AI Governance Card: Gemini Workspace
Revision History:
- Last Revised: 07/22/2025
- Date Issued: 03/30/2025
- Version: 1.1
- Author: Solomon Abiola
This governance card mirrors Maryland’s broader Generative AI (GenAI) guidance (Sections I–VI), providing guidance for standalone commercial GenAI tools. All Maryland state employees and contractors should review this document before using Google’s Gemini Workspace.
Gemini Workspace is Google’s GenAI suite. It is capable of producing new text, code, translations, summaries, and images.
This Guidance Card specifically governs the usage of Gemini, providing specific adjustments to interim policies.
- Unacceptable Risk AI (Prohibited):
  - AI that automates decisions impacting individual rights or sensitive investigations or that handles restricted data is off-limits.
  - Under the interim policy, staff must not use Gemini (or any GenAI) to generate decisions involving benefits, credentialing, legal enforcement, and other critical decisions, as stated in Section IV.2 (“Decision-making and evaluations”).
- High-Risk AI:
  - If Gemini were integrated to make sensitive decisions or used to handle personal or protected health information, it could enter high-risk territory. However, Gemini uses technical controls that disallow processing of PI (i.e., Gemini will either be unresponsive or block PI in responses), thus ensuring that using Gemini is not High-Risk AI.
- Limited Risk AI:
  - Gemini poses limited risks if it is used for typical tasks such as drafting memos, brainstorming, analyzing public data, generating code for non-critical tasks, and generating reports that include protected internal-only data.
  - These actions are allowed with caution, in line with guidelines on fact-checking, bias review, and not including personal/sensitive data in prompts (Sections IV.1, IV.3, IV.4 of state’s interim AI guidance).
- Minimal Risk AI:
  - Routine, low-stakes tasks (grammar fixes, rewording public domain text) with no sensitive data.
  - Agencies should still follow best practices: disclose GenAI usage with the citation template if significant proportions of content are generated, and verify outputs.
Most Gemini Workspace usage falls under Limited or Minimal risk, in line with the interim guidelines, as long as users give special attention to the ban on restricted decisions as stated in Section IV.2 (“Decision-making and evaluations”).
Key Guidelines from the Maryland Department of Information Technology’s (DoIT’s) Interim AI Policy
- Do Not Use for Sensitive Decisions
  - Per Section IV.2, do not use Gemini to decide or evaluate individual benefits, legal enforcement, HR hiring, or any “State activities affecting individual rights/safety.”
  - Keep Gemini usage to lower risk tasks such as drafting, brainstorming, and summarizing data, not automated judgments about individuals.
- Fact-Check & Review
  - As Section IV.3 warns, GenAI can generate plausible but false content. You are responsible for always validating outputs.
  - For official memos or communications, do final edits manually to ensure correctness. You remain responsible for accuracy (even if Gemini drafted it).
- Review for Bias
  - Section IV.4 highlights the risk of GenAI reproducing harmful stereotypes. Check Gemini-generated text for subtle bias or offensive language and correct such outputs.
- Create Transcriptions Only With Consent
  - Section IV.5: Gemini-based transcription is approved for meetings. In such instances, one should still follow state guidelines for recording, in particular:
    - All-Party Consent: Maryland law prohibits recording conversations without “all” participants’ informed consent. At the start of any call or meeting, Agencies must announce that the call or meeting will be recorded and/or transcribed by an AI-powered service, if applicable, and allow participants the ability to consent or object. If a participant objects to the recording or transcription, it shall not be used. This applies to both internal meetings and calls with the public. Lack of consent makes the recording illegal in Maryland and thus an unacceptable practice.
- Use Work Accounts Only
  - Any usage of Gemini services should be through your @maryland.gov account only and separate from personal usage per Section IV.6.
- Disclose & Cite GenAI
  - Section IV.8 + Table 1: Cite Gemini usage if content is significantly AI-generated. E.g., “This document was drafted with the assistance of Google Gemini.”
  - Minimal usage (proofreading) may not require citation; see Table 1 in the interim guidance for more details.
Additional Considerations
DoIT’s approval of Gemini for Google Workspace means it can access and use protected internal-only data within Google products such as Gmail and Google Drive. However, you remain responsible for managing access to protected internal-only data, especially when sharing information on Google Drive. All Google product rules for personally identifiable information (PII) apply to Gemini.
- Reinforcing Responsible AI Principles: Learn from the Utah Department of Transportation’s (UDOT's) experience: The YouTube video "Google Gemini at UDOT" provides a real-world example of implementing Gemini responsibly within a public organization. This presentation from UDOT underscores several key principles already outlined, including the importance of human oversight, accuracy verification, data security, and ethical considerations. UDOT frames Gemini as a tool to enhance human work, not replace it, and emphasizes core values like trust, integrity, and caring in its application. Reviewing this video can offer valuable reinforcement of these best practices and practical examples of appropriate Gemini usage.
- Privacy & Data Security: Gemini follows the same data loss prevention (DLP) policy present across Google Workspace, which restricts Gemini's usage of PII. Gemini's privacy policy can be found here: https://support.google.com/a/answer/15706919. Gemini has attained SOC 1/2/3, ISO 9001, ISO/IEC 27001, 27701, 27017, 27018, and 42001 certifications. Gemini has FedRAMP High authorization. Additionally, Gemini supports compliance with COPPA and FERPA.
Prompt Engineering & Usage Examples
Prompt Engineering:
- Craft specific prompts for better outputs, referencing recommended resources (Section V: e.g., OpenAI docs, AWS prompt engineering guides).
Do’s and Don’ts:
Example Use Cases:
- Drafting Documents: Let Gemini provide an initial draft for a memo on a public topic. Do carefully edit, but don’t rely on it to produce verified facts.
- Analyzing Public Data: You can prompt Gemini to suggest insights. Fact-check these insights thoroughly.
- Translation: Use Gemini to translate non-sensitive content. Confirm the final text with a native speaker for critical communications.
- Research: Use NotebookLM to analyze publicly available legal text. Fact-check these insights thoroughly.
For additional resources that can help you use Gemini productively, please refer to this resource and this resource which are both provided by Google.