Education & EdTech AI Security & Governance 2024

AI Governance and Compliance Validation for the University of Chicago’s GenAI Platform

University of Chicago Leading Research University — Education Sector
5 Frameworks Validated
GenAI Platform Assessed
7 High-Risk Gaps Identified

The Challenge

The University of Chicago developed a GenAI platform for academic, operational, and research workflows involving sensitive data including research health information. As the platform prepared for broader institutional adoption, the university needed independent validation of its internal security and compliance assessment — benchmarked against ISO 42001, NIST AI RMF, and NIST 800-171.

The Solution

Propelex conducted an independent validation of the university's internal GenAI security review — deepening the evaluation with multi-framework gap analysis across AI governance, lifecycle management, cloud shared responsibility, DLP, trustworthiness monitoring, and AI-specific penetration testing requirements not addressed by traditional cybersecurity frameworks.

Generative AI is entering academic institutions faster than the governance frameworks needed to manage it responsibly. Universities face a distinctive challenge: they are simultaneously deploying AI to support sensitive research involving protected health information, navigating HIPAA and federal compliance obligations, and operating in an environment where AI adoption is driven by faculty and research teams rather than top-down IT governance. Traditional cybersecurity frameworks were not designed for this reality.

The University of Chicago engaged Propelex to independently validate its internal GenAI platform security and compliance assessment — broadening the evaluation beyond HIPAA-aligned controls to benchmark the platform against ISO/IEC 42001, NIST AI RMF 1.0, and NIST SP 800-171, and identify the AI-specific governance gaps that traditional frameworks consistently miss.

About the Engagement

The University of Chicago’s Information Assurance team conducted a structured internal assessment of their GenAI platform before broader institutional rollout — a three-pass review combining documentation review and hands-on validation, focused primarily on HIPAA safeguards, institutional software security requirements, and NIST SP 800-66 considerations.

Rather than duplicating that work, Propelex was engaged to do something more valuable: independently validate its completeness, benchmark it against frameworks the internal team had not evaluated, and identify the AI-specific risks that traditional security assessments are structurally unable to see. The platform handles research health information and is being deployed across academic, operational, and research workflows — making both the compliance obligations and the reputational stakes significant.

What the Internal Assessment Got Right

Propelex’s independent review confirmed that the University had built a genuinely strong security foundation — not a checkbox compliance exercise, but a substantive assessment with real methodology:

  • Strong HIPAA-aligned foundational controls — the internal assessment correctly identified and addressed the core HIPAA Privacy and Security Rule requirements applicable to research health information handling
  • Structured three-pass assessment methodology — preliminary review, team review and assertion, and validation and documentation stages provided meaningful coverage and a defensible audit trail
  • Clear institutional commitment to responsible AI deployment — the University demonstrated genuine intent to deploy the GenAI platform responsibly, not just a desire to move fast
  • Mature traditional security documentation — architecture documentation, access control records, and operational safeguard documentation were well-maintained and accessible

These strengths are not trivial. Many institutions deploying AI have neither the internal security capability nor the commitment to responsible deployment that the University of Chicago demonstrated. The gaps Propelex identified were not failures of effort — they were the predictable result of applying frameworks designed for traditional IT systems to a technology category that requires fundamentally different governance.

High-Risk Gaps Identified

Propelex’s multi-framework analysis identified seven high-risk gaps not addressed by the internal assessment:

No formal AI Governance Charter
No framework existed defining AI oversight accountability, risk ownership, or ethical decision-making processes — meaning the institution had no formal mechanism for governing how the platform evolves, who is responsible for its behavior, and how disputes about its outputs are resolved
Undefined cloud shared responsibility boundary
Control ownership for encryption, monitoring, data retention, and incident response across the cloud AI service provider was not formally documented — creating uncertainty about what the University controlled versus what the provider was responsible for
No AI-specific SDLC
The platform lacked defined approval gates, AI-specific risk evaluations, formal model evaluation requirements, and change control processes tailored for AI behavior — meaning model updates and capability changes could be deployed without the systematic review they require
Missing trustworthiness metrics and logging
No formal criteria existed to measure model drift, accuracy, reliability, misuse attempts, or bias — making it impossible to detect or respond to degradation in the platform’s behavior over time
No DLP or prompt-level safety monitoring
Without specialized monitoring, sensitive data leakage through GenAI interactions — including inadvertent disclosure of research health information in prompts or responses — could not be detected or prevented
Unverified cloud encryption
Encryption of data in transit and at rest across cloud AI services was not fully documented or validated — including the encryption status of prompts, embeddings, and logs stored within the cloud provider’s environment
  • No AI-focused security assessment or penetration testing — the GenAI platform had never undergone cloud configuration review, AI-specific penetration testing, or boundary and vulnerability testing, leaving unknown exposures that traditional infrastructure assessment would not surface

Why Traditional Frameworks Are Insufficient for GenAI

AI Introduces New Risk Categories

HIPAA, NIST SP 800-66, and traditional cybersecurity frameworks address data confidentiality, integrity, and availability — the classic security triad. GenAI introduces additional risk categories that these frameworks were not designed to address: model drift, prompt injection, sensitive data leakage through inference, bias and inappropriate outputs, and the operational implications of AI behavior changes that are not analogous to traditional software updates.

Cloud AI Creates Novel Shared Responsibility Questions

Traditional cloud shared responsibility models are well-understood: the provider secures the infrastructure, the customer secures what they build on top of it. AI-as-a-service complicates this significantly — data submitted to a cloud AI service may be retained, used for training, encrypted with provider-managed keys, or processed in ways that the standard enterprise cloud security framework does not address. Every institution deploying cloud AI needs an explicit, documented understanding of where the shared responsibility boundary sits for their specific use case.

The Results

Five Frameworks Benchmarked

The GenAI platform was evaluated against HIPAA, NIST SP 800-66, ISO/IEC 42001, NIST AI RMF 1.0, and NIST SP 800-171 in a single integrated assessment — producing a unified gap analysis rather than five separate compliance exercises.

Seven High-Risk Gaps Identified and Prioritized

Every identified gap was connected to a specific risk consequence and prioritized against the platform’s deployment timeline — giving the University a clear, actionable remediation sequence rather than an undifferentiated list of findings.

Responsible AI Deployment Enabled

With the identified gaps addressed, the GenAI platform will have the governance structures, observability tools, and lifecycle controls needed to support sensitive academic and research workloads responsibly — giving the University confidence in broader institutional rollout.

Sector Leadership Established

Propelex’s engagement positions the University of Chicago’s GenAI platform as a model for secure and responsible AI adoption in higher education — demonstrating that institutional AI deployment can be both academically enabling and rigorously governed.

Key Takeaway

Generative AI in research universities is not a future consideration — it is an immediate operational reality. Researchers are using it now, often ahead of governance frameworks that can manage the associated risks. The question for institutions is not whether to deploy GenAI but how to deploy it in a way that protects sensitive research data, satisfies compliance obligations, and maintains the institutional trust that academic credibility depends on.

The University of Chicago’s approach — strong internal assessment followed by independent expert validation against AI-specific frameworks — is the right model. It acknowledges that traditional security expertise, however strong, needs to be supplemented by AI governance expertise that addresses the novel risk categories that generative AI introduces. Propelex will continue partnering with the University to mature their AI governance program, enhance lifecycle and testing rigor, and prepare for the evolving regulatory requirements that will govern AI in research and education.

The Results

Propelex confirmed strong foundational security controls while identifying seven high-risk gaps in AI governance, SDLC, DLP, cloud responsibility boundaries, and trustworthiness monitoring — producing a prioritized roadmap that positions the GenAI platform as a model for secure and responsible AI adoption in the education sector.

Related Case Studies

View all →

Partner with Propelex

Security Built for Your Reality

Our team brings deep expertise across compliance frameworks, attack surfaces, and industry-specific threats — so you can focus on your mission.

Schedule a Consultation Explore Services