April 14, 2026 HB 1186 / SB 394 Compliance Gap Analysis
This gap analysis is an early look at the current gaps in the Division-Managed AIS Pilot Program Platform – For discussion insight only – this is an Easter Egg extra.
How to Read This Document
This analysis is based on a complete reading of the enrolled text of HB 1186, its companion bill SB 394, the Virginia Governor’s EO 30 AI Task Force Report, the VITA Enterprise Architecture Standard EA-225, the NIST AI Risk Management Framework, and the federal COPPA Rule as updated through April 2026.
Every section pulls directly from the actual law or official Commonwealth policy. Where the law is clear about what is required, this document says so plainly. Where the law creates an obligation but leaves the how unanswered, those gaps are identified by name — because those gaps are where school divisions are most exposed.
This document is organized into five sections: what the law defines, what it requires of the state, what it requires of your school board, the hard deadlines in the law, and the gaps the law does not answer.
| A note on HB 1186 vs. SB 394 HB 1186 is the enrolled, enacted law. SB 394 was its companion bill introduced in the Senate. In the final legislative process, several meaningful differences emerged between the introduced Senate version and the enacted House version. Where those differences affect compliance planning, this document flags them. When this analysis says ‘the law,’ it means HB 1186 as enacted. |
Part 1: What the Law Defines
Before you can comply with a law, you need to know what its words mean. HB 1186 establishes five definitions that matter for day-to-day operations. These are not suggestions or guidelines — they are the legal vocabulary your policies must use.
| Term | Plain-Language Meaning |
| Artificial Intelligence System (AIS) | Any machine learning-based system that takes inputs and generates outputs — including content, decisions, predictions, and recommendations — that can influence physical or virtual environments. Systems used only for internal research, development, or prototyping before release to users are excluded. In plain terms: if an AI tool is deployed in a classroom or used to support school operations, it is covered. If it is still being built and tested by a company and has not been released to users, it is not. |
| AIS in Instructional Settings | Using artificial intelligence systems to support teaching, learning, assessment, or school operations. This definition is intentionally broad. Grading support tools, tutoring platforms, reading-level assessors, scheduling software with AI features, and attendance analytics all fall inside this definition. If AI touches how students are taught, evaluated, or managed, it counts. |
| Division-Managed AIS Platform | An AI solution that your school division controls, meeting three specific conditions: (1) it aligns with Virginia’s Standards of Learning and high-quality instructional materials; (2) it gives administrators visibility into how the platform is being used; and (3) it prohibits using school or student data to train or improve AI models outside the school division’s control. This is the standard the law wants school divisions moving toward. |
| Division-Managed Environment | The operational setup in which a division-managed platform runs. It must be administered directly by the school division using role-based access controls (different people get different levels of access), administrative oversight, audit logging (a timestamped record of who did what and when), and configurable moderation — all consistent with school board policy. The school division runs the show, not the vendor. |
| Pilot Program | The AIS Innovation in Education Pilot Program, established under subsection D of HB 1186, funded through state appropriations, and set to expire July 1, 2030. |
| Important: The definition changed from the introduced bill The introduced SB 394 defined AI broadly as ‘any machine-based system’ capable of predictions, recommendations, or decisions — a definition broad enough to potentially cover spellcheck, calculators, and spam filters. The enacted HB 1186 narrowed this to ‘machine learning-based systems’ and explicitly excluded systems still in development or research stages. This is a meaningful narrowing. Simple rule-based automation that does not use machine learning may fall outside the law’s definition. |
Part 2: What the State Is Required to Do
The law places the primary guidance-writing responsibility on the Virginia Department of Education (VDOE) — not the Virginia Board of Education. This is one of the most important structural facts in the entire law, and it is frequently misunderstood. Your compliance obligations are tied directly to what VDOE produces.
Obligation 1: Compile What Virginia Schools Are Already Doing
VDOE, in consultation with local school divisions and other stakeholders, must gather information on how AI systems are currently being used for student instruction across Virginia’s public schools. This is a data-collection step that precedes any policy or guidance the Department will write.
Obligation 2: Develop and Publish Guidance
VDOE must create guidance for the safe, ethical, and equitable use of AI in instructional settings and post it publicly on its website. The law specifies exactly what that guidance must cover:
- Student data privacy and security, including compliance with FERPA, COPPA, and any other applicable federal or state privacy laws
- Resources and training for teachers
- Transparency — specifically, how AI is being used and whether users can understand how it works
- Data privacy agreements with AI vendors, including the requirement that vendors cannot use school or student data to train or improve external AI models
- Best practices for guarding against bias and discrimination in AI systems
- Clear protocols for how teachers and students may use AI, including professional development and prohibitions on relying solely on AI for high-stakes decisions (as defined by VDOE)
- Equitable access to AI resources across the school setting
- How AI use in instruction can align with the Standards of Learning and high-quality instructional materials
- Functional guardrails that prioritize division-managed platforms in division-managed environments
- Requirements that any approved AI use in instruction provides teachers with transcripts of student interactions and allows monitoring through dashboards, automated alerts, and audit logs
Obligation 3: Establish and Oversee the Pilot Program
Subject to available funding, VDOE must establish and run the AIS Innovation in Education Pilot Program. This includes developing program guidelines, prioritizing proposals from school divisions serving high-poverty, rural, and under-resourced students, requiring participating divisions to include professional development and submit evaluation plans, and reporting annually to the General Assembly by December 1 of each year.
Part 3: What Your School Board Is Required to Do
This is the section that matters most for daily operations. The core obligation on school boards is contained in subsection C of HB 1186:
| The Core Legal Mandate “Each school board shall establish, implement, and enforce policies consistent with the guidance developed by the Department.” That sentence is short. Its implications are not. |
Breaking this down word by word:
- Establish — Your school board must formally adopt written AI policies. Not a memo, not a committee recommendation — adopted policy.
- Implement — Those policies must actually go into effect. Staff must be trained, systems must be configured, agreements must be signed. A policy sitting on paper does not satisfy this requirement.
- Enforce — Violations must have consequences, and you must have a mechanism to apply them. A policy with no enforcement is not a policy — it is a suggestion.
- Consistent with VDOE guidance — Your policies must align with whatever VDOE publishes. You cannot adopt policies that contradict the guidance, and you cannot omit what the guidance requires. You can be stricter. You cannot be more permissive.
What Your Policies Will Need to Cover
Based on what the law specifies for VDOE guidance, your school board policies will need to address, at minimum:
- Student data privacy — How student and school data is protected in the context of AI tools, consistent with FERPA, COPPA, and applicable state law.
- Vendor agreements — Any approved AI vendor must sign a data privacy agreement that specifically prohibits using division-level or student data to train or improve external AI models. This is required for every AI tool used in instruction.
- Teacher access and monitoring — Any AI tool used in instruction must give teachers access to transcripts of student interactions. Administrators and teachers must be able to monitor AI use through dashboards, automated alerts, and audit logs. If a tool does not offer these features in a form your administrators can actually use, it does not meet the standard the law sets.
- Human oversight for high-stakes decisions — AI cannot be the sole factor in making high-stakes decisions about students. A human must remain in the loop. What counts as a high-stakes decision has not yet been defined by VDOE.
- Alignment with Standards of Learning — AI tools used for instruction must align with Virginia’s SOLs and support the use of high-quality instructional materials. You need to be able to demonstrate alignment, not just assume it.
- Equitable access — Policies must address how the division ensures that all students, regardless of school, economic status, or other factors, have equitable access to AI resources.
- Educator training — The guidance will include embedded professional development resources for teachers. Your policies must address how that training is delivered and documented.
For Pilot Program Participants Only
If your school division is selected for the Pilot Program, two additional requirements apply:
- Include professional development for educators on AI literacy and responsible use as part of the pilot.
- Develop and submit evaluation plans measuring the impact of AI use on student learning, teacher workload, and equity outcomes.
Part 4: Deadlines and Timelines
The law is notably thin on hard deadlines. The ones that exist apply primarily to the state, not to school divisions directly. The ones that are missing are just as important to understand as the ones that are present.
Deadlines That Exist in the Law
- December 1 of each year — VDOE must submit its annual report on the Pilot Program to the chairs of the House Committee on Education and the Senate Committee on Education and Health.
- July 1, 2030 — The Pilot Program provisions (subsection D of HB 1186) expire automatically. This sunset applies to the pilot only, not to the law’s broader requirements for school board policies.
Deadlines That Do Not Exist in the Law
These missing dates create the central compliance problem for school divisions:
- No deadline for VDOE to publish its guidance. The law says VDOE shall do it — not by when.
- No deadline for school boards to adopt their local policies.
- No deadline for pilot divisions to submit their evaluation plans.
- No timeline for how often VDOE must update the guidance.
- No schedule for division audits, training refreshes, or policy review cycles.
| What the absence of deadlines means in practice School boards cannot finalize compliant policies until VDOE publishes guidance. But school boards cannot wait indefinitely — AI tools are already deployed across Virginia’s schools, and the law’s requirements are in effect now. The practical answer is to begin building foundational compliance infrastructure immediately so that when guidance arrives, you are aligning existing work, not starting from zero. |
Part 5: The Gaps — Where the Law Requires Action Without Saying How
Every gap below is a place where the law creates a real obligation but leaves the how unanswered. These are not technicalities. They are the places where school divisions face genuine compliance risk, where policy drafting gets stuck, and where independent analysis adds the most value. Until VDOE guidance fills these gaps or your board policy addresses them locally, your division is operating in undefined territory.
| Gap 1: “High-Stakes Decisions” Is Not Defined What the law says: The law prohibits relying solely on AI for ‘certain high-stakes decisions, as defined by the Department.’ VDOE has not yet published that definition. Why it matters: Every division using AI near grading, discipline, student placement, special education evaluations, graduation requirements, threat assessments, or counseling referrals is operating without a legal boundary until VDOE defines this term. This is the single highest-risk gap in the framework. Acting conservatively — treating any decision that significantly affects a student’s educational path as high-stakes and requiring human review — is the only defensible position until the definition arrives. |
| Gap 2: No Timeline for VDOE Guidance What the law says: The law says VDOE shall develop and publish guidance but sets no deadline. Why it matters: If VDOE takes six months, school boards are in a compliance limbo for six months. If it takes eighteen, the limbo extends accordingly. School divisions cannot finalize fully compliant policies without the guidance — but they cannot wait indefinitely either. Divisions that begin building foundational policy architecture now will be ready to align it when guidance arrives. Divisions that wait will be scrambling. |
| Gap 3: No Process for Verifying Vendor Compliance What the law says: The law requires data privacy agreements prohibiting AI vendors from using student data to train external models — but does not specify what those agreements must look like, who approves them, how violations are identified, or what remedies exist. Why it matters: A vendor can sign a data privacy agreement that technically meets the law’s minimum language and still be insufficient. Without a required template or standard contract terms, the quality of vendor agreements will vary widely across 131 school divisions. Each division is negotiating individually against vendors who have significant resources and legal experience on their side. |
| Gap 4: No Definition of “Approved Use” or Approval Process What the law says: The law refers to ‘approved use of an AIS in instruction’ several times but does not describe how that approval happens, who grants it, or what the approval looks like. Why it matters: When a teacher in your division wants to use an AI tool in their classroom, who decides whether that use is approved? The principal? The technology director? The superintendent? The school board by policy? The law does not say. Until your division defines this internally, every AI tool deployment is a judgment call without a formal standard behind it. |
| Gap 5: Monitoring Requirements Have No Technical Standards What the law says: The law requires dashboards, automated alerts, audit logs, and teacher access to student-AI transcripts. It does not specify what data these must capture, how long records must be kept, who must have access, or what response protocols apply when an alert fires. Why it matters: Any vendor can claim compliance based on a minimally functional feature. Without minimum technical standards, one school division’s dashboard is a comprehensive activity log while another’s is a simple login counter — both technically satisfying the same statutory requirement. This gap creates both a procurement problem and a legal exposure problem. |
| Gap 6: No Verification Process for Division-Managed Status What the law says: The law defines ‘division-managed AIS platform’ and ‘division-managed environment’ with specific criteria. It does not describe how a division demonstrates it is operating one, or what happens if a division believes it is compliant but is not. Why it matters: A division that licenses an enterprise AI platform, configures it with role-based access, and maintains audit logs may genuinely believe it operates a division-managed environment under the law. Whether that belief is legally defensible depends on details the law does not specify. Vendor representations alone are insufficient. |
| Gap 7: COPPA’s Age Triggers and the Under-13 Population What the law says: HB 1186 requires compliance with COPPA — the federal Children’s Online Privacy Protection Act, updated in April 2025. The 2025 update expanded COPPA’s definition of personal information to include biometric identifiers, including facial templates, voiceprints, and behavioral pattern data. Why it matters: If any AI tool your division uses with students under age 13 collects, processes, or generates biometric data — through voice analysis, facial recognition, behavioral monitoring, or similar features — separate verifiable parental consent is now required under federal law, independent of anything HB 1186 requires. Most divisions do not know to ask this question during procurement. This is an active compliance gap, not a future risk. |
| Gap 8: Parent Transparency Was Removed from the Enacted Law What the law says: The introduced SB 394 included ‘transparency for parents relating to the use of AI in instructional settings’ as an explicit named requirement. That line does not appear in the enacted HB 1186. Why it matters: Most policy frameworks being built for Virginia school divisions assume a parent notification requirement exists because it was in the introduced bill. Technically, the enacted law does not require it at the state level. This does not mean parent communication is unimportant — it means there is no state floor requiring it, and divisions must decide locally whether and how to communicate AI use to parents. Silence is not a safe default when parents are asking questions about AI in their children’s schools. |
| Gap 9: Existing AI Tools Inside Tools You Already Own What the law says: The law’s procurement and approval requirements apply to AI systems used in instructional settings. But AI is increasingly being delivered as a feature update inside software a division already owns and previously approved — not as a new procurement. Why it matters: A tutoring platform, a writing feedback tool, or a learning management system approved two years ago may have quietly added generative AI features in a software update. That prior approval does not extend to the new AI features. The division-managed environment requirement, the vendor data agreement requirement, and the monitoring requirement all apply to the new features the moment they are active in your environment — regardless of when the underlying software was purchased. |
| Gap 10: No Enforcement Mechanism Is Specified What the law says: The law says school boards shall establish, implement, and enforce policies. It does not say what happens if a school division fails to comply, who checks compliance, or whether there will be audits, attestations, or reporting requirements. Why it matters: The absence of a named enforcement mechanism does not mean enforcement is impossible — it means the mechanism has not yet been established. Parent complaints, civil rights complaints under FERPA or COPPA, and legislative oversight are all potential pressure points. Divisions that treat the lack of a named enforcer as permission to delay are taking a risk that may be clarified retroactively. |
Where This Leaves Virginia’s School Divisions
HB 1186 / SB 394 creates three things simultaneously: a real compliance obligation for every school board in Virginia, a dependency on VDOE guidance that has not been published yet, and a set of technical and operational requirements that most school divisions have not dealt with before.
The law does not distinguish between large urban school divisions with dedicated technology teams and small rural divisions with a single IT coordinator. If AI tools are deployed in your classrooms — and the odds are high that they are, whether central administration knows it or not — your division is inside the scope of this law.
The compliance gaps identified in Part 5 are not reasons to wait. They are the work. Waiting for VDOE to fill every gap before beginning local compliance work means arriving at the policy table with nothing done when the guidance clock starts running.
| The three things divisions that get ahead of this will do First: inventory every AI tool currently deployed across the division, including tools embedded in software licensed for other purposes. Second: review vendor contracts against the data privacy requirements HB 1186 specifies — the prohibition on student data being used for model training must be explicit, not implied. Third: designate someone — internally or through outside expertise — to monitor VDOE guidance as it is published and translate it into policy language ready for board adoption. |
About This Analysis
This analysis was produced by Strategic AI Education LLC, an independent AI compliance consultancy based in Virginia Beach, Virginia. It is based on the enrolled text of HB 1186, the introduced text of SB 394, the Virginia Governor’s EO 30 AI Task Force Report (January 2026), VITA Enterprise Architecture Standard EA-225, NIST AI RMF 1.0, and 16 CFR Part 312 (COPPA) as updated through April 2, 2026. It is provided for informational and planning purposes. It does not constitute legal advice. School divisions should consult legal counsel for division-specific compliance decisions.
strategicaieducation.com • Virginia Beach, Virginia • © 2026 Strategic AI Education LLC. All rights reserved.
