wearing a bigger title. They tell students what counts as cheating and tell faculty to put a line in the syllabus. They say almost nothing about the staff member pasting a budget spreadsheet into a free chatbot to summarize it, the advisor using AI to draft outreach to at-risk students, or the office that just turned on the AI features already sitting inside the software it has paid for since 2019. The classroom gets a policy. The rest of the institution improvises.

The second gap is language. Policies written in the register of legal counsel or central IT are technically correct and practically useless to the people who have to follow them. If a staff member has to translate the document before they can apply it, most will skip the translation and rely on instinct instead. Plain language is not dumbing it down. It is the difference between a rule that guides behavior and one that only protects the institution in a hearing.

The third gap is communication, and it is the one institutions most consistently underestimate. A single announcement is not communication. People absorb rules through repetition, through examples, and through encountering the rule at the moment they need it, which is usually inside the tool, not inside their inbox from last March. A policy that was communicated once has, for practical purposes, been communicated to almost no one.

Then there is the staff gray zone, which is where the quiet risk lives. Most policies do not clearly answer the questions staff are actually asking. Can I use AI for this report? Which tools are approved? What institutional data is off limits? Can I use my personal account? When the policy is silent, people do not stop. They guess, usually generously, because they are busy and the tool is right there. Silence is not a neutral choice. It is a decision to let everyone write their own policy.

Students deserve a specific mention, because two things are true at once. They need to know what is allowed and whether they have to disclose AI use, in terms concrete enough to follow. And they do not all arrive with the same access. A policy that assumes everyone can reach the same tools quietly advantages the students who can afford the paid versions over the ones who cannot. If the institution expects students to use AI, or not to, equity of access belongs in the policy, not in a separate conversation that never happens.

Underneath all of it is enforcement. If the consequences of violating the policy are unclear or applied unevenly, the document is aspirational. People can tell the difference between a rule and a suggestion, and they treat them accordingly.

The failure worth naming is the policy written for the audit rather than the user. It exists to be produced for an accreditor, a board, or counsel, and it does that job well. It was simply never built to be read by the person about to paste something into a chatbot at 4:45 on a Friday. Writing a thorough policy was the responsible first step. The gap is that a published policy and a followed policy are different artifacts, and only one of them changes what happens on campus.

The Compass connection

In the Compass framework this is Domain 2, policy and acceptable use, and it sits directly behind Domain 1, governance. That order is not accidental. A policy without decision rights behind it has no teeth, because there is no one with the authority to apply it or update it as the tools change. And policy runs straight into the domains ahead of it: what your policy says about data becomes real in data governance, and what it says about student work becomes real in academic integrity. A policy nobody reads weakens all of them at once, quietly, which is the most expensive way for it to fail.

Questions worth putting on the agenda

A useful test is to stop asking whether the policy exists and start asking whether it works.

  • Does our policy cover staff, students, faculty, vendors, and research, or really just the classroom?
  • Could a non-technical employee read it and know what they can and cannot do with institutional data tomorrow morning?
  • How are we communicating it: once by email, or repeatedly and where the work actually happens?
  • Do students know what is allowed and whether they must disclose, and do all of them have access to the tools we assume they are using?
  • What actually happens when someone violates the policy, and is that consistent enough that people believe it?

The bottom line

The policy that matters is not the one on the shared drive. It is the one in someone’s head when they open the tool and decide what to do next. If those two policies are not the same, the document is not protecting the institution. It is just describing a place that does not exist.

A policy is not what you published. It is what people do when they are not looking it up.

Also published on LinkedIn: read this issue on the newsletter .

New issues weekly on LinkedIn

Get the next Field Guide

Each issue lands here first as the canonical archive. Subscribe on LinkedIn to get the next one in your feed — one part of institutional AI readiness at a time, no hype.

Subscribe on LinkedIn
The framework underneath

Where the Field Guide comes from

The Field Guide is built from Eleved's Higher Ed AI Readiness Framework: five pillars and 23 domains for helping institutions move from scattered AI activity to practical institutional readiness. Compass is the assessment and planning tool in the works from eleved.ai to support and build on that framework — a way to turn these questions into a current-state picture and a plan an institution can actually run.

Compass is in early development. Join the early-access list to help shape it and be first in line when it opens.

No spam — just a note when Compass opens. Your details stay private.