Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 40 – Generative Artificial Intelligence Policy


47130.5 Roles and Responsibilities

Revised March 27, 2026
  • Department Chief Information Officer (CIO) or designee.

    • The CIO shall determine risk response for all GenAI usage and procurements, whether intentional or whether the procurement or use of the GenAI was incidental to the primary procurement or use. This includes the authority to approve or disapprove any and all potential use of GenAI by California Department of Corrections and Rehabilitation (CDCR) personnel. This responsibility cannot be designated.

    • The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or Designee is required to audit and assess compliance with this policy at least once every two years.

    • The CIO or Designee shall ensure that GenAI risks are continuously monitored and managed.

    • The CIO or Designee shall determine the appropriate security controls for GenAI and related technologies.

  • Department Information Security Officer (ISO).

    • The ISO shall:

      • Participate in risk assessments associated with GenAI and related technologies. Risk assessments must adhere to State and Federal policy requirements.

      • Ensure the department inventories its use of “high risk automated decision systems” as defined in Government Code (GC) Section 11546.45.5, subdivision (a)(5), or its subsequent iteration, and “high-risk” GenAI systems as identified by the risk assessment required by SIMM 5305-F. This includes ensuring such inventories are made available to the California Department of Technology, as specified in GC Section 11546.45.5 and applicable State policy.

    • The ISO shall ensure that all use of GenAI and related technologies is approved prior to implementation.

  • Department owners of information assets and program management.

    • Owners of information assets shall ensure that personnel under their purview undergo GenAI training according to their roles and responsibilities, prior to their involvement in any potential use or use of GenAI that may utilize department data and information assets.

    • Owners of information assets shall ensure all GenAI applications under their purview that are deemed “high risk automated decision systems” as defined in Government Code (GC) Section 11546.45.5, subdivision (a)(5), or its subsequent iteration, and “high-risk” GenAI systems as identified by the risk assessment by SIMM 5305-F are documented.

    • Owners of information assets, in collaboration with Information Asset Custodians, shall ensure that all GenAI output under their purview used for decision making is reviewed regularly to prevent biases and misuse. The review shall include verification of accuracy and factuality of the input and output data to prevent misinformation.

  • Department Information Asset Custodians

    • Information Asset Custodians in collaboration with Owners of Information Assets shall implement, maintain, and monitor GenAI access and security controls for any GenAI usage under their purview.

  • Department Information Asset Users

    • Users of department information assets shall be aware of and adhere to all department information security and privacy policies.