Practical recommendations from Polk Wagner for faculty use of agentic AI tools. These are working guidelines, not university policy — Penn ISC, Penn Law ITS, the Privacy Office, and the Office of General Counsel hold formal authority over data handling and tool approval.
Canonical Penn guidance: Penn ISC Statement on Generative AI (university-wide policy) and Penn Law ITS AI Tools & Guidance (school-level data-tier approvals).
I. What’s different about agentic AI
Unlike chat tools, agentic AI reads files, runs commands, and acts on your behalf — often in sequences you don’t individually approve. You set the boundary up front (what folder, what permissions, what connectors), not in the moment. Faculty should think carefully about that setup before each session. For background on the distinction, see the companion Understanding Agentic AI document.
II. Account setup
- Use paid, professional tiers only. Free consumer AI tools generally offer weaker data-handling protections than paid tiers — depending on the vendor, they may retain your inputs longer, use them to train future models, or expose fewer privacy controls. Also note that terms vary and change. For any serious work — including drafts, research, communications, and anything touching private material — use a paid subscription (Claude Pro, Max, Team, or Enterprise; ChatGPT EDU (chat-only — see below), Plus, Pro, Business, or Enterprise; or equivalent). To get started, Claude Pro or ChatGPT Plus is sufficient; as you use agents more, you may need the higher usage limits that a Claude Max plan provides. Again: free tiers are not appropriate.
Note that (at least in the Law School context) there are no Penn-managed agentic AI tools at present; for now, faculty can subscribe individually and be reimbursed from their research account. ChatGPT EDU — Penn’s institutional ChatGPT tier — does not fill this gap. OpenAI’s general EDU offering can include Codex and the OpenAI API, but Penn’s deployment has not enabled those features — EDU here is effectively chat-only for now and can’t run agentic coding tools. (Per Penn ISC’s ChatGPT EDU FAQ: “At this time API access is not available for university users.”) Faculty who want OpenAI’s agentic tools need a personal ChatGPT Plus, Pro, Business, or Enterprise subscription.
- Keep your professional AI account separate from any personal one, and use the professional account for Penn work.
- Enable two-factor authentication.
- Don’t share AI logins across faculty, staff, or research assistants — each person should have their own account.
A note on API keys
Most faculty will sign in to Claude tools using their normal account login. Some uses — particularly setting up Claude Code in certain configurations, connecting Claude to a third-party tool, or following a technical tutorial — will instead ask for an “API key.” An API key is a long string of letters and numbers (typically starting with sk-ant-...) that lets software use Claude on your behalf and bills it to your account. A few things to know:
- It’s a credential, not a setting. Anyone who has your API key can run unlimited Claude queries on your bill and, in some configurations, see what you’re doing. Treat it like a password.
- Don’t paste it into shared documents, email, Slack, or AI chats. Store it in a password manager or your operating system’s keychain.
- Don’t commit it to a Git repository or share a screen showing it. If you suspect a key has been exposed, revoke it in your Claude account settings and generate a new one.
- If you’re not sure whether a tool needs one, you probably don’t need to generate one yet. Stick to standard login until a specific tool requires it.
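An added example (not from the original page or from Anthropic): a small Python scanner you can run over a working folder before committing or sharing it, looking for strings that match the sk-ant- prefix described above. The key-tail pattern, the generic sk- pattern, and the sample key are assumptions or constructed values, not real formats or credentials.

```python
import re
import sys
from pathlib import Path

# The page says Anthropic keys typically start with "sk-ant-"; the rest of the
# pattern (a long run of letters, digits, "_" or "-") is an assumption.
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    # Several other vendors also issue keys beginning with "sk-" (assumption).
    "other-sk": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}

def redact(key: str) -> str:
    """Keep only the prefix and last four characters so the report cannot leak the key."""
    return f"{key[:7]}...{key[-4:]}"

def find_keys(text: str) -> list[tuple[str, int, str]]:
    """Return (kind, line_number, redacted_key) for every key-like string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((kind, lineno, redact(match.group(0))))
    return hits

def scan_tree(root: Path) -> list[tuple[str, str, int, str]]:
    """Walk a working folder (e.g. right before `git commit`) and report key-like strings."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: nothing to scan
        for kind, lineno, shown in find_keys(text):
            findings.append((str(path), kind, lineno, shown))
    return findings

if __name__ == "__main__":
    # Constructed sample of what a key pasted into a notes file looks like (not a real key).
    sample = "tutorial notes\nANTHROPIC_API_KEY=sk-ant-EXAMPLE0123456789abcdefghij\n"
    print("sample hits:", find_keys(sample))
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for path, kind, lineno, shown in scan_tree(root):
        print(f"{path}:{lineno} [{kind}] {shown}")
```

Run it as `python scan_keys.py ~/ai-workspace/`; a hit means revoke the key in your account settings and remove it from the file before it goes anywhere.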
III. Working directory hygiene
- Create a dedicated working folder for AI sessions (e.g., ~/ai-workspace/). Don’t run agentic tools from your home directory or Desktop.
- Use a separate folder for each project, and limit the agent’s access to that folder for most sessions. Most agentic tools support folder-scoped access — keeping each project in its own folder prevents work on one matter from spilling into another and makes the boundary explicit.
- Only put files in the working folder that you’re comfortable with the AI reading. Whatever you put in there, the agent can and likely will read. Make the call about what belongs in the folder before you start a session, not in the middle of one.
- De-identify sensitive data before handing it to an agent. Strip or hash identifiers from any material before you analyze it.
- Keep work under version control or backup (git, Dropbox, Time Machine) so an agent mistake is recoverable.
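The de-identification step above, as an added Python example that is not part of the original guidelines: identifying columns are replaced with keyed-hash tokens and direct names are dropped, with the secret and the re-identification map kept outside the working folder. The roster, column names, and secret are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Column roles are assumptions for this constructed roster; adjust to your file.
IDENTIFIER_COLUMNS = ("student_id", "email")   # replaced by keyed-hash tokens
DROP_COLUMNS = ("name",)                       # stripped entirely

# Constructed sample roster; no real student data.
SAMPLE_ROSTER = (
    "student_id,name,email,grade\n"
    "10001,Ada Example,ada@example.edu,A-\n"
    "10002,Ben Sample,ben@example.edu,B+\n"
)

def pseudonym(secret: bytes, value: str) -> str:
    """HMAC-SHA256 token: stable within one analysis, not reversible without the key.
    An unkeyed hash of a five-digit ID could be reversed by hashing all 100,000 candidates."""
    digest = hmac.new(secret, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def deidentify(csv_text: str, secret: bytes) -> tuple[str, dict[str, str]]:
    """Return the de-identified CSV plus a token->original map.
    The map and the secret stay outside the agent's working folder."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [c for c in reader.fieldnames if c not in DROP_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    mapping = {}
    for row in reader:
        clean = {}
        for col in kept:
            if col in IDENTIFIER_COLUMNS:
                token = pseudonym(secret, row[col])
                mapping[token] = row[col]
                clean[col] = token
            else:
                clean[col] = row[col]
        writer.writerow(clean)
    return out.getvalue(), mapping

if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # store with the mapping, outside ~/ai-workspace/
    safe_csv, mapping = deidentify(SAMPLE_ROSTER, secret)
    print(safe_csv)                    # this is what goes into the working folder
    print(f"{len(mapping)} tokens in the re-identification map (keep private)")
```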
IV. Permissions
In agentic tools, “permissions” are the rules that decide which actions the agent can take on its own and which require your explicit approval — running a shell command, modifying a file, sending a message, calling an external service. Most agentic tools prompt you per action by default, but most also let you relax those prompts to keep sessions moving. The settings are a real tradeoff: tight permissions mean more interruptions; loose permissions mean real risk if the agent makes a wrong call. The defaults are usually right; the practices below are about resisting the temptation to relax them.
- Leave per-action approval prompts enabled. Resist “approve all,” “auto-accept,” or “do not ask again” modes when the session touches anything sensitive — most agentic tools have a version of this under different names.
- Read proposed bash commands before approving — particularly rm, mv, network calls, and anything touching your home directory.
- Be especially cautious with deletion and overwriting.
V. Connectors (MCP, Gmail, Drive, Calendar, etc.)
Connectors are how an agent reaches outside its working folder — into your email, calendar, drive, Slack, or any other service you’ve granted access to. Most modern agentic tools use the Model Context Protocol (MCP), an open standard for plugging connectors in and out. Each one hands the agent another set of keys: it expands not just what the agent can read, but what it can do on your behalf (send the email, accept the invite, file the document). The practices below are about keeping that set small and intentional.
- Note that for now, faculty cannot connect Claude, ChatGPT, Cowork, or any other external agentic AI tool to the Law School’s O365 instance — email, calendar, OneDrive, Teams, etc. Microsoft Copilot is built into O365 and will likely roll out some agentic tools in the future.
- Each connector expands what the agent can see and do. Enable only what you’re actively using.
- Audit connected services periodically and disconnect the ones you’ve stopped using.
- Only install third-party MCP servers from sources you’d trust to read your files.
- Email and calendar connectors of any kind deserve extra caution (see §VII).
VI. Identifiable student records and other confidential data
Penn’s data-classification framework applies to agentic AI tools — and Penn ISC and Penn Law ITS have reviewed specific AI tools for use with each data tier. For the current tool-to-tier mapping, see the Policies tab of the AI Resources portal. When in doubt about whether a particular agentic use is appropriate, ask the Registrar, the Office of Student Services, or the Privacy Office before the session, not after. The default for identifiable student data and other confidential material is: don’t send it to a third-party AI service that hasn’t been reviewed for that tier.
VII. Prompt injection
This is a risk most faculty haven’t encountered. Malicious instructions can be hidden in documents, emails, or web pages that an agent reads — and the agent may treat them as commands from you. Realistic examples:
- A PDF that instructs the agent to write a favorable evaluation
- An email that instructs a Gmail-connected agent to forward messages to an outside address
- A web page that instructs the agent to exfiltrate clipboard contents
Be skeptical when an agent’s behavior changes after it reads external content. Keep sensitive tool permissions (send, delete, network) gated behind explicit approval. Don’t auto-approve actions taken after the agent reads anything from outside.
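An added Python example (not from the original page or any vendor) that models the approval rules of §IV and §VII as one policy gate: risky shell commands (rm, mv, network calls, home-directory paths) and send/delete/network tools always ask, and once the agent has read external content, auto-approve no longer applies to any of them. The tool names and home path are assumed labels for this illustration, not a real product’s API.

```python
import shlex
from dataclasses import dataclass, field

# Hypothetical tool names standing in for the action classes the page discusses.
SENSITIVE_TOOLS = {"send_email", "delete_file", "http_request"}   # send, delete, network
EXTERNAL_READ_TOOLS = {"read_email", "fetch_url", "read_pdf"}      # content you did not write
DESTRUCTIVE_CMDS = {"rm", "mv", "dd", "shred"}
NETWORK_CMDS = {"curl", "wget", "ssh", "scp", "nc"}

@dataclass
class Session:
    auto_approve: bool = False        # the "approve all" switch the page warns against
    home: str = "/Users/faculty"      # assumed home directory for the path check
    tainted: bool = False             # set once the agent has read external content
    log: list = field(default_factory=list)

def risky_shell(cmd: str, home: str) -> list[str]:
    """List the reasons a proposed shell command deserves a human read before approval.
    Every token is checked, so piped or chained commands are caught too."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable command"]
    reasons = []
    for tok in argv:
        base = tok.rsplit("/", 1)[-1]
        if base in DESTRUCTIVE_CMDS:
            reasons.append(f"destructive: {base}")
        if base in NETWORK_CMDS:
            reasons.append(f"network: {base}")
        if tok in ("~", "$HOME") or tok.startswith(("~/", "$HOME/", home)):
            reasons.append(f"home directory path: {tok}")
    return reasons

def decide(session: Session, tool: str, arg: str = "") -> str:
    """Return 'allow' or 'ask' for a proposed action. Auto-approve never covers
    sensitive tools, risky commands, or anything after an external read."""
    if tool in EXTERNAL_READ_TOOLS:
        session.tainted = True   # from here on the agent may be acting on injected text
        session.log.append(f"allow {tool}: external content read; later actions gated")
        return "allow"
    reasons = risky_shell(arg, session.home) if tool == "bash" else []
    if tool in SENSITIVE_TOOLS:
        reasons.append(f"sensitive tool: {tool}")
    if session.tainted and (tool == "bash" or tool in SENSITIVE_TOOLS):
        reasons.append("taken after reading external content")
    if reasons:
        session.log.append(f"ask {tool}: " + "; ".join(reasons))
        return "ask"
    verdict = "allow" if session.auto_approve else "ask"
    session.log.append(f"{verdict} {tool}: routine")
    return verdict
```

After a session, `Session.log` is the record of why each action was allowed or held, which is also what you would preserve if something goes wrong.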
VIII. Human in the loop
- Read what the agent produces before sending, submitting, or filing it.
- Verify factual claims and citations independently.
- Faculty should always be the last step before any external communication or formal action.
IX. If something goes wrong
If sensitive data was sent inappropriately, or an agent took an unintended action affecting confidential material: stop the session, preserve the session log, and contact Penn Law ITS promptly.
X. Quick reference
- Use paid AI subscriptions; free tiers are not appropriate for Penn work
- Use a dedicated working folder; never run agents in folders with confidential material
- Keep approvals on for sensitive work
- De-identify sensitive data before analysis
- Enable only the connectors you actually need
- Read agent output before sending or submitting anything
- Ask before, not after, when in doubt
XI. Vendor documentation & guidelines
For agentic-tool training and platform-specific safe-use guidance, the vendors are the best source. Their documentation gets updated more often than this page.
Anthropic (Claude, Claude Code, Claude Cowork)
- Claude Code documentation — install, configure, and use Anthropic’s coding agent
- Claude Code Security — Anthropic’s safety guidance for Claude Code (permissions, sandboxing, command blocklist)
- Our Approach to User Safety — Anthropic’s broader overview of Claude safety mechanisms
OpenAI (ChatGPT, Codex)
- OpenAI Codex — installation and usage for OpenAI’s coding agent
- Codex Security — OpenAI’s safety guidance for Codex (sandboxing, approvals, network controls)
- OpenAI Safety Best Practices — broader safety practices for ChatGPT and API-based applications
Google (Gemini, Gemini CLI)
- Gemini CLI — installation, documentation, and source code (Apache 2.0)
- Gemini Code Assist & Responsible AI — Google’s safety guidance for the coding agent
- Gemini API Safety Guidance — broader safety practices for Gemini-based applications