What the mandate actually requires
As of July 1, every traditional public school district, community school, and STEM school in Ohio was required to have a board-approved artificial intelligence policy on the books. The requirement comes from House Bill 96, and it applies statewide regardless of whether a district has bought a single AI tool. The Ohio Department of Education and Workforce published a model policy and a seven-part AI toolkit, developed with the nonprofit aiEDU, that districts can adopt directly or adapt to local priorities. Implementation support runs through a partnership with Denison University.
The framing is governance first. Ohio did not tell schools to teach with AI or to purchase specific products. It told them to decide, in writing and with board approval, how AI may and may not be used. That distinction matters for how we read the mandate. It treats AI as an operational and integrity risk that every district must address, similar to acceptable-use rules for the internet a generation ago. The deadline has now passed, which shifts the story from policy drafting to enforcement, vendor vetting, and the gap between paperwork and daily practice.
The model policy's three pillars
Ohio's model policy concentrates on three areas. The first is academic integrity, defining the line between AI-assisted learning and plagiarism and treating unauthorized use as a code-of-conduct violation. The second is procurement and privacy, setting vetting standards for third-party AI tools and protecting student data, with explicit attention to personally identifiable information and FERPA. The third is anti-bullying, updating harassment rules to cover deepfakes and AI-generated images that misrepresent students, staff, or board members. Taken together, the pillars read like a risk register rather than a teaching philosophy.
We think the procurement and privacy pillar carries the most weight for the technology market. Academic integrity and anti-bullying largely restate existing school responsibilities in AI terms. Vendor vetting is new work, and it forces districts to ask which platforms may touch student data and whether that data could feed model training. Ohio's guidance leans on stakeholder workgroups and AI literacy to make those calls durable. Districts that treat this as a one-time document will struggle, because the tool landscape shifts monthly and each new assistant reopens the same data questions.
Columbus sets the template
The state's largest district shows what compliance looks like in practice. Columbus City Schools passed its AI policy unanimously, giving teachers discretion over whether students may use AI on any given assignment and restricting which platforms are allowed. Christopher Lockhart, the district's chief of information technology, described the intent plainly: "We leave them with that control where they can say okay, you can use AI maybe for brainstorming for this." He also acknowledged the moving target, saying "we're in a disruptive period with AI, and so we're still understanding what that looks like."
Columbus also drew hard lines on non-academic harm and data. Its policy prohibits AI-generated fake images or misleading representations of students, staff, and board members, and it shields student and staff data from being used to train AI systems. That combination of teacher discretion plus firm data and integrity rules is likely to be copied across smaller districts that lack the capacity to write policy from scratch. For vendors, Columbus is the account that sets expectations: win its data terms and you have a reference for the rest of the state.
The procurement squeeze on vendors
For edtech companies, the mandate quietly raises the bar across an entire state at once. Every district now needs a defensible answer on data privacy, and many will lean on certifications from bodies like 1EdTech or iKeepSafe as a shortcut. Products that cannot explain their data handling, or that reserve the right to train on student inputs, become harder to approve. The friction shows up as a slower and more scrutinized sales cycle, with the buyer now holding a board-approved checklist to enforce.
This is the part enterprise technology leaders should recognize, because it mirrors their own vendor risk process. Ohio has effectively pushed procurement discipline down to hundreds of districts that previously bought tools on convenience. The winners will be vendors who arrive with clear data-processing terms, model-training opt-outs, and evidence of compliance ready to hand. The losers will be free or lightly governed tools that spread through classrooms without review. We expect other states watching Ohio to copy the mechanism, since a mandate to write policy is far cheaper than a mandate to buy anything.
Governance without adoption was the point
It is worth dwelling on what Ohio chose not to do. The mandate requires no district to adopt AI curricula, buy AI tools, or teach AI literacy at a set level. It requires only a policy. That is a politically efficient move: it forces every district to confront AI without the state picking technology winners or funding purchases. It also shifts liability. Once a board approves a policy, responsibility for misuse, data exposure, and integrity violations sits locally, against a documented standard the district agreed to uphold.
The weakness of the approach is uneven quality. A model policy adopted verbatim by an under-resourced district can become a compliance artifact that no one operationalizes. Ohio's toolkit, workgroups, and Denison University partnership are meant to close that gap, yet execution will vary widely. We would judge the mandate's success by whether districts actually vet tools and train staff, since policy counts will approach one hundred percent regardless. The paperwork is done. The practice is where the real difference between districts will show.
The national signal
Ohio is one of a growing number of states legislating AI in education, and its model is attractive because it is low cost and hard to oppose. Requiring governance rather than spending sidesteps budget fights while still forcing action. For CIOs and CTOs outside education, the pattern is familiar and instructive: mandate a policy, supply a template, push accountability to the operating unit. It is how large organizations manage emerging risk before standards mature, and it is spreading through the public sector quickly.
The takeaway for anyone selling into or running schools is that the compliance surface just changed. A statewide deadline turns scattered concerns about student AI use into an enforceable requirement with named owners and board sign-off. That creates real demand for tools that can prove they are safe, and real exposure for those that cannot. Ohio has made the first move at scale. The districts that treat their new policies as living governance, rather than filed documents, will be the ones that actually control how AI enters their classrooms.



