This policy sets out the general framework for the use of artificial intelligence at SDU.
The use of artificial intelligence is developing rapidly and is already having an impact on SDU’s core activities in the areas of research, education and administration. At the same time, the use of artificial intelligence brings with it new risks in terms of quality, responsibility, ethics, data protection and legislation.
This policy has been drawn up to ensure a common institutional framework for the responsible use of artificial intelligence at SDU and to provide clarity on principles, responsibilities and guidelines across the organisation.
This policy applies to all of SDU. Specifically, it applies to both staff (academic staff and technical/administrative staff) and students.
This policy covers all forms of use of artificial intelligence in connection with work (research, teaching, administration) and education at SDU.
The use of artificial intelligence at SDU must be in accordance with the principles set out below, which are enshrined in SDU’s AI Code and the University’s core values.
People-centered application and responsibility
Artificial intelligence should support, not replace, human judgment, expertise, and relationships. People are always responsible for decisions, assessments, and output involving artificial intelligence.
Quality and academic validity
The use of artificial intelligence must not undermine academic standards. AI-generated content must be critically assessed, verified and quality-assured by the responsible member of staff.
Transparency
The use of artificial intelligence in academic, administrative, and organizational contexts must be transparent and comply with applicable guidelines.
Ethics and accountability
Artificial intelligence must not be used for purposes that conflict with SDU's values or society's ethical standards, including manipulation, fraud, discrimination, surveillance or unfair treatment.
Compliance with the law and data protection
Artificial intelligence must only be used in ways that comply with applicable legislation, including copyright law, intellectual property law, the GDPR, and SDU's data and information security policies.
Sustainability
The use and selection of AI solutions must take into account environmental and societal implications and be aligned with SDU's climate and sustainability goals.
The Information Security and Data Protection Committee (UID) at SDU is responsible for the overall AI policy.
System and process owners are responsible for establishing detailed rules governing the use of artificial intelligence within their system or core process. For example, HR is responsible for setting out detailed rules in a policy regarding the use of artificial intelligence in the recruitment process.
Local AI guidelines must not conflict with the AI policy or any guidelines established by the main process owner.
Management is responsible for ensuring that employees are made aware of the policy.
Employees are responsible for familiarising themselves with and complying with the policy and associated guidelines, as well as any underlying instructions.
SDU ensures that staff have an appropriate level of AI competence and literacy in relation to their job responsibilities. The use of new or modified AI solutions must fall within SDU’s established governance framework and may be subject to risk assessment, approval and follow-up.
The use of artificial intelligence at SDU must comply with Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (the AI Act). The Regulation is based on a risk-based approach, whereby requirements and restrictions depend on how and for what purpose AI is used.
SDU takes a risk-based approach to the use of artificial intelligence. This means that the use of artificial intelligence is assessed in terms of its purpose, consequences and risks, including its impact on people, data, rights and the institution’s reputation.
SDU adopts a low risk tolerance in applications where artificial intelligence may have significant implications for individuals, legal certainty, data protection or academic integrity, and a higher risk tolerance in applications with limited consequences and clear human oversight.
As a self-governing institution subject to public administration, SDU is required to pay particular attention to ensuring that the use of AI to support public authority tasks has a clear and unambiguous legal basis.
AI systems must be assessed according to the following general risk categories:
Minimal and limited-risk uses (e.g. generative AI for text, analysis and administrative tasks) may be applied, provided that applicable requirements for transparency, data protection, academic integrity and human accountability are met.
High-risk AI (e.g. systems used for recruitment, admissions, assessment, examinations, disciplinary matters or access to rights and benefits) may only be used following specific approval and on the condition of documented risk management, meaningful human involvement, the possibility of oversight, and ongoing quality assurance.
Prohibited AI practices, as defined in the AI Act, must not be used at SDU. This includes, among other things, social scoring, manipulative behaviour management, unlawful biometric identification or other uses that infringe on fundamental rights.
The AI legislation sets out requirements relating to, among other things, risk management, documentation, logging, human oversight, transparency and incident reporting.
Where AI is used to generate content, analyses or decision support, appropriate transparency about its use must be ensured, and there must always be a clearly identifiable human sender.
AI-generated output must not be used without a professional and critical evaluation.
The terms ‘AI agents’ and ‘AI assistants’ are often used interchangeably, both in the literature and in the product names of various providers, and there is no clear-cut definition, neither in international standards nor in a legal sense. This policy distinguishes between AI agents/AI assistants and agentic AI, which refers to the more autonomous virtual assistants (see Section 10).
AI agents/AI assistants can be customised to provide responses based on specific sources and take into account the specified context or predefined rules.
AI agents/AI assistants can be used for ‘vibe coding’, a form of software development in which natural language is used as the primary input for an AI agent or AI assistant, which translates the user’s prompts into code, test cases, configuration files or architectural proposals. This method can be used for software development, maintenance and quality assurance, but does not alter human responsibility for design choices, accuracy, security and usage.
The use of AI agents must not replace professional responsibility, managerial decision-making or academic judgement.
The use of AI agents for vibe coding
When using AI agents for vibe coding, particular attention must be paid to the following points:
Professional and legal responsibility
AI-generated code must not be used without first having been professionally reviewed. The developer remains fully responsible for ensuring that the code is correct, secure, compliant with licensing requirements and in accordance with applicable legislation, internal requirements and architectural principles.
Information security and data protection
Confidential information, personal data, security-critical configurations, keys, tokens or internal system details must not be included in prompts or shared with AI services that have not been approved by SDU RIO and SDU IT, unless this takes place in closed environments to which the model provider has no access.
Supply chain and licensing risks
AI-generated code may contain patterns, library choices or code snippets that pose licensing or copyright risks. The same assessment of dependencies and licences must therefore be carried out as in traditional development.
Security and vulnerabilities
AI-generated code may contain known or unknown vulnerabilities, inappropriate default settings or weak security mechanisms. The code must therefore undergo relevant security testing, code reviews and, where appropriate, static/dynamic analysis in line with other software.
Overview and maintenance
Vibe coding can lead to rapid coding without sufficient architectural coherence or documentation. Software that is put into operation must be made legible, versioned and documented so that solutions can be maintained, transferred and revised.
Vibe coding may be used as a supporting tool but must not replace professional judgement, accountability or established development processes. Its use must be proportionate to the criticality of the task and must take into account the risks associated with automated code generation.
In this policy, agentic AI is defined as virtual assistants that, based on objectives, instructions or context, can perform actions, coordinate tasks, interact with other people and systems, or make (partially) autonomous decisions over time. This could include tasks such as creating or deleting user accounts, organising your documents, sending emails, setting up meetings or buying train tickets.
For any application of agentic AI, the following must be in place:
Identification of a responsible person or organisational unit.
The ability to monitor, restrict, interrupt or override the actions of the agentic AI.
Documentation of the purpose, scope of application and key decisions supported by AI.
Staff and students must not install or use agentic AI on SDU’s equipment or networks unless they understand and have control over the solution’s functionality and behaviour. If agentic AI is used to carry out harmful actions on behalf of an employee or student, responsibility rests with the individual concerned and may result in employment-related or academic consequences.
Agentic AI must not be able to independently download and install software from the internet (root access). SDU IT may set out detailed rules in guidelines governing the use of agentic AI with access to SDU’s identity management system and M365 environment, including specifying the access and permissions that agentic AI may have, as well as detailed documentation requirements. The current policy is that agentic AI which has rights in M365 may not be implemented without prior communication with and approval from SDU IT.
There is nothing to prevent more extensive experimentation with agentic AI in closed or controlled environments, such as Ucloud or environments recommended by SDU IT.
Compliance with this policy forms part of SDU’s general management, risk and compliance monitoring.
The policy will be reviewed as necessary to ensure continued compliance with current legislation, changes in the risk landscape, and SDU’s organisational and technological developments.