Never log into or use a public Generative AI service unless it is officially approved by your agency's IT security/procurement authorities.
Scrub all personally identifiable information (PII), agency-sensitive terms, project nicknames, and technical architecture details before submitting prompts to public models.
Understand your data categories (CUI, FOUO, PII, Draft policy documents). Treat public AI input fields as public releases.
Do not upload spreadsheets, source code, internal memos, or citizen datasets to commercial AI tools that retain user input for model retraining.
Be wary of emails that mention highly specific agency projects, colleague names, or specific terminology. AI can synthesize personalized lures rapidly, so accurate detail does not prove a message is legitimate.
If an email demands urgent financial actions, credential resets, or document transfers, verify the request through an established contact number, not via email reply.
Watch for unusual requests from managers or executives on Microsoft Teams, Slack, or by telephone. Deepfakes can replicate voices and video in real time.
Never bypass established authentication standards based on audio or video validation alone. Follow strict administrative verification paths.
Document the tool name, version, exact business use case, and compliance details (e.g., FedRAMP authorization status) when requesting AI tooling.
Ensure any tool used allows opting out of data sharing for training purposes (e.g., utilizing API endpoints or enterprise seats rather than consumer tiers).
If you suspect credentials or sensitive data were submitted to an unauthorized AI tool, disconnect the browser session and notify security officers immediately.
Log the exact prompt, document uploaded, time of transaction, and the URL of the tool used. This helps forensic teams assess the scope of the breach.
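The scrubbing step above can be backed by a pre-submission check. The following is an added example, not part of the original guidance or any agency tool: the function name, the regex patterns, the term list, and the choice to block (rather than redact) text carrying a CUI or FOUO marking are all assumptions. Pattern matching misses free-text names and architecture descriptions, so it supplements manual review rather than replacing it.

```python
import re

# Constructed patterns for common US formats; an assumption, not an agency standard.
REDACT = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")),
]
# A handling marking means the whole text is controlled: block it, do not redact it.
MARKINGS = re.compile(r"\b(?:CUI|FOUO)\b")


def scrub_prompt(text, sensitive_terms=()):
    """Return (scrubbed_text, findings, blocked) for a draft prompt."""
    if MARKINGS.search(text):
        return "", {"MARKING": len(MARKINGS.findall(text))}, True
    findings = {}
    for label, pattern in REDACT:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            findings[label] = n
    # Longest terms first so a full project name is replaced before a shorter alias.
    for term in sorted(sensitive_terms, key=len, reverse=True):
        pattern = re.compile(rf"(?<!\w){re.escape(term)}(?!\w)", re.IGNORECASE)
        text, n = pattern.subn("[TERM]", text)
        if n:
            findings["TERM"] = findings.get("TERM", 0) + n
    return text, findings, False


if __name__ == "__main__":
    # Constructed sample; the names, host, address and numbers are invented.
    draft = ("Summarize the outage on db-prod-07 (10.20.30.40) for Project Bluejay. "
             "Contact jane.doe@agency.example or 555-010-0199; claimant SSN 123-45-6789.")
    clean, found, blocked = scrub_prompt(draft, ["Project Bluejay", "db-prod-07"])
    print(clean)
    print(found, "blocked" if blocked else "ok to review")
```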