Mayor Muriel Bowser's administration dropped a milestone on February 12, 2026: every District employee and contractor—across all 73 agencies—must complete a responsible artificial intelligence training course within 90 days of notification. The self-paced, no-cost program, built with public-sector education nonprofit InnovateUS, marks the first time a major U.S. city has tied AI literacy directly to workforce compliance, not just policy ambition.
The mandate unpacked: Who has to do what, and by when
The new requirement flows from the Office of the Chief Technology Officer (OCTO) and the District’s AI Taskforce. Notifications will land in employee inboxes soon, triggering a 90-day clock for completion. The course is entirely self-paced and accessible online, designed to fit around daily work. Contractors are included—an unusual step that extends accountability to the external workforce that touches District systems and data.
The training isn’t a one-and-done box-check. It’s intended as the baseline for a broader governance framework. Here’s exactly what it covers:
- Generative AI fundamentals: What large language models can and cannot reliably do.
- Data handling and classification: Explicit guidance on what information can never be pasted into public AI tools, and when to use agency-approved platforms.
- Human-in-the-loop decisionmaking: Emphasizing that AI outputs are advisory—final decisions and accountability rest with the human user.
- Prompt safety and adversarial awareness: Recognizing prompt injection, hallucinations, and signs of unreliable outputs.
- Privacy, cybersecurity, and public records: How AI interactions intersect with legal obligations, including FOIA and records retention.
The curriculum is deliberately pitched at the broad workforce, not engineers. It won’t replace specialized technical certifications, but it gives every employee a shared language and guardrails to avoid common pitfalls.
What it means for you, depending on your seat
This story lands differently depending on your role. Let’s break it down.
If you’re a D.C. government employee or contractor
You have an immediate, non-negotiable deadline. Look for a notification from your agency head or OCTO. The course is free and self-paced, so you can fit it into your schedule, but don’t wait until day 89. Completion will likely be tracked against your personnel file or contractor compliance record—noncompliance could affect system access or contract standing.
The practical payoff is clarity. You’ll finally know which AI tools you can use and how. For example, Microsoft Copilot Chat inside the District’s M365 tenant is approved because it’s configured to keep data within the District’s domain and not feed inputs into vendor model training. But slinging sensitive neighborhood planning data into a public chatbot? That’s a policy violation now, with real consequences. The training spells out these distinctions.
If you’re an IT leader or policymaker in another city
Washington’s move gives you a vetted template. The key pieces are:
- A clear policy foundation (the six DC AI Values—safety, equity, accountability, transparency, sustainability, and privacy & cybersecurity).
- Centralized governance (an AI Taskforce under the CTO).
- Mandatory, role-appropriate training tied to operational compliance, not just a voluntary webinar.
- Enforceable deadlines and contractor inclusion.
But don’t copy blindly. The District’s training is part of a layered defense that also includes technical controls (data-loss prevention, scoped API tokens) and contractual hardening with vendors. Training alone won’t stop a staffer from pasting protected data into a public model during a crunch. You’ll need outcome metrics—reductions in data exposures, adoption of approved tools—not just completion percentages.
If you’re an enterprise Windows or Microsoft 365 shop
There’s a procurement lesson here. D.C.’s use of Copilot Chat inside a government tenant demonstrates how enterprise controls can make AI tools safer without abandoning them. If your organization is on M365 E3 or E5, you can enforce similar guardrails: configure data residency, disable chat history that might feed model training, and apply DLP policies to prompts and responses. The training mandate itself is a reminder that technological controls are only half the battle; workforce literacy turns those controls from theory into daily practice.
How D.C. got here: From values on paper to a 90-day mandate
Mayor’s Order 2024-028, signed on February 8, 2024, planted the seed. It established six DC AI Values and directed agencies to evaluate and approve AI tools against them. But a policy framework without operational teeth is just a press release. The AI Taskforce, led by OCTO, spent two years turning those values into procurement checklists, approved-tool lists, and a workforce training plan.
By mid-2025, the District had already begun limiting AI usage to vetted tools and drafting contractual requirements for vendors—non-training clauses, data-residency guarantees, audit rights. The training mandate, announced February 12, 2026, is the final piece that connects policy to people. It enforces the human-in-the-loop principle at scale.
The 90-day window wasn’t arbitrary. It’s short enough to drive urgency but long enough to accommodate part-time staff and heavy workloads. Embedding the requirement into HR and contractor management workflows turns a symbolic gesture into an enforceable standard.
What to do now: Your action plan
For D.C. staff and contractors facing the mandate
- Watch your inbox. Notifications will come from your agency or OCTO. Read it carefully—it may include specific enrollment instructions or agency-specific addenda.
- Block time on your calendar. The course is self-paced, but schedule a few 30-minute sessions. Treat it like mandatory compliance training, not optional enrichment.
- Bookmark your approved AI tools. Know what’s allowed. If you’re unsure whether a tool is sanctioned, ask your IT or legal team before using it.
- Practice the principles immediately. Start tagging sensitive data classifications mentally. If you wouldn’t post it on a public website, don’t paste it into an unapproved AI tool.
For IT and policy leaders elsewhere
- Audit your current AI use. How many staff are pasting data into public models? What approved tools exist? Map the risks before you mandate training.
- Pair training with technical enforcement. Deploy AI-aware DLP, scoped API tokens, and tool-blocking for unvetted services.
- Contract with clarity. Insist on non-training clauses, data-residency guarantees, and audit rights in vendor agreements. If Copilot is your chosen tool, lock down the tenant configuration and get contractual confirmation those settings are binding.
- Design for your workforce. One-size-fits-none. Offer role-based modules: frontline staff need different scenarios than procurement officers or data engineers. Provide accessible formats—low-bandwidth, multilingual, assistive tech compatibility.
- Measure what matters. Completion rates are easy to track but tell you nothing about behavior. Track incidents: accidental data exposures, AI-assisted errors, off-policy tool usage. Baseline a pilot team’s productivity and risks before and after training.
For enterprise Windows admins
- Replicate D.C.’s Copilot setup. If you’re using Microsoft 365 Copilot or Copilot Chat, review your tenant’s data handling settings. Ensure commercial data protection is enabled for Copilot Chat, and verify through documentation that prompts and responses aren’t used for model training.
- Map DLP rules to AI interactions. Treat prompts and outputs as data streams. Use Microsoft Purview or equivalent to detect sensitive info types (SSN, credit cards, HIPAA) in AI prompts.
- Create a safe-tool list. Publish an internal registry of approved AI tools with clear use policies, just like OCTO did for the District.
What success actually looks like—and the risks to watch
The 90-day completion deadline is just the starting pistol. Real success will be measured months later by a drop in risky AI behaviors, enforceable vendor contracts that withstand audit, and transparent public reporting on AI use cases and incidents.
The biggest risk isn’t noncompletion—it’s complacency. If agencies treat training as a check-the-box exercise and don’t reinforce it with technical controls and managerial follow-up, the mandate will become security theater. Another risk: the course goes stale fast. Generative AI moves in months, not years. Without a continuous refresh cadence—quarterly micro-updates, tabletop exercises, and push alerts when new threats emerge—the training will quickly lag reality.
Public trust demands transparency. D.C. has established an AI Values Alignment Advisory Group, but residents need to see how community input actually shapes tool approvals and incident responses. FOIA tensions will arise: are AI prompts and outputs public records? The District must craft retention and redaction policies that preserve transparency without exposing sensitive operational data.
On the vendor side, watch for contractual disclosures. Does the Copilot agreement truly prevent Microsoft from using government prompts for model training? Are audit rights enforceable, and will OCTO ever exercise them? The training mandate’s long-term credibility hinges on these behind-the-scenes details.
The bottom line
Washington, D.C.’s AI training mandate is not a silver bullet, but it’s the most concrete step any U.S. city has taken to turn AI policy into daily operational practice. The 90-day clock forces action now. The real test begins on day 91.