Best Practices and Guidelines for ChatGPT & API Models
To ensure the safe and secure use of ChatGPT and similar AI models, it is important to follow best practices and guidelines. This advisory document is intended to inform and provide recommendations for the responsible utilization of these tools.
BEST PRACTICES & GUIDELINES
ChatGPT AND AI MODELS
CITY OF GREENSBORO | INFORMATION TECHNOLOGY
Best Practices and Guidelines for ChatGPT and Similar AI Models
INTRODUCTION
To ensure responsible and effective AI adoption within our organization, this document outlines best practices and guidelines for AI use. The IT department will serve as the primary point of contact, with an informal AI user group available as a resource for insights and discussion. Departments should submit AI-related inquiries and support requests through the IT ticketing system. A glossary of technical terms is available on page 10 in the Appendix.

Initial Rules and Guidelines
• Never upload documents or data that contain confidential information, including personally identifiable information (PII), bank account numbers, credit card information, social security numbers, financial information, or any other information that is deemed confidential and not for public use.
• Never provide your login information.
• Never upload process documents that are specific to the operation of the City of Greensboro (i.e. SOPs, SCADA documents, architectural diagrams, configuration documents, software development documentation, operational documents related to Police, Fire and GM911).
• Do not use Chatbots to search for private information about employees or residents.
• Never use Chatbots for any illegal or fraudulent activities. The City is held liable for any activities you perform using the City’s IT resources.
• You should not use Chatbots to get personal, legal or medical advice.
• Check the responses provided by the Chatbots before utilizing them, as some information may be inaccurate or the content might be protected by copyright laws and cannot be used without authorization.
• Do not click on links provided in Chatbot responses, as some may direct you to malicious websites intended to compromise your credentials. Always check with the Cyber Security Team first before clicking on any links.

Acceptable Use and Risk Mitigation for AI Chatbots
• Departments should collaborate with IT to regularly review and update AI Chatbot policies, ensuring compliance and mitigating risks.
• AI-generated outputs should include disclaimers and verification processes to reduce misinformation risks.
• Compliance with evolving regulations should be monitored regularly, and any concerns should be submitted through the IT ticketing system.
AI Meeting Assistants (Fireflies, ReadAI and similar tools)
• Never use third party AI meeting assistants in meetings where confidential information may be used.
• Data stored by these tools should be considered public data and may be subject to public records requests.
• Departments should work with IT to assign responsible contacts for ensuring proper implementations and adherence to guidelines.

Validating Output for Misinformation and Accuracy
Employees need to use critical thinking and research skills to validate information output from AI systems.
• This data should never be taken at face value as AI systems may hallucinate and provide inaccurate information.
• Overreliance on the accuracy of AI systems can lead to skill atrophy and mistakes that could negatively impact our community.

Reporting and Feedback
Users are encouraged to provide feedback on AI systems and review outputs generated by these systems before relying on them for decision-making.

Expanding Current Employee Guidelines
Just as the city has a comprehensive moonlighting and conflict of interest policy in place, we may consider adding a clause that encompasses the use of AI systems outside of regular employment.

AI Tool Integration into Workflows
• AI tool adoption should follow a standardized integration process developed in collaboration with IT.
• A formal review process should be conducted with IT to assess security, compatibility, and long-term sustainability.
• Ongoing monitoring and feedback mechanisms should be implemented, with issues reported through the IT ticketing system.
Applications Development
Expand our code review processes and policies to encompass Generative AI tools in order to hold ourselves accountable.
• Generative AI systems often produce example code that is not only inefficient, but in some cases completely insecure.
• Generative AI does not have the ability to distinguish between "good" and "bad" code.
• For the purpose of data loss prevention, it should be stressed that no proprietary source code should ever be entered into a public repository or AI systems.

Microsoft CoPilot 365
Microsoft currently offers a more privacy focused version of ChatGPT called CoPilot 365 that is currently being tested in a pilot program. This option utilizes Azure as its backend and operates within the Microsoft tenant. This system allows AI features within Office 365 applications such as Word, Excel, Powerpoint, and Teams.
• Data sent to these systems would not be used to further train the public AI. Data access for these systems follows our current security policies.

Deepfakes
Deepfakes are artificially created media (video, audio, or images) that use advanced AI technology to replace a person's likeness with someone else's in a convincingly realistic manner. These sophisticated forgeries leverage AI systems to manipulate or generate visual and audio content that can be nearly indistinguishable from authentic media.
Deepfakes pose significant threats to organizations:
• Reputational damage - Fabricated videos of individuals making inflammatory statements or engaging in inappropriate behavior can severely damage an organization's reputation, even after being debunked.
• Security breaches - Voice-cloning technology can be used in social engineering attacks to trick employees into divulging sensitive information.
• Misinformation spread - Deepfakes can undermine trust in authentic communications from an organization.
• Legal liability - Organizations may face legal challenges defending against or addressing harm caused by deepfakes impersonating their representatives.
Protection against Deepfakes
• Verify through multiple channels - Never rely on a single communication channel when receiving unusual requests. If you receive an email, video call, or voice message requesting sensitive information or financial transactions, confirm through a different method like an in-person conversation or a separate phone call to a known number.
• Watch for warning signs - Look for inconsistencies in audio or video communications, such as unnatural facial movements, strange lighting, audio-visual misalignments, or distortions when someone moves. In voice-only communications, listen for unusual speech patterns, background noise inconsistencies, or linguistic choices that seem out of character.
• Be skeptical of urgent requests - Deepfakes are often used in social engineering attacks that create a false sense of urgency. Be especially cautious of time-sensitive requests involving money transfers, credential sharing, or confidential information.
• Report suspicious communications - If you encounter a suspected deepfake, report it immediately to the IT security team. Preserving the evidence can help prevent others from falling victim to similar attacks.

CONSTRUCTIVE USER STORIES

User Story: Generate Social Media Campaigns
As a marketing professional for the City of Greensboro, I frequently work on crafting compelling social media campaigns. I often encounter challenges that require quick and accurate information or assistance. I want to leverage the capabilities of ChatGPT to provide me with valuable insights, suggestions, and support in real-time, without revealing any proprietary or confidential information. This will optimize my ability to generate creative and engaging content ideas that resonate with our target audience, while ensuring that security best practices are followed.

Acceptance Criteria
1. ChatGPT should not have access to any confidential company data or proprietary information.
2. The generated content ideas should be focused on general marketing concepts and not reveal any specific strategies or campaign details.
3. I should be able to customize and adapt the generated content ideas to align with the City of Greensboro guidelines and objectives.
4. Data utilized should be based on widely available marketing knowledge and not rely on proprietary data or insights.

Scenario
I initiate a conversation with ChatGPT, providing it with a general overview of the campaign goals and target audience without disclosing any confidential details. I ask ChatGPT to generate content ideas for an upcoming product launch, focusing on broader marketing concepts and industry trends. ChatGPT responds with a variety of creative content ideas that can be adapted to different marketing channels. I carefully review and validate each idea, ensuring they align with our guidelines and do not disclose any confidential or proprietary information. After selecting the most promising content ideas, I further customize and refine them to meet our campaign objectives and ensure they remain within the boundaries of non-sensitive information. Throughout this process, I strictly adhere to the data privacy and confidentiality guidelines set forth by the City of Greensboro. By utilizing ChatGPT in this manner, I can leverage its capabilities to boost my creativity and efficiency in generating content ideas while safeguarding the privacy and confidentiality of our company's sensitive information.

User Story: Talent Acquisition Job Screening
As a talent acquisition specialist for the City of Greensboro, I am responsible for screening numerous job applications to identify suitable candidates for open positions. This process is time-consuming and labor-intensive. I want to leverage AI technology to assist with the initial screening of resumes and applications, helping me identify promising candidates more efficiently while ensuring fair and unbiased evaluation. This will allow me to focus on meaningful candidate interactions and strategic recruitment tasks, while maintaining compliance with regulations and responsible AI principles.

Acceptance Criteria
1. The AI system should analyze applications based on job-relevant criteria only, without introducing or amplifying biases related to age, gender, ethnicity, or other protected characteristics.
2. All AI-assisted screening decisions should be transparent and explainable, with clear documentation of the criteria used.
3. I should maintain final decision-making authority, with the AI serving in an advisory capacity only.
4. The AI should not have access to the candidates’ personal or sensitive information beyond what is strictly necessary for skills and qualification assessment.
5. The system should comply with all applicable privacy regulations and data protection standards.
6. Regular audits should be conducted to detect and mitigate any potential biases in the AI’s recommendations.
Scenario
I receive a large batch of applications for a position and need to identify qualified candidates efficiently. I upload the job description and anonymized resumes to the AI system, specifying the key skills, qualifications, and experience required for the role. The AI analyzes the applications and presents me with a structured overview highlighting candidates whose qualifications align with the job requirements. For each candidate, the AI provides a summary of relevant skills and experience matches, without making final judgments about suitability. I review the AI’s analysis, examining both highly-ranked and borderline candidates to ensure no qualified applications are overlooked. I notice the patterns that might have been missed in a manual review, such as transferable skills from adjacent industries. Throughout this process, I maintain awareness of the AI’s limitations and potential blind spots. I periodically check candidates that weren’t highlighted by the AI to verify the system isn’t overlooking certain backgrounds or non-traditional career paths. By utilizing AI in this responsible manner, I improve the efficiency and consistency of our initial screening process while ensuring human oversight, fairness, and compliance with the city's commitment to inclusive hiring practices.

User Story: Prioritize Maintenance Requests
As a facilities manager, I am responsible for handling numerous maintenance requests across multiple buildings and departments. I often struggle with efficiently prioritizing these requests based on urgency, impact, and resource availability. I want to leverage AI technology to help analyze and categorize incoming maintenance requests, providing data-driven recommendations for prioritization. This will enable me to respond more effectively to critical issues, optimize resource allocation and improve facility management while maintaining transparency in the decision-making process.

Acceptance Criteria
1. The AI system should analyze maintenance requests based on multiple factors including safety implications, operational impact, affected departments, and resource requirements.
2. The system must maintain transparency in its prioritization logic, allowing me to understand the reasoning behind each recommendation.
3. I should retain final decision-making authority, with the AI serving in an advisory capacity only.
4. The AI should integrate with our existing maintenance request system without compromising data security or privacy.
5. The system should be capable of adapting its recommendations based on feedback and changing organizational priorities.
6. Regular audits should be conducted to ensure the AI’s recommendations align with organizational policies and maintenance best practices.
Scenario
I begin my workday with many new maintenance requests that have accumulated overnight across our facilities. Instead of manually sorting through each ticket, I utilize our AI-assisted prioritization system to help organize my team’s workflow. The AI analyzes the requests, considering factors such as the nature of the issue (electrical, plumbing, HVAC), potential safety implications, number of affected employees, impact on business operations, and available maintenance staff. The system presents me with a categorized view of requests, highlighting those requiring immediate attention. I review the AI’s recommendations, noting that a relatively minor-sounding electrical issue in the server room has been flagged as high priority due to its potential impact on business operations. I agree with this assessment and assign it to our electrician. By leveraging AI in this collaborative manner, I improve our response time to critical maintenance issues while optimizing resource allocation and maintaining human oversight of this prioritization process. This results in better-maintained facilities, improved employee satisfaction, and more efficient operations overall.

User Story: Public Safety Writing Assistant
As a public safety employee, I regularly need to create detailed incident reports documenting various situations I encounter during my shifts. These reports must be accurate, comprehensive, and compliant with departmental standards and legal requirements. I want to leverage AI technology to assist with drafting these reports more efficiently while maintaining quality and compliance. This will help me reduce administrative time spent on documentation, ensure critical details are captured, and allow me to focus more on my primary public safety responsibilities.

Acceptance Criteria
1. The AI system should assist with organizing and structuring reports based on departmental templates without compromising accuracy or completeness.
2. I must maintain full editorial control and final approval of all report content.
3. The AI should not have access to personally identifiable information (PII) unless absolutely necessary, and any such information must be properly secured and handled in compliance with privacy regulations.
4. The system should help identify potentially missing information or inconsistencies in the report based on standard protocols, without making assumptions about incident details.
5. All AI assistance must comply with departmental policies, legal requirements, and chain of custody considerations for documentation.
6. The system should improve efficiency without compromising the integrity or admissibility of reports in legal proceedings.
7. Regular audits should be conducted to ensure the AI’s assistance aligns with current reporting standards and requirements.
Scenario
After responding to an incident, I need to complete a detailed report documenting what occurred. Rather than starting from scratch, I use our AI-assisted report writing system to help streamline the process. I begin by entering basic information about the incident type and location. The AI presents me with the appropriate report template and suggests relevant sections to complete based on departmental standards for this incident type. As I dictate my observations, the AI helps organize the information into the proper format while flagging areas where additional details might be needed according to protocol. When describing witness statements, the AI prompts me to include key elements I may have overlooked, such as environmental conditions or estimated timelines. It also suggests standardized terminology consistent with departmental guidelines, which I can accept or modify as appropriate. Before finalizing the report, I thoroughly review all content, making necessary edits and ensuring that all information accurately reflects my observations and actions at the scene. I verify that sensitive information is handled appropriately according to our department’s policies. By utilizing AI in this supportive manner, I complete my reports more efficiently and consistently while maintaining full control over content and ensuring compliance with all relevant standards. This allows me to spend less time on administrative paperwork and more time focused on public safety duties, while still producing high-quality documentation.

CONCLUSION
By following the recommendations outlined in this advisory document, the City of Greensboro can leverage the capabilities of AI while ensuring safe and responsible AI usage. Though the introduction of these technologies may seem daunting, as an organization, the most effective way we can ensure the safety of our employees and citizens' data is through regular training, awareness programs, and ongoing vigilance. Through our combined cooperation and ability to adapt to the changing landscape, we will surely thrive and continue to provide the most optimal and effective service for the city we serve.
Appendix
Glossary
AI (Artificial Intelligence): Computer systems that are capable of performing tasks typically associated with human intelligence such as learning, reasoning, and problem solving. Most commonly used as a shorthand for Generative AI systems.
ChatGPT: A generative AI chat program owned by OpenAI. Data entered into chats is used to train the model further and should not be considered private information.
Deepfakes: Artificially created media (video, audio, or images) that use advanced AI technology, particularly deep learning, to replace a person's likeness with someone else's in a convincingly realistic manner. These sophisticated forgeries leverage neural networks to manipulate or generate visual and audio content that can be nearly indistinguishable from authentic media.
Generative AI: A subset of artificial intelligence that uses generative models to produce text, videos, images, and other data based on patterns learned from training. Designed to always respond with the most statistically relevant answer.
Hallucinations: AI responses that contain inaccurate, incomplete, or non-factual information. When prompted, if the AI system does not have access to the information or the full context of the request, the response may be incorrect despite sounding authoritative.
LLM (Large Language Model): This is the underlying technology for Generative AI systems such as ChatGPT. These models are trained on vast amounts of data and will always respond with information that is most statistically relevant to the request made.
PII (Personally Identifiable Information): Information that contains the names, social security numbers, financial information, bank account information, and credit card information of individuals or organizations.