Lexington-Fayette Urban County Government employees can now use Microsoft Copilot to draft documents, conduct research, and summarize lengthy meeting notes. An internal AI policy adopted in June 2026 clears the AI assistant for limited use—while banning all other generative AI tools. The move makes Lexington one of the first municipal governments to publicly embrace Copilot under a formal, security-focused framework.
The policy, obtained by windowsnews.ai, outlines exactly how staff may interact with Copilot. Engineers, administrators, and clerks can prompt the AI to produce first drafts of memos, distill public meeting transcripts, or gather background information for policy proposals. But every AI-generated output must undergo human review. Employees cannot feed Copilot personally identifiable information (PII), data protected under HIPAA or CJIS, or any details classified as confidential under Kentucky’s open records laws.
“This isn’t unlimited AI access,” a city IT official told windowsnews.ai. “It’s a set of guardrails designed to prevent data leaks while letting staff reclaim time lost to rote tasks.” The policy explicitly forbids ChatGPT, Google Gemini, Anthropic’s Claude, and other consumer-grade chatbots. Only Copilot—tightly integrated into the government’s existing Microsoft 365 tenant—meets the city’s compliance standards.
The Security Logic Behind Copilot-Only
Lexington runs its productivity suite on Microsoft 365 Government Community Cloud (GCC), a dedicated environment that keeps data inside the continental United States. Copilot’s architecture respects that boundary: prompts and responses travel through encrypted channels and are processed in Azure data centers that hold both FedRAMP and Department of Defense impact level certifications.
Unlike public chatbots that train on user inputs, Copilot for Microsoft 365 does not use customer data to improve its foundation models. For a city handling court records, utility billing, and public safety communications, that distinction is critical. A single employee pasting a police report into a free AI tool could trigger a data breach. Lexington’s policy eliminates that risk by locking approved AI use into the GCC tenant where administrators control access and audit logs.
City Chief Information Officer Rebecca Torres explained the decision: “We already invest in Microsoft for email, file storage, and collaboration. Adding Copilot meant granting a subset of users AI features without opening a new attack surface. Our data stays in our estate, subject to the same governance and retention policies as any Word document.”
Initially, the city will roll out 200 Copilot licenses to high-priority departments—law, public works, human resources, and the mayor’s office. Usage data will be monitored via Microsoft Purview compliance tools. Managers can see which teams generate the most AI content and whether those drafts are edited heavily before finalization, a metric Torres says will gauge real-world impact.
Permitted Tasks: Drafting, Research, Summarization
The policy enumerates three primary use cases:
- Drafting: Employees can prompt Copilot inside Microsoft Word or Outlook to generate a first draft of letters, press releases, internal reports, and grant applications. The AI draws from organizational templates and style guides to match the city’s voice.
- Research: Using Microsoft Teams and SharePoint integration, Copilot can answer questions about internal documents—like “What were the last three resolutions on zoning variances?”—by indexing the city’s own files. Web-grounded research via Bing is only enabled for general knowledge queries, never for internal file searches.
- Summarization: Copilot can condense long email threads, meeting transcripts, and planning documents into bullet-point summaries. This function aims to reduce the time staff spend catching up after meetings or sorting through dense legislative packets.
The policy prohibits using Copilot to make final decisions, author contracts, or communicate directly with citizens. Any citizen-facing communication, even if drafted by AI, must be reviewed and edited by a human. Legal documents, such as contracts and ordinances, are entirely off-limits for AI drafting.
Technical Integration: How Copilot Fits Into the City’s Ecosystem
Copilot connects to the Microsoft Graph, indexing a user’s emails, files, meetings, and chats—but only within the GCC boundary. Lexington’s IT team configured sensitivity labels and data loss prevention (DLP) policies to automatically block prompts that contain patterns matching SSNs, driver’s license numbers, or credit card data. Even if an employee accidentally pastes a spreadsheet with PII, Copilot’s input filter rejects the prompt and logs the incident.
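The kind of pattern check described above can be sketched as follows. This is an added example, not code from the city's policy or from Microsoft's DLP engine; the function names, log fields and sample numbers are constructed for illustration. Driver's license numbers are left out because their formats differ from state to state.

```python
import re

# Candidate patterns; a match only counts after the validators below pass.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues, which cuts false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_prompt(prompt):
    """Return the sensitive-data categories found in a prompt."""
    hits = []
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(prompt)):
        hits.append("ssn")
    for m in CARD_RE.finditer(prompt):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("card")
            break
    return hits


def gate(user, prompt, audit_log):
    """Allow or block a prompt; log the category, never the matched value."""
    hits = scan_prompt(prompt)
    if hits:
        audit_log.append({"user": user, "action": "blocked", "types": hits})
        return False
    return True
```

Validating matches (issuable SSN ranges, Luhn checksum) keeps ticket and invoice numbers from blocking legitimate prompts, and logging only the category avoids copying the sensitive value into the audit trail.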
All Copilot interactions flow through the city’s ExpressRoute connection to Azure, bypassing the public internet. This ensures low latency and an additional layer of transport security. Session logs are retained for 90 days and integrated with Microsoft Sentinel, the city’s SIEM solution, enabling real-time alerts on suspicious usage—like a sudden spike in prompts from a single account outside business hours.
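The off-hours spike alert mentioned above reduces to a per-account sliding-window count. The sketch below is an added example in Python, not the city's Sentinel rule; the business hours, window length, threshold, log layout and account names are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59 local time, Mon-Fri
WINDOW = timedelta(minutes=10)     # assumed sliding-window length
THRESHOLD = 5                      # assumed max off-hours prompts per window


def off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_spikes(events):
    """Return (user, window_start, count), one alert per off-hours burst.

    `events` is an iterable of (iso_timestamp, user) sorted by time.
    """
    recent = defaultdict(deque)     # user -> timestamps inside the window
    alerted = set()                 # users with an alert already open
    alerts = []
    for iso, user in events:
        ts = datetime.fromisoformat(iso)
        if not off_hours(ts):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:   # expire entries older than the window
            q.popleft()
        if len(q) > THRESHOLD and user not in alerted:
            alerts.append((user, q[0].isoformat(), len(q)))
            alerted.add(user)
        elif len(q) <= 1:
            alerted.discard(user)   # burst ended; allow a new alert later
    return alerts


# Constructed sample log: one clerk working late, one account bursting at 02:00,
# and ordinary daytime use that must not alert.
SAMPLE = [("2026-06-16T19:05:00", "clerk01")] + [
    (f"2026-06-17T02:0{m}:00", "svc-temp") for m in range(7)
] + [("2026-06-17T10:15:00", "clerk01")] * 20
```

A single late-evening prompt and heavy daytime use stay quiet; only the burst of off-hours prompts from one account raises an alert, and it is raised once per burst rather than once per prompt.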
Training and Employee Guardrails
Before gaining Copilot access, employees must complete a two-hour online training module that covers prompt engineering basics, data classification, and the city’s responsible AI principles. The module, developed in partnership with the University of Kentucky’s Center for Computational Sciences, includes interactive scenarios: “What should you do if Copilot generates a draft citing a repealed ordinance?” The correct answer—verify with the city clerk’s database—is drilled repeatedly. A final quiz requires an 80% score; anyone who fails twice is barred from using Copilot until retaking the course.
Training emphasizes that Copilot can hallucinate—producing incorrect or fabricated references—so every fact must be verified. A dedicated channel on the city’s internal Yammer network lets employees share prompts and flag inaccuracies. Torres hopes this peer review culture will expose gaps early. “AI is a partner, not an authority. Staff need to treat it like an ambitious intern who sometimes makes things up,” she said.
Mixed Reactions from City Employees
In the weeks following the policy’s internal announcement, sentiment among city employees has been split. A survey conducted by the local chapter of the American Federation of State, County and Municipal Employees (AFSCME) found that 62% welcomed AI assistance as a productivity booster, while 28% worried about eventual job displacement. Another 10% expressed privacy concerns, particularly around AI “reading” their emails or performance data.
Diane Abbott, a grants coordinator with the Department of Social Services, told windowsnews.ai she’s cautiously optimistic. “I spend hours pulling statistics from old reports to plug into grant applications. If Copilot can do the grunt work, I can focus on crafting stronger narratives. But I don’t want the city to cut my position because the bot can write a draft.” Mayor Linda Gorton’s office has repeatedly stated that no positions will be eliminated due to AI in the current fiscal year, a promise that will be tested as the technology matures.
IT help desk tickets have spiked since the rollout, but mostly for issues like password resets and account provisioning—not policy violations. “People are excited but also hyper-cautious,” said Marcus Webb, the city’s lead help desk technician. “We’re getting calls from employees double-checking whether certain data can be pasted into a prompt. That’s exactly the kind of awareness we want.”
A Growing Trend in Government AI Policies
Lexington’s move mirrors a slow but steady shift among U.S. municipalities toward managed AI adoption. In 2024, both San Jose and the State of Oklahoma released internal guidance allowing Copilot under strict conditions. The federal government’s own AI blueprint, published by the Office of Management and Budget in early 2025, encourages agencies to explore generative AI—provided they meet rigorous testing, transparency, and privacy benchmarks.
What sets Lexington apart is the exclusive partnership with Copilot. While jurisdictions like Austin, Texas, have opted for multi-tool sandbox environments—allowing select staff to test ChatGPT Enterprise alongside Copilot—Lexington chose a single-vendor approach. City procurement documents reveal that a six-month pilot evaluated three platforms. Copilot won on integration, cost, and security. The others were dropped.
Industry analysts say such exclusivity simplifies governance. “Every extra tool is another surface to monitor, another provider’s terms of service to vet, another batch of audit logs to reconcile,” said Dr. Lisa Nguyen, a Gartner analyst focused on public sector AI. “Going all-in on Copilot lets a mid-sized city manage risk with fewer resources.”
Data Privacy and Compliance: What the Policy Actually Says
The full text of the AI policy, which windowsnews.ai reviewed, outlines seven non-negotiable rules:
- No PII, protected health information, or criminal justice data in prompts.
- Copilot output must be labeled “AI-assisted” when shared internally.
- All AI-generated content must be reviewed by a human before becoming a public record.
- Use of other generative AI tools on city devices or accounts is prohibited and subject to disciplinary action.
- Employees must report unusual outputs—especially those containing sensitive data or harmful content—to IT within one hour.
- The city reserves the right to audit all Copilot usage logs.
- Violations may result in revocation of AI access and, in severe cases, termination.
These rules align closely with Microsoft’s own responsible AI framework but go further by imposing penalties for misuse. Lexington’s legal department inserted the audit and reporting clauses to preempt open records requests. If a journalist or citizen demands to see the data behind an AI-drafted policy memo, the city can produce a full prompt chain—something consumer-grade tools rarely provide.
Costs and Potential Savings
Lexington is spending roughly $72,000 annually on 200 Copilot for Microsoft 365 licenses, at $30 per user per month, and an additional $15,000 for implementation consulting. City budget analysts project a net return within the first year through productivity gains. If each licensed employee saves just two hours per week—a conservative estimate based on early Copilot studies—the annual time savings could be worth over $500,000 in labor.
But critics argue that productivity metrics can be misleading. “Time saved on drafting doesn’t automatically translate into better outcomes,” warned Dr. Theodore Park, a professor of public administration at the University of Kentucky. “If staff use that extra time to take on more work, great. If it just leads to longer coffee breaks, the investment is wasted. The city needs to track not just AI output but tangible improvements like faster permit approvals or reduced backlogs.”
The Challenge of AI Bias and Accuracy
Government use of generative AI raises thorny questions about bias. Copilot’s underlying models, including GPT-4o, have been documented to exhibit biases related to race, gender, and socio-economic status. Lexington’s policy requires that any AI-generated policy recommendation affecting vulnerable populations undergo an equity review by the city’s Office of Diversity and Inclusion.
During a city council workshop in May 2026, Councilmember James Wu pressed IT leadership on how they plan to audit for bias. Torres replied that the city will run sentiment analysis and demographic fairness checks on aggregated AI outputs quarterly, using a third-party tool from Credo AI. That data will be published in an annual AI transparency report, a first for a city of Lexington’s size.
Accuracy remains another hurdle. In a pre-pilot test, Copilot fabricated a state statute reference when asked to summarize recent changes to Kentucky’s land-use laws. The error was caught during human review, but it underscored the need for rigorous fact-checking. Now, every Copilot output that cites laws, statistics, or court cases must include a verified primary source. The policy mandates a “fact-check log” for any AI-generated content used in official documents.
Looking Ahead: Expansion and Broader AI Strategy
If the initial rollout succeeds, Lexington plans to extend Copilot access to all 2,800 city employees by mid-2027. The next phase may introduce Copilot Studio, Microsoft’s low-code platform for building custom AI agents. Early concepts include a citizens’ self-service bot that answers FAQs about trash pickup, permit applications, and council meeting schedules—strictly non-binding and purely informational.
The city is also exploring Microsoft’s AI-driven tools for cybersecurity. Security Copilot, an AI assistant for threat analysis, could help the small IT team sift through daily security alerts. But procurement rules require a separate assessment, which the city council will take up in the fall budget session.
Lexington’s experiment will likely influence neighboring municipalities. Georgetown and Nicholasville have already sent representatives to observe training sessions. Kentucky’s state government, too, has an AI task force that could adopt similar guidelines. If Lexington can demonstrate real productivity gains without a data breach, the Copilot-only model may become a blueprint for cities nationwide.
For now, the city’s 200 licensed employees are writing their first AI-assisted drafts, following a rulebook designed to keep innovation on a tight leash. Whether that leash holds—and whether the productivity promise proves real—will emerge over the coming months, as Lexington navigates the uncharted intersection of municipal governance and generative AI.