Position Statement:

Use of Local LLMs

While the University has published AI guidelines regarding the use of online LLMs (https://ai.psu.edu/guidelines), many questions remain about the acceptable use of local LLMs, which this position statement hopes to address.

The Engineering IT team supports the responsible and secure use of local large language models (LLMs) by researchers and users. In alignment with institutional risk management practices and data governance expectations, local LLM deployments are permitted under specific conditions that ensure data security, regulatory compliance, and operational integrity.

We recognize the value of LLMs in advancing research and innovation. However, their use must be balanced with the university's obligations to protect sensitive data, uphold contractual and legal responsibilities, and maintain a secure computing environment.

Compliance Procedure for Local LLM Deployment

1. Network Isolation Requirements

  • Local LLMs must operate within a closed network environment. This means:
    • No outbound or inbound internet connectivity.
    • Communication is restricted to Penn State IP addresses only.
  • Exceptions (e.g., models requiring external connectivity) must undergo a formal review by Information Security (IS) and Compliance teams.

2. Data Classification and Usage

  • Only Level 2 or lower data (as defined by Penn State's data classification standards) may be processed by local LLMs, unless otherwise prohibited within a contract or agreement.
  • Researchers must not use LLMs to process Level 3 or Level 4 data (Controlled Unclassified Information (CUI), FERPA-protected data, export-controlled data, etc.) without prior approval.

3. Pre-Deployment Validation

  • The Engineering IT team will coordinate with IS to validate network restrictions prior to production deployment.
  • A brief review session (e.g., phone call or screen share) may be used to confirm that routing and firewall rules are correctly configured.

4. Documentation and Oversight

  • Researchers must document:
    • The LLM model and version in use.
    • The data types being processed.
    • The network architecture and access controls.
  • The Engineering IT team will maintain a record of approved LLM deployments and periodically review configurations for compliance.

5. Ongoing Monitoring and Change Control

  • Any changes to the LLM configuration, data scope, or network access must be reported to the Engineering IT team.
  • The Engineering IT team reserves the right to suspend or revoke access if compliance concerns arise.
 
 

About

The Engineering IT group provides all aspects of technological support and services to students, faculty and staff in the College of Engineering at Penn State.

Engineering IT

149 Hammond Building

The Pennsylvania State University

University Park, PA 16802-4710