Skip to content

Artificial Intelligence and Its Use at the University of Oulu

Author: Jesse Korhonen | Published: 11.6.2026
Keywords: , , , , , , , , ,

The University of Oulu supports the use of artificial intelligence in teaching, research, and day-to-day work. AI must be used responsibly, ethically, and with due regard to information security. AI can support ideation, writing, and information processing, but the user always remains responsible for the accuracy of the content.

As a primary rule, use AI services provided or approved by the university and ensure that any new service is approved before use.

Why are there restrictions on the use of AI?

The purpose of these restrictions is not to slow down the use of AI, but to ensure that it can be used safely, lawfully, and in a controlled way. The main reasons for these restrictions are as follows:

  • Legislation and obligations: requirements related to the processing of personal data (e.g. GDPR) and obligations concerning information security and data protection.
  • Information security: external cloud services may process data outside the university’s infrastructure, increasing the risk of data leaks and misuse.
  • Contracts and data governance: agent-based solutions in particular may act independently, for example, by calling different interfaces or reading user files, which means they are subject to stricter requirements.

For more information about the processing of personal data and related data protection obligations, see the University of Oulu’s data protection policy and information handling guidelines.

Key instructions in brief

  • As a primary rule, use AI services provided or approved by the university. ICT Services maintain a list of permitted AI tools and their approved use cases.
  • Do not enter personal data, health data, or other confidential data into external and unapproved AI services unless the service has been specifically approved for that purpose.
  • Check what types of data and content each service is permitted to process.
  • Always review AI-generated content before using it.
  • If you need to introduce a new AI service, see the separate onboarding guide.

AI services provided by the university

A separately maintained service list is available for AI services provided and approved by the University of Oulu.

The list shows which services are available, which of them are licensed or otherwise approved by local solutions, and the purposes and types of data for which each service may be used.

Types of AI services and operating environments

AI services can be viewed from two perspectives: what they do and the environment in which they operate. This helps in assessing which type of service is appropriate for a given purpose and what risks may be associated with its use.

By intended use

  • Content-generating AI tools support, for example, writing, ideation, analysis, and code generation.
  • Agent-based tools can retrieve information, call interfaces, read files, or carry out actions automatically. As a result, they usually involve a higher level of risk.

By operating environment

  • SaaS services: the service runs in the provider’s environment, and content entered by the user is transferred outside the university’s infrastructure for processing. These services require particular attention to contractual terms, data protection, and information security. Even if the service is accessed through a browser or workstation, processing usually does not take place locally.
    Examples: ChatGPT, Microsoft Copilot, and Gemini.
  • On-premises services: the service runs in the organization’s own or otherwise controlled environment, for example on a server managed by ICT Services or a faculty. On-premises solutions generally provide better control over data location, access rights, and the technical environment.
    Example: Lehmus AI in a university-controlled environment.
  • Services run on endpoint devices: the service runs on a physical workstation or server. In this context, it is important to distinguish between a standard workstation and a research device, as access rights, isolation, management practices, and risk levels may differ significantly. In some cases, an endpoint-based solution may require a lighter assessment if it involves only a single dataset and a single tool, and the risks are low, but the assessment is always based on the specific use case.
    Examples: a language model running locally on a workstation, or a separate AI application used on a research device.

The operating environment directly affects the kinds of reviews and safeguards required for a tool. This way of thinking is aligned with the CIS Controls framework (cisecurity.com), which emphasizes asset management, secure configuration, and data protection across different environments. The more a solution handles confidential data, relies on external services, or includes agent capabilities, the more extensive the assessment required before deployment.

Introducing other AI services

If you are considering introducing a new AI service from outside the university, consult the separate onboarding guide. This page provides more detailed instructions for the evaluation, approval, and controlled deployment of new AI services at the University of Oulu. A new service must not be introduced until the required assessment has been completed, and approval has been granted.

Safe use of AI

When using AI services, consider the data being processed, the service’s operating model, and the environment in which it operates. Use AI primarily for public or low-risk data, and choose a university-approved service that is suitable for the intended purpose.

Handle data correctly

Where possible, remove or anonymize personal data, confidential research data, and other identifying information. Do not enter unnecessary personal data, confidential materials, or contractually restricted data into external services. More detailed guidance on information classification and classification-based restrictions is available in Information classification at the University of Oulu and Oamk.

Use approved services

Use AI services provided or approved by the university as your primary option. In these services, data processing and terms of use have been assessed more thoroughly than in unapproved external services.

Understand what the tool does

Before using a service, determine whether it stores prompts, whether the data is used for model training, where the data is located, and what access rights the tool requires. Also make sure that the service is appropriate for the intended purpose.

Ensure the reliability of AI output

Always review AI-generated content before using, publishing, or applying it. AI may produce incorrect, incomplete, or misleading output, so it should be used as a support tool rather than an original source.

Protect credentials and access rights

Use personal credentials only in official services. Restrict access rights to the minimum necessary. Do not share API keys or credentials, and do not grant AI tools broader permissions than they need.

Use extra caution with agent-based solutions

Agent-based tools may, for example, read files, call interfaces, and perform actions automatically. For this reason, they should be granted only permissions that are strictly necessary, and access to data assets should be carefully limited. Unapproved or experimental solutions should be tested only in an isolated environment, such as a sandbox or a separate device, where access to data assets is restricted.

Further information and guidance

« Back

This article was published in categories English version available, All instructions, for the University of Oulu staff, Saavutettava ohjeartikkeli and tags , , , , , , , , , . Add the permalink to your favourites.