Box.com Guidance for Use

GTA recognizes Box.com as a cloud-based content management and collaboration platform whose integrated AI features (Box AI) automate document organization, summarize content, and enhance search and knowledge discovery. Box holds FedRAMP Moderate and StateRAMP authorizations and supports HIPAA compliance when used under a signed Business Associate Agreement, which makes it suitable for government use when configured correctly. Georgia state agencies must ensure that Box AI is implemented within approved data classification, encryption, and access-control frameworks before using it to process or analyze sensitive data, including personally identifiable information (PII) or protected health information (PHI).

Guidance

  • Purpose and Use

    Box AI can be used for document collaboration, version control, automated tagging, search summarization, and internal content generation such as drafting summaries or metadata.

    AI-assisted features should complement, not replace, human judgment in managing official documents.

    Use of Box AI should be limited to authorized users and approved organizational folders within your agency's secure enterprise tenant.

  • Transparency

    AI-generated summaries, tags, or insights must be clearly identified as machine-generated.

    Staff should be informed when AI tools are used in document processing or classification.

  • Accountability

    All AI-generated content must be reviewed and validated by a human before being shared or recorded as official information.

    Agency administrators must maintain audit logs of AI-assisted actions to ensure accountability and compliance.

  • Data Privacy and Security

    Sensitive or regulated data, such as PII and PHI, must be stored only in Box environments that are FedRAMP or StateRAMP compliant, using encryption at rest and in transit.

    Data Loss Prevention (DLP) and Zero Trust security controls must be applied and monitored.

    AI features should only process data that resides within the agency’s tenant. External data sharing for AI summarization or tagging should be disabled by default.

    All external access and sharing must be encrypted and approved by your agency’s Information Security Office or GTA.

  • Bias and Fairness

    Box AI should be used in ways that promote fairness, transparency, and accessibility.

    Bias detection and mitigation should be reviewed regularly, especially for document tagging and search-related features.

Prohibited Uses

  • PHI or PII

    Do not use AI to process PHI or PII without written approval from your agency’s Information Security Office.

  • Policy, medical, or legal matters

    Do not rely on AI-generated summaries or insights for final decisions related to policy, medical, or legal matters.

  • Using for Sensitive or Classified Information

    Do not upload or process classified or investigative materials through Box AI.

  • Training AI models

    Do not allow training or fine-tuning of AI models with internal agency data without explicit authorization.

  • External communications

    Do not use AI outputs in external communications or public documents that could be interpreted as official positions of the agency.

Security Assessment

Based on Box.com’s current certifications and security architecture:

  • Box is FedRAMP Moderate and StateRAMP Authorized, making it suitable for sensitive but unclassified (SBU) and moderate-risk data.
  • Box supports HIPAA and HITECH compliance when used under a signed Business Associate Agreement (BAA).
  • The agency must implement role-based access control, multi-factor authentication (MFA), and data retention policies.
  • Box Shield and the Admin Console should be used to monitor and control data access.
  • Annual security assessments and quarterly AI feature reviews must be conducted to ensure ongoing compliance.
     
Do and Don't

  • Do: Use Box AI only within the secure enterprise tenant.
    Don't: Use personal or public Box accounts.

  • Do: Classify all content according to your agency's data tiers.
    Don't: Upload PHI or PII that has not been classified, or upload it without authorization.

  • Do: Enable MFA and DLP enforcement.
    Don't: Share sensitive folders externally without encryption.

  • Do: Review AI-generated content for accuracy.
    Don't: Rely on AI outputs without human validation.

  • Do: Maintain audit logs and quarterly compliance checks.
    Don't: Disable audit or access control settings.

  • Do: Provide mandatory AI ethics and security training.
    Don't: Use AI-generated text or summaries for public releases.

Oversight and Compliance

  • Your agency's security team is responsible for reviewing Box AI configurations and overseeing compliance.
  • GTA's Office of AI must evaluate new Box AI features before statewide activation.
  • Any suspected data exposure or misconfiguration must be reported to GTA within 24 hours.
  • All staff using Box AI must complete training on secure and ethical AI use before access is granted.