Potter County commissioners in Amarillo, Texas, voted unanimously on June 22, 2026, to adopt an AI Appropriate Use Policy that puts the county IT department in charge of approving and implementing all artificial intelligence tools used by county employees. The move marks one of the first local government mandates in the region to explicitly require IT oversight for every AI application, from large language models to specialized machine learning services, with a sharp focus on data protection.

County leaders did not release the full policy text immediately, but the excerpt shared with local media makes clear that the IT department will now serve as the gatekeeper for any AI technology. That means no department can independently procure or deploy an AI tool without a formal review. The policy cites the need to safeguard sensitive resident data, ensure compliance with state and federal regulations, and prevent shadow IT that could expose the county to cyber risks.

What the Policy Says

The new policy centers on three pillars: approval authority, implementation standards, and data governance. The county IT department must pre-approve any AI system before purchase or deployment. That includes both commercial products like Microsoft Copilot and custom-built solutions. The IT team will evaluate each tool against security benchmarks, data handling requirements, and operational impact before granting permission. Once approved, implementation is also led by IT, ensuring consistent configuration across all departments.

Data protection is the most prominent concern. The policy requires that no sensitive or personally identifiable information be fed into publicly hosted AI models without explicit safeguards such as data masking, tenant isolation, or on-premises processing. The county’s IT security team will maintain an allowed list of approved AI services, and any tool that cannot meet data residency or encryption standards will be blocked. This approach mirrors frameworks seen in regulated industries, but its application at the county level is a clear sign that AI governance is now a local government priority.

Why This Move Now

The timing aligns with a surge in generative AI adoption across public sector organizations. Microsoft 365 Copilot, Google’s Gemini, and open-source models are becoming as common as word processors. Yet the legal and security implications of feeding government records into these tools remain murky. Potter County’s decision reflects a growing consensus: unfettered AI use is too risky for entities handling law enforcement data, health records, and tax information.

For Windows-centric IT shops, the policy has immediate relevance. Most county employees work on Windows 10 or Windows 11 endpoints, with daily workflows anchored in Microsoft 365 apps. Copilot integrations in Word, Excel, and Teams mean that an AI assistant is literally one click away. Without policy guardrails, a well-meaning clerk could paste a confidential spreadsheet into a public model to “get a quick summary,” creating a data spill incident. Potter County’s rule closes that gap by funneling all AI interactions through a vetted, secure channel.

The Windows and Microsoft 365 Connection

Potter County, like thousands of other local governments, runs on Microsoft infrastructure. Its IT department manages Active Directory, Intune, and Defender for Endpoint across hundreds of Windows devices. The new AI policy must therefore translate into technical controls within that ecosystem. That means configuring Microsoft Purview data loss prevention (DLP) policies to detect and block sensitive data from being sent to unapproved AI endpoints. It also requires disabling built-in AI features in the Microsoft 365 suite until the IT team explicitly enables them for specific users.

For Windows admins watching this case, the operational blueprint is taking shape. First, audit all AI touchpoints: browser extensions, desktop apps, and cloud services that claim “smart” features. Second, use Group Policy or Microsoft Intune to restrict access to unvetted AI websites and apps. Third, enforce conditional access policies that require all AI model interactions to go through an approved proxy or enterprise API gateway. Finally, set up logging and alerts for any attempt to use blocked AI tools.

Microsoft’s own tools can help. Microsoft Purview compliance portal offers AI-specific policy templates that can identify when users attempt to input sensitive data into Copilot or other LLMs. Microsoft Defender for Cloud Apps can shadow detect unauthorized AI services and provide a cloud access security broker (CASB) layer to control data flows. The county’s IT team can also leverage Azure AI Content Safety to filter inputs and outputs for any internally developed AI applications.

Data Protection at the Core

The policy’s data protection focus resonates far beyond Potter County. When government employees use public AI models, they risk exposing data to third-party servers outside their jurisdiction. That could violate data residency laws, especially for records subject to CJIS (Criminal Justice Information Services) or HIPAA requirements. The policy likely mandates that all AI processing occurs within the county’s existing tenancy or on-premises infrastructure, a constraint that aligns well with Microsoft’s Azure Government and Microsoft 365 GCC High offerings.

For Windows security teams, the new rule reinforces the principle of least privilege. AI tools must not only be approved but also deployed with role-based access controls. A deputy sheriff’s access to an AI transcription service will differ from a clerk in the tax office. IT will need to integrate AI permissions with Active Directory groups, ensuring that sensitive datasets are never inadvertently exposed through an overly permissive AI interface.

The policy also addresses the often-overlooked area of model training. Many AI tools improve by learning from user inputs, but that process can embed confidential data into the model itself. Potter County’s IT approval process will scrutinize whether a vendor uses customer data for training and will likely require opt-out provisions or contractual terms that prohibit such use.

Implementation Hurdles and User Friction

While the policy closes security gaps, it also introduces new friction for county employees. An employee who has freely used ChatGPT for drafting emails now faces a multi-step IT approval process. This delay can frustrate staff accustomed to on-demand AI tools. The county must strike a balance between agility and control, possibly by pre-approving a curated set of AI tools that cover most legitimate use cases.

Training is another huge piece. IT departments will need to educate hundreds of users on what constitutes acceptable AI use, how to request new tools, and why copying sensitive data into a public chatbot is dangerous. Without robust change management, the policy risks being bypassed by employees who resort to personal devices or unauthorized accounts. Windows admins can mitigate this by deploying enforced web filtering and app control that leaves no room for circumvention.

The approval pipeline itself could become a bottleneck. If every AI request requires a manual security review, the IT team may drown in tickets. Automation is key. The county can set up a self-service portal where employees describe their AI needs, and the system automatically checks the tool against a pre-defined compliance checklist. Only edge cases would escalate to a human reviewer. This kind of workflow can be built with Power Platform tools already licensed in many Microsoft 365 environments.

What Windows Admins Can Learn

For IT professionals managing Windows fleets, Potter County’s policy is a real-world template. Start with an inventory of AI usage—both sanctioned and shadow. Use Microsoft 365 audit logs and endpoint telemetry to identify unsanctioned AI sites. Then draft a policy that mirrors the county’s approach: define data sensitivity levels, require IT sign-off for any AI that touches protected data, and mandate that all AI traffic flows through monitored channels.

Next, test the policy with a pilot group. Roll out approved AI tools like Microsoft Copilot with proper DLP and content filtering in place. Gather feedback and adjust before expanding. Document everything: the approval process, the security baseline, and the user training materials. This documentation will be crucial for auditor reviews and for defending the policy to frustrated users.

The policy also underscores the need for continuous monitoring. AI tools evolve rapidly, and a service that was safe last month could introduce a new feature that leaks data. Windows admins should set up regular reviews—at least quarterly—to re-evaluate approved tools and scan for new AI services appearing on the network.

Potter County is not alone. Across the U.S., local governments are scrambling to draft AI policies. The National Association of Counties (NACo) has released an AI toolkit, and several states have passed laws requiring impact assessments for government AI use. What makes Potter County’s move notable is its unanimous vote and the strong role assigned to IT. Many counties have adopted loose “encourage responsible use” language without enforcement teeth. This policy, by contrast, makes IT the enforcer.

The timing also coincides with Microsoft’s own push into government AI. The company has been aggressively marketing Copilot for Microsoft 365 GCC and Azure OpenAI Service for government customers. These enterprise-grade, compliant offerings can satisfy the county’s data protection requirements if configured correctly. But they still require careful oversight—something the new policy explicitly demands.

The Road Ahead

Potter County will now move into implementation. The IT department must inventory all current AI use, likely discovering tools no one knew existed. Then comes the hard work of building the approval workflow, training users, and deploying technical controls. Success or failure will be measured by the policy’s ability to reduce data incidents without grinding productivity to a halt.

For Windows-based organizations watching, the takeaway is clear: AI governance is no longer optional. Whether you manage a county government or a private business, the tools are on your endpoints now. The question is whether you have a policy to match. Potter County’s vote on June 22, 2026, is a benchmark worth following—and a warning that if you haven’t started, you’re already behind.