On July 15, 2026, the Wasatch County Council in Utah voted unanimously to let its employees use generative AI—including a dedicated Microsoft Copilot account—but with a catch: no decision gets made without a human signing off, and no government data gets fed into free, unvetted chatbots. The policy, first reported by The Park Record and KPCW, is a notable example of a local government steering into the AI curve rather than slamming on the brakes, and it offers a practical template for businesses and IT departments everywhere.
The policy’s architect, IT Director Don Wood, told the council that the guiding principles are to “encourage our employees to learn, use and explore” AI, while “protecting privacy, maintaining human accountability and working toward fairness and transparency.” That balance—permission paired with guardrails—is what makes the Wasatch approach worth studying for any organization that uses Microsoft 365 or Copilot.
What Wasatch County Actually Approved
After months of discussion, the county council’s unanimous vote formalized a set of rules that apply to all county employees. Key provisions include:
- Approved tools only: Staff must use county-provisioned AI services that meet government privacy standards. Wood confirmed the county already has a dedicated Microsoft Copilot account. Meanwhile, free or consumer-grade tools that store data outside the United States are prohibited.
- Always a human in the loop: AI can assist with research, drafting, or analysis, but final decisions and official documents require human review. Wood bluntly told employees: “You can’t claim that the dog ate your homework. You have to own it.”
- Bias and hallucination checks: Employees are responsible for recognizing when AI output may be wrong, biased, or fabricated. Regular training will reinforce this.
- Public records and privacy: Because much government work falls under public records laws, employees must consider how AI interactions may be preserved or disclosed. The county aims to avoid services that store data abroad, which could complicate compliance.
- Disclosure: When AI is used in creating a work product, that use must be transparent.
Councilor Erik Rowland illustrated the policy in action: he used AI to parse the Utah Department of Transportation’s 450-plus-page draft environmental impact statement and cross-reference it with county ordinances, but he wrote the final public comment himself. AI accelerated the research; a human took responsibility for the submitted analysis.
Why IT Admins Should Pay Attention
For Windows administrators and IT managers, Wasatch County’s policy is more than a local-government curiosity. It addresses a headache that has plagued enterprises since ChatGPT burst onto the scene: employees are using AI tools whether IT permits them or not, often with personal accounts and no data controls. The result is “shadow AI,” where sensitive information leaks into ungoverned systems. High-profile incidents—like Samsung engineers pasting proprietary code into ChatGPT—underscore the risk.
Wasatch’s response is to acknowledge reality and shepherd usage into approved channels. That’s a strategy many IT leaders are now embracing. By offering a managed Copilot account and training staff, the county reduces the temptation to paste a proprietary document into a free web chatbot. Microsoft Copilot’s commercial data protection features—available in certain Microsoft 365 plans—help ensure that prompts and data aren’t retained or used to train models, a critical consideration for regulated environments.
Still, the policy doesn’t pretend that technology alone solves the problem. “We would never want, at least at this time, to ever have AI make decisions without any human interaction,” Wood said. That sentiment echoes emerging frameworks like the EU AI Act: high-risk decisions demand human oversight. For IT departments, this means configuring Copilot and other AI tools with appropriate permissions, audit logs, and perhaps a review workflow before AI-generated content becomes an official record.
The Copilot Connection: Approved Tools and Data Boundaries
Wasatch County’s choice of Microsoft Copilot is pragmatic. Copilot integrates tightly with Microsoft 365 and can be managed through familiar administrative consoles. IT can control which users have access, set data loss prevention (DLP) policies, and retain eDiscovery capabilities. These are table stakes for any organization that handles sensitive data.
However, the county’s approach also highlights a gap that Microsoft and other vendors will need to address. Wood told The Park Record that officials reached out to ChatGPT (OpenAI) but received no response. That suggests the county wanted a similar enterprise-grade agreement with another provider but couldn’t get one. For IT shops evaluating AI vendors, a supplier that ignores a government customer’s compliance questions is a red flag. Microsoft’s established presence in government licensing likely gave Copilot an edge.
The policy’s requirement that tools store data within the United States will resonate with organizations bound by ITAR, CJIS, or other data-sovereignty rules. While Copilot’s default data handling meets many standards, admins should verify data residency settings and contractual commitments, especially when using plugins or third-party integrations.
Building an AI Policy That Travels Well
Wasatch County isn’t trying to write the final word on AI governance. Council members acknowledged the technology changes “day to day,” and Wood expects to revisit the policy in six months. That flexibility is itself a best practice. An AI policy that’s too rigid will quickly become obsolete; one that’s too vague will be ignored.
For organizations starting from scratch, the county’s framework offers a pragmatic checklist:
- Inventory your existing AI use: Before drafting rules, find out what tools employees are already using. A simple survey or a review of network traffic can surface shadow AI.
- Designate approved tools: Choose one or two enterprise-grade AI platforms that meet your security, privacy, and compliance requirements. Configure them with SSO, DLP, and audit logging. For Microsoft shops, Copilot with enterprise data protection is a natural starting point.
- Write a clear acceptable use policy: Spell out what data can and cannot be entered, require human review for any work product that will be published or used as an official record, and mandate disclosure of AI assistance.
- Train—and retrain: Wasatch’s emphasis on recognizing bias and hallucination is key. Annual or quarterly training sessions that include real-world examples of AI failures will keep the message fresh. Microsoft Purview compliance features can help track how AI is being used and flag risky behavior.
- Plan for iteration: Set a review cycle (e.g., every six months) to update the policy as AI capabilities and regulatory expectations evolve.
Nearby Midway City and Heber City had already adopted AI policies, according to The Park Record, signaling that such frameworks are becoming the norm for forward-thinking municipalities.
What Windows Users Should Know
If you’re an employee whose organization hasn’t yet published an AI policy, Wasatch County’s rules provide a sensible personal operating manual in the meantime. Only use AI tools that your employer has explicitly sanctioned. Never paste customer data, financials, or proprietary code into a free chatbot. If you rely on AI-generated text or analysis, verify it thoroughly and document your verification steps—those notes could save you if the output is challenged later.
For Microsoft 365 users, check whether your license includes Copilot with enterprise data protection. That feature, which adds an extra layer of data isolation, matters if you’re drafting anything that could become a public record or litigation exhibit.
Outlook: More Guardrails, Not Bans
Wasatch County’s policy arrived at a moment when many organizations are moving past the “ban all AI” phase. A year ago, Wood admitted to feeling “fear about AI”; now he’s “much, much better” and can see where the technology will fit. That sentiment is spreading.
Microsoft is likely to watch such adoptions closely. As local governments and regulated industries demand tighter controls, the company will probably expand Copilot’s administrative tooling—think granular retention policies for AI prompts, built-in bias detection, and richer compliance reports. Competitors will scramble to match those features or risk being locked out of the government and enterprise market.
For IT professionals, the takeaway is clear: an AI policy doesn’t have to be a novel-length legal document. Start small, start with clear principles, and treat the first version as a draft that will evolve. The Wasatch model—a county of about 35,000 people—proves you don’t need the resources of a Fortune 500 company to do AI governance right. You just need a commitment to human accountability and a willingness to learn as you go.