Every public agency is getting the AI question now — from the board, from the council, from vendors, occasionally from a legislator with a survey attached. Nearly all of the resulting conversations start with tools: which model, which product, what the policy memo should say. The right starting place is older and much less interesting. It is the records.
The Tool Drafts From What the File Contains
Ask an AI tool to draft a violation letter from a case file and it will draft from whatever the case file holds. If the last three inspections live in an inspector's email — because the field app was down that week, or because that is simply how he has always worked — the letter goes out citing a two-year-old inspection as the current one. The tool did not fail. The record did, quietly, years before anyone bought software.
Summarization breaks the same way. Ask for a summary of public comment on a conditional use permit and you get a faithful summary of the comments in the system. The 40 comments submitted on paper at the front counter — scanned to a shared drive folder nobody indexed — are not in it. The staff report calls comment broadly supportive. The appeal hearing says otherwise.
And then there is the question nobody asks early: is the generated draft itself a public record, and where is it retained? In practice that question gets asked for the first time by a records officer in the middle of fulfilling a request — which is the worst possible moment to be deciding.
Every AI Question Is a Records Question
Strip the branding off and every government AI use case is an operation on records. Summarize these comments. Draft a letter from this file. Classify this document. Explain this status. Which means each one carries the same underlying questions:
- Are the records complete and accurate enough to act on?
- Who is allowed to see what the model is about to read?
- Is the output a public record, and under what retention schedule?
- Can you show, later, what was generated, what was edited, and who approved it?
An agency that cannot answer these does not have an AI readiness gap. It has a records gap, and AI will find it faster than any audit would have.
The Five Preconditions
Practical AI governance comes down to five things. None of them are new:
- Clean records — one system of record, statuses that mean something, exceptions tracked instead of living in someone's inbox
- Permissions — access defined by role, so a tool reading on a clerk's behalf inherits the clerk's actual boundaries
- Retention — drafts and final outputs classified and kept like the records they are, decided before the first records request, not during it
- Audit trails — who ran what, on which records, with what result, written so a human can read it back a year later
- Human review — approvals with names, timestamps, and reasons. A checkbox is not review
Notice what is missing: model selection, prompt strategy, vendor names. Those choices matter less than the floor they stand on, and they change faster too.
This Is Old Discipline, Not a New Field
Framing it this way turns an anxious technology conversation into ordinary government work. Agencies already know how to manage records, permissions, retention, and review — there are statutes, schedules, and decades of practice behind all of it. AI governance is not a new discipline. It is the old records discipline applied to a new way of producing documents. Which means an agency can act this quarter, with the staff it has. No task force required.
Start with the records officer, not the vendor demo. Find where the real case files live — including the parts in email — and decide now what a generated draft is and where it goes. That is the approach behind our AI governance work: we do not sell AI. We build the accountability layer that makes it safe to use.