The vendor required to provide data privacy, security, and artificial intelligence (AI) use policy will establish clear guidelines, standards, and best practices for the collection, storage, use, sharing, and disposal of all city data — including data processed or generated through AI systems — with an emphasis on security, privacy, transparency, and ethical use.
- Current state assessment
• Conduct interviews with city departments to identify all data flows, AI usage, and processing activities.
• Inventory all categories of city data, including personally identifiable information (PII), operational data, AI training datasets, and AI-generated outputs.
• Review existing AI use cases and assess potential risks including bias, transparency, and privacy.
• Evaluate current policies, procedures, and technical controls for compliance with NIST, state, and federal standards.
- Gap analysis and compliance review
• Compare current practices to NIST cybersecurity, privacy, and AI risk management framework (RMF) standards.
• Identify gaps related to state -specific AI regulations and public sector privacy obligations.
• Provide a prioritized risk assessment with recommendations for mitigating both data security and AI governance risks.
- Policy development
1. Data governance and security
• Data classification and handling requirements.
• Access control and authentication protocols.
• Encryption standards for data at rest and in transit.
• Data retention and secure disposal procedures.
• Privacy impact assessments for new technology implementations.
2. AI governance and responsible AI use
• Definition of approved AI use cases within city operations.
• Guidelines for the acquisition, deployment, and monitoring of AI tools.
• Requirements for transparency and explain ability of AI-driven decisions.
• Bias detection, mitigation, and fairness assessments.
• Human oversight requirements for AI-assisted decision-making.
• Data minimization and privacy safeguards in AI model training and inference.
• Compliance with state AI-related statutes and public accountability standards.
3. Third-party and vendor requirements
• Data protection obligations for AI and non-AI vendors.
• Contractual clauses for data ownership, access rights, and breach reporting.
4. Incident response and breach notification
• Procedures for responding to cybersecurity incidents, data breaches, and AI system failures.
• Notification timelines and requirements under state law.
- Implementation roadmap
• Provide a phased rollout plan for the policy, including department-level adoption.
• Recommend monitoring, logging, and auditing processes for AI and data systems.
• Suggest governance structures (e.g., AI oversight committee) for ongoing review.
- Training and knowledge transfer
• Conduct workshops for city leadership, IT staff, and department heads.
• Provide training on secure data handling, privacy compliance, and ethical AI use.
• Deliver plain-language guidance documents for city employees.
- Ongoing support recommendations
• Recommend review intervals and update procedures for the policy.
• Suggest ongoing compliance and AI risk monitoring tools.
- Contract Period/Term: 1 year
- Pre-Offer Conference Date: January 21, 2026
- Questions/Inquires Deadline: January 28, 2026
