Your Teachers Are Already Using AI Without Approval. Now What?

A parent emailed the principal last October. The message was polite but pointed: she wanted to know which AI tools her daughter's teacher was using, whether any of them collected student data, and what the school's policy was on AI-generated assignments.

The principal didn't have answers. Not because she was behind — she was one of the more thoughtful administrators I know. But no one had equipped her with a process. There was no approved-tool list. No policy. No privacy review. Just a gap between what teachers were doing and what leadership knew about.

That conversation sat unresolved for three weeks. By the time it was addressed, two more parents had asked the same questions.

This is not an unusual story. It is, right now, the most common story in K-8 education.

This Is a Leadership Gap, Not a Teacher Problem

Before anything else, that framing matters. Teachers are not doing something wrong. They are doing what resourceful educators have always done — finding tools that make the work better. AI genuinely helps. It saves time on lesson planning. It helps differentiate materials for different learning levels. It can turn a rough draft of a parent newsletter into something clear in under two minutes.

The problem is not the tools. The problem is that the tools arrived faster than the governance did. And in that gap, real risks accumulate quietly.

When a teacher pastes student work into an unapproved AI tool for feedback, they are not trying to violate FERPA. They are trying to give better feedback faster. But if that tool uses input data to train its AI models — which many free tools do — student personally identifiable information may have just entered a system with no data processing agreement, no retention limit, and no accountability to your school.

That is a real exposure. And it is entirely preventable — but only if leadership moves first.

What the Risk Actually Is

Let me be specific, because "data concerns" is too vague to act on.

FERPA exposure. FERPA requires that any vendor handling student education records operate under a signed data processing agreement that designates them as a school official with limited data use. Most consumer AI tools — ChatGPT, Google Gemini, Claude in its consumer form — have not signed a DPA with your school. A teacher entering a student's name, grade, or work product into one of those tools has created an unauthorized disclosure under FERPA, whether or not anything harmful happens.

COPPA implications. For students under 13, COPPA requires verifiable parental consent before any online service collects personal information. The FTC's 2025 COPPA update — fully effective April 2026 — strengthened these requirements and expanded the definition of personal information. A tool that seems harmless can create compliance exposure if it collects data from interactions involving elementary-age students.

No paper trail. If a school board member, parent, or auditor asks which AI tools are in use and how student data is protected, a school without a policy and an approved-tool list has no defensible answer. That is not just uncomfortable — it creates legal and reputational risk that compounds over time.

Discipline without clear rules. If a teacher is later disciplined for using an AI tool with student data, and there was no policy in place when they did it, that creates a problem. You cannot hold staff accountable to rules that did not exist. Getting the policy in place before an incident is the only way to create enforceable expectations.

Three Things That Close the Gap — This Week

I want to be direct here: you do not need a 90-page policy document before you can take action. There are three things any K-8 school can do right now, before a single policy document is finalized, that meaningfully reduce the risk.

• 1 Audit current use before writing any rules. Send a short staff survey — two questions: "Which AI tools have you used in the last 60 days?" and "Did you enter any student names, grades, work, or other student information?" Treat this as a trust-building step, not a discipline exercise. You need to know what's actually happening before you can respond to it accurately. Most administrators are surprised by the audit — both by how much is happening and by how thoughtfully most teachers are approaching it.
• 2 Write one rule and communicate it immediately. You do not need a full AUP to put a boundary in place today. This sentence covers the core: "Staff and students may not enter student names, contact information, grades, assessment data, discipline records, IEP or 504 information, health information, or other personally identifiable student information into any AI tool that has not been reviewed and approved by the school." That is one sentence. It is enforceable. It can go out in a staff email today.
• 3 Start an approved-tool list — even if it has one entry. An empty approved-tool list sends a clear message: nothing has been reviewed yet, so nothing is approved for use with student data. A list with one entry — even if it is only the AI feature built into your existing SIS or reading platform — gives teachers a positive path and makes the boundary legible. Clarity is better than silence.

What Comes After the First 30 Days

These three steps stabilize the situation. They do not complete it. What follows — in a responsible, workable sequence — is a governance foundation: a vendor vetting process, a full staff acceptable-use policy, student expectations by grade band, a family communication, and a pilot framework that lets you evaluate AI tools before approving them at scale.

That work takes about 90 days when done carefully. Not 90 days of full-time focus — 90 days of deliberate weekly progress, with a launch team, clear deliverables, and decision gates at every stage.

The outcome of those 90 days is not "AI everywhere." It is a school that can answer the next parent email — or the next board question — with a clear, specific, defensible response. A principal who walks into any room and leads the AI conversation instead of dodging it.

That gap between awareness and readiness closes faster than most leaders expect. But only if someone decides to close it on purpose.

Your teachers are already using AI. The question is whether your school is ready to lead that reality — or just react to it.