By July 1, 2026, every Ohio traditional public school district, community school, and STEM school is required to adopt a formal, board-approved policy on the use of artificial intelligence. The requirement was created by House Bill 96, Ohio's 2025 biennial budget, which added Section 3301.24 to the Ohio Revised Code and set two dates: the Ohio Department of Education and Workforce had to publish a model AI policy by December 31, 2025, which it released in early January 2026, and every district must adopt a policy by July 1, 2026. Ohio is the first state in the country to convert AI guidance from a suggestion into a statutory duty. The statute mandates that a policy exist; it does not dictate what the policy says, so a district may adopt the state model verbatim and be compliant or write its own aligned version. The model policy makes data privacy and security central, requiring that any AI tool comply with existing data privacy and security policies, including protections for personally identifiable information, FERPA, and other relevant state and federal laws, and that tools process only necessary data in a secure, transparent, and ethical manner. A legal analysis published June 12 by the firm Kohrman Jackson Krantz warns that adopting the state model makes a district compliant but not necessarily safe, and that the widest gap is in special education: the model addresses special education only by seating a special education representative on its AI workgroup and suggesting districts review related policies, even though AI tools used to draft IEP or Section 504 documents can raise disability discrimination concerns that surface in a due process complaint rather than a compliance audit.

Every Ohio district, charter, and STEM school immediately, and every district nationally as a preview of where state mandates are heading. Ohio is the template other states are watching and is likely to be copied. The districts most exposed are those that plan to adopt the state model verbatim at the last minute to clear the deadline without addressing the gaps the model leaves open, especially in special education, vendor data agreements, and the specific question of what student data may be entered into which tools. Adopting a policy by July 1 satisfies the statute; it does not by itself protect the district from the FERPA and disability-law exposures the policy is supposed to manage.

The statutory deadline creates a bright-line compliance event: a district without a board-adopted AI policy on July 1 is out of compliance with Ohio law. But the deeper exposure is in the gap between adopting a policy and being protected by it. Under FERPA, the district remains responsible for student education records that any AI tool touches. Under IDEA and Section 504, using an AI tool to help draft IEP or 504 documentation introduces disability discrimination risk if the tool's output is not carefully reviewed by a qualified human. Federal monitors and due process hearing officers would ask: Does your AI policy specifically address the use of AI in special education documentation? Does it name which tools are approved for student data and what data may never be entered? Does it require human review of any AI-assisted IEP or 504 content? A policy that is silent on these points is compliant with the statute but leaves the district exposed where the real risk is.

On May 14, 2026, Colorado Governor Jared Polis signed Senate Bill 26-189, which repeals and replaces SB 24-205, the 2024 Colorado AI Act that had been the first comprehensive state AI law in the country. The original law, which was scheduled to take effect June 30, 2026 after an earlier delay, used a high-risk artificial intelligence system framework with duty-of-care, risk-management, and impact-assessment requirements. The replacement law discards that machinery and instead regulates automated decision-making technology, defined as technology that processes personal data and uses computation to generate outputs such as predictions, recommendations, classifications, rankings, or scores that are used to make, guide, or assist a decision about an individual. The law applies when such technology materially influences a consequential decision in one of seven covered domains, and education is named explicitly alongside employment, housing, financial or lending services, insurance, health care, and essential government services. The new law takes effect January 1, 2027 and establishes three core obligations for deployers: a pre-use notice to consumers before covered technology is used in a consequential decision, a post-adverse-outcome notice within 30 days if the technology materially influences an adverse decision, and consumer rights to access and correct personal data and to request meaningful human review. The standard for meaningful human review is demanding: the reviewer must have authority to override the decision, must be trained for the role, and cannot simply default to the system's output.

Colorado school districts and any organization that uses algorithmic tools to make or assist consequential decisions about students in Colorado, with the same structure likely to spread to other states. Because education is a named covered domain, a district that uses automated decision-making technology to influence student access, eligibility, or selection, for example in admissions, program placement, disciplinary screening, or resource allocation, falls within scope. The law also notes that FERPA-covered educational institutions are treated as compliant when they follow their existing sector-specific notice and disclosure requirements, which makes a district's existing FERPA posture directly relevant to its position under the new law. Districts in other states should read SB 26-189 as a signal: the trend in state AI law is toward regulating automated decisions in education specifically, with notice, explanation, and human-review obligations.

For Colorado districts, the exposure is concrete from January 1, 2027: if an automated tool materially influences a consequential decision about a student and produces an adverse outcome, the district owes a plain-language explanation within 30 days and must honor the student's or family's right to request human review by a reviewer empowered to overturn the result. The meaningful-human-review standard means a staff member who rubber-stamps an algorithm's recommendation does not satisfy the law. Federal monitors and state regulators would ask: Does your district inventory the automated tools that influence decisions about students? Can you produce the pre-use notice and the post-adverse-outcome explanation the law requires? Is there a trained human with authority to override an AI-influenced decision? Districts that cannot answer these will not be ready when the law takes effect.

A national report published June 16 by Stateline, carried across dozens of outlets, documented how far the gap between AI adoption and AI governance has grown in K-12 schools as state deadlines arrive. It cited a Center for Democracy and Technology survey finding that 85 percent of teachers and 86 percent of students used AI during the 2024-25 school year, but that fewer than half received training on the risks. It quoted Sophia Romee, general manager of the GenAI Studio at the College Board, saying that only about one in five districts that allow students to use generative AI has a formal policy governing its use. The report set out the patchwork of state responses: Ohio's July 1 deadline for every district to adopt an AI policy, a new Idaho law signed in March requiring local districts and charter schools to devise AI usage policies and ensuring that no AI replaces a human teacher, and Maryland's law sponsored by state Senator Katie Fry Hester requiring an AI coordinator in each system, statewide professional development, and AI literacy in career-readiness and computer-science standards. It noted that lawmakers filed more than 134 bills across 31 states this year related to AI in education, focused on data privacy, classroom usage restrictions, and literacy. It also captured the skepticism: MIT researcher Justin Reich said writing a guide for AI in 2026 is like writing a guide for aviation in 1905, and the Center for Democracy and Technology found half of students said using AI in class made them feel less connected to their teachers while 70 percent of teachers worried AI use was preventing students from learning important skills.

Every district without a formal, communicated AI policy, which on the College Board figure is roughly four in five of the districts that already permit student AI use. The report makes the throughline of this bulletin explicit: adoption is near-universal, governance is not, and the gap is where data privacy, academic integrity, and student wellbeing incidents originate. The named state actions, Ohio, Idaho, and Maryland, show the policy floor rising, which means districts that have no policy are not just exposed to incidents but increasingly out of step with their states.

There is no single federal AI mandate, but the combination of near-universal use and minimal governance is itself the exposure. When a student or teacher enters student data into an unvetted AI tool, the FERPA responsibility lands on the district, and the absence of a written policy demonstrates that no reasonable safeguard was in place. As Ohio, Idaho, and Maryland show, the absence of a policy is shifting from a gap to a statutory violation depending on the state. Federal monitors and state auditors would ask: Does your district have a written, communicated AI policy? Have teachers and students received documented guidance on what data may and may not be entered into AI tools? Is there an approved-tools list and a named owner for AI governance?