Lead with guidance
- Publish user guidance by default.
- Publish summaries when full documents are too sensitive.
Who each document is for
Not every document should be public. The framework works best when every artifact carries a visibility label and a defined audience — so publishing decisions are deliberate, not accidental.
Four visibility labels
Every artifact in the framework is tagged with one of four labels. They describe how widely a document can be shared.
Public
Safe for open publication — appropriate for prospective students, external stakeholders, and the open web.
Institution-wide
Visible to all campus users with institutional credentials, but not published openly.
Restricted Internal
Limited to approved internal stakeholders such as governance bodies and service owners.
Confidential
Limited due to sensitive security, privacy, legal, or incident content.
Visibility by document type
A default visibility for each artifact, with the peer pattern that tends to accompany it.
| Document type | Primary audience | Default visibility | Peer pattern |
|---|---|---|---|
| Institutional AI strategy & principles | Community, leadership, public | Public | Often published |
| AI acceptable use guidance | Students, faculty, staff, researchers | Public / Institution-wide | Commonly published or broadly shared |
| Academic integrity & teaching guidance | Students, faculty, teaching support | Public / Institution-wide | Very commonly visible |
| Data classification & sensitive-data guidance | Users, data stewards, IT, compliance | Institution-wide | Summarized publicly, detail internal |
| AI RMF profiles | Governance bodies, service owners, reviewers | Restricted Internal | Public summaries possible, full profiles internal |
| AI service catalog | Entire campus | Public / Institution-wide | Common among early adopters |
| AI use-case registry | Service owners, approvers, governance teams | Institution-wide / Restricted | Emerging; summaries sometimes published |
| AI service cards | End users, approvers, support teams | Public / Institution-wide | Often partial via catalog entries |
| System cards | Security, privacy, technical owners, auditors | Restricted Internal | Usually not public |
| Vendor model cards | Developers, reviewers, governance teams | Public | Already public when vendor-supplied |
| Internal model summaries | Governance teams, reviewers, ML teams | Restricted Internal | Rarely public |
| Per-deployment risk registers | Leadership, governance, security, auditors | Confidential | Internal only |
| Consolidated AI risk registry | Leadership, governance bodies, auditors | Restricted Internal | Public summaries possible |
| Privacy, security, accessibility reviews | Compliance teams, service owners, auditors | Confidential / Restricted | Internal evidence |
| Vendor due diligence & contracts | Procurement, legal, privacy, security | Confidential | Internal only |
| Evaluation, red-team & incident reports | Technical owners, governance, leadership | Confidential / Restricted | Internal only |
Simple publication defaults
When in doubt, four defaults resolve most publishing decisions without a committee.
Protect the evidence
- Keep control evidence internal by default.
- Treat model documentation as mixed-visibility.